Lawsuits Against Spammers

apc writes "Pretty good overview of the state of the law regarding spammers, and some stories about people who have sued them and won. Nice to see the topic getting mainstream attention." It talks about several different states and several different people who have won cases. I still think its fairly hopeless, but I also believe forging SMTP headers should be legally punishable by castration.

Technical / Social solution please

[Tom7]

Instead of encouraging litigation, why don't we develop (easy) and attempt to gain acceptance (harder) of an authenticated e-mail format?

I would much rather see technical (or social) solutions to the spam problem... laws have a funny way of not going in our favor, don't they?

Re:Technical / Social solution please

[hogsback]

Is there a technical solution?

Isn't the only advantage of an authenticated email format that the recipient can easily find out who the sender really is?

Knowing who the sender is doesn't prevent spam being sent from spam friendly servers abroad.

If the spam is sent from within your own country, this makes using the law against the perpetrator easier, it doesn't remove the need for the law.

Spam is an abuse of the email sysem. The collective opinion is that some characteristics of the emails are bad - otherwise there isn't much to distinguish it from legitimate mail. Because it is a social problem, laws are needed to combat it.
Spam is behaviour that we can't stop, therefore we need laws to discourage it.

Re:Technical / Social solution please

[Deagol]

Just because we won't use the law, it doesn't mean they won't. I suspect that any truly effective technical solution will meet the same fate as ORBS and MAPS with lawsuits.

Re:Technical / Social solution please

[garett_spencley]

I completely agree. I relate SMTP to TCP/IP. It's very simple which is why it caught on but it just doesn't live up to today's standards.

All of this litigation, while a worthwhile cause, is like security through obscurity. While it may be a deterrent for some people, lots will do it anyway.

So what we need is a new e-mail protocol that will make forgeing at least non-trivial but attempt to make it 100% impossible.

Ideally it would even be backwards compatible with SMTP so that older e-mail clients would work with newer servers.

--
Garett

Re:Technical / Social solution please

[weave]

laws have a funny way of not going in our favor, don't they?

Agreed, but on the flip side, I'd certainly like to see a law that says any ISP, employer, or individual has a right to block any e-mails that they do not wish to receive. Spammers sometimes throw out empty threats like "I'm going to sue you for blocking interstate commerce" or some crap. Look at what happend to the various voluntary black hole lists. At a lot of companies, if anyone even mentions a lawsuit, whether serious or not, the sys admin must stop all communications and immediately notify corporate legal. Then they start asking lots of questions and start poking around in the operation.

Basically, affirm my right (as provider or customer) to block unwanted e-mail, and then technical solutions are possible...

Re:Technical / Social solution please

Preventing forging doesn't prevent spam.

Re:Technical / Social solution please

[smack_attack]

No, it just increases accountability.

Personally I think we should be forwarding our spam to our elected representatives with full headers. Then again most representatives don't even read their own email.

Re:Technical / Social solution please

[garett_spencley]

You're right but it would take away spammer's anonimity.

To further this the new protocol would also have to be better at authenticating as the parent poster said. But this can already be implemented to an extent with our current protocol by denying access to SMTP services from anyone who's host does not belong to certain domains.

That still won't elliminate spam all together since many companies spam using their own servers. But at least if you force spammers to do it in the open then at least you can prove that they were the ones who spammed you and can charge them with fraud, false advertising, sexual harrasment (if the add contains sexual material) etc.

It will reduce spam considerably and probably make it a lot less "annoying" since the adds will be more up to par with junk mail. It will still be a problem but it won't be nearly as big of one and then we can use the litigation to regulate it and if there is a God elliminate it :O)

--
Garett

Re:Technical / Social solution please

[jcr]

You're right but it would take away spammer's anonimity.

I've seen proposals for adding "postage" to e-mail, which in the normal course of things would be refunded.

So, if someone I don't know sends me a message, it would come with a dime or so of digital coinage attached, which my mail client would authenticate and cash in *before* I ever saw the message. If the message was spam, I'd keep the money. If it wasn't spam, I'd automatically refund the dime to the sender.

Of course, I could also set up a white list of addresses from which I'd accept messages without payment. (Zero payment, actually)

-jcr

Re:Technical / Social solution please

[kiwipeso]

As a New Zealander, I can state that Spam is definately in violation of all but the 8th part of the Privacy Actt 1993 (NZ)
Australians have a simular Act, but I'm not sure if it covers the same things.

Re:Technical / Social solution please

[Jay+L]

I thought a lot about stamped e-mail in a previous life as a mail systems developer. Our VP of development was really hot on the idea, since it would solve both the authentication problem and the no-incentive-for-targeting problem. You wouldn't even have to make it backwards-compatible; just create a new tier of "first-class" e-mail. Two big problems though:

1. Technical: It would be very, very expensive to process e-mail stamped with some form of digital cash. You're adding lots of crypto calculations, database lookups, and some sort of synchronization scheme that scales up to whole-Internet level. Large sites would likely have to have crypto plug-in hardware to do this at all efficiently.

2. Political: You'd have to get a significant number of ISPs on board, and these days most spam is NOT sent directly through the big ISP mail servers anyway.

It's a neat concept but there are too many problems. It ended up not being worth it.

Re:Technical / Social solution please

[grammar+nazi]

...but I also believe forging SMTP headers should be legally punishable by castration.

The grammar nazi believes that poor grammar by an editor should be punishable by castration.

Re:Technical / Social solution please

[BitterOak]

You're right but it would take away spammer's anonimity.

It would also take away everyone else's anonymity. Given the number of people who get sued by corporations for telling truthful but disparaging things, and given the number of "whistle blowers" who end up out of a job, or worse, do you really think that we should give up the ability to send anonymous e-mail just to avoid the inconvenience of junk mail? I sure don't.

Re:Technical / Social solution please

[Wonderkid]

We at http://www.oNumber.net are working on just such a system. Incidentally, ICQ has a form of authehtication system, but judging by the number of 'spam' ICE messages I get, it doesn't always work. Ideally, authenticated e-mail should be standard. When we (O'WONDER) introduce such a system to oNumber.net, we'll announce it here so you guys can comment. Our motives are good. History will be the judge of course.

Re:Technical / Social solution please

I use Authd :) Authd

Re:Technical / Social solution please

[hey]

Why not just refuse to accept mail that isn't PGP-signed?

Re:Technical / Social solution please

[Happy+go+Lucky]

Why not just refuse to accept mail that isn't PGP-signed?

At least 80% of the securityfocus.com mailing list traffic is unsigned. So is the EFF newsletter. So are most of the other lists out there.

When you have people come into your home without permission (spammers), you have a problem no matter what spam-apologists say. However, when you require all of your visitors to wear photo-ID badges, you don't get too many visitors. Even the people you want to have visiting aren't as likely to do it.

Re:Technical / Social solution please

Isn't the only advantage of an authenticated email format that the recipient can easily find out who the sender really is?

That looks good enough to me. The idea is not necessarily to "find" the sender, but to have his REAL name/birthplace/etc (whatever is necessary to uniquely pinpoint a human being). Then it is up to you do decide if you sue/block future emails/make sure you never hire that person.

Re:Technical / Social solution please

[Darren+Winsper]

IIRC ICQ's authentication is client-side, leading to all sorts of hacks, and many open source clients can simply ignore the refusal of permission to add someone to their contact list.

Jabber's authentication is server-side, so if I sent a message to joe@jabber.org it would be refused unless he had already given me permission.

Re:Technical / Social solution please

[zerocool^]

You can change your sendmail.cf to disalow sending of messages that have the from field indicated with the -f tag (i.e. a manually specified "from"), and you can set up your spam filters to disalow any mail that has a from field set with a -f tag.

Also, you can stop bounces from happening by editing your deliminators in the Scheck_rcpt section of sendmail.cf so that R$* @ $* @ $* returns an error code. Anything that is "someone colon at someplace at someplace.com" bounces thru your sendmail and gets sent, looking like it came from you.

I was gonna post a good clip of my sendmail.cf file here, but the lameness filter got it first - so here's a link: sendmail.txt. Just don't pound the server too hard, the load balencing's a little off.

~z

Re:Technical / Social solution please

[nomadic]

Most of the whistleblowers seem to prefer posting on bulletin boards; don't think that would be threatened by this.

Re:Technical / Social solution please

[anthony_dipierro]

It would also take away everyone else's anonymity.

I can't see any reason why someone would want to receive unsolicited anonymous email. If they are soliciting the anonymous mail they can allow that key. If someone wants to receive unsolicited anonymous mail, then they can't block spam at the same time.

Re:Technical / Social solution please

And do all spammers and forgers set the -f flag?

Re:Technical / Social solution please

[Electrum]

Is there a technical solution?

Spam is an abuse of the email sysem. The collective opinion is that some characteristics of the emails are bad - otherwise there isn't much to distinguish it from legitimate mail. Because it is a social problem, laws are needed to combat it.

D. J. Bernstein has an excellent solution to spam and many of the other problems of email: Internet Mail 2000

Essentially, with IM2000, mail is stored on the sender's machine, rather than on the recipient's, much like with HTTP. Spam is still possible, but it makes it much easier to identify the sender and to block it.

Re:Technical / Social solution please

[SpacePunk]

They only want anonymity for themselves, but for nobody else. The whole anonymity on the net thing has come to bit everyone in the ass in the form of spam. The script kiddies you usually see here on slashdot that want their anonymity, their pirated music, etc... dont' realize that anonymity is an all or nothing thing.

-

Re:Technical / Social solution please

[zerocool^]

no, but it's a start. if the spammers are the ones running the sendmail, then it won't do any good, because they'll just not enable that, but if someone on your network is sending spam, you can note it and stop it.

And no, not everyone sets the from with the -f flag. however, it is one of the ear marks of a spam message - the fact that the from address doesn't exist or is just wrong

~z

Re:Technical / Social solution please

[mpe]

Is there a technical solution?

A technical solution which would make spamming far more expsnsive to the spammer would be the complete elimination of third party relaying. (Including ISP provided third party relays.)
This also makes the source of any spam which is still around a lot easier to identify.(especially if use of dynamically assigned IP addresses is minimised.)
IMHO methods such as forcing the use of third party relays perpetuates many problems. Especially where ISPs have no way of verifying the identity of their customers...

Re:Technical / Social solution please

[DecimalThree]

I agree. I have a feeling laws regarding SMTP headers would also have a negative impact on the ability to send anonymous email.

Re:Technical / Social solution please

[Sodium+Attack]

A legal solution is nothing more than a formalized social solution. Why the animosity towards a legal solution? True, laws can be abused, but so can unwritten, informal social solutions.

A technical solution simply encourages a "[technical] might makes right" attitude. Which may be fine for many /.ers, but hardly suits your average user.

Re:Technical / Social solution please

I just had a Hogs Back T.E.A. 4.2% at the "Gallows Bird", a public house in Espoo (near Helsinki), Finland, Real Ale festival last weekend. It was far far tastier than spam.
(there you go - I'm on topic!)

Me.

Re:Technical / Social solution please

[Hater's+Leaving,+The]

Dan's system is more of a revolution rather than an evolution.

Computer users tend to evolve, so despite it being a smart potential solution it will almost certainly never happen, which is a shame. Of course, there's nothing to stop people actually running the system for fun, and just see if it ever grows (so I'd have SMTP for one job, but use IM2000 or whatever to converse with fellow geeks.)
IRC started that way, for example (as did most things).

Phil

Re:Technical / Social solution please

[maxpublic]

Laws are needed to combat it? Sure, right; and who is going to enforce the same law for all 300+ countries in the world? In case you haven't noticed there are always a good chunk of nations willing to ignore their larger First-World neighbors in order to make a buck, like the good capitalists they are.

Laws will never work. Anyone with half a brain can see this - unless you honestly believe that you can actually get anti-spam laws passed in every single country in the world. *Effective* anti-spam laws. If so, I laugh in your general direction.

Max

Re:Technical / Social solution please

[Lobsang]

I was receiving an average of 15 spam mails A DAY! It was extremely annoying. I wrote myself a tool to authenticate (i.e. send an email back) to everyone that sends me an email and is unknown to me. The system is working pretty fine (after a lot of changes and refinements). If you want to check it, go to http://www.paganini.net/ask.
This solution is far from being perfect, but is being an acceptable workaround for my problem.

I hope it helps in any way.

Re:Technical / Social solution please

[Tom7]

I have animosity towards legal solutions because they violate the spirit of the internet. Wasn't it just a few days ago that we were discussing on slashdot the imposition of one country's (often stupid) laws on another via the internet?

It would seem to me that a technical solution would be more effective, and also would retain the most freedoms.

Re:Technical / Social solution please

[Sodium+Attack]

I have animosity towards legal solutions because they violate the spirit of the internet.

And just what is the "spirit of the internet"? Anarchy? Or rule by some technical standards body which the average person has absolutely no say in?

It would seem to me that a technical solution would be more effective.

I don't have any objection to a technical solution as long as it is transparent, or nearly so, to the average user. All too many proposed technical solutions require skill far beyond that of the average user--particularly here on /. where it is easy to forget that the skills of the average /. reader are far beyond that of most users.

Re:Technical / Social solution please

[jo42]

So a spammer signs their spam with a valid PGP signature.

Cool site

[Dark+Legend]

Reminds me of that cool site where U can set the SMTP headers and send anonymous mail to freak ppl out, mischiefmail.com methinks..

Re:Cool site

[hogsback]

Some British Telecom phoneboxes now contain phones with screen and keyboards instead of a regular phone.

For 20p, you can send an email and specify any 'from' address you like. IIRC, 20p buys you 7 minutes of typing time.

It appends a signature saying the message was sent from a phone. It's still 100% anonymous though (unless you happen to be caught on one of the ubiquitous security CCTV cameras sending the mail and this can be cross-referenced against BT's logs)

Re:Cool site

[Dark+Legend]

I have seen these around and about, never used one yet tho, sounds like a cool idea. Now all we need to do is get BT to change every box in the country to an Internet box and Blairs UK Online vision can become a reality! Cheaper than a laptop and an acoustic coupler in a regular phonebox.
BTW are these the ones with a glass touchscreen or the ones with the Metal KB? Cos i have seen both, but IIRC the touchscreen ones allow you to surf the web too.

Re:Cool site

[hogsback]

I've used the one with the metal keyboard.

PITA to use because the keyboard is mounted too vertically. I'm average height and build, but I had to crouch to type.

Re:Cool site

[sirsnork]

While this sounds cool. Why? If you need to go to a phonebooth to send an email what are you going to use as a return address. Presumably if you had access to the internet you would also have acces to email of some kind, and if you didn't have access to the net you wouldn't have a return address and they couldn't reply.

"should be punishable by castration"

[Stone+Rhino]

And I assuming the removed body parts would be affixed to the male spammers female coworkers?

Re:"should be punishable by castration"

[Stone+Rhino]

there are female spammers you know, so this can't be universal.

Re:"should be punishable by castration"

Why are you arguing with yourself? Trying a bit of Karma Whoring perhaps? It failed.

Re:"should be punishable by castration"

no, its just that the idiot moderators don't get my jokes and mod me down for it

Re:"should be punishable by castration"

...or perhaps you aren't funny.

Double standard

Why are lawsuits against spammers (and castration!!) fantastic but against open source guys -- like the GAIM author sued by AIM-owner AOL -- terrible. You can't have it both ways. Either the law applies on the net or it doesn't.

Personally, I'd prefer no laws -- even for spammers.

Re:Double standard

[CaptainSuperBoy]

Well, AOL had a trademark complaint about GAIM. This has absolutely nothing to do with spam - what are you saying? If you're against one lawsuit, you shouldn't support any laws whatsoever? I guess you disagree with some trademark laws, so you believe that we should live in anarchy because SOME laws are bad.

Re:Double standard

[smack_attack]

The laws aren't the only problem, it's the selective enforcement that bothers most people.

Re:Double standard

[fotoLilith]

Personally I favor taking the spammers out to the woods and beating them with socks filled with 8balls, then sticking the fleas of a thousand bloody camels in their arses. But I suppose that is just too "Home-grown George W. Justice" for some. ;-) But yeah, spammers spend a few pennies (if that) per email address, so if they send out thousands (yeah, that's a foreign concept. ;-) ), and a few test-tube babies fall for the ploy, they profit. But, as for lawsuits: how many LEGAL businesses truly utilize this method to reach the public?

Castration?

[frostgiant]

"but I also believe forging SMTP headers should be legally punishable by castration"

I also believe publishing laugable stories about an "XBox emulator" without actually testing it first should be punishable by castration.

Re:Castration?

[damiam]

But what if you're a female spammer/editor?

Re:Castration?

Main Entry: cas.trate
Pronunciation: 'kas-"trAt
Function: transitive verb
Etymology: Latin castratus, past participle of castrare; akin to Greek keazein to split, Sanskrit sasati he slaughters
Date: 1609
Inflected Form(s): cas.trat.ed; cas.trat.ing
1 a : to deprive of the testes : GELD b : to deprive of the ovaries : SPAY

Re:Castration?

[mESSDan]

Hmm, considering that this is a website about Linux, and that most of the editors use ONLY Linux, how would they go about testing this? Under Wine? And if it gave an error, would that have been a Wine error, or an XBox emulation error?

The story was interesting, not because it was a hoax, but because it might NOT have been a hoax.

Re:Castration?

[Dr.Dubious+DDQ]

But what if you're a female spammer/editor?

Then, in traditional US fashion, the government will pay wads of taxpayer money to send the convicted Spammerette to Sweden for a sex change operation.

Once the operation is complete and everything's operating...THEN we castrate them...

(Hey, if we worry about disinfecting equipment used to perform lethal injection....)

Re:Castration?

that most of the editors use ONLY Linux

Do really believe that???

Re:Castration?

[Gannoc]

But what if you're a female spammer/editor?

Yeah, its not like Tammy and her "barely 18" horny friends are going to be intimidated by potential castration.

Once again, ./ hasn't thought the problem through.

Re:Castration?

[Skim123]

It's called Female Sexual Castration (FSC) or sometimes referred to as genital mutilation, and is performed (forcefully, no doubt) in a number of African nations.

