Slashdot Mirror
Email (As We Know It) Doomed?
Mephie writes "A pretty interesting article at Slate.com takes a look at how spam may be killing email as we know it. With the increase of spam, the argument is made that more users will switch from blacklisting spammers to 'whitelisting' specific, trusted addresses, making email more like instant messaging: if you're not on someone's 'buddy list,' you have to prove you're an actual person (e.g. identify a word in an image) to send a message." May be?
You have no idea how much spam i get on ICQ. I cant even use it anymore its so bad.
Kan jeg få en pils, vær så snill?
Funny I never get spam [to speak of] on ICQ, MSN or YM. In fact the only spam I've received in the past year was on MSN sent via a "Mary-Sue" asking me to see her webcam. This person wasn't on my list but the block-sender list fixed that [mostly because the spammer is too stupid to change their name!]
As for ICQ I have it setup so you can't send me messages unless you're on my list and I haven't received a spam ever. Maybe you have an outdated client or you don't have the filters on?
Tom
Someday, I'll have a real sig.
... has been discussed here before: Hash Cash.
Am I the only person who doesn't receive spam? OK, that's a little bit of a lie, but by and large, I reckon less than 2% of my email is real spam. It's not like I don't get any email - I receive probably 60-100 emails per day over about 3 different accounts, including several mailing lists.
.net about a year ago (I think???), and then these settings were added and enabled for everyone so if you didn't notice it, it will still be enabled.
I think the secret with spam is to stop spreading your email address around the internet. I object to having to provide my email address to forms to register for every damn website (eg. download.com) - I always give a false address if I can. If I can't, I will very seriously reconsider whether I need access to that site (I usually don't). I have an email account that is used solely for the purpose of registering for websites or what have you. Whenever I stick my email address into any form on the web I always check to see whether there is a checkbox that lets me opt out (or in) any mailing lists. The only sites I don't mind signing up for are those that I am genuinely interested in receiving future correspondence from, but they are few and far between.
I also have an email address that is used solely for usenet - this one receives by far the most spam.
Another interesting thing that people may not be aware of is that the default setting for hotmail accounts allows your email address and personal information to be shared. Go to options->personal profile and have a look at the check boxes at the bottom. This never used to be the default setting until the service switched over to
"Because it's there." - George Mallory, when asked why he wanted to climb Mt Everest, March 18, 1923 (New York Times)
Well, there I go again, showing my ignorance of IM. Nevertheless, IM is meant to be synchronous communication, and most people use it only in this way. It is also meant to be ephemeral, unless there is an IM out there that allows for me to keep all previous messages (or not), arranged in a coherent, logical way, as I can email messages.
I've said it before, and I'll say it again.
Sending emails back to spammers is for brainless cretins - it serves only to clutter up your mail queue and risks offending innocent impersonated senders or having your email address confirmed as valid for spam.
And sending automated emails back to legitimate senders is downright *immoral* - making everyone do the work that a spammer *should* be doing to get through to you is indefensible.
And I've seen a case recently where this TMDA thing was so misconfigured that it sent an mail back to a mailing list saying there was an unrecognized sender address, and of course that mailing list was half of the gnu.emacs.help mail2news gateway, so the message appeared on the newsgroup for *all* to see. Talk about efficiently multiplying spam.
Now for something useful. Use one of the Bayesian filters, seeing as they're all the rage and get about 97-98% spam matched correctly, coupled with SpamAssassin as a fall-back for the remaining 2% cases, and you'll have far less of a problem.
Now incorporate those filters in your MTA so that the whole body is checked for spammishness before being "accepted for delivery" and you'll have the best solution of them all: bounce the mail at injection-point and be done.
~Tim
--
Rushing on down to the circle of the turn
as one person already mailed me about the unique address per spammer, I thought I should clarify here that it is infact: as unique per spammer as an md5sum of all the details gathered from the requester of the page can be - without attacking the requesting host :) Therefore it is _NOT_ unique per request, that would be insane - instead per host/useragent/referer & some mystical details. yes, you can avoid it, but it seems spammers are not that educated. And when they are, it will just need to be enhanced :)
And to the other question: No, I have not sent any actual invoice to a spammer. Instead I have succesfully made 5 spammers so fall apologize in the fear of being invoiced and stop harvesting my site for emails.
