Spam Increases Make Things Tough For Companies

dosten sent us a link to a story running on Cnet about the spam epidemic. My favorite stat is that by 2006, we'll be getting 1400 spam a year. Of course, I already get that every week. Talks about foreign spam relays, block lists, and so on. Decent piece explaining a huge problem that's only getting worse.

Resume bots

[skippy5066]

The biggest offender for me? Resume bots. I post my resume to see if people are hiring, and I get 12 messages a day from OTHER resume posting sites trying to get me to go there and post again.

If they're smart enough to grab my email addy, why can't they harvest my resume too and leave me alone?

-skip

Re:Resume bots

[reaper20]

Agreed, another one that sucks are the one that your registrar sold you out on. I only own 5 domains, and these can start to pile up. I generally avoid register.com, but it seems like most of the domain houses are selling you out.

I know the spammers are probably harvesting your whois information but having

"Register.com let us know that your website is missing on some search engines"

really pisses me off. I guess I shouldn't have bought them on such a long contract ...

Re:Resume bots

[arkanes]

It's interesting, I registed via register.com (I use dns2go for my dynamic DNS, and it's easier/faster to get the domain set up if I register with register.com, who owns them or is a partner or something), and was bracing myself for a flood of spam when they sold me out. So far, not a drop. Makes me really happy. I did make sure to check and uncheck all the approriate boxes, so maybe that actually did something....

Re:Resume bots

[chrisvr]

Even worse is when the spam masquerades as a job lead with a subject like "So-and-so, I found your resume".

Yeah, I open it. And it makes me feel cheap and used. It's just cruel. They are usually trying to sell me a resume blast, or listing or whatever. Why on earth would they think I want to do business with a company that led me on like that?!

Re:Resume bots

[ncc74656]

If they're smart enough to grab my email addy, why can't they harvest my resume too and leave me alone?

Considering what some people do with résumé spam and the morons who send it, maybe you should consider yourself lucky that they aren't doing that.

Law makers might realize the problem.

[www.sorehands.com]

Maybe after seeing this lawmakers will realize the extent of the problem.

The Chinese government ignored SPAM problems, until enough people blacklisted China and then they took notice.

Maybe we should forward all the spam that we receive to congress, with a little note attached. Maybe they would take notice, then.

Re:Law makers might realize the problem.

[Binestar]

I wouldn't. I'd be willing to bet the people who track down the spam know when an IP is spoofed and when to ignore it. The majority of spam coming from Korea and China are through open relay's.

Re:Law makers might realize the problem.

[revscat]

Just because there have been bills passed that are heinous doesn't mean we should stop legislating in other areas.

Re:Law makers might realize the problem.

[www.sorehands.com]

There are many examples of SPAM scams. There are instances where the FTC and SEC have gone after SPAMMERs.

The argument that SPAM creates more business because there are companies making money blocking spam is ludicrous. This is the same as saying herion is good because it creates business for rehab centers. Or drunk driving is good because it helps lawyers make money.

Growth, Growth, Growth....

[mlknowle]

The 1400 number is a bit sketchy; I think to assume that SPAM will continue to grow at a current rate for four years is more than a bit unreasonable.

On the contrary, I think one of two things will happen:

1. SPAM will explode long before 2006 - the number of messages will grow to such an extent that a political solution will become unavoidable. In effect, the SPAMers will SPAM themselves out of existence - but not without paralyzing the net for some time.

2. SPAM click rates will continue to fall, and bandwidth costs will soar, so eventually the point will be reached that most SPAM will no longer be viable economically- this may be some time away, but I think it is certainly a possibility.

Even if costs increase, something tells me that 1) is far more likely to occur than 2)..... But the most likely thing to happen will be that I move to a address-book-only-accepted mailbox setup... Sigh.....

Re:Growth, Growth, Growth....

[Riskable]

2. SPAM click rates will continue to fall, and bandwidth costs will soar, so eventually the point will be reached that most SPAM will no longer be viable economically- this may be some time away, but I think it is certainly a possibility.

Ahh, but you do realize that most spammers utilize others' bandwidth for their task? That's why it's so popular (no overhead). What we really need to happen is for companies with open relays to sue spammers for the cost of the bandwidth useage... Not just blocking the spam.

Re:Growth, Growth, Growth....

[amuro98]

So long as AOL is giving out those "Free hours!" CDs, spam will never be too expensive to send.

Until all ISPs start charging 'clean up' fees for spam offenses, there's really no big incentive to keep folks from ever spamming. Sure, they'll lose their account that sent the spam, but the damage has already been done.

I think the spammers realize this as well. I'm getting more and more spam that tells me to call a phone number or write to some physical address for more information. This way, even if they lose their mail account (and they WILL lose it) there's still a chance one or two suckers will contact them.

This means even if they only make $1 from a spam run, that's all profit. Is it any wonder there's so much spam?

That's why spammers need to be fined by their ISP for deleting their account. If nothing else, it'll raise the price of spamming.

Re:Growth, Growth, Growth....

[Wire+Tap]

The 1400 number is a bit sketchy

Excuse me? Are you living under a rock? Every day I receive something like 30-40 spams. So, that totals to: 35 (mid-range) * 365 = 12775 spams in a year. I'm not kidding. I get junked down with so much spam I have a hard time finding messages that are NOT spam in my mailbox. Is this a problem? You bet your ass. Have I done anything about it? Yep. I spent about a month forwarding headers to abuse addresses, but did that help? no! What it did was cost me time. Lots of time. About an hour every day, devoted to nothing but bothering with spam.

I don't want that shit in my email box. I didn't ask for it (I _NEVER_ use that email address for registrations) - it just seems to come to me. Personally, I want all those companies shut down, and hard. They should be fined like crazy. Ever hear of an effulent fee? That's what should be proposed. They are wasting bandwidth, time, money, electricity, everything.

It's a big problem. I don't know what cloud you are on, but come back to Earth.

Re:Growth, Growth, Growth....

[rbeattie]

I completely agree with this. The responses to SPAM are still coming from people who are relatively new to the Internet (say my Mom). Once Mom gets the idea that SPAM is crap she'll stop paying attention to it (she already has really... it doesn't take long). So it won't be long before the click rates fall through the floor... right now it's just the suckers (and there are a lot of 'em... but the number isn't infinite.)

And the ISPs are going to start lobbying congress soon because of all the zillions they're spending on bandwidth. Spamming is a 2002 problem at best, by 2004 I think it'll be taken care of. Seriously. Lawmakers get as much SPAM or more then we do and they're sick of it too.

As an aside, I feel like the parent when I have to say to Mom things like, "HOW many times have I told you not to respond to emails from strangers?!? Don't come running to me when you get a virus on your computer that erases everything and drains your bank account dry."

-Russ

Re:Growth, Growth, Growth....

[smallpaul]

2. SPAM click rates will continue to fall, and bandwidth costs will soar, so eventually the point will be reached that most SPAM will no longer be viable economically- this may be some time away, but I think it is certainly a possibility.

Bandwidth costs are not storing. There is a ton of left over bandwidth from the .COM bubble which is going unused. SPAM is relatively lightweight. We need either technical or political solutions. We can't wait for spam to get too expensive because of bandwidth.

Re:Growth, Growth, Growth....

[Dephex+Twin]

right now it's just the suckers (and there are a lot of 'em... but the number isn't infinite.)

One born every minute, or so the saying goes. Enough people still seem to be switching long-distance services when they receive telephone solicitations, so I don't see spam stopping anytime soon.

mark

Re:Growth, Growth, Growth....

[LinuxHam]

Bandwidth costs are not storing. There is a ton of left over bandwidth from the .COM bubble which is going unused

I'm assuming you meant "soaring", not "storing". It's funny you should make this comment because today's USA Today has an article that explains precisely why bandwidth charges will soon start to soar. Bandwidth left over from the .com era is in DARK fibre. And while the telecoms that bought all that fibre are going under, it costs **20 times as much** as the purchase price of all that fibre to actually light it up. Not to mention it takes 9 to 18 months to do it.

So while bandwidth needs will continuously climb at dramatic rates, no one is starting projects to actually light up all that fibre to meet 1q04 needs. The article compares dark fibre to seed that farmers buy. You can't compare seed in a silo to corn being sold in a supermarket.

Re:Growth, Growth, Growth....

[UncleFluffy]

I think the spammers realize this as well. I'm getting more and more spam that tells me to call a phone number or write to some physical address for more information. This way, even if they lose their mail account (and they WILL lose it) there's still a chance one or two suckers will contact them.

The fun ones are where they give you a fax number to reply to. Sending back a fax containing the whole text of their spam with the words "no thankyou" is usually quite effective. If you do it in a 180 point font, that is :)

Re:Growth, Growth, Growth....

[bero-rh]

The one and only good thing about monopolist telcos - this is the sole reason why you don't usually see any spam sent from a DSL user in .de.

We should just give Microsoft what they always wanted - replace the internet with MSN so spammers can be permanently shut off... And those who oppose Bill Gates, and those who oppose Bush, and Linux users... Oh, wait... ;)

Re:Growth, Growth, Growth....

[alexjohns]

Russ,

Are you guessing that lawmakers get just as much spam as we do or do you know something? I happen to know that spammers filter out all .gov addresses. For a long time, they also filtered on .net since that was mainly system admin types for a few years and we have a vicious bite. That may have changed. I haven't been a sysadmin for a couple of years now.

Perhaps they get a lot of spam on their home accounts, but how much time does the average lawmaker have for casual surfing? I doubt more than one or two have ever posted to Usenet.