Re:Castration?

I beat up white women with my 12" black dick.

Re:Castration?

[damiam]

Taco has at least one Windows box, as evidenced by his occasional mentions of the Windows games he likes.

Re:Castration?

1.) See the fact that it probably is a scam; very obvious.
2.) See the possibility of it holding a virus.
3.) See that if he posted the story without having it checked, many people could download a virus.
4.) See that checking would be a good idea.

Thank goodness it wasnt a virus.

Re:Castration?

[frostgiant]

If it would have been a virus... That would have been catastrophic.
Really though, the /. editors had to have a way to test it. Even if they have no Windows boxes, they could have IM'ed a close friend and asked them to test it...

Re:Castration?

Hmm, considering that this is a website about Linux,

This is NOT a website about Linux. It's not a even a website about open source software. It's a website about news for nerds.

Fuck Linux. Fuck Microsoft. Fuck Apple.

Business opportunity

[yggdrazil]

Let's hope some people see this as a business opportunity, and start a business or organization to sue on behalf of all of us who don't bother now, and collect a percentage. So that more of us can use our lawful right to make the spammers pay for their nuisance.

We could donate proceedings of successful spam litigation to open source projects or to the EFF.

Re:Business opportunity

[sirsnork]

Make that percentage 100. Do we need the money? Not really. The only problem I see is that eventually (If they were good), they would run out of spammers to sue, and so would be out of a job. And it would all start again.

What we need

[CaptainSuperBoy]

What we need is national legislation against spam. There are too many state laws that legitimize spam in one way or another. This gives every spammer a one time get out of jail free card, and does nothing for spam problem in general. New spammers pop up all the time - it doesn't make sense to 'opt out' of every new spam list you get onto.

The article makes a good point about laws that require spam to be labeled. This isn't a solution, and there are also conflicting requirements between state laws. One law requires "ADV: ADLT" on the subject header, another law requires "ADULT ADVERTISEMENT". This is a perfect example of laws being too specific - legislation has no business dictating changes to the SMTP protocol. This isn't useful either: shouldn't spam laws apply to more than SMTP? Say, ICQ spam? Internal AOL spam?

This is why we need a national spam law. No conflicts, no SMTP requirements, no opt-out. Make spam illegal, period. Spam is harassment, theft of service, and usually fraudulent. It costs ISPs millions of dollars that are passed on to YOU. Companies lose productivity because of workers receiving spam.

If you think this is any different from junk fax laws, you're kidding yourself. Spam and junk faxes both hurt the recipient. Spam is not free speech. Spam is not a constitutional right. Banning spam IS the right answer.

Re:What we need

[stefanjo]

You must remember that the internet is bigger than your country so a national law wouldnt help much (unless you pull the plug to the rest of the world). There will allways be some countries that doesnt make spam illegal.

Re:What we need

[sqlrob]

It helps more than you think. Of the services advertised, most that I get are in the US. If you make the company advertised liable, that's going to minimize the advertising.

Re:What we need

[stefanjo]

yea probably. But it wont get rid of the problem.

Re:What we need

The problem is that the typical spammer is here today, gone tomorrow. If you want to really stop spam, then you must go after the provider, be it isp or hosting or somewhere in between. Given the typical resources in such companies, the easiest course of action will be to take no risk and only allow customers with a large amount of cash or well known name. Say goodbye to getting online cheaply.

Re:What we need

[mystran]

If you American's make it national law, then spammers just move their spam business somewhere else. To do any good we would need an international agreement which in turn tends to be impossible.

Re:What we need

In addition to what's been said already, another problem with opt-out laws is this: When a spam recipient responds to an advertisement with a request to opt out, even given that the reply-to address is legitimate and the response is properly recieved, all this means is that the spam recipient will not recieve any similiar mail from the same company.

Speaking as someone who's done data entry grunt work for one of these companies, I say with some small amount of authority that none of the money my company made came from any of the zany borderline pyramid scheme advertisements we mailed out on a daily basis to thousands of unsuspecting people.

All of the real money came from selling the rather impressive mailing list databases the company built up using the names of people who had responded to their mail in the past, whether to express interest, or request removal from the list. Technically, they were being removed from our list of mailouts, but they were only added to a database of names that were sold to various other companies on a regular basis.

The only real purpose of mailing out the ripoff advertisements was to see exactly which people would respond, and thus be more susceptible to other advertisements. Even the people who responded to request removal only verified that their own name/address was correct, and thus, their names only become that much more valuable for others to purchase.

The most effective way to avoid spam, whether through junk mail or e-mail, is to simply ignore and/or delete it, and hope that eventually your name's entry will be part of a list that's too old and outdated for other companies to be interested in purchasing.

It makes me very glad I stopped working for that company over a year ago, with my integrity still intact.

Re:What we need

[a_n_d_e_r_s]

Well, all nations should have a national law making spam a crime. Those countries that do not - should not be allowed to connect to Internet.

I am peronally stopping ALL email from some countries since all I get from them are spam anyway.

By makeing laws that both the one sending spam and the corporation whose ad it is are criminals, one can stop spam from most countries.
Also it sould be a fine for each open relay mail server...

Don't you onder how snail-mail can be sent over the world to different countries - the same kind of cooperations needs to be done to stop spammer. All nations need to unite against hte spammers.

This does not stop spam completely, but it should lower it considerable. That is enough for me.

What should be done is the someone should sets up a law proposal an try and get everyone to agree on it and to sell it too all countries in the United Nations.

Re:What we need

[sqlrob]

Of course not. Will illegalizing anything get rid of it?

But the better question is, does it make the problem more manageable?

Re:What we need

[edstromp]

A national law will get you no where. Over 90% of the spam I receive doesn't originate in the United States. International law *might* get you a little somewhere, but it will never pass, and even if by some act of god did pass, it would never be enforced.

The correct technical solution is to filter your e-mail. No laws to sneak up and get us later, and we can improve the filter to our likeing at any point. I find www.spamcop.net to work wonders for my inbox. Not only does it block the unwanted mail very accuratly, but it simplifies the complain-to-the-system-admin's process.

Re:What we need

[Hunsvotti]

The thing is that spammers are usually SELLING something. That means that they have to leave a method of contact. Law enforcement can follow these leads, and then hopefully beat the bastards about the face and neck.

It's true about international spammers, though. Not sure what we can do about them.

Re:What we need

[schon]

there are also conflicting requirements between state laws. One law requires "ADV: ADLT" on the subject header, another law requires "ADULT ADVERTISEMENT".

Maybe it's just be, but I don't see a conflict here.

If the recipient is in California, you use the first one, if they're in Wisconsin, you use the second one. (The recipient can't reside in more than one state at a time.)

The way I see it, this "conflict" is a GOOD thing - as it slows the rate of spam (spammers have to take "care", instead of blasting hundreds of thousands of identical emails.) Once they get bitten a couple of times, they're likely to say "screw it, I'll go back to working at the 7-11"

Re:What we need

[fishebulb]

looking through my spam, there is no way to contact the vast majority of them. they hid themselves so well, that i couldnt buy their product if i wanted to ;)

Re:What we need

[q-soe]

Actually i can tell you from the spam i have followed up and complained about 90% of our spam (my company) - comes from the US and the overwhleming majority comes from 3 ISP's

AT&T
Worldcom
@ home (used to be but replaced now by)
earthlink

oh and of course there are a lot from yahoo, hotmail etc.

Now that might just mean it's routed thru the US so im not neccesarily attacking that country

Re:What we need

[mpe]

What we need is national legislation against spam. There are too many state laws that legitimize spam in one way or another. This gives every spammer a one time get out of jail free card, and does nothing for spam problem in general. New spammers pop up all the time - it doesn't make sense to 'opt out' of every new spam list you get onto.

Actually you need a treaty, since spammers enguage in their behaviour worldwide. Though it is surprising that the US federal government hasn't passed any relevent legislation. Maybe because it would require actually following the US constitution rather than attempting to subvert/rewrite it :)

Re:What we need

[budgenator]

The most effective way to avoid spam, whether through junk mail or e-mail, is to simply ignore and/or delete it,
I would like a client that deletes the spam without having to download it;Maybe just down load the header's, does the POP3 protocal allow this?
As far as confirming the address something like this;
<img src=evilspam.nul/image/onebit.gif?spamvictem@examp le.com >
makes an entry in the server logs confirming the Email address if html is enabled in the client.

My brother's employer out-sourced their Email to an other company, that company considered have Email's funneled through their NT box by a solaris box running 30 instances of sendmail over a T1 line a deinal-of-service attack.

Re:What we need

[ahodgson]

This is so dumb it's unbelievable. What makes you think an International treaty on the Internet would only include spam?

It would certainly legislate adult materials.

It would try to impose DMCA-type restrictions on all published material anywhere in the world.

It would probably impose draconian (ie. UK-style) libel restrictions on all published material anywhere in the world.

It would probably explicitly permit any country that wants to get you to force your local government to help them out.

Fight spam yourself. Don't expect your government to help you, because they don't work for you, they work for their paymasters. And for pity's sake don't expect the UN, EU or world trade consortium to help you, because they don't want to help you, they want to control you.

Castration?

[the+bluebrain]

...ouch! I mean, who, having come across RFC 821, hasn't thought to themselves "woo ... spoofable ... cool", and tried it out?
I foresee the end of silicon valley, within a generation, at a tender age, if such legislation were passed.

...how about caning?

Check out my latest piece of spam !

[J.D.+Hogg]

DEAR FRIEND !

Tired of not making enough MONEY ? HOW ABOUT $3000 PER WEEK OR MORE !
No, this is not a joke, YOU TOO CAN QUIT YOUR JOB AND MAKE THE MONEY YOU DESERVE !

HOW ?

Very recently, I have discovered that anybody on the internet receives "SPAM" emails, and that it is usuall possible to sue those "SPAMMERS". Most often, "SPAM" originates from VERY LARGE COMPANIES who have a LOT OF MONEY MOST OFTEN, and these companies don't want to lose their reputation in the "SPAM" industry, therefore they are usually willing to give plaintiffs A LOT OF MONEY to settle their claims.

I CAN ALREADY HEAR YOU SAY "HOW CAN I SUE SPAMMERS TOO AND RECEIVE A LOT OF SETTLEMENT MONEY ?" !

IF YOU SEND ME A RESPONSE AT THE EMAIL ADDRESS AT THE BOTTOM OF THIS MESSAGE, I'LL INTRODUCE YOU TO MY NEW BOOK CALLED "HOW TO SUCCESSFULLY SUE SPAMMERS AND RECEIVE A LOT OF SETTLEMENT MONEY". MY BOOK NORMALLY COSTS IN EXCESS OF $85 FROM NORMAL RETAIL CHANNELS, BUT ONLY FOR YOU, I OFFER YOU THIS INCREDIBLE MONEY-MAKING TOOL FOR ONLY $19.99 !!

DON'T PASS UP YOUR CHANCE TO MAKE THE MONEY YOU DESERVE. SEND ME A RESPONSE RIGHT NOW, OR CALL ME AT THE NUMBER BELOW.

THANK YOU DEAR FRIEND !

email: SUCKER_RESPONSE@HOTMAIL.COM
phone: 1-800-YOU-SUCK

**********

THIS IS A ONE-TIME EMAIL, YOU DO NOT NEED TO DO ANYTHING IF YOU DO NOT WISH TO RECEIVE ANYMORE INFORMATION ABOUT THIS INCREDIBLE OFFER.

Re:Check out my latest piece of spam !

dammit. you beat me to it

Re:Check out my latest piece of spam !

no, i beat you to death

Re:Check out my latest piece of spam !

[InterruptDescriptorT]

I didn't believe it for a minute. The grammar and spelling are too good for it to be legitimate. :-)

---
Some say Netware is just like a wheel/ When you abend it, you can't mend it

Re:Check out my latest piece of spam !

i tried the phone number and i get some phone sex service. ???

The solution to spam.

[Restil]

The only reason spam is so prevalant is because there are still enough suckers out there who respond to it and buy into the schemes. We need to do one of two things. Either successfully educate the suckers so the spam becomes uneconomical, or compile a real list of suckers and find a way to convince the spammers to ONLY spam them, and not the rest of the world.

Neither of these things will happen, unfortunately.

-Restil

Re:The solution to spam.

[clark625]

Since there's a sucker born every minute, that gives plenty of "new" customers for the spammers. That's 1,440 potential suckers every single day--or 525,600 per year. And if you can get the typical $19.99 out of each of them, you can get a whopping $10,506,744 of revenue. When you look at numbers like that, you can easily see how spammers (and TV commercials) can continue to annoy the rest of the population.

The problem with having a "sucker list" is that no one ever thinks he/she is one; and would do everything possible to stay off it. It's very similar to how most people believe they have an above average IQ. Nevermind the fact that most people can't be above average. A lot of people simply don't think of themselves as suckers.

Anyways, I need to go buy that new Igia ElectoSage 8. Have you seen it? It looks absolutely amazing! I'm gonna lose lots of weight with this thing--all without getting off my butt. Schweet!

Re:The solution to spam.

[sholden]

The problem with having a "sucker list" is that no one ever thinks he/she is one; and would do everything possible to stay off it. It's very similar to how most people believe they have an above average IQ. Nevermind the fact that most people can't be above average. A lot of people simply don't think of themselves as suckers.

It depends on what you mean by average. Most uses of average refer to the mean. If that's what people are referring then it is quite possible that most people are above average. For example if there are more *very* stupid people than *very* smart people then >50% of people can be above the mean... (a world of five people with IQs of 1,7,7,7,10 would have 4 of them being above the average (which is 6.4) as an example of the example) ;)

Of course if they by average they are referring to median then your point is valid - but most people don't interprete 'average' as 'median'.

Re:The solution to spam.

then it is quite possible that most people are above average

It is possible, however it isn't true.

IQ in a large population is normally distributed (follows a bell curve) therefore the mean, median and mode are the same (IQ=100 (by definition)) and there is an equal number of people that are above average as below.

e.g.

Re:The solution to spam.

... except for the fact that IQ follows pretty close to a Gaussian distribution, except for deviations in the extreme (e.g., there are way more 180 IQs in the world than there should be).

I have always found that interesting though. 80% of people don't think that they are more attractive than average, not that they are more honest than average (I'd guess 65%, tops, on both counts), but with intelligence, every man is a closet savant and every genuinely intelligent person is a William James Sidis but for a different environment or less pr0n and other distractions. Why does practically everybody need to think that they are more intelligent than they are?

Re:The solution to spam.

[sholden]

IQ in a large population is normally distributed (follows a bell curve) therefore the mean, median and mode are the same (IQ=100 (by definition)) and there is an equal number of people that are above average as below.

That's what the psychologists/statisticians/whoever-it-is claim.

But I swear the bottom end of intelligence is over represented at my university. I'd hate to think how big the bulge at the low end would be if you included all those people who didn't get into university.

After all, how many *really* stupid people have you met? And how many *really* smart people? Lots and none by any chance?

Look at the stupidity of my argument and the fact that I'm bothering typing this as an indication of my intelligence. I got better than average marks in my courses. Hence, I am stupid and yet of above average intelligence.

Average IQ of 100, try 5...

Re:The solution to spam.

[Chris+Colohan]

It's very similar to how most people believe they have an above average IQ. Nevermind the fact that most people can't be above average.

Do you have an above average IQ? You seem to have confused "average" with "median"...

Re:The solution to spam.

the problem, of course, is that so many people are close to average (within 1 standard deviation, say). If you consider 2 SDs above the mean to be the minimum, and if that happens to be the average of all your friends, life is *very* frustrating, and it seems that almost everybody is a moron. If you consider, on the other hand, that we are apes, then even our average are pretty bloody smart. Lamenting that so many are average is a bit like lamenting that 2+2=4: silly, and cause for unending frustration.

Re:The solution to spam.

[Swaffs]

Ten million... That's just amazing! I had no idea one could make so much money spamming... Boy, spam sure makes sense now that you think about it. Thanks for all the info, I'm going to go and start spamming right now!

Re:The solution to spam.

[pmc]

Do you have an above average IQ? You seem to have confused "average" with "median"...

Since by definition IQ follows a normal distribution (with m=100 and s=15 usually - s can vary), then mode=median=mean.

So the original post was correct.

Re:The solution to spam.

Actually i agree - measuring ones IQ is a sign of arrogance and seeing as how its only done in western countries bny governments and otherwise as a sort of vanity test how can you believe it. I know my IQ and it does not mean one thing in the real world - sure i can join mensa - whoppeee as if.

And anyway does nobody see the irony of discussing intelligence and IQ on slashdot - the true home of people who have trouble seeing further in any argument that Microsoft bad linux good (and i mean ANY argument folks !)

Open source means open to any moron who comes along i sometimes think

When will help arrive?

[Methuseus]

Most of us hate spam, but there are always those stupid users that click on every email promising another money-making opportunity. If you make an authenticated-mail protocol, that means everyone needs to use it, but those people targeted by spammers are the late adopters of new tech, so I don't think it would work too well.

Re:When will help arrive?

Most of us hate bad software, but there are always those stupid users that use and download free, low quality software like Linux. If you make an alternative operating system, that means everyone needs to learn how to use it, but those people targeted by spammers are the late adopters of new tech, so I don't think it would work too well.

www.xns.org

This is why XNS (a next generation DNS replacement) needs to be adopted ASAP by the worldwide technical community. For example, here is the white paper on spam filtering. In a nutshell, if someone who is not on your acceptable email list wants to send you an email, they must first (and this is all automatically handled by the software) accept an agreement which dictates your exact privacy requirements. If it is a personal email with actual valid content, clearly they will simply accept the agreement and automatically be added to your list. On the other hand, bulk email spammers (hereafter referred to as "Dickwads") will probably not like the section talking about your fees for accepting bulk advertising. :)

Re:www.xns.org

[johnburton]

I like this.

But I can't see any reasable hope of pursuading people to replace DNS. But I suppose people won't care what kind of name lookup their email software is doing.... Hmm...

Or what about something like ICQ where you can say who you want to be able to receive communciations from. Anyone else you have to authorize before they can send you an actual message. I doubt spammers could be bothered to do this, they'd go find some other way to annoy people.

