Slashdot Mirror
ISP Chief on Spam
saddlark writes "internetweek.com has another article about spam and false positives. They've talked to Barry Shein, president of The World (the worlds first dialup ISP) - someone highly affected by spam. Quote: We're victims of crime, and nobody gives a damn. That's a nice feeling -- your business is being pounded into dust by criminals, and people say, `Live with it,' Shein said." ISPs have it pretty bad since their SMTP servers are often being hijaaked to send email that nobody wants. As annoying as spam is to us (113 messages so far today!), it's even worse on that side.
Track them down. Let them pay for all the trouble!
Yes, that's right. You probably just have to live with it. The best that ISP's can hope to achieve is a reasonable amount a spam filtering, and locking down their own systems to prevent abuse. Beyond that, quit your whining....the internet is a hostile place, and spam is just one part of it that you have to learn how to fight.
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
internetweek.com talk to Alan Ralsky - someone highly affected by spam - "I'm a victim of crime and no-one gives a damn!"
WASHINGTON, DC- Instead of dealing with the email spam problem, the Congress today passed a bill that blocks the use of email by all American citzens. Although this may hurt buisness in the short term, officials expect that this will probably help the post office.
www.superdorf.com
Maybe it's because I'm not subscribed to twenty different mailinglists and don't post my email address everywhere I can, but I'm not that much bothered by spam. I get a handful of unwanted mail a day at most. Why is it that others are so much worse off?
This happens because the people who are in position to make laws and policies are directly affected. All the whining goes on in the technical community, but talk to your elected representative and ask them where spam figures in their priority.
Secondly, to get laws passed, you need a lobby. Hell, even *IAA managed to get asinine laws passed because they lobbied as a group: they were able to highlight (rightly/wrongly) how their financial interests were being compromised.
Unless a lobby is formed and pressure sustained, we can whine all day on /. We can send 100 spam's to Alan Ransky. We CAN'T end spamming.
Though I've never really investigated it, there HAS to be some kind of alternative to SMTP. It's always struck me as a horribly insecure protocol and something that should have been replaced long ago.
I suppose the real problem now isn't finding a new protocol, but rather, getting wide-spread adoption of it, seeing as email has become a part of daily life.
...but I am going to anyway. There are a handful of very feasible ideas out there for stopping spam. Permission to send systems. Systems that require a token to be processed with each message sent (sending a message is trivial, sending millions of messages at once requires a server farm doing nothing but processing tokens). The list goes on (probably considerably longer than I realize). I hoenstly think it is simply a matter of time until the Open Source community begins implementing this and the rest of the industry follows. Now, lets get hopping.
ER
Slashdot them bankrupt!
Click all the adverts, they are ads for spamware/spamming. The 1000's of clicks slashdot could generate will really hurt their cash flow!
Want to hurt them more? Click here!
I don't think Barry is right about the situation being about to implode. "Imminent death of the net predicted" has a poor track record for accuracy. But I wouldn't be surprised to see things get much worse over the next, let's say, three years.
What we need is to have a replacement ready. Waiting in the wings to take over. As "SMTP email" becomes more and more spammy, and people get more and more frustrated with both spam and the inconveniences caused by fighting spam, the number of people willing to adopt a replacement will grow.
My contention is that the only way to solve the problem is to make it cost something to send spam. The root of the problem is the unbelievable cheapness of delivery. Every attempt to solve the problem has been an attempt to make delivering spam more expensive (typically by getting spammers kicked off ISPs, cancelling their contracts and costing them money circuitously).
We simply need to make email delivery cost something. A tenth of a penny an email would be more than enough.
Maybe it can be done with "hash cash," requiring the email sender to spend CPU cycles to solve a math problem. Personally I don't think that's going anywhere; CPUs are way too cheap right now. But that's an ingenious approach to the problem and a good example of the kind of thinking that will be needed.
I lean toward inventing an entire micropayment system to solve this problem. The advantage is that, piggybacked on the solution to spam, you get micropayments -- which, when applied to the web, usher in a whole new era of content production.
But whatever happens, something needs to be waiting in the wings for when SMTP finally hits the wall.
They can implement strong AUPs that will do the following:
Fight Spammers!
Most users might be able to live with it, but what they don't see is the 50%-90%+ of spam that is filtered out before it even hits their inbox.
I know I still get about a spam a day, after my personal filters ditch about 80% of what comes in. And that's after my ISP filters out what is likely an equal amount.
That means about 25 spams a day are sent my way. Multiply by the tens of thousands of e-mail accounts on a mid-sized ISP, and it starts to cost these businesses real money.
*Splort*
Lets face it, SMTP as well as POP3 and IMAP are old protocols. They came to be when networks were small and more trusted. The fact that 99% of ISP's use the email account as the service provider account is clearly insecure. Email travels around in clear text, passwords and all. This is how most crackers get into networks, by simply sniffing out the name and password of email accounts.
Email needs a massive overhaul like the one telnet has gotten. Telnet is obsolete, replaced by SSH. FTP is replaced by SFTP and SCP.
Email needs to be cleaned up, secured and as easy to use as it is today. Encrypting it helps, but you also need to design the protocol so that headers can't be faked. You need to design anti spam into it from the beginning. Anything we do to SMTP now is just a hack on a very old outdated protocol.