However, now that I think about it, I think I will send my representatives (2 senators and a congressperson) a detailed description of how much spam I get at the beginning of every month, summarizing the previous month's activities. I just switched to Eudora a couple of weeks ago, so it's all fresh in my mind - I get 30-50 spams a day. (2 domains aliased to an email address that's 6 years old. I don't bother spam-proofing. Filters are all that stand between me and insanity. It's a fun game, if you look at it that way - "How do I ensure that I never see any email like this again?" After 2 weeks, I'm down to seeing about 3 new spams a day. In a couple more weeks I should be down to 1 a day. I think that's about as low as I can possibly go.)

Re:Growth, Growth, Growth....

[gnovos]

Once Mom gets the idea that SPAM is crap she'll stop paying attention to it (she already has really... it doesn't take long). So it won't be long before the click rates fall through the floor... right now it's just the suckers (and there are a lot of 'em... but the number isn't infinite.)

The problem is, as long as there is ONE sucker out there, spam is viable. If you send out 100 billion spams, at zero cost to you, and get 1 single sell, then you have made money.

Re:Growth, Growth, Growth....

[willybur]

Wait a second here, doesn't "spam" = unsolicted email, while "SPAM" = potted meat?

So are you saying that processed meat will spontaneously combust well before 2006, and that only a political solution can solve this problem? :)

spam defense

[sheol]

I recently sent a reply to a spam I recieved demanding $110 for my troubles. Maybe if everyone starts taking legal action against spammers, they'll get a clue, and stop bombarding us with this junk.

Re:spam defense

[cecil36]

I recieved a spam from the same company that was mentioned. Of all things, the spam was generated when I posted to an alumni message board of the high school I went to. To start with, the website is not mine, and second, I would much rather see the students in the web programming class learn how to promote the site. I forwarded the spam to Neil Schwartzman and he replied back to me stating that the best thing I can do is ignore it. I wouldn't expect a dime from this. If they do act, it would be a very interesting precedent that was set.

Re:spam defense

[reaper20]

I don't think that will fix the problem, except increase the amount of lawyers in the world, and we can be sure that's not good.

I know two wrongs don't make a right, but I would actually respect script kiddies and the like if they targetted spammers instead of everyone. Someone cracking into the spamhouses and creating havoc on their networks, thrashing their servers, and randomly destroying spam programs would make for some good storytelling on slashdot.

I say screw the legal road, they're using 'illegal' and sneaky ways to take over systems - I say we give it right back to them.

Normally if that happens to a sysadmin or friend of mine, I am apologetic - having this happen to spam scumbags, I would cheer from the sideline.

How profitable is spam?

[Yoda2]

I know its cheap, but I'm really curious to see how much spammers really profit from their ads. There has to be a certain profile for the person who really believes that they can enlarge their penis by "clicking here".

Maybe the spammers should focus on only AOL addresses since their members seem to like daily solicitation, and leave the rest of us alone!

Re:How profitable is spam?

[AnotherBlackHat]

know its cheap, but I'm really curious to see how much spammers really profit from their ads. There has to be a certain profile for the person who really believes that they can enlarge their penis by "clicking here".

Maybe the spammers should focus on only AOL addresses since their members seem to like daily solicitation, and leave the rest of us alone!

Opinions vary, but I believe that the response rate is 1-3 per 10,000.
Responses aren't sales, but if we use junk mail as a guide, there's approximately a 10%
sell through rate. That means 1-3 sales per 100,000. As a guess, most crap sold via spam
is about 90% profit and sells for about $40.00. A dedicated spammer could easily saturate the market,
which is about 150,000,000 people. That works out to about $50,000.
That's a lot of assumptions, but I believe $50,000 is within an order of magnitude of correct.
Not enough to excite me, but unfortunately more than enough to keep those assholes going.

I have a friend who works for an ISP. He claims a spammer offered to pay the ISP $10,000
a month to cover the cost of dealing with the spam complaints, if they were allowed to continue spamming.
The spammer clearly thought that spam was worth more the $10,000 a month.

-- Spam Wolf, the best spam blocking vaporware yet!

This may be the only way to keep up:

[TheFlu]

Here is, what I believe to be, a better approach to fighting SPAM: Tagged Message Delivery Agent(TMDA)

Re:This may be the only way to keep up:

[Suppafly]

Someone should patent spam and then charge spammers a huge license fee for every piece of spam sent..

1,400 per YEAR

[NickPest]

Internet researcher Jupiter Media Metrix estimates that consumers will receive about 206 billion junk e-mailings in 2006--an average of 1,400 per person, compared with about 700 per person this year.

Still, that's only about 4/day which seems very conservative to me.

Re:1,400 per YEAR

[Random+Walk]

Still, that's only about 4/day which seems very conservative to me.

True - it's about what I get daily. The problem is: I can pretty well get rid of spam in my private mail using one-time mail aliases for most purposes, but I can't do that at work.

How to solve the spam problem

[WillSeattle]

Find your lawmakers home emails - city council, county council, city prosecuting attorney,state reps, governor, state attorney general, federal delegations ...

And change your settings to "reply to" the spamsters that send you spam with their info.

They'll fix it fast if it affects them. That's why we have some of our state's laws about credit reports - it directly affected my senator's daughter (he's retired from the senate now).

Nothing like making it personal.

[note - I am not advising you do this - just pointing out what will happen if some people did this - caveat emptor]
-

Re:How to solve the spam problem

[reemul]

Don't mess with any of the fields in emails, or forward anything to the gov't types. Just create a few web pages with the email addresses of the folks you want to take official notice of the problem, and let the spam spiders do all the work. A few test posts to usenet with those addresses included for those harvesters would also help.

Any deception on your part makes you look bad, not the poor mislead spammer. Spammers are bad enough on their own, just maybe they need a push to go after the people you want particularly mad at spam.

I block Asia, Russia and other places

[Offwhite98]

I noticed a massive increase in the amount of spam that I was getting. Fortunately I am running my own FreeBSD server for mail and I simply updated access lists for the frequent offenders. That blocked some, but I was still getting a great deal of mail coming in.

Finally I was told that I can identify countries by their IP block. Now that I block Korea, Russia and other countries I am not back down to my normal daily allowance of 2 pieces of spam a day.

I also have a spam blocking strategy others may want to use. Since I run my own domain I create an alias for every website which wants me to register. For example, here I have an alias for slashdot@offwhite.net which is posted along with my comments. I also have one for cdnow.com@offwhite.net, cnn.com@offwhite.net, etc. When I sign up for a newsletter or post comments I will know where the incoming spam originated. Unfortunately I found that my slashdot alias was the culprit for much of the mail. Spammers are obviously scraping this site.

After I put my spam blocking lists in place, in addition to the normal RBL features you can do with spam I am block tons of mail for me and all the users on my server. And in a single day the daily report that FreeBSD sends out shows that I blocked 111 pieces of mail just for my offwhite.net domain.

Perhaps eventually I can release some of these offending domains from my access/blocking list, but for now I am simply returning an obscure message that the user was not found. It is my hope that they simply remove my name from their lists. One can only hope.

Re:I block Asia, Russia and other places

[telbij]

That's pretty sad, considering the vehement hatred of spam and high level of technical skill here at Slashdot, harvesting email addresses here seems like a fool's game. Of course, spamming falls in the category of get-rich-quick schemes, so that's no surprise.

Re:I block Asia, Russia and other places

[alexburke]

I also have one for cdnow.com@offwhite.net, cnn.com@offwhite.net, etc. When I sign up for a newsletter or post comments I will know where the incoming spam originated.

What you've just done is totally b0rk your scheme.

Spammers are obviously scraping this site.

And you know about it.

Brilliant.

Now, when you get spam to your CDNow or CNN aliases, you won't know where they really came from.

Idiot...

Re:I block Asia, Russia and other places

[alcmena]

I prefer "support@[website]". For example, to get RealPlayer to quit bugging me, my email address it was assigned was "support@real.com". I also make an extra effort to ensure all the correct check boxes are selected to "yes" as well. :)

Re:I block Asia, Russia and other places

[arkanes]

Thats an amazingly fantastic idea and I wish I'd thought of it. Now I'll finally "register" realplayer instead of constantly canceling out of it everytime I play something.

Overblown article

[binarybits]

As others have pointed out, this is 1400 a year, not per day. Malda needs to learn to read.

Secondly, I find the figure of $1 per spam to be kind of ludicrous. It takes me about 5 seconds to recognize a piece of mail is spam and delete it. 5 seconds of my time isn't worth $1. And the 10k it took the mail server to store the message and fraction of a penny in bandwidth aren't worth a dollar either.

If corporate anti-spam offices are costing that much, then they're wasting their money. Let employees delete their own spam messages. It's really not that hard. It wastes maybe 5 minutes per week of my time. Is it annoying? Absolutely. Is it an "epidemic"? I don't think so.

I hate spam as much as the next guy, but a sense of perspective is important. The technology to filter spam is rapidly advancing, and ISP's often *do* respond to complaints. Once Asia gets with the program, I'd expect this problem to subside somewhat.

Re:Overblown article

[telbij]

First of all, I think you are right that simply deleting spam is not all that difficult or expensive. But in practice there are many more costly effects spam can have that can drive up the average cost ($1 is still pretty high though):

• Employees may actually waste time clicking on spam links
• High-bandwidth graphical spam can bring slow computers and connections to their knees
• Spam can obfuscate legitimate emails, causing them to be deleted by accident in a flurry of spam deletions
• I've experienced crashes that may have been caused by the huge volume of email, or the piss-poor HTML code, but definitely had to do with spam. Data loss is unquantifiable.

All in all, I think having an administrator try to filter out spam before it gets to the 45,000 employees is a good idea. I mean, if a spam targets only 20,000 employees, they will still have to spend the 5*20,000 seconds to collectively delete the single spam that an admin could take care of at the root (also saving bandwidth and storage space). Throw in the issues of employees working with slow computers and slow connections and I can definitely see a full-time spam admin.