How about doing this?

Your email program looks at the headers of emails being received. If the message is from someone in your address book, or is from someone you sent an email to *recently*, or is from a recognised mailing list then you get the email.

If it does not fit any of those conditions, it must first validate the sender. To do this it sends back a message to the senders From address with instructions saying under what terms you are prepared to accept the email, and a code to send back saying that you accept those terms. Your client would then accept one, and only one message from that address to be delivered to you. If you want to accept more in future you can add them yo your local address book.
The fact that the "spammer" must explicitly accept your terms for accepting your email would give a lot more legal protection to filtering and blacklists of known spammers.

Hmm. Must think about this some, and implement something!

Re:www.xns.org

So why the heck do I need to implement XNS to do this kind of spam filtering? I have a similar system running on my home machine -- just a couple perl scripts. The scripts block incoming mail from unrecognized addresses and ask the sender to authenticate themselves as a real address.

Re:moron

he's full of shit. it would serve him right if there really was a chemical attack in chicago later on. you can be the feds would be interested in Slashdot's IP logs...

Ooh, a slashdot story on spam

[Paul+Wright]

Let me summarise:

Spam is Free Speaaech (A Troll)

No it isn't (Baittaker543)

Yes it is (Anonymous Spammer) 30 post thread snipped

No more government regulation (aynrand666) All problems have a technical solution. Just hit delete.

My webserver got RBL'd (warfire) So I've come here to cry instead of ditching my low-file ISP. Your technical solutions are no good.

I know more than you do (karmawhore23) I am cleverer than you.

Re:Ooh, a slashdot story on spam

[swb]

You forgot about this and this.

Here's a solution

How about banning spam, regardless of the label? Quibbling over labels of these kind of attacks is like arguing over whether burglars should be required to wear striped Hamburglar suits or "ROBBER" signs on their backs.

Re:Here's a solution

That's unnecessary. Burglars are already recognised by the dark pigmentation of their epidermis.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Put the ball in the court of the ISP

[smack_attack]

The simplest reasons that spammers "get away with it":

1) Forged headers (SMTP auth would alleviate)
2) ISPs turn a blind eye or aren't as responsive as they should be. Many are repeat offenders which labels them "soft" on spam prevention.

A lot of people have already commented on #1 so I'm going to skip that one.

In short, the accountability should come to the ISP, because they are the ones you inevitably allow this to happen. @Home or similar could implement a per day limit on outbound emails, same for the fre services, Yahoo! and Hotmail. There needs to be a clearinghouse for spam notification, someone who tracks spam and spammers, period. Fines should be imposed on ISPs who allow bulk email to originate from their service. Their choice should be simple: don't let spam originate from your system or face the penalty (steep fines, this could be used to fund the clearinghouse). Leniency could be worked into this, an ISP may have X number of reports per day based on the number of IPs they have. X should shrink every year.

The clearinghouse should also be audited on a yearly basis and the results made public (what ISPs spam the most/least, amount of fines paid, etc)

Re:Put the ball in the court of the ISP

[Dr.Dubious+DDQ]

2) ISPs turn a blind eye or aren't as responsive as they should be.

YES! Most times that I get spam, I trace down the headers to find the source and report the spam to the ISP hosting the address, and the spam stops.

MOST times. It took a while to get through to hinet.net about their 'tom lee designs' spammer, but even then, when I finally got through to somebody the spam was stopped.

For the last three months, I've been dealing with wads of spam from what I believe to be the same spammer due to the headers:

• They all have the same style of random-fake-hotmail.com addresses
• They all bounce through hijacked foreign servers
• They all have the same 'X-Mailer' header ('X-Mailer: Microsoft Outlook Express 5.50.4133.2400')
• They are repetitions of the same 5-8 advertisements (most for dubious semi-medical supplements e.g. 'increase your ejaculation 581%','stop hair loss', etc. on www.poxteam2001.com)
• And, of course, they ALL come from the same bank of apparently Texan addresses on prserv.net (slip.12.64.*.mis.prserv.net).

The ISP in question is AT&T Global. (mail to abuse@prserv.net ends up at postmaster@attglobal). For the last three months or so, I've diligently forwarding the messages, with headers, to abuse@prserv.net (or postmaster@attglobal.net). Until recently, they've been universally coming back with form-letters saying 'this problem has already been reported'. Sometimes the spam stops for a day or two, sometimes it doesn't.

I even looked up their contact number on whois and called THAT a few times (the only human beings there seem to be overworked and underpaid tech support people). The last few days, I've been getting my reports returned in a form letter stamped 'not our domain', as if whoever's getting my messages at AT&T Global is either 'in on it' or just doesn't want to deal with it any more (or perhaps is's just a 'new guy' who's not used to dealing with the headers, or thinks that only AT&T Global user's complaints about spam from their network should be dealt with)....

Point is, with roughly 80 spam messages from the same spammer forwarded, the spam has continued unabated, and I honestly wonder if some salesdrone at AT&T Global's Austin, Texas area POP has an 'understanding' with the spammer and has been willing to re-sign him every time he gets kicked off. Unfortunately, none of the emails I've sent to 'postmaster@attglobal.net' requesting more information about the spammer (including requests on the order of 'who do I contact to find out the proper legal procedure for obtaining the spammer's identity so that I can look into taking action myself') simply come back with more form-letters, or are unanswered...

I called them again today (after last night's two spams came back from them stamped 'not our domain') and for the first time, actually got to speak to someone in the postmaster department. She actually seemed helpful and polite, so hopefully something might finally be DONE about this spammer...

So, anyway, to get back to the point - the ISP's are the ones who have the power to do something about spammers on their network, and if they choose not to, there ought to be some sort of recourse. Small ISP's, you can complain to their upstream provider, but when you're dealing with AT&T Global?....

'scuze the verbosity of this post - this particular spammer/ISP issue has me pretty irritated at the moment...

Re:Put the ball in the court of the ISP

[BillTheKatt]

Yep, I've been getting tons of similar crap from prserv.net. I've been complaining to the ISPs for years. Most are pretty slow, some don't do crap (you hear me sprintlink???, talk about idiots running their network).
I've finally decided the law is the only way to get these people to stop sending SPAM. Technical solutions don't work, people just find ways around them. We need legislation to give SPAMMERs a reason to think twice before sending crap.
Lucky for me I live in CA. I've gotten SPAM from 2 other companies here in CA and I'm ready to take them to court just as soon as I can figure out the details of small claims court.

Re:Put the ball in the court of the ISP

[Y+B+MCSE]

1) Forged headers (SMTP auth would alleviate)
2) ISPs turn a blind eye or aren't as responsive as they should be. Many are repeat offenders which labels them "soft" on spam prevention.

Many ISPs turn a blind eye BECAUSE they can get a reputation for it. Think about it www.stupidlittleisp.com could make MORE money catering to big time spammers than it can with its normal home users. Their definitely needs to be a suit against the ISPs. If the ISPs are held accountable they will turn a vengeful (SMITE) arm on the spammers.

Re:Put the ball in the court of the ISP

I'm not quite sure if you have the same guy, but there has been a increase in the use of dialups to obscure the high-speed connections lately.

The scenario works like this:

The spammer has a high-speed circuit to somewhere. The spammer also has a bunch of throwaway dialups. While dialed in, the spammer pumps out the spam through the high speed circuit, but with the source address of the *dialup*. All the dialup has to do is route ACKs, not the main payload, so it's not that slow. Compare it to 1-way satellite internet. It works since nobody does egress filtering like they should.

So, as far as the dialup ISP is concerned, no outgoing port 25/tcp traffic is happening there. They may even have a block on those ports, and it won't matter, since the outgoing stuff is happening elsewhere.

What's more, the high-speed provider may have no idea what's going on. You'd also be hard pressed to discover exactly how it's routed as a result.

Re:Put the ball in the court of the ISP

[hogsback]

Spam is only useful to the spammer if people buy what the spam is advertising.

Instead of going after the spam, go after www.poxteam2001.com

Doesn't matter if the mail is forged, if www.poxteam2001.com is profiting from the spam, set your lawyers on them.

Re:Put the ball in the court of the ISP

[TheHawke]

Put a note onto Spamcop.net newsgroup with full headers and lets see what the wizards can come up with...
Im certain that we can get you fixed up in a jiffy..

Re:Put the ball in the court of the ISP

[BillTheKatt]

That's pretty nasty, never thought about SPAMMER's using that technique before. Pretty tricky.
What I think all ISPs should do is block outgoing SMTP on their dial-up routers for all connections. Only permit SMTP connections to their (the provider's) email server. Then they can detect mass mailings and figure out who's doing it much easier.
Maybe even a 14 day "waiting period" before accepting email on all new accounts. Enough time to verify those credit cards.

Re:Put the ball in the court of the ISP

[camusflage]

www.poxteam2001.com

Congratulations. You've met Alan Ralsky. Not one of the most prolific spammers, but definitely one of the most annoying ones.

His typical MO lately is to use asymmetrical routing, with his sites hosted on dialup connections. Through his own DNS servers which seemingly cannot be removed from the net, combined with joker.com not particularly caring that domain registration information is totally fraudulent, he's not going to be going anywhere anytime soon. The Registry of Known Spam Operators has more and more detailed info on him, including his various criminal convictions and civil judgements. This guy is a crook, flat-out.

Re:Put the ball in the court of the ISP

So that's where to send the mail to.

I had a similar problem with an ISP a year or two ago (can't remember it exactly). I had sent them my 'nastygram' several times which basically states if it's coming from your place, this is your first and only warning to remove me from your lists. Legal action will follow.

After ~10 tries to get the spam to stop I sent them a final notice saying that due to their failure to act upon my previous requests, I will be working with my ISP and my attorney to bring legal action against them.

Amazing. The next day, no more spam from them.

Oh, btw, I never did do anything but the mere thought of legal action was apparently enough.

Re:Put the ball in the court of the ISP

Way to use your +1 bonus to libel another Internet user. Were you afraid that you wouldn't get prosecuted if you posted at the default level? Moron.

The Solution: email protocol that stops spoofing i

[Tuxinatorium]

Block quoth the poster:
I still think its fairly hopeless, but I also believe forging SMTP headers should be legally punishable by castration.

There is a realistic protocol change that would make it impossible to spam without getting caught.

When the message arrives at the destination server, a confirmation packet is sent back to the alleged source with a checksum of the content of the message and a confirmation code. If the source has sent an email to the server that matches the checksum, it sends the confirmation code back to the server. If the server never recieves a reply with the confirmation code it sent out (in other words, if the alleged sender doesn't exist), it automatically deletes the email after 30 seconds. The whole cycle would last less than a second, depending on lag, so you wouldn't have to worry about losing email that you have sent unless you turn off your computer very quickly. This protocol would make it impossible to spoof IP/email addresses, etc, when sending email. Then the spammers could be tracked down easily and thrown in jail.

Jerry Cerasale can kiss my ass.

[jcr]

U.S. businesses generally oppose restrictions, equating advertising with free speech.

"If you ban me from this type of medium, you have severely limited my ability to enter into the marketplace," said Jerry Cerasale of the Direct Marketing Association.

God DAMN IT, for the LAST time, spam is not a free speech issue, it's a property rights issue. My computer is NOT a public utility for every sleazy marketing dink in the world to use at MY expense.

If Mr. Cerasleazy wants to "enter the marketplace", he can damn well pay for his advertising.

-jcr

Re:Jerry Cerasale can kiss my ass.

[damiam]

The analogy I like to use is:

You have the right to sell your product, but you do not have the right to break my window during dinner hour, climb in, come to me and interrupt my dinner to scream in my face that "MY PRODUCT WILL INCREASE YOUR EJECULATION 581%!!!!!" without even looking first to see if I'm a women.

Re:Jerry Cerasale can kiss my ass.

[bryan1945]

Damn it!!!! Why can't I have mod points right now! +5 funny

I laughed so hard I shot my (not lit yet) cigarette half across the room. (I especially like that extra 1%!)

This really is a good analogy; some days I'm embarassed to check my _work_ email, since some company must have sold my email to some spammer. Bastards.

Re:Jerry Cerasale can kiss my ass.

[Y+B+MCSE]

If Mr. Cerasleazy wants to "enter the marketplace", he can damn well pay for his advertising.

My post has no value of its own what so ever, but I could not help myself...What he said, DAMN IT!!!!

Tolls for spamming gladly accepted

Re:Jerry Cerasale can kiss my ass.

[MillionthMonkey]

The 581% figure is from an authentic spam. Haven't you gotten it before?
I remember seeing that, and commenting to a friend of mine how that was an example of a statistic with high precision and low accuracy.
My favorite spam is the one about how Fortune 500 companies are looking for losers to work from home using their computers. That and the one offering diplomas from "prestigious, non-accredited" universities. Although it stops being funny the 200th time you see it.
Also, you should stop smoking. If you need help there are many people out there selling quality stop-smoking products. Just post your email address in any public forum and they'll be in touch with you.

Re:Jerry Cerasale can kiss my ass.

[Cramer]

AMEN!

"free speech" That's funny. Advertising is neither "free speech" nor "free". One must pay for radio and tv spots, magazine and newspaper ads, newspaper inserts, billboards, sky writers, and all that junk that collects in your US Postal mailbox. Advertising has never been fucking free.

As for "free speech"... that's laugh-in-your-face stupid! Perhaps they should begin lobying to allow cig. and booze ads on TV. I'd love to see p0rn on interstate billboards as well while their at it :-)

Re:Jerry Cerasale can kiss my ass.

[Kevin+DeGraaf]

for the LAST time, spam is not a free speech issue, it's a property rights issue. My computer is NOT a public utility for every sleazy marketing dink in the world to use at MY expense.

I hate spam as much as the next guy, but this is just complete bullcrap. You are choosing to run sendmail/qmail/exim/postfix on a publically routable IP address (or you are choosing to buy service from someone who does). You can't have your cake and eat it too; the second you set up (or begin to use) a publically-accessible mail host, you are accepting mail from anyone, i.e. you have a public utility. Don't like it? Use tcpwrappers or some other access-control method. Even so, email is public. Get off it.

Re:Jerry Cerasale can kiss my ass.

[bryan1945]

I've never got the 581% email.

As for the stop smoking, my email address is bryan1945@please.spam.my.ass.com!

Re:Jerry Cerasale can kiss my ass.

[Steve+B]

You are choosing to run sendmail/qmail/exim/postfix on a publically routable IP address (or you are choosing to buy service from someone who does).

You are choosing to accept paper mail at a publically accessible postal address. Since you are not a hypocrite, I expect you to post that address here forthwith, so that we may mail you whatever unwanted trash we may happen to have on hand.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Technical solution

[jbf]

Make people send you digital cash with each email. You return it if the email isn't spam (if you don't return it for nonspam, then you're a bastard) Unfortunately, it's impossible to make this work in a back-compatible way, so...

Example protocol:

220 foo.bar.com CASHMAIL System
HELO
250 foo.bar.com Hello
MAIL FROM: spammer@mail.com
250 spammer@mail.com... Sender ok
RCPT TO: foo@bar.com
666 foo@bar.com requires payment of 20 cents
CASH: 82kd0xma893mcos0
667 foo.bar.com accepts payment of 20 cents
DATA
...

I think some work in the IETF has been done on spam prevention, but no one has even tried to standardize it.

Re:Technical solution

[cmowire]

I think a better resolution to the problem is to enforce a certain amount of purity in the mail headers.

If you are spam, you should mark your message as being such. If you are a mailing list, you should mark your message as being such.

And then we need to have a network of trust between the mail servers. Something lightweight enough that it works 90% of the time. Servers who are trusted are trusted that they will send out mail with proper headers. Servers who aren't trusted will get their mail bounced most of the time.

Thus, spam can be dropped on the floor at the option of any mail server. And server admins who don't mark spam as spam are marked as untrusted servers. At the option of the country that the mail server exists in, this can be declared as fraud.

I wrote up some notes on it on my webpage but I'm not sure how well it would really work in practice.

Re:Technical solution

[Cramer]

"Trust"? The entire internet was designed on trust and we pay the price for it every second of the day. Sure, it worked fine in the beginning when everyone could be trusted.

You want to propose a system based on trust knowing nothing anywhere can be trusted? If we could trust spammers, we wouldn't have a problem.

Trust relationships in the electronic world are difficult, bordering on impossible. Trust relationships in the physical world are also difficult and often fail. Friendship, marrage, and employement are all trust relationships. Friends betray each other. Spouses cheat. Employers screw over their employees. And employees steal from their employers.

Trust is a very dangerous thing.

Re:Technical solution

[jbf]

You should take a look at http://www.ietf.org/ID-nits.html: you're still going to need some sort of authentication to prevent spoofing, and to provide nonrepudiation so you can blacklist spammers later.

In practice, the social aspects of trust would be a pain to implement. I personally would need to get my mail server trusted by everyone else in the net? Sounds like an inverse RBL, with the same sorts of problems (maybe worse because of scalability issues)

Re:Technical solution

[cmowire]

I think that an advagato styled trust metric might work out. Your mail server would be trusted by your upstream ISP's mail server, who would create trust relationships with a selection of other ISPs, enough that the large whole of the 'net would trust them.

I think getting a signifigant percentage of the mail servers in a trust system would be much less troublesome than trying to get every mail address on the 'net in a trust system.

Re:Technical solution

[cmowire]

This is true.

However, if you maintained your list of trust properly, it could be managed.

An RBL-like group could mistrust known spammers. You could decide that you will mistrust everybody they mistrust and get rid of a chunk of spammers. A TRUSTe group could trust a large group of ISPs that manage to keep their noses clean.

Trust relationships are difficult yes, but there are successes. Most employees don't steal from their employers, for example. Most marrages don't fail because of cheating, they arrise from personality differences. And creating a trust system between mail server admins would be much easier than creating a trust system between individual people on the 'net.

I suspect the downfall of my idea is that people don't like getting a "Your mail server isn't trusted" message, so all of the mail servers will be far too trusting.