One thing I have observed about spam is that seems to especially target free webmail services, and in particular, MSN Hotmail. I have several email accounts, some of which are webmail accounts I signed up for, others came with dial-up or hosting accounts, the universities I've studied at, and the companies I've worked for. The webmail accounts I signed up for are the ones that receive the spam, the others get zero or next to none.
It is worth mentioning that my Hotmail account fills up in three days if I disable the `delete mail from unknown users' filter. The reason is that I enter my Hotmail address whenever I think it's going to be used for spamming. This keeps my other addresses clean.
The reason I use my Hotmail account for that, as opposed to another free-as-in-beer service, is that I have noticed that Hotmail accounts attract spam no matter what. Even though MicroSoft claims they do their best to protect their customers from junkmail, I have noticed that next to everyone who uses Hotmail complains about spam, email that is sent to a long sequence of ASCII-ordered addresses are delivered as if it wasn't obviously spam, a Hotmail account will receive junk mail even if you just let it sit there and never use it or give the address to anybody, and countless other badnesses. I don't know how this compares to other providers of free webmail, but I do know that my Yahoo account gets an acceptible (for me) amount of spam, despite having only the default level of spam protection, whatever that amounts to.
Now there is an additional issue here. I do not use my webmail accounts for everyday email; I prefer POP and SMTP for that. I don't know if more frequent usage would result in higher volumes of spam, but I could see a scenario of how this would work. Most modern email clients, whether they be stand-alone programs or web interfaces, keep an address book. The address books of notable email programs are known to contain exploits that allow hackers access to the stored addresses, and malicious (money-hungry?) webmail interfaces could easily read their clients' address books and sell the information to third parties. In this case, by sending an email to somebody, I expose myself to the risk that my email address will eventually be known by spammers.
Having said all this, I will come up with a couple of hints for avoiding spam. There work for me, YMMV:
1. Avoid using free webmail services (especially Hotmail) for accounts you don't wish to recieve spam on.
2. Use an address other than your primary account when dealing with a party you don't trust.
3. Don't leave your email address on webpages. Even encoding or scrambling your email address won't protect you - if humans can understand it, programs can be made to do so as well.
These practices have left my mailboxen uncluttered for years, aside from the incidental win32 virus. Which brings me to another point: make sure your email client does NOT execute code attached to emails. Most versions of MicroSoft Outlook and Outlook Express are known to be vulnerable. For your own good and that of the rest of the Internet: DO NOT USE THESE PROGRAMS.
I hope my comments will prove helpful to some of you. Feel free to redistribute as you see fit.
---
(1) Everything depends.
(2) Nothing is always.
(3) Everything is sometimes.
Please correct me if I got my facts wrong.
No idea how they implemented it, but I wouldnt be suprised if it was based on bayesian principles as well, since it learns from its mistake (it marks junk emails as such, but allows you to change a mail's status if it guessed wrongly).
Since it starts of in "learning mode", where it only color junk mail but does not delete them, you get to check its efficiency before putting it in "real mode". And even there, by default it only moves the mail in a "junk mail" box, so you can check once in a while if there was anything important there.
Since using it, my father found that it caught something like 95% of emails, and very very rarely had false positive. Even when it had, correcting the mistake meant it was not repeated.
I expect such anti-spam systems to get a lot more frequent... and they DO work. Not flawlessly, but well enough to stop spam being such a pain.
BTW, Apple's filter also have an elemnt of whitelisting, since emails from people in your address book go through without checking.
Just my 0.02 E
What do you know about World Politic? Find out in this quiz
The idea of SPEWS is not just to block spam, but also to force ISPs to terminate their spammers. Blocking only the spammer's IP is pointless; too many providers just move the spammer about in their IP space, and the world has to play whack-a-mole. SPEWS' policy is that if an ISP decides it wants to keep its spammer online in the face of repeated complaints, fine; but then SPEWS don't want to receive any email from such a network.
