A Conference About Spam

zonker writes "January 17th will be the first (annual?) meeting of the Spam Conference held in Cambridge, Massachusetts. The informal meeting will feature Paul Graham, John Graham-Cumming, John "Cap'n Crunch" Draper among others (possibly including ESR though he hasn't yet confirmed). The free conference will consist of a number of talks about new ways to combat the growing spam problem, after which everyone's going out and getting some Chinese food. Should be an informative and fun meeting and a chance to meet some interesting people."

Annual, hmm...

[Miroku]

I'm not sure if I want it to become an annual conference or not. While combating spam is always good, and the list of those involved looks decent, if the conference becomes a regular thing, it means that spam is still a big problem.
Yeah, yeah. I'm probably being over-idealistic again to try to imagine that spam would become any less of a problem, no matter what measures are enforced.
So while I really hope something somehow gets done (Maybe that *cringe* AOL thing will help...) I'm not throwing out my spam filter just yet.

spammers mining public keys

[hey]

I was just about to update my mail address in my PGP public key which is on my website but then I released that spammers might mine mail addresses from public keys. Do they?

MIT (who is hosting this conference) has a key server that presumably hold millions of mail addresses.

Re:spammers mining public keys

[carpe_noctem]

I don't know if this is actually being done, but it's a rather novel concept. I did a search for ".com", and unfortunately, I got an error saying too many results had been found. However, it would be relatively easy to write a script to pick 3 random letters/digits out of the english language, and keep submitting them. That way, you'd probably not exceed the limit for returned addys and you'd get lots of data.

So is it hypothetically possible? Yes.
Is there anything we can do about it that wouldn't defeat the concept of using a public-key conservatory? No, probably not.
And finally, are most spammers intelligent enough to harvest email addys this way rather than use scripts they got hungry college students to write for them 4 years ago? Definitely not. ;)

Re:spammers mining public keys

[RLaager]

There are three reasons (that I can think of off the top of my head) that spammers are not doing this:
1. The people that have PGP keys are extremely unlikely to respond (positively) to the product/service/scam being offered in the spam, as compared to a broad cross-section of Internet users.
2. Many of the addresses on PGP keys are outdated.
3. The keyserver operators (should) notice if there are suddenly a ton of queries from the same person. (Just recently, I got an e-mail from a keyserver operator asking if I was an individual who was making lots of requests.)

Re:spammers mining public keys

[xercist]

The entire keyring is available for all to download. It would be pretty trivial to do this and grab the addresses afterword. If it's actually done, I couldn't tell you.

What does ESR know about anything?

This is the guy who brags on his website that he doesn't have a credit card. The same guy who helped "steer" VA Linux to the biggest dot com stock flameout in history. The same guy who runs a blog that is so right wing that his solution to plane hijackings is to arm all the passengers. The same guy who brags he has no formal training in software development. The same guy who was pretty much run off the Linux kernel developer mailing list.

Who exactly gives a shit what this guy has to say?

Just asking ...

funny

[Yusaku+Godai]

I just received one of the fakest spams I've ever seen:

Hi Ya, I saw your post on the message boards... I hope you don't mind sharing some information with me ^_^ I'm transfering to your neck of the woods in the spring and would like a penpal. What do you think? ^_^ Care to share some info.. hehehhe..eh If you'd like more information about me you can checkout my homepage if you have time... www.geocities.com/cafecutie21 Hope to hear from ya soon! BYEE~~~ Sammi~

It's obviously spam, what with lines like "I hope you don't mind sharing some information with me" but this time they went beyond just fake emails. Out of curiosity and boredom I clicked on the link which had a whole fake website for this girl, which ultimately linked to some online dating service. Why would companies turn to deceptive advertising? Why would anyone want to trust a company using such dirty methods.

Re:funny

[GMontag]

No doooode! She's into you! Score doode score!

Re:funny

[aiken_d]

I work in both the adult internet industry and internet dating service industry.