Re:Overblown article

[dubl-u]

Secondly, I find the figure of $1 per spam to be kind of ludicrous. It takes me about 5 seconds to recognize a piece of mail is spam and delete it.

So let's assume that like most geeks, you're way on the end of the bell curve when it comes to processing information. Suppose the average spam delay is 30 seconds per person. They just said the guy worked at "a major telecommunications company"; let's assume that they're in the same league as SGI, another company mentioned in the article which has revenues of $300,000 per year per employee.

That works out to about $150 per hour in revenue, or $2.50 per minute. So that 30-second spam distraction costs $1.25 on average.

And assuming their mail beeped and distracted them from something else, the cost could be a lot higher; distractions substantially reduce productivity. And if they click on a link or actually read the spam? yet more time gone. $1 is probably too low.

Re:Overblown article

[alexburke]

this is 1400 a year

Right.

Secondly, I find the figure of $1 per spam to be kind of ludicrous. It takes me about 5 seconds to recognize a piece of mail is spam and delete it. 5 seconds of my time isn't worth $1.

Oh boy. Here we go! [breaks out calculator]

5 x 1400 = 7000 / 60 = 116.67 = just under TWO HOURS of your time. Is this worth $1? Or more, perhaps?

And the 10k it took the mail server to store the message and fraction of a penny in bandwidth aren't worth a dollar either.

10 x 1400 = 14000 / 1024 = 13.67MB.

And that's just for you.

Assuming the ISP has 10,000 customers, that's almost 375 MB (13.67 x 10000 / 365) the ISP has to reserve on their mail server JUST FOR SPAM, PER DAY.

Obviously, that assumes every user checks their mail once per day, no more, no less, and everyone gets 1,400 spam/year at 10k each. Since you made the same assumptions, I did as well to keep the numbers the same.

So, is 375MB per day per 10k users worth $1? Or more, perhaps?

Malda needs to learn to read.

We know Rob's English isn't the best. What you've done is handily demonstrate that apparently your math isn't, either...

Re:Overblown article

[sdo1]

I find the figure of $1 per spam to be kind of ludicrous

I don't. A really good employee is paid, say $150/hr. That's not unreasonable for someone who's making decent money if you include their overhead (benefits, etc.). At that rate, $1 works out to be about 24 seconds worth of time. Add in a bit of network and infrastrucure costs to deal with the traffic and of course the time for the person(s) setting up the blocks and dealing with email traffic...

Yea, I can easily see where corporations might see the costs of spam as something like $1 per.

-S

Re:Overblown article

[Technician]

Throw in the issues of employees working with slow computers and slow connections and I can definitely see a full-time spam admin.
Where I work, we do have a full time e-mail admin. They are worth their weight in gold. Sometimes is takes 5 minutes to open my mailbox in the morning. It's from all the identical messages sent to more than 5 employees from outside the company being purged off the servers. If you don't want mail delivered to me, just cc it to 5 more employees in the company and an admin will review it for content. It saves us a lot of time.

Re:Overblown article

[HardCase]

Secondly, I find the figure of $1 per spam to be kind of ludicrous. It takes me about 5 seconds to recognize a piece of mail is spam and delete it. 5 seconds of my time isn't worth $1. And the 10k it took the mail server to store the message and fraction of a penny in bandwidth aren't worth a dollar either

From the article: But it's slow going. For every piece of mail that takes seconds to delete, there are always those that require hours in security investigations--which is how Lewis arrived at his estimate that each piece of junk mail costs his company $1.

Sure, you can tell if the email is spam because it's sent to you. But the sysadmin in this case has to investigate a few more emails that you do and also has to be very sure that he's deleting spam...plus I'm sure he wants to know where it came from. I don't think that the estimate is out of line.

-h-

Re:Overblown article

[symbolic]

Here's what I do - I know it won't work well for those who get a lot of e-mail from unknown sources (like a popular personality on the net might receive), but it works for me. Using Eudora, I set up a separate folder for each legitimate source that from which I EXPECT to receive e-mail. When my mail is download (about 600-700 pieces a day), Eudora sorts through it all, and after all is said and done, the only thing left in my in box is junk. I usually give it a quick review just to be sure I haven't overlooked anything, but the only "cost" to me is having to type Command-A, and then hit the delete key. Sit on THAT and rotate for a while, Rowena!!!

My first spamless day in years was today.

[Apuleius]

(Disclaimer: not directly relevant, but I thought I'd share.) My email address is scannable from Usenet posts made when I was young and foolish, so there is no hope of it not being available to spammers. But, since using Spamcop, my spam levels decreased, and today at 9 AM MST, for the first time in years I checked my mail and it was spam free. I'm starting to suspect that spammers now keep lists of email addresses of people who are vigilant in reporting spam, and deleting them from their lists. (My hope is, that the CDs in which my email address resides, are now considered "no good," not just my address.) So, there is hope.

Re:My first spamless day in years was today.

[cmowire]

I've noticed a similar phenomena. I've been quite vigilant about reporting spammers and have been trying to report them to all of the possible channels, including the SEC if it's yet another pump-and-dump scheme.

The best part is reporting first-time spammers. I make damn sure that when I see a spam I haven't seen before that I report it. I had the great satisfaction of watching some girl who wanted to be the next Britney Spears or something get her website shut down for spamming. Those people are the big spammers of the future. If somebody gets started in spamming and gets their access canned right away, they hopefully will realize that it's not as easy money as the person who set them up with spamming software said it was.

But it is an uphill battle. Some companies are claiming that I did, in fact, opt-in at some point to receiving spam from their "partners". Taking care of those folks and tracking who initially sold my address has resulted quite a bit of improvement in my spam count. I don't have the opt-in networks, just the bulk viagra mails and whatnot coming from Asia, at this point.

I've also noticed that unless you report spammers, they will spam you forever. I have some addresses that haven't been used for years that are still getting spam. I notice this because I get error messages occasionally because the auto-bounce message has nowhere to bounce to.

When I get in one of those moods, I'll crank call all of the 1-800 numbers listed in the spam. That doesn't do anything for the spam count, but it does wonders for my mood. ;)

The problem is...

[tomstdenis]

We are trying to cling to a system not designed with spammers in mind.

Instead of trying to make it illegal to send spam [which is not going to stop it anyways] why not just invent whole new protocols?

Primarily I'd add a hashcash payment system. Where in order for you to send me a message [that I would eventually see] you *must* do some work [e.g. find an N-bit collision].

The idea is simple and if implemented correctly will be a huge deterrent to sending spam. Specially if it takes you 2 seconds or so to prepare the email!

I think as a project I will implement a trivial version of this over TCP. In reality though it would be nice to see real professionals tackle something like this.

Face it SMTP is outdated and wholly inappropriate!

Tom

Re:The problem is...

[AnotherBlackHat]

Hashcash is a specific type of challenge/response system.
These have been tried before, and they haven't worked well.
The major problem is acceptance, not implementation.

My approach is to use challenge as a "saver" to reduce false positives. I.e. instead of just trashing email that is identified as spam, you send back a note that says "your email was identified as spam because . If you feel this was in error, please send me the answer to the following question ... (which can be found using this java app)" Even this has met with resistance in the small sample of users I've questioned about it. Most people think of email as a easy way for others to reach them. They do not want /anything/ to make it harder for people to send them email. Losing a single legitimate email is considered a disaster, and annoying a potential customer is completely unacceptable.

-- Spam Wolf, the best spam blocking vaporware yet!

Re:The problem is...

[Fweeky]

> The idea is simple and if implemented correctly
> will be a huge deterrent to sending spam.
> Specially if it takes you 2 seconds or so to
> prepare the email!

That's great until someone legitimate wants to send lots of email; mailing lists etc. Sure, you can add whitelists, but all that does is add $MAX_INT maintainence costs.

> Face it SMTP is outdated and wholly inappropriate!

Under what criteria? How are you going to reliably and cheaply prevent some people from mass mailing and header forging while allowing others to mass mail?

Use Disposable Addresses

[Coward+Anonymous]

The easiest way to avoid most spam is to use disposable email addresses - open an account with Hotmail or Yahoo, etc. and use that as your "sign-up"/"service" email. Use your personal/work email just for that - work and personal correspondence. I rarely, if ever, get spam in my personal accounts.

The effect will hopefully be twofold:
1. You don't get spam where you don't want it.
2. Choke Hotmail & Yahoo with spam, turning it into a corporate nuisance. Then they might move to actually blocking it - say by blacklisting mail servers. After all, there's nothing like a little corporate sponsorship to get the job done in the U.S.

Boycott spammers

[furiousgeorge]

Yup - i'm drowning in spam like the rest of us.... a 'typical' day is somewhere around 80 mails. Weekends are much worse....

BUT.......

There are MANY big name commercial companies that are spamming. They aren't stupid enough to spam themselves, they subcontract it to some other weasel who gets click-thru fees for the referrals that their spam generates.

My two biggest offenders are NetFlix and 1-800-Flowers.

Every piece of spam i get associated with a 'legit' company i make sure to forward to every address I can find on their web site, and make it very clear that I will NEVER do business with them as long as they maintain the practice.... and will discourage anybody who will listen to me to do the same.

It won't stop everything. I still get tons of 'Cum Guzzling Co-Ed's', 'Increase your Penis Size', 'Viagra without a prescription', and 'REPAIR YOUR CREDIT NOW' mail, but every little bit helps....

BOYCOTT NETFLIX
BOYCOTT NETFLIX
BOYCOTT NETFLIX
BOYCOTT NETFLIX
BOYCOTT NETFLIX
BOYCOTT NETFLIX
BOYCOTT NETFLIX

Re:Boycott spammers

[mcfiddish]

My two biggest offenders are NetFlix and 1-800-Flowers.


Interesting. I joined Netflix about two months ago and noticed a dramatic increase in spam since then. Are you sure about this?