Now, the question is: do you agree with SPEWS' policy? If you do, great! Use SPEWS' blacklist to filter incoming email. If you don't, no problem; there are plenty of other blacklists, some more lenient, some far more radical. Pick one or more, or none if you want to accept everything. It's a free internet.
The great advantage of SPEWS is that it _really_ hurts to be listed. It's the email version of the UDP, and has the power to hit rogue ISPs where it hurts, strongly encouraging them to rethink their policies.
Would your ISP have terminated their spammer if SPEWS hadn't escalated their listing to the whole /16? I doubt it... SPEWS normally start with the single IP, then incrementally expand the listing (as further complaints are ignored, most likely). If it took a /16 block to force them to terminate him, then certainly no number of polite mails to abuse@ would have worked.
As for big spammers who can change ISP frequently: if the threat of a SPEWS listing is so terrible, what ISP is going to sign up Empire Towers as a customer? Nobody in their right mind. Alan Ralsky spams from China these days, I gather, because nobody in the West will touch him. ISPs must decide whether they want spammers or humans as customers; those that choose the spammers will surely be listed by SPEWS, and so real humans won't have to receive their crap. Those that choose humans will not be listed, for they will terminate their spammers promptly and will not play silly buggers with IP numbers. If this means that the internet fragments into the spamnet and the nospamnet, fine - who wants to hear from the spamnet anyway?
Real Daleks don't climb stairs - they level the building.
While I fully agree spam is a serious problem - is it really that bad? I don't know what you are doing with your addresses to attract spammers, but at least for me, the DNS-based blacklists are still effective enough. Whitelists wouldn't make my life any easier, and they would surely complicate things for those who want to send me mail.
I get less than one actual spam message per day, and most of those are to the (unfiltered, as per RFC recommendations) postmaster@ address on my domain. All other addresses use blacklists only for spam prevention; there's a fair amount of spam blocked and very few legitimate messages are blocked - it has happened to me exactly once, even though I use somewhat aggressive blacklists. My main address have been in use for several years and I can't say I've been careful about revealing it - it has been used on mailing lists, various sign up forms, it's published on a number of web pages, etc.
Content filtering (Bayesian or whatever) seems to be popular among slashdotters. With an IP blacklist, erroneously blocked mail will bounce, making the sender aware of the problem. A content filter, on the other had, usually can't bounce so the message will be sent to /dev/null or stuffed in a trash folder together with other spam - the message is effectively lost. Sure, the filters may be good, but they still do make some mistakes and the cost of those mistakes are higher than it is for blacklists.
So I still prefer blacklists, despite their shortcomings (politics for one). They may be out of fashion, but the fact that messages are blocked before being accepted by the mail server feels right on principle - the spam never gets to waste my bandwidth or disk space.
The major ways of getting spam are:
1. Posting on a newsgroup with a valid e-mail address. (I use Sneakemail (www.sneakemail.com) to generate addresses for postings, and within hours of a post, I get new spam.)
2. Have a web page with your e-mail address on it in cleartext.
3. Respond to any spam, sign up for web contests, etc.
4. Have an e-mail address that is easily implied from your domain name (for example, john@johndoe.com, info@whatever.com, etc.)
5. Have a registered domain with contact info in the registration record.
http://www.filmthreat.com/GoreyDetails.asp?Id=221
I get a lot of spam at work (maybe 30 or more/day) and almost none at home. I am careful about giving out my email address, and in fact I think I've given out the home address more than the work address. It puzzled me that I was getting so much spam at work, then someone here mentioned that we should not use auto-reply with Lotus Notes because that replies to spammers and confirms your email address. Of course everyone here sets Notes to auto-reply when they are on vacation, etc. I'm convinced this courtesy is the source of my spam problem.
It's too late to do anything now. Yeesh.
Promising newcomers such as CloudMark, which taps the collective power of e-mail recipients to identify spam, may improve things for a while.
I've been using this for a while, and am catching like 80% with 0 false-positives so far. The only downside has been a few minor bugs, which is expected for a beta product and have more to do with Outlook than anything. I think the concept is sound, and would be pretty hard to circumvent. Basically, a fingerprint (one-way hash?) of the email (not just the header) is looked up in a database which contains reported spam. Reports are weighted for reliability, which prevents spammers from unblocking their own spam. I can think of only one way, besides a DoS, to get around it, but I ain't telling here =) www.cloudmark.com
In the trite words of a screaming Chris Tucker, "Do you understand the words coming out of my mouth?
