STAMP: Toward Reclaiming Email Address Privacy

Email has grown into one of the dominant forms of communication in the 21st century. However, email systems were designed without security in mind, thus allowing attackers to abuse the system and send unsolicited email (or spam). The problem of spam has become so severe that recent studies [1], [2] report that over 90% of the emails sent in 2007 were spam, resulting in productivity losses amounting to over $20 billion annually [3]. The negative impact of spam is also amplified by its use in identity theft [4]. Not surprisingly, there has been significant effort during the last few years to develop and deploy solutions to prevent, detect, and filter out spam. Most current solutions to spam center on content-based filtering (e.g., SpamAssassin [5]), behavioral-based filtering [6], or domain blacklisting approaches, all of which are inaccurate and slow to adapt to the changing face of spam. Methods such as user/domain authentication (e.g., PGP [7], IBE-email [8], and DKIM [9]) and email address obfuscation [10], [11], [12] raise the bar for the attacker but offer only a limited protection against spam. Moreover, these schemes do not provide accountability of email address leakage, which would allow a user to know which untrustworthy parties divulged his address. We propose STAMP, the Solicitation Token Authenticated Mail Protocol, as a server-side solution to filter unsolicited mail from ever reaching the end-user’s inbox, as well as allowing the user to revoke inbox access from solicited parties who prove to be untrustworthy with their email access. STAMP employs distributed access control, making use of transitive trust to reduce email solicitation overhead and allow the user’s address book to grow organically through trusted entities. We implement a prototype of our scheme as an extensible mail filter plug-in for an industry standard mail server and compare performance against a popular content-based filter.