Oh and yes I know what I'm talking about, I've run several nationwide mail systems for two ISP's. It's a nightmare I wouldn't wish on an enemy.
I keep seeing all these messages about spam and the spam filter that I get with yahoo mail keeps filtering almost everything. Thats right, I get almost NO spam.
I'm not sure how it works but I'm pretty sure it is just analyzing mail that goes to many of its users and if it hits a certain criteria its moved to your bulk mail folder. I get only a handful a spam messages a week.
I know many people who know little to nothing about computers or the internet. They have not yet been jaded by the flashing banners and e-mail spam messages that promise free programs, trips, prizes etc. So they click away, and before you know it they are getting flooded with hordes of unsolicited e-mail. My aunt recently got a warning from her ISP for exceeding her allotted mail box space 17 times last month. I had to write them a nasty e-mail critisizing the lack of filters (even though it was my aunt's fault for posting to a bunch of newsgroups).
I guess the point is this: As long as people who don't know any better keep clicking on banner ads and checking out spam e-mail, the advertising companies are going to keep flooding people with messages. Their point of view is this: As long as we are getting some kind of return on our investment, we might as well continue to exploit this service. People just need to be educated on techniques designed to avoid supporting spammers, whether purposely or inadvertantly.
"This food is problematic."
There is, of course, a difference between osmehting that is a crime, and something that is obnoxious, and intereferes with the operation of a company. Right now, spam isn't, for the most part, illegal - but it is a huge headache for ISPs (and everyone else.) It isn't that the police arn't prosecuting offenders; rather,thef havn't yet been given the legislative tools to do so. This is like the owner of a stoor complaining about people with muddy feet trampsing trhough his stoor; the police can't do anything (unless the isolate a single person, and charge them with trespass - see the Intel email case!).
Are spammers stealing from ISPs? In a way, yes; they are using the ISP's resources to earn money for themselves, wihtout the conset of, and certinly without compensating, the ISPs. It doesn't fit the current statutatory definitions of theft of service enough to prosecute, however, so methings this ISPer is mis-direcing his efforts - instead of trying to goad the cops into action, he should be seeking legislative (or better yet, technological) remedy.
Those of you who see this and start yelling "lets outlaw SPAM it's bad!" might want to sit back and think for it. Sure, an anti-SPAM law would be great, however, it could open the floodgates to other laws relating to the internet that would not be so great. Once the law makers get into our realm, they're not gonna leave until they've changed the internet completely.
We are a small company (2 people) who run some high profile (non-spam, non-porn) sites. Without the DNS BLs, spam traps etc, we would get over 1000 per day (close to 2000 on some days). One email that has not been used since 1995 still gets spam sent to it...it is a primary spam trap.
What is a solution? Various ones, but legal ones will not work for any length of time, it is like a hydra, cut off one head and more grow back.
What I would like to see (and what we proposed years ago, when micro-payments were in their infancy) was something that allowed you to specify users who you were willing to accept mail from. Everyone else had to pay you something (you could specify it), say, $0.01 or $0.10. Anyone willing to pay that could send you the mail, otherwise they are out of luck.
Personally I would love to get junk mail then - at 1000-2000 per day, that is a nice bit of money per year!
Heh, that's funny, I usually use Michael Sims e-mail when I sign up for things.
I went and got POPfile and now, two weeks after I saw the link to it in a article, my spam filtering has a 99.7 sucess rate. It filters everything by adding a X-Text-Classification header and then my mailer does the rest.. Easy easy easy..just give it a bigger corpus and block those type of emails on the smtp server.
At least the war on the environment is going well
NUMBER ONE REASON SPAM CONTINUES - Little or no consequences for the SPAMMER. No way to make your AUP stick easily. Until you start taking the consequences for thievery out of the cyber world and start applying them in the real world, SPAM will continue.
If your an ISP (or related industry) your credit card vendor/bank automatically places you in a category called "high risk". This means that if a customer refutes a charge then you the money is taken AWAY from you and you are charged an additional charge called a charge back. Congratulations, you have a iron clad AUP, but if you don't have a signature (and most ISP's take signups over the phone) then your screwed should the SPAMMER SPAM. It's such a nice feeling to know your getting nailed twice by the spammer,
a. They use your system for something illegal, taking up resources in addition to the time it takes to hunt them down and turn them off.
b. They then charge their credit card back for the account and the AUP violation charge (SPAM Cleanup fee).
I have worked for ISP's for almost 10 years now (Yes THAT long). In that time I have watched and fought against the huge rise in SPAM. Currently I help administer mail servers for several domains that are high profile SPAM targets. So that you can get an idea of how bad spam is let me give you some statistics from the trenches.
1. One popular domains recieves about 120,000 messages/day for accounts that don't exist. There are actually only 35 mail accounts on that box. The target is very popular because of the domain name. That doesn't count the faked bounces which often constitute a few thousand messages/day
2. With one domain that services about 10,000 users, the implementation of a "mailgate" (BSD box with postfix and RBL and other anti-spam measures) reduced the amount of spam by 2/3s. Statistically that meant that 89% of all attempted connections to that box were refused.
