Spam Increases Make Things Tough For Companies

dosten sent us a link to a story running on Cnet about the spam epidemic. My favorite stat is that by 2006, we'll be getting 1400 spam a year. Of course, I already get that every week. Talks about foreign spam relays, block lists, and so on. Decent piece explaining a huge problem that's only getting worse.

Growth, Growth, Growth....

[mlknowle]

The 1400 number is a bit sketchy; I think to assume that SPAM will continue to grow at a current rate for four years is more than a bit unreasonable.

On the contrary, I think one of two things will happen:

1. SPAM will explode long before 2006 - the number of messages will grow to such an extent that a political solution will become unavoidable. In effect, the SPAMers will SPAM themselves out of existence - but not without paralyzing the net for some time.

2. SPAM click rates will continue to fall, and bandwidth costs will soar, so eventually the point will be reached that most SPAM will no longer be viable economically- this may be some time away, but I think it is certainly a possibility.

Even if costs increase, something tells me that 1) is far more likely to occur than 2)..... But the most likely thing to happen will be that I move to a address-book-only-accepted mailbox setup... Sigh.....

Re:Growth, Growth, Growth....

[Wire+Tap]

The 1400 number is a bit sketchy

Excuse me? Are you living under a rock? Every day I receive something like 30-40 spams. So, that totals to: 35 (mid-range) * 365 = 12775 spams in a year. I'm not kidding. I get junked down with so much spam I have a hard time finding messages that are NOT spam in my mailbox. Is this a problem? You bet your ass. Have I done anything about it? Yep. I spent about a month forwarding headers to abuse addresses, but did that help? no! What it did was cost me time. Lots of time. About an hour every day, devoted to nothing but bothering with spam.

I don't want that shit in my email box. I didn't ask for it (I _NEVER_ use that email address for registrations) - it just seems to come to me. Personally, I want all those companies shut down, and hard. They should be fined like crazy. Ever hear of an effulent fee? That's what should be proposed. They are wasting bandwidth, time, money, electricity, everything.

It's a big problem. I don't know what cloud you are on, but come back to Earth.

1,400 per YEAR

[NickPest]

Internet researcher Jupiter Media Metrix estimates that consumers will receive about 206 billion junk e-mailings in 2006--an average of 1,400 per person, compared with about 700 per person this year.

Still, that's only about 4/day which seems very conservative to me.

Overblown article

[binarybits]

As others have pointed out, this is 1400 a year, not per day. Malda needs to learn to read.

Secondly, I find the figure of $1 per spam to be kind of ludicrous. It takes me about 5 seconds to recognize a piece of mail is spam and delete it. 5 seconds of my time isn't worth $1. And the 10k it took the mail server to store the message and fraction of a penny in bandwidth aren't worth a dollar either.

If corporate anti-spam offices are costing that much, then they're wasting their money. Let employees delete their own spam messages. It's really not that hard. It wastes maybe 5 minutes per week of my time. Is it annoying? Absolutely. Is it an "epidemic"? I don't think so.

I hate spam as much as the next guy, but a sense of perspective is important. The technology to filter spam is rapidly advancing, and ISP's often *do* respond to complaints. Once Asia gets with the program, I'd expect this problem to subside somewhat.

Re:Overblown article

[telbij]

First of all, I think you are right that simply deleting spam is not all that difficult or expensive. But in practice there are many more costly effects spam can have that can drive up the average cost ($1 is still pretty high though):

• Employees may actually waste time clicking on spam links
• High-bandwidth graphical spam can bring slow computers and connections to their knees
• Spam can obfuscate legitimate emails, causing them to be deleted by accident in a flurry of spam deletions
• I've experienced crashes that may have been caused by the huge volume of email, or the piss-poor HTML code, but definitely had to do with spam. Data loss is unquantifiable.

All in all, I think having an administrator try to filter out spam before it gets to the 45,000 employees is a good idea. I mean, if a spam targets only 20,000 employees, they will still have to spend the 5*20,000 seconds to collectively delete the single spam that an admin could take care of at the root (also saving bandwidth and storage space). Throw in the issues of employees working with slow computers and slow connections and I can definitely see a full-time spam admin.

Re:Overblown article

[alexburke]

this is 1400 a year

Right.