Re:Boycott spammers

[furiousgeorge]

>>Interesting. I joined Netflix about two months
>>ago and noticed a dramatic increase in spam
>>since then. Are you sure about this?

Misunderstanding. I'm not saying that Netflix is selling my email address to spammers. (but i wouldn't put it past them)

I'm saying that Netflix is hiring spammers to spam whoever is in their lists (ME) to JOIN netflix.

I get probably one Netflix spam every day, or at least every 2 days.

Therefore I will NEVER join Netflix. Any business that thinks this asshole behaviour is acceptable can burn. And i'll discourage anybody who'll listen to doing business with them.

Re:Boycott spammers

[chrisvr]

I'm not saying that Netflix is selling my email address to spammers. (but i wouldn't put it past them)

I can attest that Netflix doesn't sell addresses- well, at least they haven't sold mine. We've been members for about 2 years, using an address netflix@ourdomain.com and I have never received any spam at that address, only netflix mail.

And I am also a very satisfied customer, and every one of my friends that I've recommended Netflix to loves it as well. I hope they stay in business for years to come. But it does sound like they need to make some changes to their marketing practices.

What is the impetus?

[nowt]

I don't mean to sound naive but what is the impetus that makes spam a revenue generator? Is it some kind of "sucker to spam" ratio.. for every 1 person who falls for the spam, enough revenue for 1000 spam e-mails is generated?

Re:Lost productivity

[sien]

Lost productivity figures are a strange and inexplicable number, like budget surplusses.

It's silly. I mean, lets say you're paid $50/hour when expenses are included. That means you're at about $1 / minute. Now - to lose $1 in productivity you'd have to spend 1 minute deleting the spam. I mean, 1 minute. Here in our office our most inexperienced computer user wouldn't even spend 5 seconds deleting spam. I don't see how bandwidth or storage space could even get you to that $1.

Spam is a problem, but these statements like $1 of lost productivity are pretty dubiuos. If you measure it like that the cost of my window would be enourmous, and the price of slashdot on the world economy billions per day.

No-win situation

[ari{Dal}]

Before, when it was just the individual that was getting bombarded by offers of barely legal pr0n and penis enhancers, Big Brother (the govt) didn't really seem to care. Sure, a few states have instituted laws.. but honestly, how effective has the "ADV" required by CA law been, if at all?

Finally, we're seeing reliable, solid information from big companies on how much these bits of unwanted flotsam are costing in actual dollars. This is exactly what it takes to get the Govt. to stand up and take notice. The big guys have the money, power, and voice to get the message heard and force action.

Unfortunately, even once laws are in place, I don't see much of a decrease in spam. The senders are getting smarter and smarter, the harvesting techniques are getting better, and their obfuscated headers and relays make them damned hard to track. Add in the fact that a lot of this stuff is across international boundaries, which makes local laws difficult if not impossible to enforce, so even if you can track down the offender, you end up with an incredibly difficult case to litigate.

I can see the same thing happening in this situation that has happened with online casinos: when things get unfriendly, they'll simply move their base of operation to a country that doesn't much care what they do as long as they're spending money. And with the right set up, it doesn't matter if they're spamming from NYC or Antartica... their damned message will still get through to cost you time and headaches.

not blacklists, whitelists

[einer]

This has been mentioned before (but I'm too lazy to search for the artcile), but blacklists aren't the answer. As inconvenient as it sounds, whitelists are the way to go. If your e-mail address isn't on the whitelist, your message doesn't get delivered. When a message is received that isn't on the whitelist, an automated message is sent to the sender informing them that they can be added to the whitelist by replying to this e-mail with a provided hash/password. Once they reply to the notification e-mail, they are whitelisted and their original message is delivered. Anyone who wanted to maintain a whitelist could do so, those who didn't want to bother with it could deal with the spam.

Re:not blacklists, whitelists

[tswinzig]

I was just going over this same exact thing with someone today, as we're trying to plan out a spam-blocking strategy for our network.

One problem with whitelists is that you have come up with a good way of adding legitimate "big" email senders that are not going to take the time to authorize themselves on your whitelist. If you're out-and-out blocking messages not approved by the whitelist, your users have to remember to add companies to their whitelists manually when they want to receive their information. Even then it's not perfect, since you never know what address or domain a company might send from. (A lot of them outsource their email.)

An ideal setup is something like SpamCop, where there's a queue of held mail, and your users can add people to whitelists and blacklists very easily (and even report spam if they're so inclined).

One reason we don't want to just use SpamCop's services is because we'd rather be in control of all aspects of our filtering, so we'll do it in-house as I suspect a lot of people will.

Re:not blacklists, whitelists

[telbij]

I was just going to post this myself. Of course this solution is basically unacceptable to people who receive email from new and prospective clients regularly.

Your idea of responding with a password that allows people to get added to the whitelist automatically is great as long as your system doesn't gain widespread use. If it did, then spam software would simply be updated to use the password. Probably not something to lose sleep over.. however, being a web designer my solution is to reply with a link to a form that people can use to email me. Granted, the form itself could be used to spam me, but it strikes me that spamming software that uses people's feedback forms would never be effective enough to make it a problem (what with the chaotic and dynamic nature of web forms).

As far as blacklisting goes there are some decent alternatives in that vein too. Read my next post.

Re:not blacklists, whitelists

[alcmena]

I accept messages from people not on my list and I don't get many porn messages anymore. I disabled all URL messages, since they tended to be the worst offender. Also, I disabled all multiple-recepient messages from people not on my list. This way I can still hear from new people I haven't met before, but spammers who click hundreds of names then "send" get filtered out.

Re:not blacklists, whitelists

[LinuxHam]

Check it out here.

Got it from O'Reilly's "Stopping Spam". It's a Procmail recipe that composes a reply and then looks for the new To: address in a locally-stored whitelist. If the address is found, the email is accepted. Otherwise, it returns an email with instructions. The sender just has to resend one email with the password in the subject line.

Totally self-maintaining. Spammers don't get replies and can't add themselves to your list. Even on the off-chance they did, no spammer is going to put "flarkelmarkle" in their subject line just so that one freaking person can get their crap.

Solving the spam problem?

[ShaniaTwain]

Maybe the spammers should focus on only AOL addresses since their members seem to like daily solicitation, and leave the rest of us alone!

Maybe we should enlarge the spammers penises. There is a variety of heavy machinery that could be used to result in a much larger (but paper thin) penis. Or perhaps we should shove bottle after bottle of their "herbal Viagra" down their throats until they are unable click the 'send' button.

'sigh' [deletes another batch of spam]

Re:Solving the spam problem?

[nucal]

There is a variety of heavy machinery that could be used to result in a much larger (but paper thin) penis.

Yeah, I think that one comes from Acme!

Simple solutions that work

[Joe+U]

It helps if you run your own mail server, I do.

Three months ago I changed my email address. I told all my friends and created a new email address for them. Then, for every site I registered with, I used a slightly different address. I created a few generic addresses as well, for online shopping or one-time stuff.

So far, only places I actually visited have sent me spam, but now it's easy enough to cut them off.

And the mail is not annoying, I don't mind getting a buy.com sale email, because I buy from them.

It's a simple solution, and it works well.

Not a problem for the spammers

[M_Talon]

As the number of email addresses grow, so does the spammer's lists. Also, it doesn't take any more effort for them to click and send 4 million spams as it does for them to send 40 million. It's still just one click to a harvested list, and they never have to see or pay for the damage and headaches they cause.

The problem is no one in power wants to admit that spam is getting to critical mass. Right now we're in an arms race as better blocking methods come up and better ways to run around those blocks are formed. The only sure way not to get spammed right now is to try to keep your email address private, but even that's failing as spambots get smarter about guessing valid addresses and databases of valid addresses get built. I even get spammed occassionally at work, and I've NEVER released that address to anyone.

Until someone (read major corporation) comes up and says "Hey, this is a problem that's costing us money" the situation is just going to get worse. The spamming situation is reaching a point where it cannot be controlled without intervention via legislation. I'm not a big fan of governement control, but this is the sort of thing that should be looked at heavily...not whether Billy downloaded a copy of Britney Spear's latest single.

This gives me an idea for a new piece of software

[CathedralRulz]

This suggests to me that there may be a growing need for a software or PCI wafer/chip AI that can be assigned tasks like filtering spam out that you don't want.

And this goes beyond just making rules or blocking all spam - after all, I do want to know about the $120 round trip ticket offers for Myrtle Beach or the discounted digicam at ThinkGeek.

The AI can work the same way Tivo does in being sensitive to the kind of email you prefer to get and maybe even smart enough to unsubscribe you from lists that you don't want to belong to or to reply to emails in your place.

Give it a voice recognition program and it can be your phone receptionist, too.

It's hard not to notice

[kindbud]

As the anti-spam vigilantes have become more shrill, more dogmatic, more draconian, and have moved into causing "collateral damage" to sites whose only crime is being neighbors of a spam sewer, the spam continues to increase.

I submit that DNSBL and public blacklists are a failure. They have not done anything substantial to stem the tide of junk email, as this article shows.

In fact, from what I can tell, the spammers use the various DNSBL, especially the ones that list open relays, in order to locate their next set of victim relays. They could not care less that a relative handful of fanatics who use the DNSBL as intended will not be seeing their message. In fact, they are probably happy to ensure that their message will not be seen by those who are most likely to report them and try to get their activities shut down.

Re:It's hard not to notice

[Silverhammer]

In fact, from what I can tell, the spammers use the various DNSBL, especially the ones that list open relays, in order to locate their next set of victim relays.

Y'know, this is the same argument that Microsoft uses against OSS. "You can't trust the security of open source software! The code just lays out there for any hacker to read!"