Odds are, the website you clicked through to wasn't set up by whatever matchmaker service you ended up on. The matchmaker service probably has an affiliate program ("send us traffic and we'll give you 50% of all signups"), and some enterprising college kid (or adult) discovered that they could set up geocities websites that link to the matchmaker site, spam the entire world, and make a few bucks from the affiliate commissions.

There are probably a couple of things wrong here:

1) The matchmaker site is probably not enforcing its TOS, if they have one. There's a temptation to turn a blind eye to what affiliates do to generate traffic; if people get upset enough about a particular spammer, you can always say "Gosh! They were violating our TOS. We'll kick them off!"

2) Geocities is pretty notorious for being slow to respond to abuse complaints.

It's a nasty problem, and one inherent to affiliate programs. Ethical companies aggressively pursue thier TOS and make it really clear that they do before allowing affiliates to sign up ("DO NOT USE SPAM to promote our site; we will not pay you your commissions on referrals generated by spam, we will immediately terminate your account, and we will happily share your personal information with any anti-spammers who complain").

Cheers
-b

Re:funny

[eaolson]

The matchmaker service probably has an affiliate program ("send us traffic and we'll give you 50% of all signups"), and some enterprising college kid (or adult) discovered that they could set up geocities websites that link to the matchmaker site, spam the entire world, and make a few bucks from the affiliate commissions.

Based solely on my observations, this probably isn't "some enterprising college kid" so much as their business model.

1) The matchmaker site is probably not enforcing its TOS, if they have one. There's a temptation to turn a blind eye to what affiliates do to generate traffic; if people get upset enough about a particular spammer, you can always say "Gosh! They were violating our TOS. We'll kick them off!"

At which point they turn around and sign up as another "affiliate" within seconds. Assuming, of course, it wasn't the main site doing it through shills in the first place.

As far as I'm concerned, if your system is this trivially easy to abuse, then you aren't an innocent bystander, you are part of the problem.

Geocities is pretty notorious for being slow to respond to abuse complaints.

Really? I don't think I've ever had Geocities take more than 48 hours to nuke a site, except over the weekend.

To get specific, I've been having some problems with a chatroom spammer that has persistently been spamming ifriends.com / webpower.com for quite some time. They're always geocities or tripod pages that link to an ifriends "affiliate" page. Geocities and Tripod take the pages down within a day or so. Ifriends has left them running for six weeks or more. They're either unwilling to deal with the problem, unable to do so, or (as I suspect) they are the spammers themselves.

speaking of...

[ack154]

Does anyone know what happens to the hundreds of emails I forward to uce@ftc.gov each month? Someone mentioned to send them there, and I tried to read the stuff on the ftc site, but they just say its their "database" for spam. What does that mean? Do they actually do anything with the stuff? Not that the 20 seconds to forward with headers really kills my day. But I just want it to be useful to someone...

And out of curiosity, what are some other people's ideas on trying to prevent it? Basically right now I just try not to have my email address anywhere online (without some sort of word in it or something along those lines). And I watch what I might sign up for and their "privacy" policies. And I don't reply to the spam I get, since usually that apparently just confirms your address and makes you more valuable.

So any more tips?

Re:speaking of...

[dr_dank]

Do they actually do anything with the stuff?

Of course they do. Judging by their large penises and all that money made from home, they've done quite well for themselves to boot.

Re:speaking of...

I can comment on that.... I'm in touch with some people at the FTC, including the Webmaster and their network administrator. ALL of the spam (40,000 per day) goes into a huge database. This database is made available to all law enforcement agencys, both Federal and State. So far, they are getting good prosecutions of the more prolific spammers.

The ones they give higher priority to are DOMESTIC spammers, so don't waste the bandwidth sending your chinese or korean spam to them. Although they process it, the ones that get the highest priority are the ones with broken opt out links or ones that bounce for opt out requests. Also quantity takes a higher priority. Plus they also look at the stuff they sell, and sometimes make legit purchases to verify they are not scamming. But ONLY to the more prolific ones.