The root of the problem

[SevenTowers]

The problem isn't going to be solved by suing spammers. why? Well,
because spammers are spread out around the globe
Because spammers highjack networks to send out their bulk mail
Because a lot of spammers aren't even legit cies
Because it is too easy to spam from a bogus account, or for that matter from pretty much any email account using a bot that anybody can write.

All in all, spamming is as controllable as peer-to-peer, as long as people really want to spam, there's not much you can do against it. As long as there's money to make, people that don't have money will be tempted, and unfortunatly a lot of those people are in countries in which there is little or no legislation (not that's it's better in more developped countries)...

Suing spammers will only stop the big boys

[Skim123]

Suing spammers will only stop the likes of Flooz.com (as quoted in the linked to article) and other large sites from sending spam (i.e., eBay/Buy.com, two companies I can't seem to unsubscribe from). I don't know about you, but the vast majority of spam I get is from individuals or very small companies, at least I'd assume it is. It's usually racked with spelling errors and grammatical no-no's, and are not ads for the latest mega-eCommerce site's sales, but for Viagra, toner cartridges, incredible wealth from a home-based business, "legal" ecstacy-type drugs, penis-lengtheners, and, of course, the usual solicitations from horny 18 year old lesbian cheerleaders.

Many of these spammers send from hotmail.com or from email addresses that are not in the US. So how would I go about suing them? Even assuming that I could sue them, how could I manage to go about collecting my settlement from them?

I'm afraid suing is not the answer to ending all spam, just a small class of spam.

Re:Suing spammers will only stop the big boys

eBay/Buy.com, two companies I can't seem to unsubscribe from

If you subscribed then it isn't spam, is it?

Re:Suing spammers will only stop the big boys

[Skim123]

If you subscribed then it isn't spam, is it?

If I buy something there and am unbeknowingstly signed up to some mail list, that, IMHO, is annoying, but not spam. If, upon receiving the mailing list, I click on the little link at the bottom to unsubscribe, and am told that I have unsubscribed, but still keep getting emails, then that is spam (IMHO).

Re:Suing spammers will only stop the big boys

[Todd+Knarr]

IMHO if I subscribe to a business or purchase a product, the only e-mail I should receive is information specifically about what I subscribed to or bought. Eg., if I sign up for eBay I should by default only get information about changes to my eBay account. Anything beyond, eg. information about eBay services I didn't sign up for, is unsolicited commercial e-mail. Until the company takes over paying for my access to my e-mail, the burden's on them and it's not my responsibility to track down and decline everything they'd like to send me.

At least this spam story is better than the last

[cecil36]

When Spammers try to sue you (posted last week)

I have a feeling that should changes be made, the spammer (who shall remain nameless) mentioned in the story will be living in a cardboard box in the streets of Chicago. And for lunch every day, he will only be able to afford cans of SPAM Luncheon Meat

(I wish /. would allow me to post ASCII art of a can of SPAM Luncheon Meat). Oh well, guess I'm lame.

Re:The Solution: email protocol that stops spoofin

[smack_attack]

Some flaws, but a good direction:

- DNS could be hacked and the TTL set extremely low (most people wouldn't notice).
- Free mail services.
- Open relays are still a problem.

No female spammers

[Utopia]

castration ? Does that mean all spammers are males ?

Re:No female spammers

no

Re:No female spammers

[Cramer]

And then what? Put 'em back and do it again?

oNumber solved the spam problem, and it works

[Wonderkid]

Signup at http://www.oNumber.net, and exchange oNumbers with friends. Avoid putting e-mail address on business cards etc and use oNumeber instead. By using the guest list system, only authorized people get to see your actual contact info. It's not free, but it's free of advertising and O'WONDER (who own oNumber) will not sell or release your info to anyone. Slashdot reader feedback encouraged.

Re:oNumber solved the spam problem, and it works

Most people here wouldn't trust their info with AOL, why would they trust this lameass website.

Re:oNumber solved the spam problem, and it works

[Wonderkid]

Because it is run by people (myself included) who care a lot about such issues. If it's 'lame', tell me why, and we'll fix whatever is lame about it. (We don't care for flashiness over substance.) Call my mobile in London, England if you want to discuss. +44 (0) 7976 750 730 or e-mail me at wk@owonder.com.

Re:oNumber solved the spam problem, and it works

[jo42]

Dear spammer,

Please stop spamming /. with advertising for your company and/or service. I don't read /. for advertising. Thank you.

Female Spammers

[kiwipeso]

Should be impregnated by the geek they send spam to.
Who knows, maybe you'll finally get some for a change?

Better yet...

[jcr]

220 foo.bar.com CASHMAIL System
HELO
250 foo.bar.com Hello
MAIL FROM: mom@aol.com
667 foo.bar.com accepts payment of 0 cents
DATA
..
MAIL FROM: unknown_spammer@hotmail.com
250 unknown_spammer@hotmail.com... Sender ok
RCPT TO: foo@bar.com
666 foo@bar.com requires payment of 200 cents
CASH: 82kd0xma893mcos0
667 foo.bar.com accepts payment of 200 cents
DATA
...
MAIL FROM: known_spammer@hotmail.com
250 known_spammer@hotmail.com... Sender ok
RCPT TO: foo@bar.com
666 foo@bar.com requires payment of 1.0e09 cents
CASH: 82kd0xma893mcos0
666 foo.bar.com detects fraudulent/forged e-coin. Forwarding to fbi.gov

what if it's a female spammer / editor?

[kiwipeso]

Then she should get impregnated by the geeks she has offended.

Re:what if it's a female spammer / editor?

[lpwuk]

Nice way to give the resulting child a serious socialogical complex.

"What does your Dad do?"

"Oh, he's a geek!"

"Cool! And your Mom?"

Re:what if it's a female spammer / editor?

[kiwipeso]

I thought it would be interesting, maybe the only way some of the freaks here could ever get laid.
(unless they somehow get enough cash for a whore)

castration

might be a better idea if rape was punishable by castration first...

Re:castration

...or being an Enron executive.

RBL and SpamAssassin

[Gothmolly]

I run my own mail server, running qmail with the rblsmtpd daemon, pointing at several "underground", i.e. not for pay, black hole lists. In addition, there are spam _content_ filtering tools out there such as spamassassin, which looks for common telltale fingerprints in email. WORK FROM HOME, MAKE MONEY FAST, etc. etc. etc.

It can be done, with a little work.

Re:RBL and SpamAssassin

[dev0n]

The problem with the RBL and other blackhole lists, is that if you're a big provider, you WILL GET COMPLAINTS from your customers.

I should know... we recently tried to implement a spam filtering system at the place where I am employed. We immediately had customers complaining that they are not getting legitimate emails from THEIR customers/associates due to the fact that their providers are running open relays.

We simply do not have the resources to follow-up on every single blocked email, so we can't implement a blackhole list.

There has got to be a better solution. I really have no idea what it would be, but it has to exist. :)

Re:RBL and SpamAssassin

[nehril]

definitely. I put in spamassassin + vipul's razor on my utility linux machine, and I have it fetchmail my various accounts and scrub them. I use gotmail to fetch my hotmail and run it through the scrubber. this combo catches about 95% of all spam (and my hotmail account gets about 50 spams per day). Every other day I get one piece of spam or so.

Now I have all my accounts collected in one place and scrubbed. I even put in a webmail system (sqirrelmail.org) so I can fetch it remotely via ssl. If you have the means to hook up a setup like this I highly recommend it.

Re:RBL and SpamAssassin

[catman]

Hang on to your blocklists. Add SPEWS to your checks - it really works.

If anyone legitimate is blocked from sending mail into your system, let them complain to their own ISPs. They should ask for their money back - they have paid for a service that their ISP cannot deliver because it runs such a shoddy operation that it drops into block lists.

If you have customers who want spam, turn them over to the clueless ISPs ...

But what about us?

I know I forge headers all the time. Not to spam people, but to avoid my email address being farmed by spambots.

Certainly, wording from any law should have exclusionary cases, where the intent is not to advertise, etc.

Bernard Schifman

Bernard Schifman may then sue you for trying to sue him for sending spam.

Re:Bernard Schifman

I smell "law suit"!

Re:Bernard Schifman

was that a threat? i bet he'd sue you for that. hhahahaha.

Can you imagine...

a Bernard Schifman Cluster of these suits!

Forging headers?

Having open SMTP relays should be punishable by castration.

Re:Forging headers?

[Lord+Azrael]

ISPs should agree to pull the plug on those who do not close their open relays, just like @home did with people not able to patch their bloody IIS.

Re:Forging headers?

[smack_attack]

@Home fucked everyone by blocking port 80 across the board, not just those with IIS.

Re:Forging headers?

[Lord+Azrael]

that is true and i never thought that THAT what @home did to stop nimda was the best method they could have used, but what i wanted to point out was, that ISPs could agree on blocking mails from well known open relays. (just like i am doing it using ordb.org)

Don't the porn spammers realize?

[cliffy2000]

I must have recieved 200 e-mails on "farm action" and "hot family sex." I've never visited any such site nor have I ever responded to their e-mails... what makes them think that I'm suddenly gonna be interested in these deviant sexual activities... they should offer uhm... I dunno... NORMAL sexual behavior? I mean, hot playmates and stuff. They've gotta get their act together and stop catering to this select audience of sickos -- rather, they should attempt to appeal to the masses.
Sorry. Venting. Thank you.

Re:Don't the porn spammers realize?

[Lord+Azrael]

has it never come to your mind, that some people must be registering for pages like that? Otherwise spammer would have realized. believe me.
after all it's about earing money and not just " how can i send out millions of emails and do not earn anything from it?"

Re:Don't the porn spammers realize?

[NineNine]

Well, it's very simple. Straight porn is played out. People aren't interested in blonde, big chested airbrushed bimbos anymore. That's not where the money is any more.

Re:Don't the porn spammers realize?

[scheming+daemons]

Well, it's very simple. Straight porn is played out. People aren't interested in blonde, big chested airbrushed bimbos anymore. That's not where the money is any more.

I must be old-fashioned.

I'm VERY interested in blonde, big-chested, airbrushed bimbos.

Listen up

Listen up, people.

The deal is this. I will stomp this cute kitten to death with my heavy boots if you moderate me down.

You don't want the cute kitten dead, now do you?

Re:Listen up

nice cadillacs.

The laws in iowa

[autopr0n]

I was delighted the other day to find out that Iowa had an anti-spam law. I promptly requested 'remove' on all the 'psudo-opt-in' type spam (no, buying a list from someone does not mean that the people on it want your crap). Of course, under Iowa law I need to opt out before I can do anything, unless the spam is forged.

One of the 'university diploma' spams was illegal under Iowa law (invalid return address), but, of course how do you sue for something like that? I tried looking on reverse phone number sites to see who owned the phone number advertised, but nothing showed up.

Are there any ways to find out who sends these out without incurring a large expense?

Hrm, I wonder how long before someone starts sending out "make money suing spammers, call today for your free kit." spam.

Re:The laws in iowa

[Happy+go+Lucky]

One of the 'university diploma' spams was illegal under Iowa law (invalid return address), but, of course how do you sue for something like that? I tried looking on reverse phone number sites to see who owned the phone number advertised, but nothing showed up.

When you opened up the full headers on the spam, I assume you found the Received: lines going back from your mail server to the sending mail server, and from the originating IP to the sending mail server.

I also assume that Iowa law provides for John Doe lawsuits, in which you can identify the defendant as a specific individual even if you don't have his name, and has a long-arm statute whereby torts that occur partly in Iowa can be filed in Iowa courts.

Given those things: File your case with a John Doe defendant. Identify the defendant as the person who was using IP 123.456.789.012 at July 4, 2001, at 12:00 noon CDT. If you can explain what that means to the judge (in writing!) you can make a pretty strong case that that's one distinct individual.

When you file, have a subpoena ready for the court clerk's signature. You'll want to send it to the ISP or whoever owns the IP number, and it's for all billing or other records which would show the identity of the person using that IP at that time. Once the subpoena gets served and gets compliance, you have your defendant.

As for "large expense," I frankly don't know what it's going to cost you. Some states mandate civil spam-related stuff to go through small-claims, and some states don't give their small-claims courts the power of compulsory process. Obviously, a court that can't subpoena evidence is a joke, but don't ask me to explain it.

Re:The laws in iowa

[Happy+go+Lucky]

As much as I hate to reply to my own posts...

If the spam included a fax number, then find out which telco supports that number. For instance, a 303 or 720 area code would be metro Denver and therefore Qworst.

When you file against your John Doe defendant, you can subpoena that number's owner from the phone company.

Frankly, I'd use both of these avenues. A judge would probably be more receptive to the phone company angle, since he might not understand your header-reading tutorial completely. Tracing through the IP could then be used as confirmation.

Also, the mail could have been relayed. Probably 75% of my spam is English-language with a payload site connected through a US provider, or a US phone/fax number. Easily a third of that 25% is relayed through an overseas mail server (usually a badly-misconfigured and ancient sendmail on some APNIC IP=read as China) which doesn't accurately report the originating IP. In theory, you could try to subpoena the info from the relay's owner. In practice, a Chinese sysadmin would wipe his ass with your subpoena even if he could read it.

In other words, the headers may or may not have the information that you need.

Also, spams may carry a PO box or another box number. The USPS will give out POB boxholder information to the public on any box used to do business with the public.

I don't know if that applies to the private pack-and-ship businesses like MBE. It's worth asking them, though.

Re:The Solution: email protocol that stops spoofin

[Tuxinatorium]

Free mail systems could log the IPs of all their users and stop spoofs with a similar system.

Re:I INVENTED LINUX!!!!

>>The President of the United States will assasinate Richard Stallman.
>With what, body odor? Boring speeches

I didn't know there was something wrong with GWB's body odor.

What?

[autopr0n]

That's not castration, the women can still have children. It's more commonly called 'female circumcision' or 'cliterectomy'(sp?)

Re:What?

Nice web site autopr0n. I got off with it.

Truth in Advertising approach

[coyote-san]

I think it's time to apply Truth in Advertising standards to spam.

You say your product will help me lose weight? We send a rebuttal picture of your naked fat ass to everyone you know.

You say your product will make my penis gain 3"? We get testimonial from your two mercy fucks about how you need to use this product yourself.

You say your product will get me hot dates every weekend? We distribute a copy of your busy social calendar - with a note that you were stood up for the sole entry, your Jr. Prom in 1989.

And lest we forget it, you say your product will net me $50,000 in only 10 weeks? We show your credit card bills, and how even Miss Cleo has cut you off as a deadbeat.

The best thing of all si that this doesn't really require any new laws. (Well, the suggestions above do, but not the concept.) Don't just nail the spammers with small fines for sending spam, hit them with large fines for fradulant advertising, participation in criminal enterprises, etc.

Are the lawsuits worth it?

[btempleton]

I've sued phone spammers, the type who use a machine that calls people and plays a recording, which as been blatantly illegal for almost 10 years.

I've won, but it takes more work than the $500 you win is worth even when you do win, and on average it's something you do only on principle and not for money.

And thus few do it. When I have been in court the judges/commissioners have said they don't often (if at all) see these cases.

Laws are not the answer to spam. In spite of what people say it is not just a question of "it's not a free speech issue it's a property issue."

Spam involves rights in conflict. It's a free speech issue AND a property issue AND a privacy issue, all in one. The answers are not so simple as these laws suggest.

Re:Are the lawsuits worth it?

[spacefrog]

INALB,

Companies that use these sorts ot tactics usually use jurisdiction issues to skirt the law.

This is why so many of your telemarketing calls come from out-of-state, which often makes it possible to skirt state laws, since the state court lacks jurisdiction.

This day in age, a surprising number of your telemarketing calls are originating from Canada as well.

Now we see the downside of dirt-cheap long distance!

Help: Spammers with Fax-Numbers to reply

[Lord+Azrael]

i would be very happy if anybody could tell me a solution what to do with spammers, who only use Fax-Numbers to respond. I have a massive problem with a guy who is using my domainname as sender adress. He always sends via open relays in taiwan, korea and all these countries and he always includes to fax numbers in the US. I do get an average of 500 bounces per day from mails this guy sent, because the recipient does not exist. Since he uses my domain i get these bounces every day. I am now collecting every day IPs of the open relays this guy uses and submitting them to ordb.org Open Relay DataBase, but obviously this is not the way to stop this.

I read alot on pages dealing with spam, many of them were pointing to ftc.gov which one should contact if a company of the US is doing spammings. But besides reporting that guy what can one do. i cannot phone up the telco and ask them to shut down these well known numbers (i saw procmail recipies of other people who in their spamfilters had these fax numbers included)

any hints or help would be greatly aprreciated

Re:Help: Spammers with Fax-Numbers to reply

[BCTECH]

I tried to find the lawsuit but came up empty. If I remember correctly a flower shop in TX sued a spammer who used a bogus email address on their domain as a return address. The flood of bounced email and complaints brought down their mail server. I beleive they were awarded $50,000. I think the perp was a minor kid who's parents had to flip the bill.

Re:Help: Spammers with Fax-Numbers to reply

[Happy+go+Lucky]

The flower shop was called flowers.com. A spamming piece of shit (like Bernie Shiftman) named Craig Nowak forged them into the From: lines of his spam. They got hammered with the bounces and bitches from people who couldn't read headers.

They identified Nowak (who is a spamming piece of shit like Bernie Shiftman) and sued him. And won.

I can't find the actual cite from the case. However, it was from 1997 in the District Court for Travis County, Texas. Tracy Parker, Zilker Internet Park, and others vs. Craig Nowak and C.N. Enterprises or something like that.

Re:Help: Spammers with Fax-Numbers to reply

[snarfer]

I've had the same problem a few times. They forge the domain in the headers, and I get thousands of angry people sending e-mail, and a few times calling me at 3AM (finding my phone number in the domain registration WHOIS).

I wish I knew what to do about it.

Re:Help: Spammers with Fax-Numbers to reply

[Sheetrock]

That really sucks. I don't have any bulletproof solutions for you, but the following idea might help you to cut back on the problem:

Create a web page under the domain explaining the situation. If you get any bounce messages from undeliverables from the spammer's run, include a link to a copy of one of them. Add links to websites with more information on tracing headers and advice on dealing with spam, and perhaps suggest to the visitor that they call a legislator or two about the issue. Then, in your WHOIS record, add the URL to the page with a short blurb calculated to get the reader to visit the page rather than disturbing you with a phone call. "Did you receive spam appearing to come from this domain? Please read this for more information." or something along those lines.