Secondly, I find the figure of $1 per spam to be kind of ludicrous. It takes me about 5 seconds to recognize a piece of mail is spam and delete it. 5 seconds of my time isn't worth $1.

Oh boy. Here we go! [breaks out calculator]

5 x 1400 = 7000 / 60 = 116.67 = just under TWO HOURS of your time. Is this worth $1? Or more, perhaps?

And the 10k it took the mail server to store the message and fraction of a penny in bandwidth aren't worth a dollar either.

10 x 1400 = 14000 / 1024 = 13.67MB.

And that's just for you.

Assuming the ISP has 10,000 customers, that's almost 375 MB (13.67 x 10000 / 365) the ISP has to reserve on their mail server JUST FOR SPAM, PER DAY.

Obviously, that assumes every user checks their mail once per day, no more, no less, and everyone gets 1,400 spam/year at 10k each. Since you made the same assumptions, I did as well to keep the numbers the same.

So, is 375MB per day per 10k users worth $1? Or more, perhaps?

Malda needs to learn to read.

We know Rob's English isn't the best. What you've done is handily demonstrate that apparently your math isn't, either...

My first spamless day in years was today.

[Apuleius]

(Disclaimer: not directly relevant, but I thought I'd share.) My email address is scannable from Usenet posts made when I was young and foolish, so there is no hope of it not being available to spammers. But, since using Spamcop, my spam levels decreased, and today at 9 AM MST, for the first time in years I checked my mail and it was spam free. I'm starting to suspect that spammers now keep lists of email addresses of people who are vigilant in reporting spam, and deleting them from their lists. (My hope is, that the CDs in which my email address resides, are now considered "no good," not just my address.) So, there is hope.

Use Disposable Addresses

[Coward+Anonymous]

The easiest way to avoid most spam is to use disposable email addresses - open an account with Hotmail or Yahoo, etc. and use that as your "sign-up"/"service" email. Use your personal/work email just for that - work and personal correspondence. I rarely, if ever, get spam in my personal accounts.

The effect will hopefully be twofold:
1. You don't get spam where you don't want it.
2. Choke Hotmail & Yahoo with spam, turning it into a corporate nuisance. Then they might move to actually blocking it - say by blacklisting mail servers. After all, there's nothing like a little corporate sponsorship to get the job done in the U.S.

It's hard not to notice

[kindbud]

As the anti-spam vigilantes have become more shrill, more dogmatic, more draconian, and have moved into causing "collateral damage" to sites whose only crime is being neighbors of a spam sewer, the spam continues to increase.

I submit that DNSBL and public blacklists are a failure. They have not done anything substantial to stem the tide of junk email, as this article shows.

In fact, from what I can tell, the spammers use the various DNSBL, especially the ones that list open relays, in order to locate their next set of victim relays. They could not care less that a relative handful of fanatics who use the DNSBL as intended will not be seeing their message. In fact, they are probably happy to ensure that their message will not be seen by those who are most likely to report them and try to get their activities shut down.

1400?

[wizarddc]

That's not a lot, by a friggin longshot. I know Taco is in a unique situation, where people would put him on a list for paybacks or vendettas or whatever form of agression they are taking for not having their story accepted. Me, in a position where I really, really try to keep spam out of my inbox by only giving it to places I deem worthy, and removing myself from lists where I believe that will do me any good, I still get about 15 a day. Filtering out 90% helps, which might make it to 1400 spams a year that reach my inbox. But whoever is doing this study must really know how to repevent the uncolicited crap away If 4 a day is too much for them to handle.

Why not just re-invent the wheel?

[jeremy+f]

Back when e-mail was invented, say, in 1623 (I'm too lazy to do actual research), people used it as a basis of instant communication between two or more parties.

(Some people used it as a basis of communication between only one party; however, these people were usually either the types who needed to write themselves little sticky notes, or they had disassociative identity disorder.)

Considering how small the 'Internet' was back during the days of the first e-mail (I use quotes because, again, I've not done my research; and I'm uncertain whether e-mail or the 'net itself came first), e-mail was developed with a very open set of rules:

I create a server.

I set up a few accounts.

I open a port to allow for e-mails to be sent to me.

People connect to my computer, write me a message, and then magically disappear.