3. The equipment used to deliver mail as little as 8 years ago can not be used now for reliable mail delivery. It would not survive the load. A SPARC 2 running sendmail could easily handle mail for thousands of users 8 years ago. With the advent of spam and the shere VOLUME of mail transactions such a solution today would be problematic at best. Moore new law may say something like "Every 3 years the amount of computing power required to run an e-mail server will triple"
The number one cause of complaints for ISP's is e-mail problems. If e-mail fails customers go nuts (as the rightly should). This means ISP's must invest serious money, time and effort into an e-mail solution. Stopping SPAM or preventing it from overwheling your e-mail servers is no easy task. It takes time, energy, intelligence and precious resources away from other things.
Spammers do such nice things as fake bounce messages, hijack school computers in the far east, use several dial up connectiosn concurrently and start running spam until the get shut down. The use faked return addresses from a legitimate domain, overloading those domain's mail servers as thousands of bounces go to it. The take over poorly maintainted machines with highbandwidth and open up hundreds of simultanteous connections to mailserver essentially preventing legitimate traffic from hitting those servers until the spam run is done.
BUT I HAVE A SOLUTION!! Using spammers logic here is my solution. I have automatically signed up every e-mail sender to a new contract. This contract says that if you send me an e-mail that I don't like I can break your kneecaps. If you don't like this arangement you can "opt-out". Just send your opt out message to dev-null@aol.com and I'll be sure to add you to the list of people that don't want their knee caps broken!
SPAMMING is nothing more than common thievery, it is a theft of services, it is theft of time, it is theft of resources and finally most spam runs should be considered a denial of service attack. In fact for small ISP's they often are. Until you bring consequences out of the cyber world into the real world there will never be a solution. Knee cap breaking is a fine real world consequence.
cluge
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
Allow me to borrow an oft used cliche from the book of "geek copyright arguments". "Perhaps they should find a better business model?" Clearly their current one isn't working and they need to fix it. And just to add more fuel to the fire, "information wants to be free", even if it is about penis enlargments, herbal medicines and pyramid schemes.
SMTP has a fundimental flaw that spammers have been able to exploit for years. It is far too easy to place false header information, making it impossible to identify the true source of spam. The best way to isolate spammers is to require that the sender must continue to store the message and only send a smaller crypto checksum of the message with an the information about where the full message is available at the sender-provided server. Yeah, spammers could still send out there trash this way... but this system does not allow them to lie about their IP address, because the IP address the sender specifies has to be where the full message lives. Once a server is being identified as spewing spam, the server would be quickly nuked by either ISPs pulling the plug or blacklisting. The remaining users would have a key that leads to a non-existant message, which client software can drop without ever needing to present the failure to the user. Effectively, spam is killed after its been sent, and the user never is bothered.
30-50? That's pretty good. Between work and home, I get around 175 spams a day. It's nice taking a vacation, and checking my email for the first time in a week. There's about 800 messages at home, plus another hundred at work.
And I have a hotmail account that's used for when I buy stuff from businesses I expect spam from. Places that don't use the double opt-in and sell my name to others. I often change my name to see the spam spread. But I don't really count that email as spam because that's what it's for.
My yahoo accounts don't get much spam, and that's what I use when I sign up for mailing lists.
I've never signed up for anything under my domain name, that's bots scanning sites. I use servercentral as my webhost, and I get around 50 spams a day that are addressed to servercentral-user@spam.com
And lately, I've been getting bounce backs from servers from spam that's sent under my domain name. It's having a domain name that gets me so much spam.
I've been using MailWasher (bounces email saying I don't exist), but that's going to change I think. After a vacation, MailWasher doesn't work because there's so much spam. And besides, who sends spam without faking the From address? It's effective about 95% of the time - about 5% false-positives.
Ah, that was good. I hit preview, and got a call from a telemarketer.
riding round the world on an old motorcycle
Hash cash seems more reasonable, but in order to really stop a spammer you want to delay him/her (it?) for probably on the order of a second per message, at least. Even if you find some algorithm to do that, it'll really annoy me to have to wait a second to send regular email also. So, I'm bitching about a second. But those can add up.
Now, maybe what you could do is charge for bounced email messages. The recipient decides whether he/she wants to open the message. If they open it, it is automatically free of charge. If they bounce it without opening it, the sender gets a small charge. The idea being, you get payed for the unwanted mail people send to you.
Ever thing of a good way to allow the internet to poliece itself? What do you think would happen if we get the polititians to make some blanket fine for voilating and RPC required or something similar? Collect enough uncollected fines and get a world wide enforable ISP ban. There are enough people that would be more than happy to track down spammers for cash. And they dont pay after awhile it's say by by to ISP connections world wide. Granted this will never happen our politicians would hate to let soemthing regulate itself they love to "help" us.
No sir I dont like it.
Being a Web Developer, I do a great deal of business on the web so my addy is everywhere. I would probably get thousands of pieces of spam a day if I didn't use filters. That's insane. I use mailwasher to make e-mail as spam and bounce it back. There are probably more elegant solutions but it sees to have lessened my spam a bit. I think part of the problem is that some people actually buy from spam. If everyone would refuse to buy anything or from anyone that ever sent bulk email, they'd stop doing it. Why should they bother if it doesn't work? I know people who complain about spam who will actually order from bulk emails! My computer illiterate relatives are always printing out spam for vacations and cell phones to let me read to see if it's legit. Then again, how popular can these ads be? How many people actually want to enlarge their penis and see "barnyard love" . . . On second thought, I don't want to know. It'd be interesting to see the return rates on spam though.