Here's what typically happens.
1. SPAMMER gets account on your ISP
2. SPAMMER SPAMS from your ISP
3. Someone reports SPAMMER
4. SPEWS sends warning to your ISP
5. ISP does nothing
6. SPEWS blocks small IP range, sends second warning
7. ISP does nothing
8. SPEWS blocks larger IP range, sends third warning
9. YOU get blocked (It's obvious your ISP doesn't care about your connection)
10. ISP finally takes appropriate action, SPEWS unblocks ISP
If SPEWS didn't follow that procedure, then shame on SPEWS. If you're ISP didn't respond to SPEWS, then shame on your ISP.
Either way, Sounds like you need to get another ISP that actually cares about keeping the connection up for its legitimate customers.
"Communism is like having one [local] phone company " - Lenny Bruce
I was getting so much spam on my dial-up account that it sometimes took me 20 mins to download mostly useless, if not offensive, email. Sorting it automatically by client-side methods (e.g. SpamAssassin) wasn't helping the download time, since you still have to download the blasted spam before you sort it.
So I got rid of my contaminated address. I created an account on two web sites: www.spamgourmet.com (free) and www.sneakemail.com (mostly free).
Spamgourmet allows you to create an infinity of different email addresses all going to your POP3 account, by adding various prefixes. So say, to take a recent example, that your account is SpammerMaimer and you want to subscribe to, oh, MIT Technology Review's newsletter. You create an address called MITTechReview.20.SpammerMaimer (@ the SG domain). The "20" in the middle word of the address gives them 20 shots at emailing you before the address shuts itself down (and you can manually reset the counter).
Then, surprise! This stupid magazine sells your address to several spammers. On top of that, their forum system is spammer-friendly because it encourages email address collection.. You know that it's them, because you haven't given that address to anyone else. So what do you do? You go to your Spamgourmet account and shut down that MITTechReview.20.SpammerMaimer address. Problem solved.
For truly one-shot emails, I use sneakemail, which creates disposable addresses that you can disable individually.
The hardest thing is to keep the old address active for a while until all your usual correspondants have been informed of your new address. Then, when you switch your ISP email address, you just have to change the forward address in SG and Sneakemail.
Highly recommended.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
The user will hook up, not change anything, and as soon as something goes out with a port 25 destination, your local mail server grabs the connection instead, and takes over sending the mail.
Their ease of use, your ease of control and security.
Why is this good?
I already explained why this is good. Previously, blacklist maintainers were subject to legal threats simply for reporting the truth: ISPs were tolerating criminal activity within their netblock. When word of these threats got out -- even if action was never filed -- many individuals added the ISPs blocks to their own personal firewall lists with a note not to remove them ever under any circumstances, ever. As a result, the ISP would find themselves blocked by hundreds of individual lists from which they could never be removed rather than one big central list where they could be removed if they just cleaned up their act.
SPEWS being anonymous and immune to legal action is a good thing for everyone. Well, except spammers, but spammers don't count. Spammers should all be shot into the sun, but not our sun. We should pick a sun that has no inhabited planets in orbit so as to avoid contaminating life.
If SPEWS became abusive, in listing ISPs simply because someone in SPEWS didn't like a person there, then people would stop using SPEWS. SPEWS works because it not only lists spam-friendly ISPs but provides information as to exactly why the ISP is listed. If that information becomes 'person X is a ninny' or it involves demonstratably false claims, people would know that it wasn't trustworthy and they would stop using it.
If you happen to be on a blocked Sprint IP, then yes, your complaint is with Sprint. Other ISPs CHOOSE to filter with SPEWS's list (one of the two, since there are two SPEWS lists) because they've decided that if an ISP tolerates spammers, nothing from that ISP is worth hearing. You don't like that, find an ISP that does not tolerate spammers or tell your ISP to stop doing it. SPEWS simply tells it like it is. Don't like it? Too bad.
STOP MISUSING APOSTROPHES, YOU MORONS!!!