In time, relaying was invented, and was implemented such that the existing mail servers could be used as relay points -- I send an e-mail from my computer, it gets bounced around until it reaches its recipient.

Thus, the entire idea of e-mail.

I hate to say it, but... This world of e-mail is greatly polluted. I'm not talking about Gulf of Mexico polluted -- this is pre-1972 Lake Erie polluted.

So... Why not re-invent the wheel? We've been so concerned with building filtering applications, and layers upon layers over the basic SNMP protocol that we've forgotten that no matter how many bridges we build, we're still going to be able to look down and see the same polluted water.

With this in mind, I call for a new type of e-mail service to be offered by various providers. One that explicitly denies old protocol e-mails. Something akin to Internet2, but for the public masses. Built-in encryption, a prerequisite (as well as several mechanisms) to determine that not only is the sender valid, but the router its sent from is uncompromised.

While this won't solve all the problems associated with spam, it'll certainly alleviate them. With a protocol designed from the ground up to disallow things such as anonymous e-mails or misrepresented e-mail addresses; as well as several other measures which would make for not only for a secure, but unpolluted e-mail atmosphere, we can abandon the current system which has become so polluted with the waste, filth, and garbage known as 'spam'.

Thank you.

Come on!

[w.p.richardson]

2. SPAM click rates will continue to fall, and bandwidth costs will soar, so eventually the point will be reached that most SPAM will no longer be viable economically- this may be some time away, but I think it is certainly a possibility.

No way this will ever happen! Ever hear of junk mail (not spam email, real paper junk mail)? Has it become unviable? No. As a matter of fact, it is the most effective form of advertising. As more and more people worldwide use email, targeted spam will become as effective as the direct mail is now.

The spam is green. It is still in its infancy as a marketing medium.

Easy money is the impetus.

[Jason+Levine]

Well, let's say your moral compass has been permanently derailed and you are planning to enter the "spamming industry." You can buy CDs with e-mail lists for cheap (I believe it's something in the order of 1 million names for $100). You also would use a program to find open relays and exploit them (why run your own mail server when you can hijack someone else's for less dough). Then you forge your e-mail headers (after all, you don't want to deal with messy details like bouncing e-mails and angry recipients).

Now say you send out a million spam e-mails. Your cost is $100 or so (the cost of the list) and whatever you're using for your Internet connection. That's less than a penny per person. If one hundredth of one percent of those names were to send $5 each, you'd take in $500, or about $400 profit. And that's just from one mailing. You'd ignore any "remove me off this #&*#&@ list" e-mails (actually, with the forged headers you wouldn't see them) and send another round hoping to lure in more suckers.

Now these aren't hard and fast numbers, but you can see how some people are lured into the "easy money." Of course, breaking into people's homes and taking valuables is "easy money" also, but spammers somehow convince themselves that they have a constitutional right to misuse other people's bandwidth and time for their own personal gain.

SPAM as theft.

[Hallow]

All the SPAM'ers cite freedom of speech. Well, I wanna know what the hell happened to your rights ending where mine begin?

The problem of SPAM on fax machines back in the 80's, due to the fact that paper/toner/etc. cost $$ as well as tying up a business' fax line prompted a law that bans SPAMing fax machines. It was the use of resources and stopping of business that got this law passed.

Well, bandwidth is a resource, and if a major ISP's mail service is unusable for a good chunk of time, that's a stopping of business.

I pay for my bandwidth to run my own server. Using my resources (bandwidth), for a purpose I don't approve of, should be considered theft. It might be different for a dialup user (the end user doesn't pay for bandwidth, they pay a monthly fee for access, the ISP pays for the bandwidth, usually).

I'm so incredibly sick of SPAM! Oh, and by all means, I don't want to limit SPAM to commercial mail. I think any email that is soliciting, be it a campaign contribution, a donation to the kidney fund, or religion oriented ("come join us in fellowship", blah) should be considered SPAM as well.

Although, having said all that, I think that legislation is only part of the problem. I think what we need is a modification to the SMTP protocol itself that makes it easy and lightweight to identify and handle these types of email, and legislation enforcing this.

Something like identifying the message as spam immediately after the HELO or RCPT TO, or perhaps even requiring spam to use another port!