I was searching around earlier, and to solve my own spam problem I downloaded POPFile. It is a cross platform email proxy (runs locally). You still use whatever email client you want, with just a few minor changes to your configuration (pop server is now 127.0.0.1 and username is now mail.server:username). It employs a bayesian filtering method. It is very easy to use and has been working GREAT for me so far. It can add a classification to the subject (IE an email labed hello, would become [spam] hello) or it can add a X-Text-Classification header which your mail client can search for, so you can decide exactly what you want to do with different kinds of email. I havn't found a better solution yet.
But ISPs have little to complain about. All the spam people receive amounts only to a small fraction of their normal Internet bandwidth usage: per day, you almost certainly generate more bandwidth, TCP connections, and server transactions in pop-up ads than in spam. If an ISP's E-mail servers cannot handle that workload for their users, they are doing something wrong. And if they want to off-load the responsibility of running the server, broadband providers should just drop their restrictions on their customers running servers so that everybody can run their own mail drop.
We simply need to make email delivery cost something. A tenth of a penny an email would be more than enough.
I've heard that before, and I don't think it's enough. All you need is one idiot to say, "Yes, I do wish my penis was larger!" and at $39.95, he's just covered 40,000 emails. Are spammers getting a 1 in 40,000 response rate right now? I don't know, but they're paying for net access somehow. So raise it. A dollar an email. Then you have a 50 million dollar outlay to spam the world. Better have a good response rate with a pricey item to get that back.
But that doesn't work for me. Why should I have to pay that, or any amount, to use a service I'm already paying for? Isn't that why I shell out 20 bucks a month - to use the intarweb, 80% of which is still probably email?
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
Look the best way to fight spam is to setup a dummy email account. Onethat you give to those on messages boards, buying something online, or downloading software for free. Then you get private email address for work and personal which you give to trusted people who you know. Now my mail client dowloads and sort my personal and work mail in separate folders with no spam. Every month or so I clean out the dummy account online. You don't get rid of spam, you just organize it out of the way.
You don't have to be smart to use a Mac, you just have to be smart enough to buy one
Is to get a mail hosting / filtering service that is spam-hostile. Like This one.
just one more example of how companies needlessly billing for bandwidth usage affects everyone and puts people out of business. Once you put the pipes in place, it doesn't cost anyone any more to send 2GB than it does 1GB, so there's no reason to charge by bandwidth *use*. Charge for how big of a pipe you supply, sure, but not for how much it gets used. If bandwidth providers would wise up to this fact then they'd not be losing customer after customer as the customers go out of business because of bandwidth bills, and business after business that would otherwise be profitable wouldn't be going under.
is link spam to terrorism!
... for a pretty large isp, I can say spam is the woe of your existance. orbs and similar services help to a degree, but users get mad when they cant get mail from/to certain domains. Alot of it comes down to server side filtering which ends up eatting ALOT of processing power on the machines. Spam costs isps big money in hardware to support growing filters and in time spent by employees cleaning up spam messes and tracking down people who spam from them. We had a zero tolerance policy which I liked alot... you spam, we keep your money, charge you $5/spam, and close your account. Pity when we got bought out all that changed... we had it to where no one in our neck of the woods would dare spam from us :)~ Now if only we could have figured out a way to prevent all the incoming spam... *sigh*
Shadus
Mention his name on news://ne.internet.services to hear his history...
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
The best way to isolate spammers is to require that the sender must continue to store the message...
This doesn't work too well with mobile or off-line mail clients, or mail forwarders. The receiver could not retrieve the message if the sender has gone off-line. Also, each mail forwarder would have to store potentially unlimited amounts of per message forwarding state.
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
have it pretty bad since their SMTP servers are often being hijaaked to send email that nobody wants.
If an ISP is running an open relay, then they deserve to get highjacked. There's no excuse for that these days.
However, filtering at the SMTP level, whilst useful, still isn't a complete solution. Why not? Well
So, what to do? Small ISPs will have problems. Spammers sign up with credit cards, do a spam run, and flee. So, you have the credit card number, FINE THEM. Put that in your contract.
What can be done about the big boys hosting spammers, Verio, Exodus et al? Block them at the routers.
One of the irritating things is the spam that comes to one of our internal mail aliases. I.e., the one that goes to all the developers. No one has ever sent a mail to the outside world using that address -- some spam software just guessed it. I've been bitching to have them close that address so only internal people can send to it...
I have a webmaster account to a site that gets about 1000 hits a week and I get about 2 pieces of spam mail a week. Now it seems that the rate of Spam related articles on /. is about 4 per week. Now i ask you, who's creating the spam?
The second phase of this is to have a blacklist database. Currenly, such a database is not possible, since you can forge email from popular sites such as hotmail and AOL and any blacklist inclusing these would cut out too many valid users.
The reason why spam exists is because if complacency with SMTP.
When I receive an unsolicited call on my cell phone, I get charged.
In the not so distant future ISPs will charge us for spam we receive. X cents per 100 e-mails, or somesuch.
Charging you is far, far easier and cheaper than tracking down and pursuing a hundred spammers in court.
After all, the ISP will say, it's your fault for not guarding your address from spammers. You jumped into shark infested waters and got bit. You are to blame. Oh, we'd be happy to set you up with a new address to fix your problem. There's only a $15 processing fee. Thankyouverymuch.