I hope this helps. I doubt it will do much to stop the hate e-mail, but for me the worst part of the whole matter would be having people calling on the phone. I already don't like the idea of putting real contact information into WHOIS records, and somehow your situation doesn't make me feel any better about it.

Re:The Solution: email protocol that stops spoofin

[filtersweep]

That would just force spammers to use their own servers to spam, and there is enough of that going on already... or it is contracted out to third party "media services." It seriously pisses me off that in the year 2002, MS Outlook does not provide message filtering based on header content. I could filter out that remaining one percent of spam that sneaks through... but I digress. I hate the boilerplate disclaimer that insinuates that I have signed up for spam through the spammer or a partner company... I get a ton of spam directed to my default username through my ISP- and I've NEVER used that email (you know the name where they take your name and add a few numbers that none of your friends can ever remember?). My work used the same ISP for awhile, and there were already spams waiting for me before I sent even a single email... which tells me a little something about the ISP.... but again, I digress. I don't know that there are any technological solutions that I am comfortable with. On one hand, I appreciate the ability to send certain email anonymously, or to use a yahoo mail address that doesn't give my name. The other issue with using a handshake is that it seems a lot of email is cached. It has taken several hours for me to receive emails at work, whether I've emailed myself at home, or whether a co-worker has phoned to follow up with something sent to me. I've received Fed-Ex packages faster than some emails. It seems conceivable that emails could be lost in transit while the other server is waiting for confirmation (seems it could go both ways).

I know...offtopic, but a good question...

sorry for the offtopic post, but i have been wondering this for a while, and there is no better place to ask....

WHEN THE HELL IS SEGFAULT.ORG COMING BACK UP

What about....

[madenosine]

What about spamming on instant messaging systems such as ICQ? I know that I can (and have) blocked people who are not friends, but are there any laws against spamming of that sort? Or do we just have to wait until it becomes a larger industry?

Re:What about....

[kawaichan]

I know, those damn bots and you think people have better things to do..

I doubt it, since it's hard to trace the spammer and they are probably just some script kiddies anyways.

Stupid

[autopr0n]

Yeh, spam is annoying, so we should replace the entire domain name system. It is true that email information is integrated into the DNS system (MX records and stuff), but not to that level.

Secondly, it wouldn't really stop any spam anyway. Just because you 'claim' that they should owe you money for spamming doesn't that they actually will. And a huge number of spammers right now are committing crimes by hacking open relays/AOL accounts and the like right now. What's to prevent them from doing the same under XNS? I mean, even if the 'privacy policy' is enforceable by law, it doesn't mean that all spammers are going to start following it. And 'legit' spammers already have opt-outs.

Spam prevention (especially retarded crap that you outlined) does not belong in the DNS system. I'm not saying that the DNS system doesn't need to be replaced, but spam prevention doesn't belong it it.

Companies should be doing the suing!

I think companies like MSN/Microsoft/Hotmail, yahoo, excite and @home should be doing the suing.
Everytime someone forges an e-mail address using their domain name, and someone forwards it to abuse@something.com then it costs them money to research it. It could also be considered slander if someone sends you an e-mail from something like animalsex@microsoft.com.

Don't they care about their PR? I mean now I think that Microsoft has something to do with bestiality. How do I know that it wasn't really from them?? I'll just keep assuming that till proven otherwise.

Re:Companies should be doing the suing!

[psavo]

After thinking for a while, I understood why 'back bone' -providers don't sue spammers/spammer sites. That's because they get their money for transporting data. Any data. And it's ISP which pays, and from that individual customers. ISP's are the ones who should sue. Some big one, like AOL/MSN.
Problem is that no ISP is really international (AOL has some europe thingies..), so they can't sue shit out from our korean friends (oh yes, I did get some korean spam this week)..

Re:Companies should be doing the suing!

[roystgnr]

It could also be considered slander if someone sends you an e-mail from something like animalsex@microsoft.com.

You know, I'm usually on the "public horsewhipping" side of this argument, but I'm almost tempted to become a spammer just so I can use that address...

Re:Companies should be doing the suing!

[herbierobinson]

Some do! AOL just won a big one.

Laws define both sides

[coyote-san]

The problem with a national law, with any law, is that it defines "safe turf" for both sides.

If Congress debated such a law, I'm sure that the DMA would yell and scream and "compromise" that it is willing to make it illegal to send unsolicited email of a criminal nature. Outlaw the pyramid schemes, outlaw the cock&tit creams that don't have FDA approval, etc.

Meanwhile, in the same spirit of compromise, it's now Federal law that companies can ignore repeated requests that you be removed from their spam lists because you have a bona fide business relationship. It doesn't matter that this "relationship" was a one-time purchase of a Christmas present a decade ago for a person who's long been out of your life - you might need another left-handed bacon turner some day and if they can't sent you reminders, you'll buy it elsewhere!

Likewise the legislation would undoubtably protect affiliated businesses - the reason I briefly got investment solicitations from my car insurance carrier, until I made it clear they were about to lose the latter account. It will even protect attempts to woo you away from existing businesses - you drive, so therefore you should hear about Fly-By-Night insurance rates. And Bob's detailing shop. And on and on and on....

I'm not saying that legislation would never be appropriate, just that it's too early to do it at the national level. Let's get a clear concensus that spam is a problem, then use the federal law *only* to normalize things like mandatory subject lines.

My cheap social solution

[bigdreamer]

This is an easy social solution for end users. In my experience, spammers screen out possible users by username. So the key is to choose a name most spammers won't screen.

Examples of bad usernames follow. Scroll down for summary.
________________________________
Here are some bad usernames, and the reasons why.

Username: morgan@mail.com
Spammer's reaction: Morgan's a guy's name! I'll send him pr0n! (Never mind that I'm a heterosexual female. :-) )

Username: blahblah1969@mail.com
Spammer's reaction: 69! I'll send this guy pr0n!

Username: nerd@mail.com
Spammer's reaction:This guy's a nerd that never got laid! I'll send him pr0n AND computer products!

Username: princess@mail.com
Spammer's reaction: Princess, eh? I'll send her all my products!

Username:ironknuckle@mail.com
Spammer's reaction: He must lift weights. I'll send him stuff to build his body!

Username: hasaki@mail.com
Spammer's reaction: My Japanese friend will like this guy. (Sends Japanese spam.)

Username: nurdchik8@mail.com
Spammer's reaction: Well, it's possibly nerd, maybe a female, and what does that 8 mean? I don't have pr0n, would he or she like computer stuff? What does 8 mean again? (Skips name.)

___________________________________
End of examples. Summary follows.

If you're an end user, avoid the following:
*Obvious gender references
*Numbers that could be construed as sexual references, or birthday years
*Names that may be perceived as a potential marketing group (princess, superstrongWWF)
*Names that may indicate you are a certain nationality or ethnic group

This doesn't prevent you getting spam completely. At least you'll start off spam free with the right username, like I have.

Re:My cheap social solution

[prog-guru]

Or maybe get your own domain, so you are less likely hit by a dictionary attack (aaa@mail.com, aab@mail.com...).

Re:My cheap social solution

[bigdreamer]

Give me a cheap domain to buy, and I'll do that.

Re:My cheap social solution

[number+one+duck]

Heh. *or*, you could get a job, so you are less likely hit by a dictionary attack...

This doesn't give them a whois entry to spam either.

Re:My cheap social solution

[Cramer]

That's a load of crap. Spammers do not "target" their shit. They may say they do, but it's a lie.

Re:My cheap social solution

[bigdreamer]

I'm not a spammer, but apparently they do target their people. Otherwise, why have I been spam-free for months on my free email accounts?

Re:My cheap social solution

[bigdreamer]

Spammers do not "target" their shit. They may say they do, but it's a lie.

*Spamming marketer adds Cramer to "naive" list.*

;-)

Re:My cheap social solution

[Cramer]

I keep a shrine to spam... it's over 12M at present. One of these days, I'll hook that folder up to the web so people can see all the stupid bullshit in the world. For a while, I got no spam -- see, MAPS and RBL (and others) do work.

Dude, never believe what you hear from spammers. (They lie, you know.) Don't even trust the headers. Although, the headers are often good for a laugh.

PINE 4.33 MESSAGE INDEX spam Msg 2,130 of 2,130

2121 Jan 12 1a7info1@iol.it (7,325) Save On Your Life Insurance -FREE Qu
2122 Jan 11 j89b4m4gt@hotmail. (2,373) Settle your tax debt for pennies on
+ 2123 Jan 12 Information (4,338) Get the cash you need to pay off you
2124 Jan 12 dvdcopy102@yahoo.c (2,493) Copy DVD's with a Regular CD Writer!
2125 Jan 13 pesavento@bass.se (2,971) Burn 36% more calories, block 30% of
2126 Jan 13 1a7info1@altavista (3,042) ::: NEW Universal Analog/Digital TV
2127 Jan 13 888marketing@371.n (2,074) Legal Services For Only Pennies a Da
2128 Jan 13 villaents2002@xwlf (6,546) Need Extra Money Over The Holidays?
2129 Jan 13 irene@m-ul.com (1,760) ADV: CONGRATULATIONS!! YOU WON!!
2130 Jan 13 folgermark@hotmail (2,298) ASSET & BACKGROUND CHECKS!!...WE CHE

(Note to slashcode idiots: why is there still no <pre> tag?!)

Re:My cheap social solution

[greenrd]

Because your email address has not been made widely visible, I would think. I get dozens of spams a day at my hotmail address.

Re:My cheap social solution

[bigdreamer]

Because your email address has not been made widely visible, I would think.

That's somewhat true. If I published them on public message boards with no spam protection, I'd probably get more spam than I do now.

However, I used to get dozens of spams a day at previous hotmail addresses without doing anything. One of them had my name in it (Morgan) and the other had the number 69 in it. The one with 69 in it had 7 or 8 spams within 24 hours of creating it. The one with Morgan in it got spams within a week. But I had other email addresses that hadn't received spam months after I created it.

I tried to make these email addresses hard to get, so I started thinking about their usernames.
That's when I began using some business logic to figure out what made addresses suspectible to spam and why others didn't. The result was my original post.

I've created a few variants of geekchicN addresses, and I've been spam free for a while. But don't listen to me. Try it yourself.

Re:My cheap social solution

[bigdreamer]

Dude, never believe what you hear from spammers. (They lie, you know.)

Spammers didn't tell me anything. I explained in a post to someone else how I got to my conclusions. Plus, I've discussed this in my friends to determine why they got the spam they get. It's surprisingly accurate. You can see some examples in my original post.

BTW, even I know how to fake e-mail addresses, etc. in headers. I was taught that in a basic programming class!

Re:My cheap social solution

[DrNibbler]

Or maybe get your own domain, so you are less likely hit by a dictionary attack (aaa@mail.com, aab@mail.com...)

Doesn't always work. I recently registered a domain that I'm currently using to host my email. I have 3 accounts one for family/friends, one for business and one for public posting on services such as the usenet or slashdot. I also set up a catch-all account for any other address using that domain. Well the catch-all account is receiving a ton of mail (mostly spam). I suspect that some spammers out there added my domain to their database for dictionary attacks.

Hash Cash

[Jobby]

Here's an interesting method of reducing spam called HashCash:

"Hash cash is an electronic payment system based on spent CPU cycles computing partial hash collisions. It finds particular use as a system for reducing unsolicited mail by requiring senders to include a small "payment" with each message.

Basically, you have to spend a certain amount of CPU time to send each message so sending large amounts of spam requires much more work. The reason n-bit partial hash collisions are used "is that they can be made arbitrarily expensive to compute (by choosing the desired number of bits of collision), and yet can be verified instantly." Sounds like an interesting idea, no? They've even produced a high rate of inflation for HashCash because of Moore's Law. Plus it has a funky name

--jobby

Digital Postage is the only answer

[Curt+Cox]

Unsolicited bulk email is used with such frequency because it is so incredibly cheap. This convinces those who use it, that it has a positive return on investment. In order to reduce the amount of spam, it is necessary to increase the cost of sending it. Digital postage is the only way to reduce spam.

This would be analogous to the stamps used on snail mail, now. If nobody else steps up to the plate, some corporations will try to do this for a profit, or national governments will try to do it for control. The better solution, however, is some sort standards-based decentralized digital postage, where everyone can issue their own estamps. It is then up to each individual to decide, how much a spammer has to pay to get to their inbox.

Of course to be widely adopted, this has to be well integrated into email clients. It also has to be completely painless to insure that your friends always have enough of your stamps on-hand.

Once in place, the benefits include:
- less spam
- no need for email size limits, because there would be an obvious mechanism to allow billing for arbitrarily large emails
- automatic payment method for email based customer support

Re:The Solution: email protocol that stops spoofin

[Tuxinatorium]

Block quoth the poster:
That would just force spammers to use their own servers to spam, and there is enough of that going on already...

No, I mean the destination server. When you send an email to "user@domain.com", the email goes to the "domain.com" server and is stored there until the user downloads it. The spammers would have to either control your ISP, or somehow intercept the packet with the conformation code to be able to spam without revealing their IP address. A bit of cryptography would make it prohibitively difficult to send mass spam the latter way.

Hrm

[autopr0n]

Well, I belive the reason that 'sicko' sites spam whereas 'normal' sites do not is that the main-stream porn industry simply does not spam at all. The practice has been banned by the industry association. Any pornographic spam you get is for cheap companies and individuals who are not really a part of the industry.

Btw, if you do want some normal porn, I know a great website you might want to check out...

Re:Hrm

I don't think there's really a porn "industry association," much less an association that has the power to "ban" things for porn sites to do. Wouldn't it have gotten rid of the "free membership with your credit card number" scam, or consoles?

Re:Hrm

[jo42]

Now only if the gnob that puts up the descriptions on autopr0n.com could spell...

Sexist Punishment...

[toupsie]

but I also believe forging SMTP headers should be legally punishable by castration.

So what you are saying is that only men can be punished for SPAMMING in your mind? I am sure there are women SPAMMING out there too! What part of their anatomy are you going to cut off? The National Organization for Women would like to know...

Re:Sexist Punishment...

[spaanoft]

I DEMAND we be punished too! ... OH CRAP! NO WAIT!

another tactic?

[Alien54]

I saw this idea else where, and it looks promising enough that I want to share ....

One could extend the SMTP protocol for mail delivery so that (non-favored?) senders were forced to jump through some computationally expensive hoop before mail to local users will be accepted.

Currently SMTP looks like this:

>>> 220 mailhost.domain.com ESMTP Sendmail 8.9.9/8.9.9; Fri, 11 Jan 2002 16:05:32 -0500 (EST)
>>> HELO host.domain2.com 250 mailhost.domain.com Hello host.domain2.com [155.108.129.30], pleased to meet you
>>> MAIL From: 250 ... Sender ok
>>> RCPT To: 250 ... Recipient ok
>>> DATA 354 Enter mail, end with "." on a line by itself 250 QAA00187 Message accepted for delivery
>>> QUIT 221 mail.domain.com closing connection

We could add something like (not real numbers):

>>> 220 mailhost.domain.com ESMTP Sendmail 8.9.9/8.9.9; Fri, 11 Jan 2002 16:05:32 -0500 (EST)
>>> HELO host.domain2.com 250 mailhost.domain.com Hello host.domain2.com [155.108.129.30], pleased to meet you
>>> MAIL From: 250 ... Sender untrusted, please give prime factor of 34576184516935692342934759132 to continue
>>> FCTR 345837413 250 Ok, you bothered...
>>> RCPT To: 250 ... Recipient ok
>>> DATA 354 Enter mail, end with "." on a line by itself 250 QAA00187 Message accepted for delivery
>>> QUIT 221 mail.domain.com closing connection

The beauty of this is, putting support in sendmail would mostly be sufficient, and it lets you effectively add a cost per message without any sort of micropayments scheme, or giving up anonymity. I'd be curious what your reader groupmind thinks about this, or if the idea has been tossed around before?

- Mike Earl

Personally, I do not know the feasibility of this angle, although I am sure some expert with be willing to point out the flaws.

Re:another tactic?

[tomstdenis]

Well that will work, there are other schemes.

I'm a student cryptographer and I'm working on a system which will provide authentication [signatures], privacy [via encryption] and at the same time make spam less feasible [you can do it but its easier to filter out].

The basic idea stems from squaring modulo a composite. Say you're given N=pq where p and q are two huge primes.

You can find

R = K^(2^T) mod pq

easily, but given R its hard to find K.

So if you specifically construct K to follow certain rules, you can help filter out spam very easily.

The basic scheme works like this

1. Make up two primes p and q and get N=pq
2. Choose a value of T [say 1024]
3. Publish N and T with your email address

The user wants to send you a message M so they make up

K = random_data || HASH(M) || time

They hash K and use that as a key for a symmetric cipher. Then they send R=K^(2^T) mod N [by squaring T times] along with the ciphertext.

The trick is that finding K from R is easy if you know the factors and squaring T times takes time.

You can sign K easily too ... anyways...

Re:another tactic?

[Dwonis]

This is broken. People will simply start selling CD-ROMS with pre-calculated hashes.

Re:another tactic?

[tomstdenis]

Hmm? You hash the message so you can't just store them on a CD.

The idea is not to stop people from SENDING spam its to stop you from having to SEE the spam.

For a message to be valid you must first make up a bignumber

K = random || hash(message) || time

Then you send to the user K^(2^T) mod N.

You're "attack" won't work since each user has their own N. So if you want to build up a huge table of valid numbers you can, but they will only work for one user.

I'd suggest you actually read the posting before attacking it.

Re:another tactic?

[vadim_t]

Nice idea, but only for normal people. I'm sure you don't send thousands of emails a day, so this doesn't bother you, but the Linux Kernel mailing list does...

Re:another tactic?

[GSloop]

Tomstdenis - if you want to not see it, use spamassassin - works great -

Oh, I forgot, you're a MS Bigot, so it will probably be a real bugger to get this to run properly on NT - what an advantage huh - unless MS provides it/thought of it, you can't get it...

