There are several competing approaches to spam blocking, but only one of these works reliably. We call it "Identity-Based Challenge/Response." What this really means is treating your email inbox the same way you treat the front door of your house. For me to come in, you have to know who I am and what I want. Unless you have answers to those questions, the door stays shut. And even when you have the answers, you still may decide not to let me in. In either case, it should be your choice.
This discussion starts with a basic premise – that you have the right to manage your privacy, to admit to your personal space only those whom you know and trust. All systems aimed at helping you do so, whether involving your email, your telephone (i.e., caller ID) or your actual front door, either constitute attempts to answer the most basic privacy management questions – "Who are you? What do you want? – or are proxies for them, attempts to guess at the answers and help you make the right decision.
Our message is simple – real information is always better than guesswork. Identity-Based Challenge/Response is the only method of email management that will reliably free you from unwanted email and give you the tools to make sure you do not miss any mail you want. Properly implemented, it is both reliable and free from obsolescence. And the more people who use it, the better it works.
The "Identity-Based" portion of this methodology is simple and non-controversial. Any system that processes email based on identity is principally interested with the specific identity of the sender (not the network or server from which the sender’s message was sent, which is how most current spam filters work). This method works because it is far easier to decide whether email is legitimate and wanted if you know who sent it than if you only have an approximation of this information, such as the identity of the server from which the message originated.
In the real world, the sender’s email address is used as a proxy for the sender’s actual identity. This has proven to be a perfectly effective proxy. Smart identity-based programs pre-approve senders by building a list of people the user presumably wants to hear from (i.e., those in the user’s address book) and adding addressees on any future email. The principal is that if I send you mail, it is reasonable to assume that I am interested in getting mail from you as well. Of course, smart programs also let you change who is pre-approved. You may decide in the future that you do not want mail from me and need to have the ability to take me off your approved list. The "Challenge/Response" part of this software model is far more controversial. The reasons for this controversy are not entirely clear, but it is clear that a portion of the technology community believes that sending out challenge messages is wrong. The objections appear to be driven in part by a belief that it is somehow wrong for senders to be asked to identify themselves, and in part by a belief that a large number of challenge messages will be bad for the Internet.
We believe these objections are simply wrong. In fact, we believe that within three to five years, it will be standard, accepted practice in all email environments for senders to expect to identify themselves before their mail is accepted by a recipient by whom they are not known. Ask yourself how many people you know whose homes you would be comfortable entering without knocking, announcing yourself and being invited in. We believe that the social norm that we all apply to our front doors today will soon be applied to our email inboxes as well.
The reason for this is simple: It works. It is relatively easy for an email program to allow into the inbox messages from email addresses that are on a whitelist. The hard part is figuring out what to do with the rest of the incoming email. The most obvious answer is to ask who the sender is and what he or she wants.