It's a solution politicians will love too because it allows "legit" corporations to continue spamming without regulation.
I think the problem right now is that everyone is focusing on just sorting it out after they receive it. So that the end user doesn't have to worry about this. Most people probably use some sort of this protection, I currently use Popfile, check it out at http://popfile.sourceforge.net. Open Source written in perl, naive bayesian spam filtering, works great. However we do need to somehow make it for we don't even have to sort this crap. An authenticated SMTP server, or something of the likes, a new standard could fix things, or at least help a ton.
GeekWares - Buy and Download Today!
The only way to solve the problem is to make it cost something to send spam.
That's what I'm doing right now.
I run a tarpit on my mail server. Send me spam, and my mail server identifies it as such and imposes a cost on the sender -- in this case, the cost is that my mail server holds on to his connection and sends nothing but occasional keepalive messages in return. The spammer's relay (or the open relay he's hijacking) is deprived of an outgoing connection it could be using for sending spam to somebody else. Eventually the spammer will hit enough teergrubes that all of his outgoing connections will be tied up by them, and he'll come to a complete stop.
If the spammers begin catching on to this, and dropping their connections to me after they see me stall for N seconds, then I'll just set my mail server to automatically stall all incoming SMTP connections for N+10 seconds.
So the cost I'm imposing on spammers isn't money, but time and resources. A mom-and-pop ISP isn't going to be deterred by having its outgoing SMTP connections held for a minute before they're accepted. A spammer trying to send out two and a half million spam messages *will* be deterred by this.
Bogofilter is pretty good, too.
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
The ISP is being inundated by spam sent through outside networks to them, not by their users spamming.
That's the most common problem. I run my own domain and do battle with the spammers on a daily basis. I don't have trouble with spam going out of my network. I have problems with spammers trying to send it in. I am blasted by spammers typically operating out of Brazil, China, Korea, and Russia. Complaints to the ISPs seldom even result in even an autoresponse -- much less any action.
What I can't understand is why people tolerate so much hard-core porn in their inboxes! I had my mother call me up once because she'd received a nasty spam email and wanted to know how to delete it without it showing up in the preview pane. Anyway, for what it's worth I've thought a lot about the problem and some solutions that occur to me are:
- Use semantic analysis rather than just keyword spotting to filter email. With smarter filtering it should be possible to identify messages that are spam without a shadow of doubt and can be deleted without confirmation. Requires more CPU time though so ISPs wouldn't like it.
- Allow spam to be filtered out and deleted after it has already been placed in the user's inbox. Spam is harder to detect when it first arrives, but if you compare the messages received by different users over a period of several hours, it's easy to see which are spam. Doesn't help the ISPs, but would be beneficial to users.
- Detect senders of spam in real time, rather than using static blacklists. Would require new software and large scale cooperation between ISPs.
The answer is to modify SMTP as we have it. Require authorization. Make it impossible to forge headers.
Having written various SMTP software for a few years now I would like to comment on the "forged headers". forged email headers mean nothing. When a client connects to an SMTP server to send a message the clients IP adrress is recorded and this is added to the message. You can open any email in a text editor and see the originator of the message, his/her IP address that is. Anyone can add a header to the message, its up to the email reader to intepret it. That system works, and spammers are identified. BUT by the time we catch them they have moved to other locations, or they were using an open relay. Spammers can be caught, the 7 million doallar AOL settlement was evidence to that.
I do however agree with the Authorization argument. If more SMTP server in the world would simply require authentication/authorization from it's users and shut down open relays then it would eliminate a good portion of spam and add a little accountability for users of SMTP.
Why An Open Relay is a Problem.
It won't however stop joe spammer from getting a cable connection and setting up his qmail cluster so he can start his "~You Have Won-Some NIGERIAN Money / Tits(c)!!!!!????" campaign at an easy going 50k messages/hour. I believe that changes must be made but they have to be well thought out or we will be in the same boat 15-20 years from now. I believe that instant messaging, presence servers, and presence proxies will take over in the future, slowly replacing email and we need to build up such provisions in these protocols now.
Just slowing them down will make the whole affair less attractive. Not eliminate it, but at least eliminate a good deal of it.
.
You think the second will annoy you. My guess is that, unless you are using mail as some sort of IM device, after the first few times you won't notice *10* seconds.
Delay a spammer's mail 10 seconds *per item* and you bring him to his knees.
Of course the spammers are going after IM now. .
KFG
i think everybody should send thank you cards and gifts to spammers. we KNOW of one, don't we? i think this person might need some sets of weights delivered to his house, perhaps several tons of weights. they are cheap. You know gifts! be healthy spammer, and thanks for all of the special offers!
The last people who should be complaining about this are the ISPs, for they are the ones who can actually cause new mail technologies to be commonly used.
I don't think micropayments are the right way; I think just having authentication would go a long way. (Authentication acts as a sort of "hash cash" itself, since cryptographic signing is not a cheap operation.) The technology has been here for ages; we just need a coalition of ISPs to actually roll it out.