Although they DO pay attention to Nigerian spam, it is best to send those to mailto:419.fcd@usss.treas.gov?subject=NO_LOSS

I send ALL my spam to ftc, spamcop and Nigerian ones to the above address.

in my recon missions, I have indeed confimed that spammers DO share information, and opt out really just gets you MORE spam.

When sending reports to FTC, it's helpful if you are specific in your subject line. Like: "there is no opt out", or "opt out link dead", things like that.

The FTC has a rather large staff to process it, although most is done automatically and none of it's read my a human until AFTER it's entered into the database. Once in the database, it's classified and processed to make it easy for law enforcement to get good evidence on them.

My recommendation to all /.ers is to put out as many spam honeypots as you can, or "poison" their mailing list with bogus ones, by using phony hotmail addresses and opting out using those.... the idea is to increase the odds of filling their mailing lists with BOGUS ones... So lets all band together and start "poisoning" their mailing lists... :-)

Make YOUR batch of hotmail accounts today.. :-)

By the way, in doing this, you can also identify the ones that ARE selling your address, and you can then legally go after them, especially if they have a disclaimer telling you they WONT sell your information...

CC

Re:speaking of...

[LL]

Look at DJB's ideas

http://cr.yp.to/im2000.html

Goal is to make the sender responsible for storage (and implicitly communications which is public-key encrypted).

LL

Don't Like This Already...

[Grip3n]

I opened up my Inbox this morning and had like 50 emails about this conference...

Re:It's called "advertising"

[buss_error]

still don't get why people get their panties all in a bunch about a few emails

Try this on for size: If your received just one e-mail from every business in the US, you would get 1,200 per day.

Say it with me. Just hit delete. 1,200 times. Oops! Just deleted the e-mail from your (mother/father/brother/sister/spouce/SO/boss/once in a life time confidential offer).

One-dimensional approach

[Goonie]

It seems to me that this is a rather narrowly-focussed attempt to stop spam. Could the SMTP protocol be changed, for instance, to make life more difficult for spammers?

One idea that occurred to me was requiring the sender to do some nontrivial computation (for instance, the receiving mail server sends the product of two (large, but not RSA-large) primes, which the sender must factor and include with the message to be accepted.

Now, unfortunately, such a scheme has some problems. The huge variation in performance between machines out there means any computation substantial enough to crimp a spammer might cause grandma's 486 to become unusable for sending email. More to the point, it could greatly increase the cost of running webmail services (not to mention mailing lists). Now, the big webmail providers might be prepared to play along - they might even build some dedicated hardware for the purpose of running the protocol fast. However, there's nothing to stop spammers building exactly the same kind of hardware, enabling them to continue to send out spam by the bucketload!

So, anyway, I don't think my idea is the answer, but surely the whole area of improved mail protocol design would be worth exploring.

Re:One-dimensional approach

[rgmoore]

This will ensure that no one gets unsolicited email. Ever.

That's great, but what about people who want to receive some categories of unsolicited email? If you only listen to people on your whitelist, how will you find out about that classmate who you lost track of and is now sending you an email because he finally found your address? How will my boss handle the emails that she gets from prospective clients asking about the services that we provide? How will my previous boss receive questions about the scientific articles he's published?

The plain fact is that there are lots of kinds of unsolicited mail that people really do want to receive. They just want to be able to receive them without getting a ton of ads at the same time. The real answer is to figure out a way of smacking the people who are spamming the world with ads, not to cut off the legitimate unsolicited mail.

Re:One-dimensional approach

[Mr+Bill]

Just use a combination of a whitelist and an autoreply. If your on my whitelist you get through automatically. If not, my mailer automatically sends you a response saying that your not on my whitelist, and asks you to reply to the message to get through my filter. The returned message will have a unique ID in it that will work once to pass the filter. I will see the second message and can choose to add you to my whitelist.

The only way the spammer will get through is if they have a valid return email, and an intelligent agent on the other end that can interpret the returned mail and send a new spam. Highly unlikely that this would happen.

