CentMail is a charitable twist on the old idea of email postage stamps. The goals are to make it less like paying to send email, and to provide a plausible adoption path to solve the chicken-and-egg problem. In the standard email stamps approach, neither senders nor recipients gain by joining unilaterally, and senders lose money. CentMail begins as a charity fund-raising tool: Users donate $0.01 to a charity of their choice for each email they send. The user benefits by helping a cause and promoting it to friends, often at no additional cost beyond what they planned to donate anyway. Charitable organizations benefit and so may appeal to their members to join. The sender's email client certifies each outgoing message with an unforgeable stamp issued by the CentMail server. The recipient's email client verifies with CentMail that messages are appropriately stamped, and have not been queried by an unexpectedly large number of other recipients. More generally, the system can serve to rate-limit and validate many types of transactions, broadly construed, from weblog comments to web links to account creation.
CentMail is a research project at the moment, and we are exploring ways that it could be used someday to augment the company's product pipeline. Here is Yahoo's official statement on CentMail:
At Yahoo! we’re always looking for new and innovative ways to make sure our users have the best experience online, including protecting them from scams. This Yahoo! Research project is an example of how we’re open to experimenting with new approaches for addressing some of the difficult issues that can impact our users and the internet at large. With CentMail we have two specific goals: to raise awareness and money for charitable organizations, and to learn about potential ways to put a dent in spam while doing so.
Yes, but only from a pre-selected list of organizations that meet certain criteria to legally qualify as charitable organizations. See also Question 30.
First, CentMail promotes your favorite causes with every email you send. Second, since CentMail donations may be matched by sponsors, your financial impact is directly amplified. Third, as the system gains popularity and becomes incorporated into spam filters, your emails are less likely to end up in the junk mail folder.
No, CentMail is strictly opt-in. Nor is there particular pressure to stamp your mail with CentMail. The attachment of a CentMail stamp to a message provides an informative feature to a recipient's spam filter that the message is not spam; this signal is meant to augment (rather than replace) existing features of spam filters. For adopting users this decreases the probability of false positive spam classifications on their recipients' end.
It costs tens of billions of dollars a year in the United States alone. Even if you've been careful with your email address and your spam filter keeps your inbox relatively spam-free, spam makes the whole internet slower and costlier. And it's likely that once in a while a legitimate message never reaches your inbox because it's falsely marked as spam. Worst of all, you often won't realize when that happens.
CentMail will essentially be free for the majority of users who already give yearly charitable donations. 89% of U.S. households already make annual donations, with an average contribution of $1620 and a median on the order of $100. By making these donations through CentMail (as opposed to directly to the charity), users will spend no additional money, but will be provided with CentMail's service.
No. All donations will go to the participating charities.
No. Email signatures are generated by a hash of an email digest and the user's secret key. A fake stamp cannot be generated without such a key, as issued by the CentMail server.
To become an effective spam deterrent, many people need to use CentMail. However, regardless of how many other people are using CentMail, each participant gets the immediate benefit of having their causes promoted and perhaps their donations matched. In terms of spam deterrence with partial adoption, CentMail's guarantee -- that the sender paid at least one cent per recipient -- is diluted but still meaningful.
Again, the vast majority of users who already make charitable contributions incur no additional monetary expense. Furthermore, there is also no significant computational expense (e.g., spent CPU cycles) or significant human expense (e.g., time spent solving CAPTCHAs). The system does require users to open a CentMail account and, in some cases, to install a simple application. With support from large email providers (e.g., Yahoo!, Google and Microsoft), however, this barrier to entry can be significantly reduced.
Since stamps are associated with a particular piece of content (as determined by its hash), a malicious user can only reuse a stolen stamp on identical content (see also Section 3.1 of our technical paper). This security guarantee makes it effectively useless for third parties to steal stamps since they would have no control over the content. A related scenario is when a user attempts to reuse a single legitimately obtained stamp to validate a single message sent to thousands of people. This is in fact considered to be acceptable behavior from the perspective of CentMail, similar to the use of blind carbon copy (bcc) for emails. Recipients are informed, however, of the number of times a message has been verified, alerting them to down-weight the value of a donation appropriately.
We suspect that any long-term solution to spam will continue relying in part on domain and content-based filtering. In particular, organizations with a history of legitimate bulk mailings that verify their identities (e.g., via DomainKeys) can be whitelisted and avoid using CentMail altogether. CentMail is tailored for instances when individuals -- not organizations -- send messages to recipients for the first time. This type of correspondence is particularly hard to classify as spam or ham (i.e., legitimate email) via traditional methods.
Furthermore, CentMail would not pose any barrier to as-yet-unestablished bulk senders unless it were so ubiquitous that recipients commonly rejected unstamped messages from non-whitelisted senders. See Questions 26 and 27 for more on the case of legitimate senders who cannot afford sufficient donations.
When making sufficiently large donations is not an issue, the protocol accommodates bulk senders by allowing arbitrary postage amounts on a stamp. That way, when sending a single message to many recipients, the sender would attach a stamp with higher postage. Each recipient, when verifying the stamp, would divide the amount by the number of queries to determine the amount donated per recipient and decide whether that amount is high enough to be considered legitimate. For example, if you get a dollar's postage then the first 100 recipients will see a per-recipient postage of at least one cent. The rest would, if using one cent as a threshold, reject it as spam. This distinguishes spammers from legitimate bulk mail senders if we take as a definition of a spammer someone with sufficiently low value per recipient.
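The stamp scheme described in the answers above (a keyed hash over the message, a per-stamp query count, and the amount-divided-by-queries check), as an added example that is not CentMail's published API or code. HMAC-SHA256 stands in for the unspecified keyed hash, and `ToyStampServer`, `recipient_accepts`, the account name, the key and the messages are all hypothetical, constructed for illustration.

```python
import hashlib
import hmac

def message_digest(sender, body):
    # The sender address is hashed with the body, so a remailed copy needs a new stamp.
    return hashlib.sha256(sender.encode() + b"\x00" + body.encode()).digest()

class ToyStampServer:
    """Hypothetical in-memory stand-in for the stamp server."""
    def __init__(self):
        self._keys = {}    # account -> secret key issued to the user
        self._ledger = {}  # stamp -> [amount_cents, queries]

    def register(self, account, key):
        self._keys[account] = key

    def _mac(self, account, sender, body):
        digest = message_digest(sender, body)
        return hmac.new(self._keys[account], digest, hashlib.sha256).hexdigest()

    def issue(self, account, sender, body, amount_cents=1):
        stamp = (account, self._mac(account, sender, body))
        self._ledger[stamp] = [amount_cents, 0]
        return stamp

    def verify(self, stamp, sender, body):
        """Return (amount_cents, queries), or None if the stamp does not cover this content."""
        account, mac = stamp
        if stamp not in self._ledger:
            return None
        if not hmac.compare_digest(self._mac(account, sender, body), mac):
            return None  # stamp lifted onto different content or a different sender
        entry = self._ledger[stamp]
        entry[1] += 1  # every successful recipient query is counted
        return entry[0], entry[1]

def recipient_accepts(server, stamp, sender, body, threshold_cents=1):
    result = server.verify(stamp, sender, body)
    if result is None:
        return False
    amount, queries = result
    return amount >= threshold_cents * queries  # amount / queries >= threshold

def demo():
    server = ToyStampServer()
    server.register("alice", b"constructed-demo-key")
    sender, body = "alice@example.org", "Fundraiser on Friday"
    stamp = server.issue("alice", sender, body, amount_cents=100)
    accepted = [recipient_accepts(server, stamp, sender, body) for _ in range(101)]
    stolen = recipient_accepts(server, stamp, sender, "Different content")
    remailed = recipient_accepts(server, stamp, "mallory@example.net", body)
    return accepted, stolen, remailed
```

With a dollar of postage, the first 100 queries pass the one-cent threshold and the 101st does not; the same stamp attached to other content or another sender address fails verification outright.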
Mailing lists traditionally pose difficulties for economic approaches to reducing spam, as a sender's message to the mailing list address is redirected to the (potentially large) set of subscribers. While CentMail encounters some difficulty in dealing with mailing lists, a simple solution exists via whitelists. Although one could ask that either the original sender or the operator of the mailing list incur a relatively large fee to cover the number of subscribed users, we instead recommend that users whitelist relevant mailing lists to deal with this issue. Recent work on improving the management and usability of whitelists [1] has confirmed that this is an effective strategy.
Not at all. CentMail has correctly informed those 100 recipients that they were one of at most 100 CentMail users to receive the message. We take as a definition of a legitimate message one for which the sender paid at least one cent per actual recipient. Whether there were millions of attempted recipients is irrelevant. And in fact the would-be spammer would not attempt to send to more than the initial 100 since it wouldn't work.
A virus that infects a user's computer could deplete that user's CentMail account by sending out emails on their behalf. In this case, however, three factors mitigate the potential damage: (1) An increase in the number of stamps requested by a user would alert CentMail to a potential security issue, and the user could then be alerted to a possible infection; (2) since stamp proceeds are donated, stolen stamps amount to the user donating more money through CentMail than they had intended -- while still not ideal, this is perhaps a better scenario than money being lost outright; and (3) if one's computer is infected with a virus, the monetary loss of CentMail stamps -- on the order of $5-$10 -- is likely not the primary concern given the costs associated with corrupted data and other threats associated with viruses.
We're not proposing to eliminate Hashcash. Any viable solution to spam will likely draw on myriad techniques. That said, we believe CentMail is intrinsically more socially efficient in the sense that nothing (e.g., CPU cycles) is wasted.
Using CentMail does not require making a decision every time you send an email about whether or not to donate a penny. In contrast, users make upfront donations (typically $5-$10) that often amount to enough stamps to last several months or even years.
By analogy, postage stamps on paper mail are generally not considered an infringement on free speech. More to the point, CentMail is coercion-free. Senders choose to attach stamps proving they made charitable donations and recipients choose to read those messages based on any criteria they like, including potentially the existence of a stamp. See also Question 26.
If the message is remailed, then a new stamp is required since the sender's address is included in the message hash. On the other hand, if the message is bounced (i.e., the header -- including the sender address -- and message body remain unchanged), then a new stamp is not required. This latter scenario is akin to use of blind carbon copy (bcc). See also Question 12.
It is true that CentMail is giving the recipient a clue about the number of other recipients. If the sender wishes to fully conceal that information they should not stamp the message. Indeed, much of the point of stamping a message is to prove to the recipient that the message was not sent to them indiscriminately.
In addition to implementing CentMail ourselves (centmail.net), we are publishing the API as an open standard (see the appendix of our technical paper). We welcome other organizations to implement it and provide the service as well.
DomainKeys was adopted by Google and Yahoo! because of its promise to curb spam in the long run if it became a standard. We expect they have no less incentive to adopt CentMail.
Most corporate email is internal and need not be certified. However, even if employees send ten thousand emails per year, they need only one hundred dollars worth of stamps. Large companies often already donate that much per employee.
This depends on how many people are stamping their mail. If stamping were universal then stamp verification would likely become the primary spam filtering attribute. At the other extreme, with very few CentMail users, there's little incentive. Somewhere in between is a threshold. Since senders have an independent reason to use CentMail (to promote their charities) it remains to be seen whether that motivates enough early adoption to cross that threshold. See [2] for a recent survey of the cost of false positives.
CentMail does not shut out users who send unstamped email. Especially at first, CentMail's spam-fighting value will be in avoiding false positives. Sending unstamped mail just means forfeiting that protection against your message being falsely labeled as spam. Only when CentMail becomes so popular that a lack of a stamp is strong evidence of spam is there pressure to stamp all mail.
It is true that CentMail stamps are "free" only when users already intended to make charitable donations, and in fact CentMail may be prohibitively expensive for users in poorer countries. CentMail, however, does not shut out users who leave their messages unstamped (see Question 26), and we imagine CentMail to work in conjunction with myriad other spam fighting tools and techniques. In particular, CentMail eases the transition to alternative economic approaches, such as sender-posted bonds [3], which ultimately may be better suited for poorer users, but which initially lack the appropriate adoption incentives.
In the standard CentMail protocol (described in Section 2.1 of our technical paper) malicious users could in theory sniff a network and verify messages not intended for them, giving the impression that a legitimate user was trying to send spam. Although we believe this type of attack on the system is unlikely, Section 3.1 describes a modified protocol that closes this loophole by requiring senders to specify the intended recipients.
It is paramount that CentMail participants pre-pay for stamps, and do not in effect steal stamps by defaulting on their financial commitments. To a large extent, this situation is avoidable through no-refund policies and enforcing waiting periods to confirm that donations are in fact processed and debited from users' accounts.
Users receive stamps in exchange for donations to charitable organizations of their choice. Here, care must be taken to guarantee that spammers are not simply funneling payments to a "charitable" organization which they ultimately control. To address this problem, we restrict donations to known reputable organizations which, for example, have been given a Charity Seal from the Better Business Bureau Wise Giving Alliance (bbb.org/charity) or granted non-profit tax status by the U.S. government.
For those who make charitable donations, CentMail stamps are effectively free up to the amount of their donations. This creates the possibility of a black market for stamps in which users resell their stamps for potentially far less than their face value. While not inconceivable, this scenario seems implausible since the seller would still be associated with any stamps he sold (i.e., the stamps are traceable to the seller, regardless of who actually sends the message).
That is a more serious problem for economic approaches that pay the recipients of spam. CentMail minimizes this concern by leaving the choice of charity to the senders.
Zombie networks typically rely on being able to compromise computers undetected, to relay spam as a background process. With CentMail they would have to not only execute code on their host machines but steal users' CentMail credentials and deplete their balances. This type of attack is harder for spammers and, since CentMail generates an audit trail of stamp requests, more easily detectable. See also Question 16.
REFERENCES
[1] D. Erickson, M. Casado, and N. McKeown. The Effectiveness of Whitelisting: a User-Study. Fifth Conference on Email and Anti-Spam, 2008.
[2] Ferris Research. The Cost of Spam False Positives. http://www.ferris.com/2003/08/14/the-cost-of-spam-false-positives, 2003.
[3] T. C. Loder, M. W. V. Alstyne, and R. Walsh. An economic response to unsolicited communication. Advances in Economic Analysis & Policy, 6(1), 2006.