But even that's not enough because you know those direct marketing jackasses will still send it without the proper identifiers.

I'm real close to setting up a system where you have to give me your email address and I have to approve you to send me email or I'll never see it. (with a seperate dump account for registrations for web boards, etc.)

Re:How to solve the spam problem

[reemul]

Don't mess with any of the fields in emails, or forward anything to the gov't types. Just create a few web pages with the email addresses of the folks you want to take official notice of the problem, and let the spam spiders do all the work. A few test posts to usenet with those addresses included for those harvesters would also help.

Any deception on your part makes you look bad, not the poor mislead spammer. Spammers are bad enough on their own, just maybe they need a push to go after the people you want particularly mad at spam.

SPAM: The ultimate DoS

[gempabumi]

Is it possible to file a bug against an RFC? If so, I'm going to post to bugtraq about RFC 2821.

Spam is a problem for users. But the problem that users have pales in comparison to the problem that ISPs and other providers have.

Most of the available solutions are catch-up solutions, which, like virus detection software, always arrives too late and is easily defeated (and in any case not the best way to solve the problem).

Anyhoo, why is spam the ultimate DoS? Very simple. Spammer sends 50,000+ emails to 50,000+ addresses using a forged "From: fooXK343@forgedfrom.tld" header. 49,987 of the spam emails bounce, and where to they go? You guessed it, right to fooXK343@forgedfrom.tld. fooXK343@forgedfrom.tld doesn't exist, of course, so the messages get double-bounced to postmaster@forgedfrom.tld.

What can postmaster@forgedfrom.tld do? Very little.

Can he block the incoming connections? No, they are coming from 49,987 different sources, most of which are valid functioning SMTP servers.

Can he contact the admin of the machine or relay where the spam is coming from? Sure, if he magically has 37 hours in his day. But, the relay server is most likely a rooted machine on the other side of the world. Good luck there. Or, the machine belongs to one of the 15 largest ISPs on the planet, in which case he will have to jump through 7 different hoops to talk to the person that can fix the problem. And even if he does get through to that person and the offending dialup account is shut down, the spammer usually has 15 more compromised accounts to choose from and is active on the same ISP within days. Would the large ISP share information so postmaster@forgedfrom.tld can track down the spammer? Doubt it.

Can't postmaster@forgedfrom.tld just send all incoming messages to fooXK343@forgedfrom.tld to the bitbucket? Sure. Will that save his bandwidth and prevent the DoS? Nope.

That's why Spam is the Ultimate DoS. A bug should be filed against RFC 2821. The implications of this type of DoS becoming widespread are serious.

More Gov't Enforcement of Fraud Laws

[swb]

I think SPAM could be limited if our government dedicated more resources to white collar crime and fraud than to other pursuits like the war on drugs.

Most of what passes for SPAM in my mailbox is either prima facie fraudulent products (penis enlargers) and offers (stock "tips") or setups to fraudulent web sites for porn or related items.

If people who did these scams were actually investigated and ultimately jailed with great frequency we would have fewer SPAM messages. They have to be invetigatable because there has to be a way for them to get money from your pocket to theirs.

Also, I think that there'd have to be few convictions. Merely having the FBI/SEC/ATF show up and start doing a serious investigation is enough to scare a lot of people into other lines of fraud.

This wouldn't do anything for offshore scammers, but I have a feeling that the offshore places are going to have to get their shit together or they will start finding lots of the 1st world net blackholed to all of their data.

Extend the SMTP protocol for crying out loud.

[dingbat2002]

a) It's clear that a legal solution probably won't work since SPAMMers will just move their operations to more legally clement shores and the one-world-government isn't around yet to enforce anti-spam laws on a planetary scale yet .

b) It's clear that a technological filtering solution is probably not the ideal way to go because ultimately, any filtering scheme doesn't address the issue that the SPAM is out there and it's still flooding our networks, regardless if you detect it as a SPAM or not.

The only conclusion is that we really need to fix the problem at it's source. Change the SMTP protocol to include a handshaking/whitelisting layer. Is there a reason why the big mail server makers and mail client makers couldn't get together and work on an extention of the protocol that would make the protocol secure?

To me, this is a no brainer and it's probably the only way to go at this point.