Spammers rely on the fact that they can send many thousands of emails in an hour or 2 before the ISP detects their violation and shuts them down. What if ISP's simply throttled the rate of email going through each account down to 1 or 2 (or 5 or 10) per minute. Then it would take much longer for a spammer to send the emails and they would get far less out before being shut down. If the email system used SpamAssasin to rate the emails and adjusted the rate, that would be even better (only 3 SpamAssasin "points" per minute, for example). If it costs a spammer $20 to send 200,000 emails, they might consider it worthwhile (assuming the ISP cancels their account after that many emails and doesn't refund their money), but if they only got 200 or 2000 emails through for the same price, they might decide it's not worth it.
You're free to accept whatever connections you want to receive. If you don't like how other ISPs handle spammers, don't accept email from them.
We need to take the George Bush approach to spammers. "We will make no distinction between the spammers who send us the spam and the ISPs which harbor them."
That's right, when your ISP gets a bunch of spam from another ISP, contact that ISP and demand either remuneration or cooperation in identifying the spammer, suing for damages, and getting a permanent injunction. If the ISP balks, blacklist 'em.
I'm sure there are plenty of afforadable hitmen/hired goons on the market so if the spammers were as much of a problem as the ISPs say, it could easily be fixed.
I've had this happen several times, but never worse than this particular case. I use my work address just for work, which is mostly contacting other people at the same company and an occasional client, but once in awhile, you get bitten anyway.
.doc files entitled stuff like "Quarterly Sales Projections", a very long and tough-to-read paper on some chemistry research I didn't quite follow, and so forth. Seeing what I got was almost fun.
I wrote a small Dreamweaver library function (javascript) as a favor for a friend in the graphics department who needed one that worked with the new-at-the-time NS6. I told him to deploy it to all the HTML folks, so that we wouldn't bump into the issue anymore-- and (here's the kicker) put my email into the comments so that if there were issues, they could find the author.
Whoops. I figured they'd clip the comments out to save page space, but I was wrong (my fault!). So my email address shows up in the HTML source of every page of a major patent-search website.
Which ends up in the browser cache of millions of people every week.
Which gets parsed by an email worm that can read IE browser caches.
Which then emails me.
When I finally had the admins shut that account out of desperation, I was getting thousands of emails a day, sometimes as frequently as one per second.
One slip, and you're gone. Of course, it's usually not so spectacular-- more along the lines of "your mom got an email virus and it raided her address book" or "your address got guessed at random and now they know it's live".
Side note-- the particular virus I was getting emails from attached files it found on the infected people's machines. I received pictures of families,
Ouch. Rather than quoting, I'll try to address each of your points individually;
Purchasing things via the Internet / web page form submissions; That's why I have a generic @yahoo.com e-mail account. Periodically I log in, select probably 9 of 10 messages, delete them, browse the other few messages then delete them too. When I'm expecting something I'll log in, read it, then select the whole mailbox for deletion. Problem solved.
Mailing lists; I have an account that I use solely for mailing lists. Anything that doesn't fit into one of my (very stringent) procmail recipes destined for that address is bit-bucketed. If I didn't sign up for it, I don't want it.
I don't give out any of my personal e-mail addresses in electronic form, except to individuals whom I trust (which generally precludes people who run Outlook* e-mail clients).
Running my own domain; I don't get e-mail as a result of running a domain, for a number of reasons. I host my own websites, and everything involving my domain on my own computer. I don't publish any @snerk.org e-mail addresses; instead opting to use a small, little-known CGI e-mail contact form (that has a clearly visible "[FROM EMAIL CGI]" string in the subject line. Hell-o procmail! ;)
As a result, I haven't yet had any need for a SPAM catching utility.
As to your addendum about telemarketers; as many people said in the previous telemarketting thread (I forget which story); requesting to be removed from their call lists has worked absolute wonders for me. I'm to the point where I don't recall the last telemarketer phone call I've had. Kind of upsetting, too, since I've always enjoyed playing with them. Asking carpet cleaning companies if they can get human blood out.. No, no; it's fresh... Beaming with excitement and thanking chimney cleaning companies because, hey, if they're going to install a fireplace for me (you know, so they can then clean my chimney) ...
BD Phone Home!
Shameless plug. Like you weren't expecting it.
You know, he does make a good point about spam being, essentially, a denial of service attack. It denies me use of a portion of my hard drive, of my server's CPU cycles for SETI@Home, etc.
Here's a question. If I put up a page like this on my website:
Welcome to the glowingplate.com automated security test.
This is a free service provided to Internet users so that they can test the invulnerability of their computer systems.
We accept no liability whatsoever for any damages caused.
In order to test your computer - and ONLY to test your computer, no human ever reads e-mail sent to this address - send an e-mail to $E-MAIL_ADDRESS. We will retrieve your e-mail address from the message headers and immediately begin the test.
And then pound 'em into the ground with a script that runs through every known vulnerability of Windows networking.
I figure that if enough of their address lists can be polluted with enough e-mail addresses which crash their systems, they'll eventually die out.
Does anyone keep any good legal counsel on retainer? Any lawyers out there care to discuss ways that such a thing can be done legally from Canada or the US?
The alternative might be to buy service from a hosting provider in some third-world country with no laws, and take care of it from there.
Fire and Meat. Yummy.
By contract, an ISP can require payment by a company that spams. If a spammer uses an ISP to either send spam or to provide services to a site advertised by spam, they can charge the spammer for it. Similar to what happens when you return a rental car with a big dent in the door. This is not a big labor issue.
Fight Spammers!