I virtually NEVER have to see mail from spammers using spam assassin. (I do get a few false positives...)

The point is not to prevent me from seeing spam, but from having to pay to get spam. I _DO_ pay for bandwidth - I'm not a flat rate for bandwidth user, so I do care what I have to pay for...

Lastly, the only way to really make a dent in spamming is the following, which I have already mentioned here before...

===== Quote ====
Most of the spam I get now, is from companies that are using "contractors" to spam, or spam from offshore (i.e. China) ISP's. The advertised product is from the US often, but the advertisee is not. Therefore, shutting down the "spammer" isn't going to do anything.

Now I don't know how to practically impliment this, as there are some pitfalls, but with some decent legislation, we could make it possible to target the beneficiary of the spam. That makes it possible to attack the real reason for the spam - where we can use our laws etc to attack it.

Sure, there will be spam that also has you send you money to China/Afganistan etc, but that will make the spam much less profitable, as most people won't do so. Lastly, most people will use credit cards, and I assume that most SPAM scams are frauds too, so the chargebacks will be hell for the spam beneficiary.

Anyway, it just seems that we can't just attack the spammer, we really need to attack the beneficiary. Then the spammers will go away, as they can't find anyone to demand their services.

=======

Until we make it too costly to benefit from SPAM, we won't solve the problem. The costs must outweigh the revenue.

Finally, as per your proposal. Are you planning to rewrite and distribute and impliment all the patches to sendmail, qmail etc for the SMTP dameons? Not to mention all the other SMTP RFT servers out there? That's a massive task, and one that isn't likely to get done any time soon. A better approach is to attack this with the law.

I shouldn't have to put up a taller fence to prevent you from littering in my yard. That's the approach here. It may work, but it smells.

Re:another tactic?

[tomstdenis]

First off, my scheme will work with existing email systems. You can use the same transport protocols you just have to tack on a plugin that will do the math part.

So you can still use pop3/smtp for transporting email.

Second, apply "law" to the problem just doesn't work. I send spam from country X to country Y, etc...

My solution takes work [i.e to implement it] but will work regardless of laws in place. Doesn't matter if you're sending spam from Mars, if you don't apply my coding my program [client] will just filter the message out.

Also, you can *NEVER* stop people from sending spam just by filtering for keywords or something. If I can send you an email in the clear and open, then I can just as easily find a new way to make a spam message that doesn't follow the heuristics of your filter.

With my scheme spammers can still get passed the filter, it just takes them time [which you can roughly control]. That makes it less profitable.

Think about it. Suppose you pick a setting [of T] that makes a fast ghz processor take about 7 seconds or so to make a valid email.

Would a spammer wait 7 seconds per email if they have a list of 10^8 emails to go through [probably 90% of which are fake to begin with!]?

I doubt it.

Also my scheme can be made simpler. Instead of repeated squaring, use repeated cubing.

I.e

Make up

K = random || hash(message) || time

Then cube K, T times...

K = K^3 mod pq
K = K^3 mod pq
...

The end user can compute

K^((1/3)^T mod (p-1)(q-1)) mod pq

Which means they can go directly to the original K value but an attacker [i.e spammer] must perform T cubings.

So no matter what T is the time for the person getting the email is the same.

Tom

Re:another tactic?

[Kiwi]

I have also seen the "create a random (or more) bit stream, for which the first 20 bits has a SHA-1 hash of: 867b5" method; both have the same thinking: Make it computationally expensive to send out email.

The problem with a technique like this it is unfair to the webmail and large ISPs who have, for the most part, large quantities of legitimate email traffic coming out of their mail servers. Then again, most "From fakename@yahoo.com" spam is sent from other servers, with a forged return address; we can add a "outgoing mail exchanger" record to DNS; mail that claims to be from "name@exmaple.com" but does not come from a listed outgoing mail exchanger for name@example.com is rejected.

Then again, this makes it inconvenient for travellers who may want to send out legitimate name@yahoo.com email from a non-Yahoo connection.

- Sam

Re:another tactic?

[Alien54]

Nice idea, but only for normal people. I'm sure you don't send thousands of emails a day, so this doesn't bother you, but the Linux Kernel mailing list does

so the question is: should the Linux Kernel mailing list be a trusted sender?

Somehow I thing that the people on the mailing list would be able to configure the mail server to see this as coming from a trusted source.

You could probably arrange to have it coordinated with one of the several blacklists, etc. out there, so that most are trusted, and a few are deservedly not.

Re:another tactic?

[reynaert]

How would you decide how difficult the problem should be? Believe it or not, but there are people using email on XT's. Or take Arache, a graphical browser+email+... that works fine on a 386. Those people would in effect unable to send email.

Re:another tactic?

[GSloop]

I'm sure that ISP's who process LOTS of mail (hundreds of thousands or millions of mails) a day would be glad for the 5-10 second delay for each mail...

That's a huge computational cost, and doesn't have a prayer of making it...

My soltution attacks the profitability - a market solution if you wish - it might not be the only solution, but it could work to make SPAM unprofitable, and thus once unprofitable, kill it.

Re:another tactic?

[tomstdenis]

Again I suggest you read the fucking post.

Its the ----->****END****----- users that do the work.

If joe@abc.com wants to send an email to blow@nbc.com then its user joe that does the cubing [T times] and user blow that does the inverse. The servers abc.com and nbc.com will just carry the message.

Tom

Re:another tactic?

[Dwonis]

Ah. I thought it was a system to waste spammers' CPU cycles.

Re:another tactic?

[tomstdenis]

I can't tell if you're agreeing with my post or not.

To recap my scheme is designed to make it so if the spammer doesn't do a lengthly calculation [that the end user can quickly verify] then the email gets automatically deleted.

I'm going to write a paper on the scheme just to get it out in the open. Who knows, if its secure maybe someone will implement it?

Tom

Re:another tactic?

[subbuk]

>We could add something like (not real numbers):
>>>> MAIL From: 250 ... Sender untrusted, please
>give prime factor of 34576184516935692342934759132
>to continue

>Personally, I do not know the feasibility of this
>angle, although I am sure some expert with be
>willing to point out the flaws.

Flaws like the fact that 2 suffices in the example? Too good to pass up :)

Re:another tactic?

[br0ck]

Maybe this is a crazy idea, but could we have them compute a block for distributed.net or SETI@home? Two birds, one boulder..

Re:another tactic?

[tomstdenis]

The problem with your idea is that you can't filter out the spam.

With my scheme if they don't do the work the email is rejected. [assuming there are no flaws in my scheme...]

Tom

Re:another tactic?

[GSloop]

This is getting old...

Your post doesn't specify with _ANY_ degree of certainty who generates the "cypher"...

Is is the EMail client - Outlook, Eudora, Pine etc? Is it SMTP?

If the former, you have an even harder task getting critical mass for a useable product. SMTP is MUCH easier, cause there's fewer pieces of software to modify and impliment. Thus a significant calc time will kill you. As I see it, either way, you're "dammed if you do (server) and dammed if you don't (client)"

Sure, it has it fine points, but it doesn't have a prayer of getting implimented. Thus NO practicality.

Now, you may argue that my political/law approach will never get enacted, and possibly you're right, but that's another story.

Thus, go read your own posts, rather than what you thought you wrote. Then think about the practical approach to implimenting these.

Lastly, you think you'll get MS to impliment any of these items in your favorite server and client programs? Good luck. Open software is your best friend for implimenting the stuff you propose. OSF style stuff may have it's drawbacks, but it would be a open project that will push for better software in these areas from the closed behemoths.

How's that for irony?

Cheers!

Re:another tactic?

[tomstdenis]

"Your post doesn't specify with _ANY_ degree of certainty who generates the "cypher"... "

You are really trolling now. It's rather obvious how my scheme works. Its the email *CLIENTS* that do the work.

Ah, whatever, fuck off.

Re:another tactic?

[GSloop]

What eloquence -


Ah, whatever, fuck off.


You don't state that the client does the work CLEARLY in your origional post.

Next, even if it is the client, the scheme is even less likely to get implimented in enough places to get critical mass. This is simply because the number of people that would have to DL and install and configure the system would be so great. Lastly, it's hard enough to use public key stuff through Verisign or Thawte etc, for email. You expect grandma to figure out how to use this system too?

I've hashed all this before, so I'll stop here. What surprises me, is that you seem incapable of admitting that the task is VERY DAUNTING! Technically possible and feasibly/reality based possible are two different things.

As long as we're wishing, I'l like a pony - to paraphrase Suzy in Cavlin and Hobbes (The comic strip)

Re:another tactic?

[rew]

Nope Won't work:

The spammers find a "open relay" (like they do now) and put the burden on those "other hosts".

Roger.

Re:another tactic?

[tomstdenis]

"You don't state that the client does the work CLEARLY in your origional post. "

Yes I did.

"What surprises me, is that you seem incapable of admitting that the task is VERY DAUNTING!"

And you think passing internationally accepted legislation is any easier?

Tom

Re:another tactic?

[tomstdenis]

http://tomstdenis.home.dhs.org/papers/nspam.pdf

Is that clear enough? [yes I know its a very rough draft but it outlines the idea]

Re:another tactic?

[GSloop]

Tom, go read the origional post...

I quote...

Most of the spam I get now, is from companies that are using "contractors" to spam, or spam from offshore (i.e. China) ISP's. The advertised product is from the US often, but the advertisee is not. Therefore, shutting down the "spammer" isn't going to do anything.

Now I don't know how to practically impliment this, as there are some pitfalls, but with some decent legislation, we could make it possible to target the beneficiary of the spam. That makes it possible to attack the real reason for the spam - where we can use our laws etc to attack it.

Sure, there will be spam that also has you send you money to China/Afganistan etc, but that will make the spam much less profitable, as most people won't do so. Lastly, most people will use credit cards, and I assume that most SPAM scams are frauds too, so the chargebacks will be hell for the spam beneficiary.

Anyway, it just seems that we can't just attack the spammer, we really need to attack the beneficiary. Then the spammers will go away, as they can't find anyone to demand their services


As you can see, I propose we target the beneficiary of the spam - not the spammer. To do any significant commerce here in the US, you'll have to have a financial nexus here too. Thus, we don't have to attack a foreign country based entity (at least in many cases) because the beneficiary will have assets and bank accounts here in the US. Tada! US based spam beneficiary, US based suit, and US retrieval of judgement. No foreign powers, no cross border legal judgements etc. Now, in cases where people are financally based outside the US this will be harder. But it's much harder to convince others to do business with a NON US business, and that would only be really viable via credit cards. It's lots easier to get chargebacks for fraud and abuse when the abuse is coming from an offshore account.

Getting the fabulous US congress and the President for and by "Big Business" to actually do this may be hard, but it doesn't have to be cross border.

Anyway - my post was clear in it's attack. The legislation here in the US may not be easy, but then again, we might just see something similar.

Cheers!

Re:another tactic?

[tomstdenis]

The law is always going to be 7 steps behind technology. Besides 99% of the spam in my hotmail box is not from real companies. They are "out of debt", "bigger penis" and "lovely lara" e-mails which are more of a nuance than anything else.

I seriously doubt that most spam people get are actually from huge companies [with money, worth sueing] who hire oversees people.

My scheme benefits from the ability to work regardless of the law. So people in Canada can benefit just as much from it as people from China.

Tom

Re:another tactic?

[neoThoth]

I have written a lot of perl scripts that talk in SMTP and I don't see how that would be particularly effective. It would be pretty simple to capture that line of the transaction as a string and simply use regular expressions to copy the number and paste it back in for the next reply. It would also open up a DoS attack creating a large number of connections and forcing the server to recompute new large prime numbers.

Re:another tactic?

[Dwonis]

From what I understand of your protocol, the keys can be pre-calculated, which would GREATLY reduce the effectiveness of the scheme.

Vanilla Sky

In the end we find out that it was all just a lucid dream while he is in a cryogenic chamber.

Issues regarding new technology

[TheMCP]

Isn't the only advantage of an authenticated email format that the recipient can easily find out who the sender really is?

Well, not exactly. You're right in that that's all it technically does for us. However, this leads us to two potential advantages:

• When the spammer is identifiable, they don't tend to last long because the volume of incoming complaints tends to overload the ISP.
• It makes it easier to create a groupware blocking system - for example, 10,000 people subscribe, and the system requires three subscribers to complain about an address before it's blocked. A spammer sends spam and it hits 8237 of the subscribers. The first three to see it click the "this is spam" button, and the system automatically removes the mail from the inboxes of the other 8234 subscribers who got it and blocks all future email from the sender.

Knowing who the sender is doesn't prevent spam being sent from spam friendly servers abroad.

You're right, but again, the volume of incoming complaints (and denial of service attacks) tends to make the ISPs balk at hosting spammers. Once they're tracable, the attacks begin, and the ISPs dump the spammers.

The problem is, we need a completely new email system with authentication, and we need mail clients that handle both it and the current standard seamlessly... because practically nobody is going to make a hard switch over to a new email system that will prevent most of their friends and associates from emailing them, and very few people are going to be willing to run two separate email clients. It would be best if the server-side software supported both standards as well, so server admins don't have to feel that they're getting an additional piece of software to support. Moreover, everything has to support every major platform and some of the more prominent minor ones so it can support a massive switchover and won't piss off users of any particular platform by not properly supporting them.

Java, anyone?

Re:Issues regarding new technology

[reynaert]

The problem is, we need a completely new email system with authentication, and we need mail clients that handle both it and the current standard seamlessly...

Not really... All you have to do is modify your mailserver to reject any message that does not include a valid PGP signature. And any descent mail client already supports it.

Re:Issues regarding new technology

[TheMCP]

All you have to do is modify your mailserver to reject any message that does not include a valid PGP signature.

And how am I going to get email from my clients who don't use PGP, and aren't going to? Go back and read what I wrote. Nobody is going to use an email system that cuts them off from almost everyone.

And any descent mail client already supports it.

Funny, but in 12 years on the Internet I don't think I've ever used a mail client that supported it natively.

overture

Don't forget to search "bulk email" on www.overture.com and click on a few links every day to make coders of spamming software loose money

Wrong

[NineNine]

Wrong. But thanks for the typical knee-jerk no-thinking solution. The vast majority of spamming originates from machines in Russia, other former Soviet states, and China. Most companies that spam are ghost corporations, legally residing in a small island in the Pacific. A US law cannot touch these people. It won't work any more than regulating porn or gambling online. The Net is a whole new set of rules. A simple "let's just make it illegal" won't even come close to solving the problem.

Re:Wrong

[CaptainSuperBoy]

Well, thanks for backing up your statements with all those statistics. Since you've pointed to studies, news articles, and online discussions backing up your facts I feel confident believing your statement that most companies spam from a shadowy data haven outside of the reach of law.

Of course, if you had said that my spam comes from some crazy island in the Pacific without backing up that statement with ANY FACT WHATSOEVER, I wouldn't believe you. Oh wait.. You don't have any proof to back up your statements. Never mind.

Re:Wrong

[NineNine]

Well, there aren't going to be studies and articles about companies that virtually nobody knows about. I happen to know people who do it, and that's how it's done. But you're right. I'm sure that all of the spam you're getting are from legitimate S-Corporations with nice large offices in Silicon Valley that have PR people with who you can register complaints. Right. Laws will be passed, but in the end, it will make no difference whatsoever.

Re:Wrong

[mpe]

Most companies that spam are ghost corporations, legally residing in a small island in the Pacific.A US law cannot touch these people. It won't work any more than regulating porn or gambling online.

It's more a case of so long as US corporate interests are not upset the US government won't do much about it. If they were to do so then expect these small islands to very quickly either gain an autocratic government very friendly to the US or possibly to wind up as a US state.

Re:Wrong

[CaptainSuperBoy]

Well, there aren't going to be studies and articles about companies that virtually nobody knows about. I happen to know people who do it, and that's how it's done.

There simply aren't companies spamming that slip under the radar of anti-spam groups. Read news.admin.net-abuse.email some time - you'll be amazed by the dedication (and thoroughness) of the regulars there. I did a quick google search for 'pacific island' and it came up with nothing. Believe me, the people in nanae are smarter than your spammer friends, and they would have found them by now.

I'm sure that all of the spam you're getting are from legitimate S-Corporations with nice large offices in Silicon Valley that have PR people with who you can register complaints.

That's a pretty big assumption you're making about spam, and it's not correct. Check out spamhaus.org for a more accurate picture of where spam comes from - Beaverhome / Monsterhut is a good example of a downright evil company. Fact is, a lot of spam comes from unscrupulous companies and people right here in the US, who could be shut down with the right laws. Even this slashdot story, is about Kozmo.com getting sued for spam.

You can't legislate against stupidity

[cheekymonkey_68]

Read up on Bernard Shifman

I know hes been featured here on slashdot, but Shifman just goes to prove you can't legislate against stupidity

Since congress likes free speech so much...

Start forwarding all the spam to Congress.

How to find out who sends those

[TheMCP]

Are there any ways to find out who sends these out without incurring a large expense?

Sure. Dial the number, say you're interested, and ask for their address so you "can mail them a check." It won't work every time, but in a lot of cases if they think they've got a sucker on the line they'll tell you where to send money.

Anyway I'm sure the state attorney general's office can make the phone company cough up an address where the bill for that number is sent, if you get them interested.

Remember that if the address is a PO box, the post office has the physical address of the boxholder.

Re:How to find out who sends those

Careful. I'd expect spammers to use disguised 900 numbers, to rake in even more money from morons.

Re:The Solution: email protocol that stops spoofin

[filtersweep]

I know what you are saying- the point I am making is that "the alleged source" of the spam would simply end up being a "legitimate" server with a legitimate return address... that the alleged sender would indeed exist. Spammers would merely have to change their tactics.