Re:It's hard not to notice

[kindbud]

Yes, it seems to be the same argument, I agree.

However, I never accused the DNSBL of being untrustworthy, nor did I call for them to be shut down. All I pointed out was that perhaps they are having an effect they they did not intend, to wit:

1. DNSBL maintainers and users get less spam, and report less spam as a result, thereby rendering their efforts less effective
   
2. The people who do not use DNSBL get more spam, thanks to the published list of open relays
   

Implicit in my argument is the assumption that people who don't use any DNSBL are less likely to report spam. That could be a faulty assumption, but I think there is good reason to believe it. Therefore, the DNSBL tend to make spam more effective and harder to punish, because they have the effect of keeping spam away from those who are most likely to report it and pursue punitive actions. Therefore, people who don't use the DNSBL get more spam as a result.

Re:It's hard not to notice

[Silverhammer]

Therefore, the DNSBL tend to make spam more effective and harder to punish, because they have the effect of keeping spam away from those who are most likely to report it and pursue punitive actions.

Only until the spammers find a new relay to exploit, and then the cycle starts over again. The system is adaptive.

Therefore, people who don't use the DNSBL get more spam as a result.

And that's the argument used to promote open source software. "The tools are there for anyone who cares to use them, and those who do are more secure in the end."

Re:It's hard not to notice

[Skapare]

It is not everyone's goal to "punish" spammers. My goal is principly to keep it away from me. I don't care if the spammers end up sending it to someone else. There may in theory be someone else who wants spam. Who am I to deprive them. I just don't want it sent to me.

Eventually, as spammers are crowded into fewer open relays, those that do remain open are not only unable to get to more and more places on the net, their servers are overloaded because they are the few that spammers can use. And they are dealing with more and more bouncing mail. The pressure rises, and maybe they, too, will close the relaying.

The DNSBL maintainers and users do get less spam. That's the goal. Reporting it to the spammer's ISP is NOT the goal; it's just another machanism to use to accomplish the real goal of getting less spam.

Re:It's hard not to notice

[kindbud]

Eventually, as spammers are crowded into fewer open relays, those that do remain open are not only unable to get to more and more places on the net, their servers are overloaded because they are the few that spammers can use.

This never happened, and it does not look like it ever will. As soon as one open relay is closed, four more are discovered by the spammmers, or are newly installed with permissive relaying enabled by admins who don't know any better.

Re:Tracking Spam

[GSloop]

Since around Dec 7, 2000, (the date I installed Spamassassin [a really great spam-catcher I must say!] on my mail server) I have received around 650 spam messages.

By the way, spamassassin is really really good. I have not had any mail that was personal get flagged as spam, (only a few list-serv messages) and out of all those spams, about 5, certainly less than 10 spam messages actually made it through without being flagged as spam!

If you get a chance, try spamassassin. It uses razor, and many of the RBL lists, as well as key-words. Plus it's really configurable, to match your prefs.

I'm probably going to install spamassassin on several of my clients mail servers to block spam site-wide.

Cheers!

This brings to mind a Simpsons math reference ...

[ian+stevens]

Spam is as old as the mainstream Internet itself, but its alarming rise is challenging companies more than ever. In the past six months, the volume of junk mail sent online more than doubled, according to spam filter company Brightmail. Internet researcher Jupiter Media Metrix estimates that consumers will receive about 206 billion junk e-mailings in 2006--an average of 1,400 per person, compared with about 700 per person this year.

This reminds me of a quote from the recent article regarding Simpsons math references:

The Twisted World Of Marge Simpson (4F08, 1/19/97)

Homer visits Disco Stu's "Can't Stop The Learnin'" Disco Academies kiosk at the Franchise Expo.

Disco Stu: Did you know that disco record sales were up 400% for the year ending 1976? [points to a chart for the years 1973-1976] If these trends continue ... aaaaaaay!

ian.

1400?

[wizarddc]

That's not a lot, by a friggin longshot. I know Taco is in a unique situation, where people would put him on a list for paybacks or vendettas or whatever form of agression they are taking for not having their story accepted. Me, in a position where I really, really try to keep spam out of my inbox by only giving it to places I deem worthy, and removing myself from lists where I believe that will do me any good, I still get about 15 a day. Filtering out 90% helps, which might make it to 1400 spams a year that reach my inbox. But whoever is doing this study must really know how to repevent the uncolicited crap away If 4 a day is too much for them to handle.

Only 200?

[www.sorehands.com]

No. No. No. What I mean is many contituents, each sending their 200 spams a day to their congressperson. Ie. Do select all text, reply, change the reply address to the congressperson's address (instead of the spammers), add a note at the top saying, "Here is another spam that I got. Please pass a law outlawing spamm."

Spamgourmet.com

[mr.ska]

I've been using Spamgourmet.com for about a year now. It provides you with an unlimited number of valid, disposable e-mail addresses, and lets you decide how many times each address can be used. The first N e-mails sent to that address are forwarded to you, and everything else is eaten.

It's perfect for registering online or leaving a temporary contact address. I've used it almost exclusively for one of my accounts, and I get virtually no spam on that account. It's a lifesaver.

I can highly, HIGHLY recommend that you sign up with them. You'll thank me later.

Re:Spamgourmet.com

[wedg]

I do essentially the same thing. Except I just setup an account at hotmail (with a silly name like send_me_spam) and all the online non-personal stuff I do through that. Then my personal account stays perfectly clean.

Why not just re-invent the wheel?

[jeremy+f]

Back when e-mail was invented, say, in 1623 (I'm too lazy to do actual research), people used it as a basis of instant communication between two or more parties.

(Some people used it as a basis of communication between only one party; however, these people were usually either the types who needed to write themselves little sticky notes, or they had disassociative identity disorder.)

Considering how small the 'Internet' was back during the days of the first e-mail (I use quotes because, again, I've not done my research; and I'm uncertain whether e-mail or the 'net itself came first), e-mail was developed with a very open set of rules:

I create a server.

I set up a few accounts.

I open a port to allow for e-mails to be sent to me.

People connect to my computer, write me a message, and then magically disappear.

In time, relaying was invented, and was implemented such that the existing mail servers could be used as relay points -- I send an e-mail from my computer, it gets bounced around until it reaches its recipient.

Thus, the entire idea of e-mail.

I hate to say it, but... This world of e-mail is greatly polluted. I'm not talking about Gulf of Mexico polluted -- this is pre-1972 Lake Erie polluted.

So... Why not re-invent the wheel? We've been so concerned with building filtering applications, and layers upon layers over the basic SNMP protocol that we've forgotten that no matter how many bridges we build, we're still going to be able to look down and see the same polluted water.

With this in mind, I call for a new type of e-mail service to be offered by various providers. One that explicitly denies old protocol e-mails. Something akin to Internet2, but for the public masses. Built-in encryption, a prerequisite (as well as several mechanisms) to determine that not only is the sender valid, but the router its sent from is uncompromised.

While this won't solve all the problems associated with spam, it'll certainly alleviate them. With a protocol designed from the ground up to disallow things such as anonymous e-mails or misrepresented e-mail addresses; as well as several other measures which would make for not only for a secure, but unpolluted e-mail atmosphere, we can abandon the current system which has become so polluted with the waste, filth, and garbage known as 'spam'.

Thank you.

Re:Why not just re-invent the wheel?

[j7953]

With this in mind, I call for a new type of e-mail service to be offered by various providers. One that explicitly denies old protocol e-mails. Something akin to Internet2, but for the public masses. Built-in encryption, a prerequisite (as well as several mechanisms) to determine that not only is the sender valid, but the router its sent from is uncompromised.

SMTP with user authentication already exitsts. SMTP with SSL/TLS-encrypted connections also exists. Yet open relays that don't care at all about who uses the server to send mail or if the mail is even valid exist as well. Designing a new protocol will not solve the problem, as there will always be incompetent/ignorant administrators and developers.

not all the time.

[www.sorehands.com]

The attempt at passing a law in Texas to require censorware was prompted by a senator getting porn spam on AOL.

Re:not all the time.

[meta_gorn]

OK, I stand corrected: Law makers need sponsorship from a corporation, religious conservatives, the gun lobby, or Jane Fonda before taking any legislative initiatives. ;)

Re:Lost productivity

[telbij]

Of course, with 45,000 employees at $5 an hour, payroll alone costs them $1.8 million a day, but your point is well-taken.

The magic bullet

[CKW]

Here's a hint. Don't give spammers your e-mail address in the first place.

Don't give it to shady businesses or websites, don't give it to amateur websites run by people you don't know, don't give it to small or medium sized businesses, don't give it to well known or big online or meat-space companies that have a reputation of being irresponsible in such matters, and don't give it to anyone whose privacy/non-use clauses don't look sincere or aren't backed by anyone you know.

And munge your e-mail address when used on Usenet.

That's it. I haven't gotten ONE SINGLE piece of spam in 4 years. I give my e-mail address to my friends and co-workers, the only people in the world who need it. It's on my website which is hosted from my ADSL line on dyndns.org, and it's never been reaped. It's in my profile at some online-groups and semi-private blog places (my CS clan's web-forum for example), and they've never been reaped.

An ounce of prevention is worth a pound of cure!

All that we need is a honest to goodness education campaign by the ISPs to clue in their lusers.

Re:Tracking Spam

[amuro98]

Yes, there are folks who keep rather detailed records of how much spam they receive.

Check google groups for news.admin.net-abuse.email for "spam stats" and you should find some information from various users. Of course, their amounts may be inflated, but the general trend is clear - the amount of spam is increasing quickly.

It is estimated that by this June, more spam will have been sent this year than ALL OF LAST YEAR. That's over 100% growth.

From what I'm seeing, this estimate is dead on target so far... I used to get ~10-20 a day. Now I'm getting 30-40+. Over half are blocked by my filters, but still, 20 spams at 10Kbyte each is a lot of email traffic that simply gets deleted.