I have thought about this a lot, we don't need an "arms race" of anti spam "filter" programs,that just leads to spammer's counter measures, which will lead to anti-anti counter measures,etc, back and forth ad absurdum,forever and ever, it just needs to be made clear to spammers everywhere that there are other ways to make a living.
Require a cleared deposit or a credit check. If they don't have good credit, don't let them have an account. When they chargeback, sue 'em. Call the FBI, too, cause they are engaging in criminal wire fraud.
I hate to suggest this but 99% of all spam would stop is every ISP just blocked all outgoing traffic on port 25. Of course people will bitch about running their own servers blah blah but how many companies allow that? A few DSL providers and thats about all. Now some people could setup rogue servers to use a different port but most spammers aren't that smart.
Only the State obtains its revenue by coercion. - Murray Rothbard
Just unsubscribe wherever and whenever you can and send that handful of remaining email addies (and extra info) to your helpful ISP and they'll *gladly* block it for you. I mean if *you* don't have to download the spam from *their* servers anymore they're already a bit happier, surely they still get it, but it won't cost them any internal bandwidth. It's not much, but it's something.
sign up your local politicial for every mailing list imagineable and show them the pain of spam!
Instead, we need to have people use an authenticating protocol to send mail, and they should get issued a key/certificate/whatever with their e-mail account that lets them send,say, 500 emails a month. That email server is in turn issuead a certificate with a known signing authority.
The problem is, how do you prevent a spammer from obtaining an arbitrary number of email server certificates? Commercial "authorities" like Thawte, etc. are not an answer; as many credit card numbers as you can get is as many certificates you can get. As long as you can send a few million emails before your certificate gets blacklisted, the cost per email for the ceritificate is trivial.
The only answer I see is to hold all email for a day before delivery, and to have a distributed mechansim for counting email sent by each server. If a given server is sending spam-house rates of email, it gets (automatically) blacklisted, and all the email being held from that server gets deleted before its ever delivered.
That's my Idea. What's yours?
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
Allowing the spammer's information to be given out may be what hurts a spammer more. Let 1000 spam victims file a lawsuit against them for spamming.
Of course there will have to be some defense to a joe-job.
Fight Spammers!
I wrote an article on spam filtering techniques at:
- sp amf.html
http://www-106.ibm.com/developerworks/library/l
Following that, I got into a discussion with a reader who ran an ISP, and wanted to implement some filtering techniques on his SMTP server. My reaction--and the more I think about it, the more convinced I am--is that actual filtering is heavier than is needed for this purpose.
I believe that a great deal of the problem with SMTP servers is NOT ENOUGH latency. If you were to add a few seconds extra latency to for every "RCTP TO:" field, there would be little effect for regular email usage. But such a couple seconds latency would make spamming impossible through that server. This latency can be a simple timer on the server, starting from a connection opened with a MAIL FROM: message.
There are a few details to handle here. To prevent multi-threaded spammers who open many sockets, you'd have to add a semaphore to each connection that limited connections from the same IP address. And as a general principle, you should not accept connections from every IP in the world (don't open relay). Moreover, demonstrated legitimate mailing lists could perhaps be granted special connections without the extra latency (but there should be a real procedure to prove you have a real mailing list in the ISP contract)
Buy Text Processing in Python
Never mind; that won't work at all unless the client machine stays dialed-up/connected/whatever and at the same IP address. And besides, it'd be faster to just have the final relay check the original source, in any case. That's what I get for posting without thinking first. :-) Sanity check status: failed.
So, as much as I loathe turning to gov't for solutions, here's what (I think) we need:
- Make it illegal to falsify headers.
- Make it explicity LEGAL to block IPs (spammers have gotten blocks removed through lawsuits, which they may have eventually lost, but which was expensive for the blocker)
- Establish criteria for making claims based on damages from SPAM. This so that it doesn't take a major ISP (AOL) to go after a spammer for damage to their systems
The trick is to have laws which allow ISPs to protect themselves without making them so heavy handed as to hurt online commerce. The first and third mean that you have to say who you are and you'll get sued for doing damage (which is now legally defined). That may push spammers overseas, but then the second means you can block IPs without fear of legal retribution.May that affect legit users? Maybe, but enough of an ISPs customers complain ("We can't send e-mail to the U.S.A./Europe/???! Why?") and they'll eventually do something about it. Which means they'll close their &*$% e-mail relays and kick off spammers. Perfect? No. I don't care about that as much as I care about reducing the background noise to what it was even a YEAR ago...
Computer Science is Applied Philosophy
As I understand it, many spammers make their killing by sending a single email to hundreds or thousands of recipients. They just need to find a single SMTP server they can use as a relay and the bandwidth burden of redistributing all those copies falls in someone else's lap.
What about the simple solution of disallowing multiple recipients in a single SMTP message? If someone legitimately needs to send to multiple email addresses, require a seperate SMTP connection and seperate copy sent for each.
I'm confident the increased overhead from people sending legitimate email to multiple recipients will be greatly outweighed by the overall reduction in email traffic from spammers.
Those of us who run mailing lists and the like could simply configure our SMTP servers to allow multiple recipients and then our server would be required to make seperate connections for each recipient.