There is a slight inconvenience the first time someone tries to contact you because they will have to mail you twice.

- Cees

Re:The Internet has given spam a bad name

[polymath69]

ill probably get mod'ed offtopic for this...

Only because there's not a -1, Wrong moderation type...

Ever since the internet came along spam has been a problem.

Not even remotely; you must be new to the 'Net. (Do you remember when it was called the Arpanet?)

As recently as back around 1990, commercial use of the net for any purpose was strictly prohibited and staunchly enforced. Anyone violating this principle was likely to be summarily removed from the network.

Vestiges of this old anti-commercialism can still be seen in poster's messages saying things like, I have no connection to this company, but am merely a satisfied customer.

Spam was really not a serious problem in the first 20+ years of the 'Net. Quite unlike now.

Re:It's called "advertising"

[realdpk]

spam costs the receiver money. magazine ads, TV commercials, and billboards do not. the first of those three are completely opt-in, as well, since you have to buy them or watch TV to see the ads. the third is fully paid for by the billboard owner. why is this concept so hard to grasp?

It's called theft, harrasment, and interference.

[silentbozo]

I run my own business. I rely on e-mail heavily to communicate with customers and clients (I get orders via e-mail, support questions, contract inquiries, etc.) I spend upwards of 5 non-billable hours each week having to take care of the crap that fills my order inboxes, customer support inboxes, and my main mailbox. This crap includes both spam and e-mail worms. I spend that 5 non-billable hours a week AFTER everything goes through filters (if I didn't have filters, then I'd be spending more like 20 hours a week) - and it's only getting worse.

So, to sum up - it's not just a few e-mails. And yes, e-mail is about communication, and spammers are destroying the value of e-mail as a communications medium. And, by extension, since my business relies on e-mail, spammers are destroying (or at least seriously disrupting) my business. I pay business taxes, my bottom line is being affected by these criminals, and I really wouldn't mind if we just outlawed spam altogether.

You want to know what's anti-american, anti-business, and anti-innovation? Scum who abuse public resources - namely, spammers.

What if you were a CEO? How would you feel about all this bad press?

I'd fire the asshole in the marketing department who decided mass-mail was an acceptable practice, and I'd lobby Congress to outlaw spam.

I know you're trolling, but..

[jcr]

For the last goddamned time:

This is not a free-speech issue, it's a property rights issue. Advertisers are no more entitled to use my computer to send me an ad at my expense, than they are to break into my house and paint a billboard on my living room wall.

No, advertising isn't illegal, but using other people's property without their consent is indeed illegal.

-jcr

Clueless, playing in havoc.

[AndroidCat]

Interested in spam filters? Come join us in Cambridge on January 17, 2003 at the first conference on spam filtering.

While anyone will be welcome, we're hoping most of all to make this an opportunity for hackers working on spam filters to get together and compare notes.

Filters. That's a give-away. Filters are damage-control after the thief has left. Block them at the first HELO, block them after their ISP refuses to handle complaints to abuse@, block widely, block often. Talking heads, I've said it once.

Re:It's called "advertising"

[tamnir]

There are over 24,361,450 businesses in the US

Ah yes, I forgot:

"According to the MPAA, there are over 65,744,682 businesses in the US. They actually found 24,361,450 but some of them were big corporations."

Re:It's called "advertising"

[humanerror]

Are there conferences on billboard ads? Do people lose sleep over magazine ads? Is there an anti-TV commercial movement?

Advertisers lease space on billboards. They give money to the owner of said property (the billboard) in consideration of its appropriate use by them. This is a legitimate contractual exchange between consenting parties, all of whom enter into said arrangement of their own volition.

Advertisers pay publishers to have their adverts printed. This is a legitimate contractual exchange between consenting parties, all of whom enter into said arrangement of their own volition.

Advertisers give money to networks and local stations to run their adverts. This is a legitimate contractual exchange between consenting parties, all of whom enter into said arrangement of their own volition.