A better solution!

[tweakt]

Sneakemail

It does exactly what you are talking about, only you dont need to run your own mail server. They forward to your real address. You can set each alias to allow all, deny all, allow all except specifically blocked (per sender), or block all except specifically allowed (per sender).

So basically I have a slashdot alias, but slashdot@slashdot.org is the only person who can send mail to that alias ;-) All the other emails are put into a "mail-dam" that I periodically check for anything of real value. You can also set it to instantly trash mail from senders you dont allow.

I run ORDB on my mail server as well, and I will soon be blocking all of APNIC, I go several days now with no spam while receiving tons of legitimate email.

On the off chance I get a spam, I immediately report it to spamcop.net

You need to attack spam on many many levels for it to be effective ;-)

Come on!

[w.p.richardson]

2. SPAM click rates will continue to fall, and bandwidth costs will soar, so eventually the point will be reached that most SPAM will no longer be viable economically- this may be some time away, but I think it is certainly a possibility.

No way this will ever happen! Ever hear of junk mail (not spam email, real paper junk mail)? Has it become unviable? No. As a matter of fact, it is the most effective form of advertising. As more and more people worldwide use email, targeted spam will become as effective as the direct mail is now.

The spam is green. It is still in its infancy as a marketing medium.

Re:Come on!

[LinuxHam]

As a matter of fact, it is the most effective form of advertising.

Not in my house. I especially like the ads for pool cleaning, lawn care, and driveway repaving as I live in a condo. I taught my wife how to spot spam quickly in her Yahoo! inbox and luckily its carried over to our postal mail to. All our junk mail is a huge pain in the aishe and huge waste of time.

Re:Come on!

[w.p.richardson]

I agree. I meant effective in the "statistical" sense. Some people (present company included) are not particularly influenced by any marketing. I do like getting pizza coupons in the mail from time to time though, and those are often used at my house.

congress spammed out already

[Alien54]

Congress already gets 20 to 40 million emails per year. so they are spammed out already.

My modest proposal is that we have to make it legal for people and service providers to charge spammers for the traffic they create.

If you can make a profit in hunting down spammers, i bet a lot of people would jump at the chance.

A federal spamm license requiring spammer to register, etc, pay huge taxes to the government, complete with cute little orange tag for the ear.

and allowing people to charge them for the hassle. did I mention tthat yet?

people would get rich off this, hunting down illegal spammers, collecting fees for ISPs, etc.

Re:congress spammed out already

[4of12]

A federal spamm license requiring spammer to register, etc, pay huge taxes to the government, complete with cute little orange tag for the ear.

I love it.

Can I be the one in charge of the tool that is used to attach the cute little orange tag to the ear?

[I was surprised a few years back when a relative with a small herd of cattle used yellow ear tags instead of the ole brandin iron...]

it was nice

[abolith]

when my ISP decided to block ALL inbound mail coming from Asia. the spam dropped from 30 a day to FOUR. then under pressure they opened back up and now I am getting 50+ !!
*sigh* I hate spammers with a passion. A good friend decided to start spamming from his computer to promote his new business, so I Dos attacked him until he stopped :) after all thats what friends do for each other.

Won't work well with automated services

[tweakt]

Lot's of time, when registering for a website for example, an email is required. It requires you to respond to an email to verify the authenticity of the address. Lot's of time you have no idea what the sender email address will be ahead of time and even what mail server it will come from.

Obviously an automated email verification system won't understand the whitelist notice message and the whole thing will fail miserably.

So you decide to create an address that doesnt block non-whitelisted emails and now that address is vulnerable to spam.

Re:What are you talking about?

[miguelitof]

I don't know, I have a few email addresses, I just don't do stupid things with them! It's also why I barely get any junkmail in the real mail system!

I would say that you are very lucky. Or you don't do much on the net. [grin]

I've found spam much easier to deal with now that I own a domain. I created an email address (nospam@weightjournal.com) and use that email address anywhere that is supsicious (or anywhere that requires me to register an email address, but that I am not interested in receiving email from). I have a recipe at the top of the list that moves all email TO nospam@weightjournal.com to the Spamfilter mail folder.

So far, the mail delivered into this mailbox has been 100% spam.

Easy money is the impetus.

[Jason+Levine]

Well, let's say your moral compass has been permanently derailed and you are planning to enter the "spamming industry." You can buy CDs with e-mail lists for cheap (I believe it's something in the order of 1 million names for $100). You also would use a program to find open relays and exploit them (why run your own mail server when you can hijack someone else's for less dough). Then you forge your e-mail headers (after all, you don't want to deal with messy details like bouncing e-mails and angry recipients).

Now say you send out a million spam e-mails. Your cost is $100 or so (the cost of the list) and whatever you're using for your Internet connection. That's less than a penny per person. If one hundredth of one percent of those names were to send $5 each, you'd take in $500, or about $400 profit. And that's just from one mailing. You'd ignore any "remove me off this #&*#&@ list" e-mails (actually, with the forged headers you wouldn't see them) and send another round hoping to lure in more suckers.

Now these aren't hard and fast numbers, but you can see how some people are lured into the "easy money." Of course, breaking into people's homes and taking valuables is "easy money" also, but spammers somehow convince themselves that they have a constitutional right to misuse other people's bandwidth and time for their own personal gain.

Re:Easy money is the impetus.

[nowt]

It seems like 50% or more of the spam I receive is some kind of pyramid scheme.
I wish law enforement agencies put in some effort against these entities (I've heard precious little done on this front).

Seems to me spammers should be liable somehow for the bandwidth they waste. I believe the US postal service is paid duly by companies that send junk mail.. there's nothing to restrict spammers on their bandwidth.

Then you get into the 'forging headers' side of things.. if someone's offering a good or service, doesn't this amount to fraud?

SPAM as theft.

[Hallow]

All the SPAM'ers cite freedom of speech. Well, I wanna know what the hell happened to your rights ending where mine begin?

The problem of SPAM on fax machines back in the 80's, due to the fact that paper/toner/etc. cost $$ as well as tying up a business' fax line prompted a law that bans SPAMing fax machines. It was the use of resources and stopping of business that got this law passed.

Well, bandwidth is a resource, and if a major ISP's mail service is unusable for a good chunk of time, that's a stopping of business.

I pay for my bandwidth to run my own server. Using my resources (bandwidth), for a purpose I don't approve of, should be considered theft. It might be different for a dialup user (the end user doesn't pay for bandwidth, they pay a monthly fee for access, the ISP pays for the bandwidth, usually).

I'm so incredibly sick of SPAM! Oh, and by all means, I don't want to limit SPAM to commercial mail. I think any email that is soliciting, be it a campaign contribution, a donation to the kidney fund, or religion oriented ("come join us in fellowship", blah) should be considered SPAM as well.

Although, having said all that, I think that legislation is only part of the problem. I think what we need is a modification to the SMTP protocol itself that makes it easy and lightweight to identify and handle these types of email, and legislation enforcing this.

Something like identifying the message as spam immediately after the HELO or RCPT TO, or perhaps even requiring spam to use another port!

But even that's not enough because you know those direct marketing jackasses will still send it without the proper identifiers.

I'm real close to setting up a system where you have to give me your email address and I have to approve you to send me email or I'll never see it. (with a seperate dump account for registrations for web boards, etc.)

Re:SPAM as theft.

[kindbud]

I pay for my bandwidth to run my own server. Using my resources (bandwidth), for a purpose I don't approve of, should be considered theft.

The problem is codifying this sentiment into a law that applies universally. If the standard is to be "I don't approve of it, therefore it is theft" then what if a person disapproves of retransmitted FINs (because ZoneAlarm squawks about them)? Is it then actionable to have a web server with kernel tunes that do not take ZoneAlarm's incredibly short memory into account?

I'm sure you didn't mean that an anti-spam law should encode what Hallow thinks is appropriate, and apply that to everyone.

Even if you get a law passed, there is still the question of due process. If you get spammed, you still have to press charges, and the courts have to locate the spammer before he can be served. And even if you win the case, if its a civil matter you then face the chore of trying to collect on the judgement. If it's a criminal case, the spammer is in jail, or fined, or both. Well, that spammer is in jail. The other fifty million are still at large, still abusing Asian relays. So what have you accomplished?

I ask you, was all that effort really worth it to avoid having to hit delete? Or would you prefer to do away with due process in order to avoid those extra mouse clicks? Sometimes I wonder...

SPAM: The ultimate DoS

[gempabumi]

Is it possible to file a bug against an RFC? If so, I'm going to post to bugtraq about RFC 2821.

Spam is a problem for users. But the problem that users have pales in comparison to the problem that ISPs and other providers have.

Most of the available solutions are catch-up solutions, which, like virus detection software, always arrives too late and is easily defeated (and in any case not the best way to solve the problem).

Anyhoo, why is spam the ultimate DoS? Very simple. Spammer sends 50,000+ emails to 50,000+ addresses using a forged "From: fooXK343@forgedfrom.tld" header. 49,987 of the spam emails bounce, and where to they go? You guessed it, right to fooXK343@forgedfrom.tld. fooXK343@forgedfrom.tld doesn't exist, of course, so the messages get double-bounced to postmaster@forgedfrom.tld.

What can postmaster@forgedfrom.tld do? Very little.

Can he block the incoming connections? No, they are coming from 49,987 different sources, most of which are valid functioning SMTP servers.

Can he contact the admin of the machine or relay where the spam is coming from? Sure, if he magically has 37 hours in his day. But, the relay server is most likely a rooted machine on the other side of the world. Good luck there. Or, the machine belongs to one of the 15 largest ISPs on the planet, in which case he will have to jump through 7 different hoops to talk to the person that can fix the problem. And even if he does get through to that person and the offending dialup account is shut down, the spammer usually has 15 more compromised accounts to choose from and is active on the same ISP within days. Would the large ISP share information so postmaster@forgedfrom.tld can track down the spammer? Doubt it.