I appreciate everything you are saying, and it makes perfect sense. However, it is easy enough to set up a fly-by-night server, dump a boatload of spam that directs people to yet another third party site, be shut down for violating TOS, and set up another operation through another ISP. I don't think spammers would have any issue with revealing their IP address for purposes of spamming. The site that they direct users to for purposes of their business is already revealed- although the lowbrow spam is just as often on a geocities page as it is a registered site. I've reported a few violations like this to Yahoo just to see how long it takes to respond- and it can take weeks! The oddest thing this they could use their own technology to notice there are a bunch of spam sites sitting on THEIR own servers that are requesting credit card info, etc. (But these sites obviously are not even using their own IP addresses, etc...)

Non-domestic cases

[jasamaman]

What about countries without governments? What if someone spams from overseas? Or from a country with other problems on it's hands like Somalia, or Iraq? There isn't a way to punish them legally.

Try the police and the attorney general.

[TheMCP]

Try calling your state's attorney general's office and explaining the situation to them. Sometimes they can be surprisingly helpful, particularly if you can do a good job of explaining yourself (like pointing out repeatedly that they're doing this *incredibly* *loathesome* thing in *your* *name* and that it's just *destroying* the good name of your business) and can come off as genuinely hurt and confused.

If you got any threatening complaints about the spam, you could bring those up too, and claim that you fear for your life because of what this person is doing in your name.

The police might be willing to help, too.

You have public law enforcement resources. Use them. It's not just the RIAA and MPAA that have a right to call in the cops. You do too. Go for it. If THEY catch the spammer, and prosecute them for identity theft, defaming you, or whatever, the spammer will be in for a lot worse than having their relay shut down.

Re:Try the police and the attorney general.

[Lord+Azrael]

unfortunately i am living in Germany and with a US Fax Number involved which might be a call redirection to some other state i fear i do not have many chances to shut that down. FTV.GOV has not answered after two weeks now, which agency could be in charge then?

Re:Try the police and the attorney general.

[TheMCP]

Under the circumstances I'd try the US embassy, and the office of the Attorney General of the state that the phone number is in. (You can determine that by the area code as long as it's not a toll-free number.)

Your local police may still be willing to get involved, and may be willing to deal with the US authorities for you.

Making spammers pay

[Alien54]

I'm a student cryptographer and I'm working on a system which will provide authentication [signatures], privacy [via encryption] and at the same time make spam less feasible [you can do it but its easier to filter out].

The main thing I see is that the best idea is to somehow transfer costs back to the spammer. So an idea that forces the spamming computer to use up resources is fine.

similarly, a solution that causes you to spend time implementing more technical solutions is costing you time, and probably money.

bottom line: Make the spammer pay.

In my original example, the smtp could also be set to have several levels of trust, with corresponding levels of computional feedback for the sender.

Re:Making spammers pay

[Cramer]

• bottom line: Make the spammer pay

That's what the laws are supposed to support. The problem is, very few sue and even fewer ever pay. The only provable solution is death. (The dead do not send spam. [Lexx pun intended])

• an idea that forces the spamming computer to use up resources is fine

Except, of course, that the spammer's computer does next to nothing in the process of sending millions of emails. I'm on a 64k ISDN line and I can send email to 100k people in a matter of minutes. 100% of the work in sending the email is done by some one else's computer. That is what makes spam such a fucking problem. It doesn't cost the sender anything, but cost the rest of the world a great deal.

Re:Making spammers pay

[mpe]

The main thing I see is that the best idea is to somehow transfer costs back to the spammer. So an idea that forces the spamming computer to use up resources is fine.

Simple solution a) no third party relaying, simple solution b) if a certain IP is only performing DNS lookups and SMTP connections randomly drop packets.
Both of these are solutions individual ISP's can apply to prevent their usage for sending spam which do not require rewriting existing protocols.

Re:Making spammers pay

[mpe]

Except, of course, that the spammer's computer does next to nothing in the process of sending millions of emails. I'm on a 64k ISDN line and I can send email to 100k people in a matter of minutes. 100% of the work in sending the email is done by some one else's computer. That is what makes spam such a fucking problem. It doesn't cost the sender anything, but cost the rest of the world a great deal.

However if it was less easy to use someone elses computer then it wouldn't be anywhere near so easy. If your ISP didn't provide a third party relay machine then in order to use someone elses machine you'd have to find an open relay machine. But there arn't too many of these and other people are looking for them with the intent of getting their admin to fix them or getting them listed in a firewall, etc..

That's not the hacker spirit!

[GekkePrutser]

Legal enforcing laws instead of finding a technical solution that makes spoofing SMTP impossible in the first case? You should know better than that!

Correct Arachne link...

[reynaert]

Correct Arachne link

*sigh* too tired too post...

Long way to go, eunuchs!

[Drashcan]

legally punishable by castration

Long way to go, eunuchs!

It has to be said.. sorry...

[Viceice]

That'll make them think twice before they pull another /Bernie/ /Shifman/ !

Your ICQ settings can solve this INSTANTLY...

Go into your security and privacy settings, and make sure you do not accept:

(a) multi-recipient messages from people not on your contact list
(b) WWPager messages
(c) messages from people not on your contact list
(d) require other users to get your authorization before they add you to their contact lists.

ICQ spam will disappear completely. And, uh, oh yeah...don't forget to use Trillian (www.trillian.cc), it's smaller and faster than ICQ...

Re:Your ICQ settings can solve this INSTANTLY...

Read the post, dude

Believe what a SPAMMER says!

[www.sorehands.com]

Oh yes, all SPAMMERs tell the truth.

I like the bit of, "This is not SPAM in accordance with pending bill...

"I am a canadian attorney and this is legal according to US postal laws...".

Full text of Cerasale interview

[TekPolitik]

"If you ban me from this type of medium, you have severely limited my ability to enter into the marketplace," said Jerry Cerasale of the Direct Marketing Association.

This is revealing, however the real text of the interview is more so:

Interviewer: I'm calling regarding Congressional action on spam.

Jerry Cerasale: If you ban me from this type of medium, you have severely limited my ability to enter into the marketplace.

I: But surely with all the ads for porn, casinos and viagra substitutes that you'd be competing with, it's not going to be of any use to you anyway.

JC: You're not listening. I said if you ban me from entering the marketplace. You can ban everybody else.

I: So you're saying you want to ban everybody except Jerry Cerasale from using spam?

JC: No, I want to ban unethical marketers from using spam.

I: How do you define unethical marketers?

JC: They're the ones that forge stuff and won't honor remove requests.

I: So won't they just start following that law and you'll still have the volume problem?

JC: No, because they're unethical marketers.

I: So who are the ethical marketers

JC: They're the DMA members

I: So if the unethical marketers join the DMA do they become ethical marketers?

JC: Of course.

I: Even if they still forge and don't honor remove requests?

JC: Yes. If they join the DMA, then what they are doing is ethical marketing.

I: Surely all the spammers will just join the DMA then and they can all spam.

JC: That's OK.

I: But then won't email be useless for everybody because of the volume? After all, there's got to be hundred of millions of potential marketers out there who might want to use it.

JC: Yes.

I: So you're opposed to laws that will make spam unusable for marketing?

JC: Yes.

I: But you realise that if the laws aren't passed, spam will be unusable for anything.

JC: Yes.

I: Including marketing.

JC: Yes.

I: So really your opposition to laws banning spam achieves nothing to protect it for marketing, and just succeeds in destroying it for everybody.

JC: That's right - if me and my DMA buddie's can't use it for our purposes, then nobody can use it for any purposes.

I: Isn't that a little childish.

JC: Well since they won't play by my rules I would take by bat and ball and go home, but I don't own the bat or the ball, so the only way I can stop them from playing is by destroying the bat and the ball.

I: Mr Cerasale, thank-you for your time.

JC: My pleasure.

False Advertising

Why cannot the false advertising laws be used against spammers - False subjects, false return addresses...?

taiwan

[blisspix]

i just want to know how to get rid of taiwanese spam that crashes my computer when it tries to download.

i'm using spamcop but it just keeps mutating and multiplying.

...Bernie Shifman

man bernie is screwed. I wonder if the gonvernment will be as patient as neil when trying to impart a clue on spammers

NOT the solution

[Technodummy]

The biggest problem with spam is the increased traffic load.

The spammers are the problem, not the spamees.

It's AMAZING!

[freaker_TuC]

These subjects almost temp me to watch home-shopping, it's Amazing!

Only tv-home-shoppingdo have products that work (sometimes) ...

I would never buy anything that would be sent thru e-mail; why are they still bugging me with more than 30 messages a day? Harvested from my sites and company information ...

I would also never buy anything via banners ... why do I still get them almost the size of my screen? ...

I like to choose what I receive on my screen and not "swallow or chuckle"... Banners is not that annoying though the Real Spam(tm) is annoying as hell.

I cannot trust my mailbox anymore if somebody important mails me or somebody who has "Extremely good news" for me so I can take a loan I can't take (US spam to Belgian citizen) or how to enlarge my breasts (while being male!).

It's all about the whole 9yards ...

[freaker_TuC]

... or inches in this case :)

Seems to be popular though since spammers are still spending money for their advertising lists and are giving money to earn money...

(on a not-so-good way)

Sendmail is easier than that ...

[freaker_TuC]

... Just be sure to

• always include the IP where it came from;
• relay's can only relay their own subnets and
  
• block users that are not majordomo and do send 10.000 mails / second with the same email address or message body.
  

That should already clear up a-lot!

Something else (what I have not found yet) that can be used is a system:

• John Doe sends e-mail,
  
  • He is on my whitelist
    
  • -> Send email to my email box
    
  
  
  • He is on my blacklist
    
  • -> Send a reject mail or do nothing (according type of rejection on the list)
    
  
  
  • He is not on my list yet
    
  • -> Send mail where reply is needed (reply code in subject, body and header)
    
  • -> If code is received the email address gets on the white list or authorized list
    
  • -> If the code is not received delete mail or put as "SPAM" or unverified mail.
    
  
  
• That could also solve problems .. if anyone knows a opensource application for that :x)
  

DOS

There comes a time when negotiations fail, and you must DOS. I doubt you wnat to do so since you made a spectacle of yourself with the complaints, so who else with me? I hate this smallpoxteam.com MF more than you. He has 8,100 "orders" I just sent. Remember to proxy and randomize, I am sure he rejects duplicate IPs/text.
BTW, that EMpire Towers asshole
http://www.ca1.waredet.net.co.fr|https.travel .bzah.com/
is really
http://www.cell.tb.net.co.fr.https.dial3.goopt.c om /
(never mind the fake "animation history" homepage it shows when you come in with the unencrypted URL).

Logbust his ass with http://www.cell.tb.net.co.fr.https.dial3.goopt.com /?NNNNNNNNNNNNNNNNNNNNNNN [29,750 more n's]

Re:DOS

[robogun]

Dude,
If everyone did that, the internet would grind to a fucking halt.

Forward SPAM to spammers

[Pedrito]

I get a lot of SPAM, it came all of a sudden and hasn't let up and the jerks won't take me off their list (okay, I was a little optimistic). So, I took the time to find the email addresses of the spammers (from their own web sites, from WHOIS, etc), and I simply add them to my "SPAM" filter which then sends a copy of each piece of SPAM I get to all of these addresses.

Will this fix the problem? No. Am I adding to the bandwidth waste, yeah. Sorry, but it was the best solution I could come up with.

One of the biggest offenders is a company in San Francisco. I live in Virginia and thought I'd try to sue them under VA law. The problem is collecting on an out-of-state spammer is difficult. So, I spoke to my cousin who is a lawyer in San Francisco and asked him if I could sue them under CA. law. For one thing, CA. allows for 5 times the compensation per e-mail than VA, which was very appealing. Unfortunately he said it probably wouldn't apply to an out-of-state recpient of the SPAM.

So, really, the only way to get rid of it in the States is to make a national law that's tough and easy to enforce. Otherwise, do what I do, pester them.

Re:At least this spam story is better than the las

[Cramer]

Actually, SPAM(tm) is rather expensive stuff. Might I suggest the cheaper (and much less tasty Treet(tm) meat-like product.)

PS: Seeing all the "smokers" eating cans of "Smeat" was the funniest part of WaterWorld.

PPS: A can of SPAM(tm) was seen on an episode of Outward Bound (in the rocky mtns) a few weeks ago. They didn't actually show the logo, but I know what SPAM(tm) looks like.

Not peer to peer

[robogun]

The difference is, in peer to peer, people WANT to be in touch with each other. Who the hell wants to hear from a spammer? When sharing (you DO share and not leech, right?), don't you check the guy downloading off of you to see if he's a leech? and then punt him if he is? That's an example of unwanted peer to peer.

Polish porn sites are useful for revenge

[robogun]

It originates from a spammer in Poland. You probably opened the email as HTML. If you look at the source, you will see all the graphics have your email address in them eg http://www.incestsex.con/?from=you@work-email.con
Once he has your address, its like herpes, you'll never get rid of him. Enjoy all the spam you will be getting from him in the future.
HOWEVER, if there is someone you hate, (for instance, a spammer), type his name instead of yours after the URL to one of these sites. Come to think of, DON'T -- a spammer probably would like HOT LOLITA SEX.COM

Re:Polish porn sites are useful for revenge

[Lord+Azrael]

HOWEVER, if there is someone you hate, (for instance, a spammer), type his name instead of yours after the URL to one of these sites

yeah and his email adress will probably be forged anyway and you will bother another innocent user

Re:PALESTINIANS KILL CHILDREN

I hope the Israelis would start their biological war against the arabs already! They're trying to find DNA sequences unique for arabs and target these with viral agents. Hopefully, the disease the Israelis choose will take a few years to kill all the arabs, so that the arabs have time to annihilate as many kikes as possible before the Earth is rid of both those pests.

Relatively inexpensive technical solution

[jdoeii]

First, legislation is a good step, but it will not stop spam. Because the net is really world-wide. No US law is going to stop spam from Korea or Moldova.

Second, about 25% of spam I get is from first-time spamers. Every day some idiot salesman invents this new cool way of advertising. He might quite sincerely not understand the difference between direct mail and spam. He will learn eventually, but we would get spam anyways.

The real solution is to charge sender for sending mail. E-money won't work in the near future - there is no infrastructure for it. Instead, the mail recepient should bill his own ISP for every piece of mail. The per piece price cannot exceed a certain amount (let's say $1 or $5 or even $0.15). The ISP charges the sender's ISP for the cost and processing fee. The sender ISP passes the cost to the sender.

The infrastructure could be built the same way as HTTPS. If an ISP wants to participate, it gets a certificate from a root authority, sets a server for "SMTPS" and for billing. The SMTPS session is signed. There could be some price negotiation between SMTPS servers too. SMTPS would have to be properly amended.

This would be very similar to peering agreements between ISPs. The system could get started if 3-4 large digital carriers agreed on the standard. Others could join later.

Spam-Label Laws Haven't Worked Yet

[billstewart]

Several states have spam-labeling laws, which requires Subject: line tags like "ADV:" on any spam sent to or by residents of their states, and require spammers to maintain "Don't Send Me More Spam" lists and not send more spam to complainers. Yeah, right, like that's cut down on the spam I've received by 1%.

The only thing that it's accomplished was a brief round of spammers adding tag lines that said "This message isn't spam because I've complied with the labeling laws. The proposed Senate Bill S.1618 was a more popular excuse for that, so it was a useful pattern to feed spam filters in mail messages.

They've also popularized remove-me lists which confirm your address's validity: "We're happy to remove you from our 'Get Rich Starting January 1' mailing list and hope our 'Get Rich Starting January 2' and 'Get Viagra Starting January 3' lists will serve you better!".

"National boundaries are just speedbumps on the information superhighway." US State boundaries are even more so - unlike US telephone numbers, which give a somewhat strong hint about where a recipient's fax or voice phone is, or snail mail addresses, there's usually no way to determine where the recipient lives, so no way to determine whether any anti-spam or anti-birth-control-information or anti-religious-content or anti-political-incorrectness laws apply to the recipient (or their email server), so US senders of spam can argue lack of scienter in any legal cases. But spammers can just move offshore. Or they can pretend to move offshore (either buy service outside the US, or abuse open relays offshore) and be hard to trace, or they can set up corporations in a large number of non-US jurisdictions, and have the corporation be responsible for the spam, or for that matter set up cheap disposable US corporations that are sending the spam that can go bankrupt in case anybody successfully catches and busts them.

They're scum, but we need to find other ways to stop them. (And unfortunately, anti-spam and anti-cracking laws do make it tough to mailbomb the suckers or eliminate them directly....)

Re:Spam-Label Laws Haven't Worked Yet

[mpe]

unlike US telephone numbers, which give a somewhat strong hint about where a recipient's fax or voice phone is, or snail mail addresses, there's usually no way to determine where the recipient lives, so no way to determine whether any anti-spam or anti-birth-control-information or anti-religious-content or anti-political-incorrectness laws apply to the recipient (or their email server), so US senders of spam can argue lack of scienter in any legal cases.

This simply the side effect of operators in the US choosing not to use geographic domain names.

But spammers can just move offshore. Or they can pretend to move offshore (either buy service outside the US, or abuse open relays offshore) and be hard to trace, or they can set up corporations in a large number of non-US jurisdictions,

Courts in the US routinely ignore the concept of the case being outside the jurisdiction of the US. US law enforcement is quite happy to chase over to Norway , because the MPAA is upset. The US has frequently held citizens of other nations (including those it is supposedly "friendly" towards) in violation of a huge number of treaties.
It's probably more a case of since spammers don't upset the "elite" (either corporate or aristocracy) too much the US government has no interest in persuing them. They most definitly have the means.

Re:Spam-Label Laws Haven't Worked Yet

[Steve+B]

unfortunately, anti-spam and anti-cracking laws do make it tough to mailbomb the suckers

The best anti-spam law would be the application of the old-fashioned doctrine of outlawry -- i.e. once someone is proven to be a spammer, then he stands outside the protection of the laws pertaining to computer crime, and may be cracked, DOSsed, etc. with impunity.

Class action lawsuits

[MillionthMonkey]

I think companies like MSN/Microsoft/Hotmail, yahoo, excite and @home should be doing the suing.