Spammers use network and computing resources that do not belong to them and for which they have not paid anything in consideration of use, often relaying through other networks (and hijacking bandwidth and CPU cycles that would otherwise be used for legitimate and probably profitable tasks) in an attempt to hide their origin. The processing of UCE on the receiving machines takes CPU cycles and ultimately otherwise useful and profitable time away from the owners of those resources. There is no legitimate contractual agreement there, anymore so than if I spraypainted my company's logo on your garage door in the dark of night and left it to you to bear the cost of cleaning it up. It's just advertising, right?

If I feel sorry for anyone it's the companies whose million dollar ad campaigns get shut down by "spam-blocking" email filters, portable video recorders (like TiVo) that allow "skip commercials" functionality, and other anti-America, anti-business, anti-innovation tactics.

Print and broadcast advertising are what keep publishers and networks in business, and what keeps the cost at the point of consumption of print and broadcast media in the range of free to a few dollars per unit for the consumer, but there is no binding agreement between the consumer and the network or publisher requiring the consumer to watch or read the adverts in consideration of consuming the product (the content of the magazine or TV show).

Freedom of speech != a right to a captive audience, and most certainly not at the audience's expense.

And, as an aside, if the profitability of a product or service rests solely on the success or failure of its "million dollar ad campaign," one surely must question just how innovative it could possibly be.

Accuracy

[GrouchoMarx]

If this is a conference on spam, then shouldn't about 1000 random people show up and tell the hosts that they could make big bucks by charging everyone who attends one dollar, but let them in for free if they bring ten friends?

Re:It's called "advertising"

[Steve+B]

Say it with me -- it's called advertising

***BZZZTTTT*** I'm sorry; the correct answer is "It's called theft of service".

Thank you for playing, and don't forget your lovely consolation prize.

whitelists aren't an answer

[Preposterous+Coward]

The problem isn't unsolicited e-mail, it's unsolicited BULK or INDISCRIMINATE e-mail. Unless all your correspondence is with a small and static group of people, you'll never be able to anticipate everyone you might want to have on your whitelist.

If you run a business, for example, you'll frequently (if you're lucky) get queries from potential customers who want more information. You WANT those unsolicited e-mails. Or you might get e-mail from someone you worked with 10 years ago but never thought to add to your whitelist, perhaps because you don't even know his or her current e-mail address.

I have whitelists set up for my e-mail accounts, but I face both these issues on a regular basis. I can't afford to discard an e-mail from an unknown sender without first verifying that the sender really doesn't have something useful to say. Fortunately, most spammers use obviously retarded e-mail addresses or subject lines that make it relatively easy to skim and filter them out quickly (and of course I use a blacklist for known offenders as well).

Do people still care about ESR?

[autopr0n]

Egads, hasn't that windbag been discredited enough.

Dear Recipient

[Convergence]

Due to the excessive volume of robotic responses to the emails I spend time and effort to send to people I have not known to prior to this, have been forced to do this robotics test.

If you do not run a robot, please ignore this message. I will only send it once. Its purpose is to check someone's mailbox to make sure that I am not communicating to a robot, either some whitelist robot, or a vacation program, or something equivalent. I value my time: Nothing is more annoying than to spend an hour carefully writing a message to you about a subtle technical flaw than to have an obnoxious robot tell me my effort was a waste. Now, if this email is sent without resulting in a bounce, my 'AEIOU ('Avoid Egocentric Ignorant Obnoxious Users') will inform me to not write the message. Otherwise, please reply to this message to confirm that you do exist and this message is read. Only then will I proceed to write the message I wished to.

So, if this email arrives in your inbox, my apologies. It will only happen once. I've been forced to such extremes only because of the widespread use of such robots. You have my apologies, but I have been left with no choice.

I do have some good news however. In the future, we'll have constructed a realtime blackhole list that anyone can check to verify if an address runs a robot or not. This way, people not running can be looked up to verify that they're not running a robot and will not see these messages. If you wish to voluntarily add yourself to this list to state that you are or are not a robot, please see http://aeiou.losers.example.com/addlist.html