Can't postmaster@forgedfrom.tld just send all incoming messages to fooXK343@forgedfrom.tld to the bitbucket? Sure. Will that save his bandwidth and prevent the DoS? Nope.

That's why Spam is the Ultimate DoS. A bug should be filed against RFC 2821. The implications of this type of DoS becoming widespread are serious.

More Gov't Enforcement of Fraud Laws

[swb]

I think SPAM could be limited if our government dedicated more resources to white collar crime and fraud than to other pursuits like the war on drugs.

Most of what passes for SPAM in my mailbox is either prima facie fraudulent products (penis enlargers) and offers (stock "tips") or setups to fraudulent web sites for porn or related items.

If people who did these scams were actually investigated and ultimately jailed with great frequency we would have fewer SPAM messages. They have to be invetigatable because there has to be a way for them to get money from your pocket to theirs.

Also, I think that there'd have to be few convictions. Merely having the FBI/SEC/ATF show up and start doing a serious investigation is enough to scare a lot of people into other lines of fraud.

This wouldn't do anything for offshore scammers, but I have a feeling that the offshore places are going to have to get their shit together or they will start finding lots of the 1st world net blackholed to all of their data.

Extend the SMTP protocol for crying out loud.

[dingbat2002]

a) It's clear that a legal solution probably won't work since SPAMMers will just move their operations to more legally clement shores and the one-world-government isn't around yet to enforce anti-spam laws on a planetary scale yet .

b) It's clear that a technological filtering solution is probably not the ideal way to go because ultimately, any filtering scheme doesn't address the issue that the SPAM is out there and it's still flooding our networks, regardless if you detect it as a SPAM or not.

The only conclusion is that we really need to fix the problem at it's source. Change the SMTP protocol to include a handshaking/whitelisting layer. Is there a reason why the big mail server makers and mail client makers couldn't get together and work on an extention of the protocol that would make the protocol secure?

To me, this is a no brainer and it's probably the only way to go at this point.

No, You need to learn how to read

[rufusdufus]

Read it again. You will see he says 1400 a year is what the article states, but that he himself gets 1400 a week. Not a day. Where'd that come from?

Spam filtering software.

[telbij]

I wish I could find the email that a friend of mine at my ISP sent me a while back (irony at its best).

Basically he has some software that parses emails and assigns it a 'spam value'. That is, it searches for various patterns, and cumulatively adds up the 'weights' for each pattern that matches. Because there are common threads throughout spam, and because a typical spam contains many identifiable factors, this software makes it possible to filter on patterns that you don't want to just filter outright (eg. HTML emails, or mail that contains porn-related swear words).

Can anyone remember the name of this software? I'm not familiar enough with unix administration to remember exactly what it's called or the gory implementation details.

Re:Spam filtering software.

[ONU+CS+Geek]

Sounds a lot like SpamAssassin. It's rather easy to implement if you're using qmail-scanner, you just re-configure your qmail scanner to do it. To have it filter out patterns that you don't like, you just go into the /etc/spamassassin.cf file and touch the fields along with a new value. Very easy, simple to install, and powerful.

I use it on my systems on both my home and live boxes, and I have it set both the X-Message-Flag header as well as the normal X-Spam-Flag: YES that spamassassin uses; so that the ones who use Micro$oft's Outlook/OE can filter their spam by flags.

spamradio.com

[jonesvery]

These guys set up a fun little system: incoming spam is stripped down to plain text, fed into a text-to-speech program, and then set to music. They broadcast 24 hours a day, and I've got to say that it becomes kind of hynotic...

I think it also has great business potential; spammers could use the stream as the hold music for their phone systems -- when people call up to complain about having been added to a "permission based" list without doing anything, they have to listen to spam while they wait.

Just a joke... =)

Re:spamradio.com

[eaddict]

Thanks! I just killed 20 minutes listening to this stuff! Horrible but addictive! Har! Thanks for the pointer....

Re:Another vote for spamassassin

[GSloop]

I'm pretty sure I have some scores well into the 30's...

I'll check...

Cheers!

Yet another vote for spamassassin

[ansible]

I've only had Spamassassin going a couple weeks, but I've been very pleased so far.

My e-mail address is 7 years old, so I must be on nearly every spam list in existence. Without filters I'd get at least 10 spam messages a day. Spamassassin tags over 90% of it.

The only false-positives so far have been stupid auto notification crap from a final four pool website. It's not as if I really missed those anyway.

It would be nice to have two-level selection, so that e-mails that score over 10 (for example) get automatically deleted. E-mail that scores over 5 merely gets a warning attached.

Maybe I'll have a look at the code this weekend... It's not as if I have a date. :-)

Rule-based Spam Filtering for an IMAP account?

[cant_get_a_good_nick]

I was young and stupid, and years ago I used my real, work address on Usenet. I answered a lot of newbie questions, so I wanted to make it easier for them to reply. Back then, I got 2 or 3 pieces of SPAM an hour, so didn't seem to cause much damage.

Now I get that in an hour. I got a big spike when Google brought back old posts. We have Netscape Messenger Service as our mail server. I usually use IMAP, though there is a web interface I sometimes am stuck with. Is there a way of filtering this account? Supposedly you can do server based filters in some clients, but our NMS doesn't seem to support this. I'm on a W2K box, so i'm not sure if fetchmail is an option.

Not like China.

[www.sorehands.com]

All I am saying, is make sure that before people SPAM, they are legally identifiable and financially able to pay for violations of the law. This is no more restrictive than requiring liability insurance on a car.

Suggestions to avoid spam.

[duffbeer703]

1. Never sign up for a pr0n site.

2. Do not post your primary address to a public forum.

3. Don't piss people off.

If you are getting 40 spams a day, you are doing something stupid.

Re:Suggestions to avoid spam.

[LinuxHam]

If you are getting 40 spams a day, you are doing something stupid.

Hey, that's a little harsh. Some of us here have posted to Usenet long before it was "stupid" to do so using a non-spam-protected email address. Back when people thought you could actually get in *trouble* for spam-protecting your email address because you were violating an Internet RFC.

Now with Google Groups bringing twenty years of Usenet back online for easy searching, one can only imagine how many "new" (new == really really old) email addresses have been snarfed. Of course, I'm sure my really old ones are circulating on a number of CDs. I've had my current one since 95 and I get about 35 to 40 spams a day. Luckily my provider uses some technique to mark all but five or so a day with an X-Spam-Warning.

Re:Suggestions to avoid spam.

[Wire+Tap]

1. I don't sign up for pr0n sites. There are enough free sites out there to keep my libido busy for a while.

2. I never even talk in public fora.

3. Wow.

No, I don't think I am doing something stupid. I think companies are acting very unethically.

Re:Suggestions to avoid spam.

[LinuxHam]

Nah... I'm talking 9 years now. Egads. 9 years. I need to sit down. :)

Re:Suggestions to avoid spam.

[bero-rh]

If you are getting 40 spams a day, you are doing something stupid.

No, not necessarily. I get about 80 spams a day, and I've tracked most of them down to a couple of things:

• The bug-gnu-utils list is gated to spamnet, formerly known as usenet. While I post to bug-gnu-utils with an obfuscated addresses these days, I can't prevent people from sending bug reports to bug-gnu-utils and Cc'ing me -- thereby making my address visible to spambots harvesting spamnet.
• Address mentioned in public places by someone else, such as "If you're seeing that bug in the Red Hat packages only, contact their packager at ..."
• Address listed on a website (feedback requests, without obfuscating the address to make it easier for users) - this is also what generates a lot of spam on our security contact address

All of those aren't stupid things to do - but spammers make use of them nevertheless.

Pointing them to my SMTP server's terms of service and trying to claim payment usually doesn't generate a response at all. [And if you can't afford a lawyer, trying to take a spammer to court won't do much good]

Actually, the only spammer ever to react to one turned out to be a 14 year old kid who fell for a "make money fast, we assure you it's legal" scam, and I don't really want to make a victim pay more than they have.

Re:Suggestions to avoid spam.

[bluGill]

I'll agree with 1 and 3. Not 2 though. I want some people I don't know to email me.

Here is an example: Say I post to sci.engr.heat-vent-ac a question about basement heating. (I am in fact thinking of this subject, though i've not posted anything). I want some experts to reply directly if they don't want to post publicly. I've given permission for a salemen selling heating products to send me an email "Hey, we make some products that are of interest to you, be sure to check out our website at...". The latter isn't spam, it is useful, and I don't want to miss any supplier. However a reply 6 months from now is out of date.

Not posting my email address publicly is WRONG. I should not get spam just because my address is public. I want people I don't know who have similear interests as me to communicate with me. I should not have to wade though 10 messages a day for things I'm not interested in (porn, loans, stock scams...)!

Re:Suggestions to avoid spam.

[duffbeer703]

I agree with you completely. But one of the hazards of making yourself accessible (by posting accurate contact information) is that people will misuse your information.

My dad was a reasonably well-known public official in a mid-sized city. Our telephone number and address remained listed in the telephone book throughout his career. In that time we received alot of prank calls and even a few threats (particularly when something controversial was going on or during a contract negotiation).

There were good work-related calls too though -- workers or just citizens with problems or information would call for him once in awhile too.

To my dad, those good calls and just the principle of keeping himself accessible & accountible was worth wading through the shit. (My mom didn't agree with him most of the time, as you can imagine)

If you want the convenience of replies to public postings, you need to put up with the spam. Unless we come up with a technical solution to the spam menace.

Re:Suggestions to avoid spam.

[mi]

1. ...
2. ...