Well, maybe, perhaps not. Companies will sue if it's in their interest. If their network becomes good enough to handle the congestion from spam, and the amount of spam doesn't vary too much as a customer moves from ISP to ISP, it's conceivable that the providers might begin to view spam as the customer's problem (as they pretty much do now). And even if they do start suing- who benefits from that directly? Besides the obvious value as a deterrent to spammers, there isn't much justice being done if the plaintiffs are all going to be large ISPs. The parties most damaged by spam are the end users and especially the smaller ISPs.

I always thought class action lawsuits by the actual recipients of spam are the most logical way to counter spam if the approach is going to be via the courts. After all, have you ever received a single, individual spam that's caused you to consider taking the case to court against that particular spammer, with lawyers and court costs and all that hassle? With a judge that might ask "well why didn't you just hit delete?" And getting that single spam email message isn't really what you're suing over. It's the degradation of your daily routine, the tedium of having to delete a hundred emails a day year in and year out, the loss of almost a day of your life per year deleting countless messages about herbal Viagara and credit repair software and diplomas from prestigious non-accredited universities and hair loss and government grants info packages and an EZ way to consolidate debt and reducing all payments by 60% and frisky teens. Going to court over a single spam seems to miss the point. And it's expensive and inconvenient to sue as an individual, so a spammer might very well recognize that his individual spam probably isn't going to elicit a lawsuit if it isn't outrageous enough for a spammed plaintiff to choose as THE spam (out of the 10000 in his box) that he's going to go to court over. In fact, people tend to sue when the spam particularly offends them (e.g. when it talks about sex with minors, or has nude photos in it and is received by a minor). Unless things proceed to the point where every spam message sent out results in a lawsuit, a spammer that keeps his emails polite and sticks ADV in the header is pretty much safe from being sued. So you don't even get much of a deterrent effect.

Unless we switch to using class action suits, which don't have these problems if someone with the resources starts consistently nailing all spammers with them. It's much easier than taking a case to court yourself. Someone is doing the suing for you and you get to hang on like a million other freeloaders and enjoy the fruits of your class action. I almost wouldn't mind getting spam if I knew there was a chance that I could stick it to the spammer for a few cents along with thousands of other people. If I even got a fraction of a penny on average per message, we could still be talking about some serious money. And it certainly wouldn't be too hard to set up. In fact (if this were 1999) you could probably build a dot-com out of it somehow, to coordinate the spam submissions, identify plaintiffs and defendants, litigate in court, hire collections agencies, and process the payments back to all plaintiffs. That's more of a business plan than many dot-coms had. I think that if there weren't so many jurisdictional problems with the idea in general (and if there were more spam laws) someone would try this.

I mean now I think that Microsoft has something to do with bestiality. How do I know that it wasn't really from them??

Strictly speaking, even if it turns out the email wasn't from Microsoft, it still doesn't prove that Microsoft has nothing to do with bestiality.

Joke

[Legion303]

Here's the joke:

"If you ban me from this type of medium, you have severely limited my ability to enter into the marketplace," said Jerry Cerasale of the Direct Marketing Association.

Here's the punchline:

Jerry Cerasale
Direct Marketing Association
Washington Office
1111 19th St NW
Washington, DC 20036
UNITED STATES
phone: (202)955-5030
fax: (202)955-0085
web: http://www.the-dma.org

Contact List by Subject
Accounts Payable
webmaster@the-dma.org 212.768.7277, ext. 1353
Advertising - Print
webmaster@the-dma.org 212.768.7277, ext. 1423
Advertising - Web Site
kebeling@the-dma.org 212.768.7277, ext. 1554
Awards - ECHO
echo@the-dma.org 212.768.7277, ext. 1397
Benefits Program
twalsh@the-dma.org 212.768.7277, ext. 1423
DMA Store - Books & More
lrc@the-dma.org 212.768.7277, ext. 1930
Chapters
chapters@the-dma.org 212.768.7277
Conference Registration
customerservice@the-dma.org 212.768.7277, ext. 1500
Conference Programming
conference@the-dma.org 212.768.7277, ext. 1513
Conference Exhibitors
conference@the-dma.org 212.768.7277, ext. 2469
Conference Speakers
conference@the-dma.org 212.768.7277, ext. 1528
Consumer Assistance
consumer@the-dma.org 212.790.1488
Councils
councils@the-dma.org 212.768.7277
Council Membership
councils@the-dma.org 212.768.7277
Council Events
councils@the-dma.org 212.768.7277
DMA Interactive
webmaster@the-dma.org 212.768.7277, ext.1629
Direct Connect
councils@the-dma.org 212.768.7277, ext. 1575
directvoice
mmicali@the-dma.org 212.768.7277, ext. 2422
Direct Marketing Educational Foundation
dmef@the-dma.org 212.768.7277, ext. 1817
The DMA Government Affairs Online Member Outreach Program
Governme@the-dma.org 212.768.7277, ext. 2405
Government Affairs
Governme@the-dma.org 212.768.7277, ext. 2405
Human Resources
hr@the-dma.org 212.768.7277, ext. 1338
International Services
Internat@the-dma.org 212.768.7277, ext. 1786
Library
lrc@the-dma.org 212.768.7277, ext. 1930
Membership - Joining DMA
membership@the-dma.org 212.768.7277, ext. 1155
Membership - Renewal
membership@the-dma.org 212.768.7277, ext. 1155
Seminar Information
customerservice@the-dma.org 212.768.7277, ext. 1500
Seminar Registration
customerservice@the-dma.org 212.768.7277, ext. 1500
President's Office
Presiden@the-dma.org 212.768.7277, ext. 1604
Press Contact
Privacy
privacy@the-dma.org 212.768.7277, ext. 2408
Research
lrc@the-dma.org 212.768.7277, ext. 1637
Sweepstakes
Sweep@the-dma.org 212.768.7277, ext. 2475
Washington Report
Governme@the-dma.org 212.768.7277, ext. 2418
Web Site
webmaster@the-dma.org 212.768.7277, ext. 1629

Since he considers spam a legitimate business practice, make sure you forward all your "HOT WET PUSSY!" emails to him so he doesn't miss out on any great deals.

-Legion

Re:Joke

[catman]

Well - forwarding spam there would be fighting abuse with abuse. Not good. But surely I can add those addresses inside HTML comments on my web page? Nobody but spam spiders will ever see them.
Pretty soon they will be on the "gazillions" CDs ..

Lawsuits *will* be effective

[jestapher]

A single lawsuit won't do anything to stop spam, but once fifty or one hundred people start suing, it will get too expensive for many spammers. In Washington State, we've nearly a dozen folks filing lawsuits, some of them going for some serious amounts -- to the tune of tens or hundreds of thousands of dollars.

If you've got spam with a phone number or ordering address in it, you can (usually) track it down to a specific company or person. If it's only got a URL, like those mortgage spams, Washington litigants are filling out the contact forms on the site, then going after the mortgage company that contacts them. When these mortgage companies get hit with a lawsuit, they either want to settle right quick, or they rat out the spammer they hired. I've been focusing on spam with phone numbers, as I find it relatively easy and fun to track down the company behind the number. It may not always be easy to find the spammer, but it's not rocket science either. Anyone can do it given a little bit of time.

The Seattle Times had a good article on Saturday about the anti-spam law, some folks who've been using it, their wins, and the troubles they've encountered with the court system. The biggest issue in Washington is that court clerks and judges aren't fully educated about procedural issues like whether one can sue an out-of-state defendant or for punitive damages in small claims court. (The answer to both is yes.) It's been pretty frustrating for us "trailblazers," as the judges are saying contradictory and often quite stupid stuff.

Here's some nifty links:

• AboutSpam.com - Bruce Miller's site
• Peacefire anti-spam suits - Bennett Haselton's site
• Smallclaim.info - my site

For a copy of my 24 page zine, Zen and the art of small claims, send some stamps to PO Box 95227, Seattle, WA 98145. You can also just read it online at my site, but any zinester knows that it's just not the same.

What do they eat?

[jabapi]

Do those spammers eat SPAM while in prison?

Just wondering...

My spam is better than your spam!

[brettb]

I recently installed SpamAssassin to filter my mail and throw suspected spam into a separate mail folder. I didn't want to filter out spam completely because I just started using SpamAsassin and wanted to make sure my setup wasn't going to give me too many false positives.
BTW It hasn't yet!

I just recieved the following SPAM I'm posting here for your pleasure.

Spam, about anti-spam software, tagged as spam by SpamAssassin. I love it!

From gdert34@yahoo.com Mon Jan 14 03:16:24 2002
Date: Mon, 14 Jan 2002 00:28:47 -0500
From: gdert34@yahoo.com
To: 69@innocent.com
Subject: *****SPAM***** No More Junk Mail!

SPAM: Start SpamAssassin results
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (14.35 hits, 5 required)
SPAM: Hit! (1.2 points) From: does not include a real name
SPAM: Hit! (1.85 points) From: ends in numbers
SPAM: Hit! (0.5 points) Subject has an exclamation mark
SPAM: Hit! (1.63 points) BODY: Claims you can be removed from the list
SPAM: Hit! (0.6 points) BODY: Contains a line >=199 characters long
SPAM: Hit! (1.34 points) BODY: URL of page called "remove"
SPAM: Hit! (1.2 points) BODY: HTML mail with non-white background
SPAM: Hit! (1.83 points) Contains phrases frequently found in spam
SPAM: [score: 18, hits: another email, click here,]
SPAM: [email from, here learn, never receive, one our,]
SPAM: [receive another, removed from, that you, this]
SPAM: [email, you not, your mail]
SPAM: Hit! (0.7 points) Forged yahoo.com 'Received:' header found
SPAM: Hit! (1 point) Received via a relay in inputs.orbz.org
SPAM: [RBL check: found 129.87.207.216.inputs.orbz.org.]
SPAM: Hit! (2 points) Received via a relay in relays.osirusoft.com
SPAM: [RBL check: found 145.48.4.4.relays.osirusoft.com.]
SPAM: Hit! (0.5 points) Received via a relay in ipwhois.rfc-ignorant.org
SPAM: [RBL check: found 129.87.207.216.ipwhois.rfc-ignorant.org., type: 127.0.0.6]
SPAM:
SPAM: End of SpamAssassin results

BRAND NEW ANTI-SPAM TECHNOLOGY!

Detect & eliminate spam BEFORE it gets to your mail client! Tired of the hundreds of unsolicited commercial email (UCE) infiltrating you mailbox everyday? Now you can do something about it! Seek and Destroy all unwanted junk e-mail at the click of a button, BEFORE it reaches your mailbox!

FEATURES:

Connects to any pop3 server! Eliminates spam BEFORE it reaches your mailbox!
Unlimited Account capability! Add as many e-mail accounts as you desire
User friendly, graphic interface makes spamscanner very easy to use
Scan manually, or let the scanner scan automatically at an auto time interval

GO HERE TO LEARN MORE
http://freehost.0o0o0o0oo0o0o0o0o0o.org/sscanner /i ndex.html?1-cyb

Please Note: No trees were destroyed in the sending of this contaminant free message
We do concede, a signicant number of electrons may have been inconvenienced.

This email was sent to you on behalf of the the coalition for responsible internet marketing. You are receiving this email because you purchased a product from us in the past, or downloaded software from one of our websites and agreed to allow us to send you offers. If you wished to be removed from this mailing, please utilize our automated removal system here. If you request to be removed, we guarantee that you will never receive another email from us, but ONLY through the use of this product can you ensure that you do not receive ANY commercial emails

http://freehost.0o0o0o0oo0o0o0o0o0o.org/remove.htm l

What are you, nuts?

[jcr]

I hate spam as much as the next guy, but this is just complete bullcrap. You are choosing to run sendmail/qmail/exim/postfix on a publically routable IP address (or you are choosing to buy service from someone who does).

Excuse me, but by that logic, there's nothing wrong with me sending you a few hundred gigs an hour on your port 25 until you crash or shut down your mail server.

I have a mailbox outside my house, too: that's not a license for someone to fill it with dog shit or toss a firecracker in it.

-jcr

Well...

[autopr0n]

I read an artical about it somewhere, forgot the offical name. Its not like I'm trying to pose as some kind of 'insider' or something :P

Their bandwidth is crap

so I doubt they are much of a problem yet. It's nearly always US companies that spam me, though I have no interest in viagra teen pyramid schemes.

Why doesn't Cauce.org have any solutions posted?

[Mustang+Matt]

I submitted this to askSlashdot and it's also in my journal entries, but shouldn't cauce.org have some proposed solutions to ending the spam problem? As in, laws that they think would actually work to benefit consumers, or mail server specs that would actually work to stop spam?

Technical solution

[nix0r]

Authentication is perfectly acceptable - it would require a secure protocol and/or some sort of ISP resposbility. Anonymous Mail is simply a mad idea, and unnecessary, and after all, standard SMTP would still be in use anyway.

Re:I INVENTED LINUX!!!!

a pretzel

International spam

[stubob]

Step 1: Forward it to whitehouse.gov and get President Bush to proclaim it an "Attack on the American Way of Life" or something.

Step 2: Get President Bush to fire up some cruise missles and remove said spammer in the name of Homeland Defense. And since most email probably passes through American servers at some point anyone can apply.

I see no downside to this approach.

My personal solution to unsolicited mail...

[NanoGator]

This is an idea that has been bouncing around my head for a while, I hope to implement it some day.

I'm having problems with getting too much unsolicited mail too. The idea I had borrows from something I saw at http://www.godaddy.com when I went to do a whois on my records. Here's the idea:

First, I need a mailserver that will *only* accept incoming emails from a certain domain, the domain of my website. Then I set up my website with a form used to send me email. Then, and this is where I borrow from www.godaddy.com, throw up a random number on the screen using .gif or .jpg images (not text!!!), the user must manually type in that number for the message to be accepted. Then the webserver sends the message to my mailserver. If sombody attempts to send an email to my mailserver and it is from the wrong domain, or it doesn't have the right number, then *flush*.

Is this the perfect solution? Well, no. It kind of puts a block to forwarded mail. (Although if I blocked forwarded mail alltogether I think my mailbox would be a lot less messy...)

It's possible that some day somebody'd come up with a spider that can read the numbers and fake it, but my feeling was that if everybody customized their websites with their own fonts etc, it'd be hard to make a general purpose spider that can spam everybody.

If I ever get a static IP, it's something I intend to try. :)

Websites a good way to avoid spam?

[NanoGator]

I had another idea, it's a little extreme, but I think it's an idea that can be built off of.

I'm a member of a forum that talks about a particular interest of mine. Basically, I log in to a site, and my friends that are online (of that particular interest, obviously I won't find my mom on a CG Art board...) show up and I can message them and check out the recent posts. There is a personal messaging system there so I can send private messages to people. If somebody sends me one, I get a notification on the home page.

Basically, I've obscured the method it takes to get a hold of me. A good chunk of my friends are on that forum, a coupla more are on another forum, and the rest including family are on icq. I've basically weined myself from the need for e-mail. I wouldn't have it at all if sites didn't require it for authorization.

This makes it a lot harder for a spammer to reach me. If every site has a different (and constantly mutating) method of sending messages around, then it's so much harder for spammers to get through.

Whatcha think, sirs?

Kevin DeGraaf - what should I call him?

Kevin DeGraaf spewed this stinking pile of shit:
>I hate spam as much as the next guy, but this is >just complete bullcrap. You are choosing to run >sendmail/qmail/exim/postfix on a publically >routable IP address (or you are choosing to buy >service from someone who does). You can't have
>your cake and eat it too; the second you set up
>(or begin to use) a publically-accessible mail >host, you are accepting mail from anyone, i.e.
>you have a public utility. Don't like it? Use
>tcpwrappers or some other access-control method.
>Even so, email is public. Get off it.

Kevin DeGraaf is turd.

Hey dickwad - yes, you, Kevin DeGraaf - why don't
you post your email address here so that I can
shit in your ever so public inbox.

In a room full of Trolls, there is always one Motherfucker.

- Bitch.

Re:GPL - Intellectual Theft?

Come on moderators, -1 Troll? this should get a +1 Funny! The parent is obviously a troll, but this is a wonderful piece

so many solutions, so much bullshit

[maxpublic]

Just keep heaping it on...

Laws won't work. Not now, not ever. There's no way in hell you're going to get all 300+ countries in the world to agree - and enforce - anti-spam laws. Many of these countries don't give a rat's ass if you've got a hardon about spam and will tell you to go fuck yourselves if you try to impose foreign law upon them. As is their right.

Your politicians will never use extreme measures to try to get anti-spam laws. No one will ever go to war over spam, or enforce an embargo of any kind. Spam just isn't that important.

Authentication of email, for those who haven't thought it through, allows dictatorial governments to more easily track dissidents. Especially in harsh regimes that tend to put a bullet in a dissident's head. Yeah, real bright solution, authentication is. Of course, those of us in the First World, excepting the U.S. which continues to rocket towards hell in a handbasket, generally don't have to worry about being shot by pissed off government types, so fuck the rest of the world, eh?

Deal with it, like we always have. Complain. Block spammers. Subscribe to blacklists. Find something more important to get your panties in a wad about.

Max

Make spammers pay

[walter.]

Go to www.overture.com, enter "bulk email" and click on some of the links.

Laws. Not tricks.

[eremos]

There's a sig on /. that says "The price of freedom is eternal vigilance" (or something like that). I think it ties in nicely here.

While I agree that we need some form of authentication, we shouldn't need to make it hard to spam.

What we need to do is take away the incentive to spam. ie. clear laws and punishment. Even a way for consumers to effortlessly charge spammers (and their beneficiaries!) for the spam they receive should do.

Because face it, once people know that they can report them and get money for it, they will.

How about....

[Grog6]

....a technological solution along the lines of:
"You have selected to use sendmail. Please insert your Testicles (privates) into the Spam-Feedback(TM)device to proceed..."
"You are sending 5000 pieces of mail to 5000 recicients, and has one of the known spam subject lines. Your testicles will be kept until the authorities arrive. Have a nice day."

Now if we could just pass a law that ALL computers everywhere had to have these kind of feedback devices, spam would be a thing of the past!

The cost of spam are probably higher than the costs of copyright infringement, so lets write our congressional staff!!

I'm sueing a spammer.

I increased my ejaculation 581% and my girlfriend almost drowned.

There should have been a drowning warning on the box.