If you are getting 40 spams a day, you are doing something stupid.

1. Don't wear a short skirt
2. ...
3. ...

   If are groped or raped, you are doing something stupid.

Re:Speaking of Spam. . .

[connorbd]

Subject: Sick of spam?

Sick and tired of unsolicited email? Our new Spam Laundry Disc (tm) with its patented HotWetNudeTeenSlut technology will eliminate all your spam problems while enlarging your breast size (even if you're a man) while allowing you to Make Money Fast by selling the Spam Laundry Disc (tm) in an innovative new Newtwork Marketing Scheme!

To unsubscribe from this silliness, just hit delete because as we all know any attempt to respond means you're interested in this product.

/Brian

is that all??

[josepha48]

By my calculations I currently get over 3000 spams in a year. Thank goodness I have filters to block some of this and earthlinks spaminator.... I think every ISP/mail service should have a spaminator...

Re:Tracking Spam

[AnotherBlackHat]

I get a lot of Spam and I am thinking about keeping every piece of Spam that I receive for a whole year, just to see how much I end up with.

Has anyone else does something like this?

Lots of people.
Based on my collections, you can expect around 700, just like the article predicts. (The prediction comes from the brightmail people, so it's not surprising that it's accurate.)

Despite the claims of 100-200 spams a day, most people get less than 10 a day, even old timers whose email address shows up everywhere. The average spam size is between 5K and 6K, so a years worth is going to be less than 4.5 megabytes. If you have an old address that's been heavily published, then you can expect around 10 times that amount. Just try saving spam for a week - you'll probably get enough data to convince yourself that the numbers listed in the article are resonable.

-- Spam Wolf, the best spam blocking vaporware yet!

Make Lawmakers Listen - Make the Problem Worse

[JohnDenver]

I think we're going about this all wrong, why should industry the military and government care that much about SPAM if it isn't a problem for them too?

Maybe we should be sharing the spam with those who have the power to stop it, or those who's voices will be heard.

We should be putting these people's email address on lists which constantly send offers for penis enlargement. So much so that it interferes with thier work and they start asking for people's heads.

A black hat's honey pot for spamers?

[Spoing]

Why not leave what looks like an open relay open, wait for spammers to test and abuse it, then break into the spammer's machine? A fitting bit of revenge would be to set up an open relay on the spammer's machine.

If they think it's OK to abuse a resource, they must think it's OK to get abused as well, right?

Razor by itself is pretty good too

[wytcld]

From Dec. 7th to date Vipul's Razor has caught 1300 spams to two users here, while passing through maybe half that. The only false positives have been a half-dozen messages to the razor listserv itself, which someone was fscking with for a while.

Then setting procmail to put stuff without an explicit To: line with my e-mail on it into a separate mailbox gets most of what gets by Razor, although that box needs to be checked occassionally, since there are legitimate e-mails that end up there. The other stuff is easy to report to Razor through a key assignment in mutt.

If enough people are using Razor, especially with honey-pot type mailboxes feeding reports directly to it, it should only get better.
___

Companies are among the worst offenders

[guttentag]

I used to buy books from Amazon, so they have my name and email address, and they like to send me emails about the latest computers and whatever else they're trying to sell. I log into my account, uncheck all the "send me mail" preferences, and still they send me this information.
My solution: All email from amazon.com is automatically deleted.

Microsoft started sending me some newsletter I never requested about five years ago. The newsletter states that I can stop the mailings by visiting a certain page on MS's site. I visit the page, and it asks me to log in. Since I've never signed up for anything, I can't log in and can't get them to stop sending the mail.
My solution: All email from microsoft.com is automatically deleted.

About 50% of the spam I get is received from outblaze.com servers. Some of it is from legitimate companies I know I have given my email address to, some is from legitimate companies I know I never gave my email address to, and the majority is from your typical "enlarge your penis/fire your boss" spammers.

Outblaze's front page actually has a link to a statement that effectively says, "we're not spammers, we're victims just like you. Our customers are legitimate businesses who send you useful information you want to read." Bull. I have received thousands of emails from outblaze (that I have read), and not one of them was solicited or of interest to me.
My solution: All email with outblaze.com in the "received" headers is automatically deleted.

Re:SpamCop

[bluGill]

I've been reporting all spam recived for a couple months now, with appearently no let up. still it makes me feel good that i'm doing something. I intend to subscribe, even if they don't seem to help much. If nothing else maybe I can solve the problem...

Re:Growth, Growth, Growth.... Nope not me

[q-soe]

The spam figures amaze me, i work as an IT manager and post on many newsgroups, i have hotmail address and i spend about 12 hours a day on line yet my spam haul is about 4-5 emails a day across 6 accounts ! Yes i post to usenet and i post to support forums and i use my hotmail .

The thing is i ONLY ever give out my hotmail address when subscribing for something, I never use my personal address at all unless i know and trust the person or org. Hotmail get a lot of abuse on this site i know, and i suspect most of you havent used it in a long time - its now a very good mail system and the spam blocks work very well, you see it once you block it and you dont see it again (the only ones that dont work for this are the degree mill people who run dictionary attacks against hotmail addys from throwaway accounts; but as its one a week im not too bothered.

I dont join any open discussion newsgroups with my real addresses, i use my hotmail or more often my bigfoot auto forwarder (had it for over 6 years) and get the mail forwarded to me, i can then manage it a bit better.

So i dont understand the 30-40 emails a day, that to me is simply someone who doesnt understand how to protect themselves and uses their email everywhere.

I dont subscribe to any porn sites (have you ever heard of newsgroups btw ? they are free you know) and i would never do so using my personal email - thats just stupid, as is posting to usenet with it.

Your mail client can no doubt filter spam (i use the dreaded and horrible outlook (never had a virus from it but maybe its just my systems) and it has very effective spam filters in XP) or set up some rules to handle it - mine just gets deleted immediately (dumped to tghe deleted items)

If you're getting 40 spams a day you've been careless with your email addy and youre reaping the price.

Its something i expect an AOL newbie to do not a software developer.

Here's a Startling Statistic for you

[serutan]

I don't know where they get the figure of 1400 spams per year, because honestly I didn't read the article. But there are over 12 million companies in the United States alone. If a mere one tenth of one percent of them sent you one email per year, you would get over 1000 msgs per month.

1400 per year? I wish!

[Sloppy]

1400 per year is only 4 per day. That is an order of magnitude less than the amount of spam I get right now.

Taco, it's not generally called spam...

[swillden]

... when you get e-mails from unhappy users of your web site.

OTOH, that you consider it such explains a great deal.

spam will undo itself

[Khopesh]

the slashdot community is rather advanced, seeing the internet under more experienced eyes than most. most of us already get more that that 1400spam/yr (4spam/day) mark (i'm at twice that).

what do we do when we find spam? we don't fall for the advertisement, we report the spam, and we revise our filters so that we don't see that message again. by 2006, people less tech-saavy will have adopted these practices too (and we can probably double or triple the 1400 rate).

if laws and isps don't help, people will get so fed up and spams will get so numerous that they will undo themselves; people will simply stop listening, and it won't be profitable to spam.

another possibility is (if things get really out of hand) that spammers will have enough information about victims to target them masquerading as friends, including real name and interest of the victim in a suggestion-like spam. ...we already see this today, but usually the guesses are wrong; for example, i just deleted a message to Harry from Molly about enlarging my cock. i am not Harry, i don't know a Molly, and i'm large enough already.

The order of magnitude is correct...

[driehuis]

I think it was Alan Ralsky who bragged about that figure per spam run. I remember reading an interview with one of the more persistent spammers who reported a 1-to-100,000 sell rate, but at 10,000,000 spams that's still a hundred sells.

If you google around, you'll find some web sites where anti-spammers (called "anti"s in spammer jargon) post their insight into the spammers world and psyches. One of the best is the venerable Behind Enemy Lines -- Premier Services Exposed" website.

Lots of info on how they communicate, harvest AOL accounts (that's now dated info, they have devised other techniques for their spam runs), and share the loot. A Must Read!

For documentation on organized spamming, there are two repositories with the dull date: SPEWS and spamhaus.

Spam is reaching the epidemic proportion that I now with increasing frequency receive the same spam on the same address several times, spaced a week apart...

Balancing act by the big players

[driehuis]

That 1,400 number may not be surprising to anyone who's been on the net for a while, but you also got to look at the balancing act that kept it that low so far.

Of the spam you receive, chances are that about a third is from spam outfits that spam from their own IP space, and about two thirds is real sleazy stuff sent through compromised servers around the world. Little if any is from companies you want (or need) to do business with.

Those two are not my main concern. The first category can (and eventually will) be blocked by IP address, and the second category will be battled in leaps and bounds by new block list initiatives.

Why is the first category being blocked? Simple: as ISPs get complaints from their customers, an increasing number is going to block them on their customers behalf, with no loss other than the spam messages.

The big thing that most people tend to forget is that the Real Big Firms have not really started spamming you, because of concerns over customer acceptance. If those concerns were to get less, then the real spam barrage starts.

Ever complained to your bank about the leaflets they insist on inserting in your monthly statements? If you expand this to the brave new world of cyberspace, it means you will not have much of a chance to stop the flood without losing your bank statements.

Fear is the only thing that keeps the thing from exploding beyond the current upward slope, and *that*'s why keeping up the pressure is so important.

Look at what happens if a company is near failure these days. In total desperation, an increasing number of them turns to spamming (hint: Google for Enron's involvement in spam).

Re:My sister's on Yahoo mail

[Skapare]

Wholesale blocking can be made to work if done right. Using a blacklist for *@yahoo.com and a whitelist for sistersname@yahoo.com has the right effect. It deletes anyone claiming to be from Yahoo other than those claiming to be his sister. What's the chance of some spammer using his sister's Yahoo address as the FROM address?