I work for a relatively small, local ISP, and Spam costs us big time. You know those 210 spam emails you got that totalled to 5Megs? Well our email server is holding those for 2000 email boxes. We have constant 24/7 spam traffic on our SMTP servers. We have tried subscribing to RBL's, but as an ISP it is difficult to do that. There are several big names in the email game that are blacklisted, and inevitably you have a customer bitching that they can't get their email from user@OpenRelayX. The best you can hope for is heuristics testing to flag spam so that our users have usable mailboxes, but that, of course, doesn't help with out bandwidth HDD space theft issue.
Everyone is entitled to their own opinion. It's just that yours is stupid.
This happens because the people who are in position to make laws and policies are directly affected... Secondly, to get laws passed, you need a lobby... Unless a lobby is formed and pressure sustained, we can whine all day on
Dude, last time I checked my incoming spam, the originating IP address for most of it was from China and other third-world shitholes. You *don't* honestly think that they'll stop because the USA has a new law which will give them a slap on the wrist?
This is NOT a problem which can be legislated away. These are not 20-year-old mothers of 4 living in trailer parks in Florida.
A friend of mine, of Chinese descent, told me that it's unlucky to refuse to take someone's business card, and it's even unluckier to throw it out. This is the tradition with which we're dealing, and if an e-mail is seen as merely an electronic business card....
At this point, I have configured my mailserver to send all incoming mail from .cn, .kr, .pl, .pk and a few other choice hellholes directly to /dev/null. With no apologies. I know nobody in any of those places, and until they stop spamming, I have no interest in knowing anybody in any of those places.
I will tell you this, it sure does take most of the crap out of the mail spool.
Fire and Meat. Yummy.
BS. Propaganda. I got a Netcom account in 1988 (after being dissatisfied with portal.com, who were even earlier, but who sucked)
See Netcom in computing dictionary
And it wouldn't even help to say "oldest surviving" or some such. Netcom the corporation was acquired by Earthlink, but it didn't go away...I still have my original 1988 email address!
Some people might try to quibble by saying that initially Netcom only offered shell accounts with Internet access, so it didn't count, but I say that is wrong...many of us used the commercial TIA or the freeware "dipd" to forward TCP/IP from our home systems to the dialed-up shell. But even neglecting this, we were able to ftp, telnet, ping, etc any site on the net...I say that counts!
In the early days Netcom had only one server, and the founder, Bob Reiger, was initially the only sys admin...so if the system lost internet access in the wee hours of the morning, we would call the poor guy at home, wake him up and beg him to go fix it.
His wife insisted that he hire a night watch sys admin pretty early on. ;-)
Professional Wild-Eyed Visionary
we extended the death penalty to people who solicit this crap - telemarketers, spammers, infomercial actors... you get the picture.
Quote: We're victims of crime, and nobody gives a damn. That's a nice feeling -- your business is being pounded into dust by criminals, and people say, `Live with it,' Shein said. Sounds kinda like what we hear day in day out from the RIAA, MPAA, etc...right? But we don't really care when they wave that banner do we? Spam seem to illicit a response of sue and jail and fine and hang by the nards etc... But the media giants should not be afforded the same protections that our inboxes are? Don't get me wrong, I believe that the **AA's hold a deathgrip on their products and want to strip us of our fair use rights..but c'mon..you can see the irony, right? Maybe not...
I put the finishing touches on my antispam program this week. I went from getting 150-200 spams a day to ZERO over night. It's very simple. If an email sent to me isn't from a known address, it puts the mail into a staging area and sends a confirmation request to the originator of the message. If they reply, their original email gets put in my mailbox. If they don't, their message is deleted from the staging area after a few days.
It's transparent to me. I never see anything in my mailbox except email from known people, and unknown people who actually exist and reply to the confirmation request. So far, none of the responders have been spammers, and if they had I'd then know how to find them! Works flawlessly, so for me spam is a thing of the past. Go ahead spammers, do your worst.
It's impossible to describe the feeling of liberation.
Now that the Direct Marketing Association is no longer opposed to anti-spam legislation, it's time to push for tougher penalties and broader coverage. It should be possible to go after the beneficiary of spam, as well as the sender. (Legally, that can work; it's routinely applied to bill posters. It's reasonable to make it a rebuttable presumption that whomever collects money from the spam is an involved party.)
We should go after the people and companies that spam.
1) Set up an organization of volunteers (mostly techies from big ISPs) to serve on a technical group that evaluates spam reports and hunts down the companies and individuals behind the spam.
2) Publicize spammers identities extensively.
3) Encourage all businesses not to do ANY business with these people. Make it difficult for spammers to get a mortgage, telephone line, internet connection, new car, cable TV, lawn service, private school for their children, whatever.
4) Picket their places of business and their homes. Tell their neighbors what they do for a living.
Yeah, it's harsh. But it might work.
...Joke explains you!
That's all there is to it. Just reverse the thought behind the topic that your describing. Sometimes it's funnier than other times.
I haven't seen his bit either, so if there's any more meaning that can be found in the context I can't help.
Look, before you all start spewing your sure fire solutions for stopping spam, could you at least start from a global premise? Seeing as how it's a global problem and all?
Suggesting a new US state or federal law isn't a solution. All that means is that you'll get spam offering you powdered tiger penis in Cantonese or Mandarin.
A fee for sending (or getting bounced) emails isn't a solution. Who's going to enforce and collect that globally? You'd need to identify every IP connection, everywhere. Don't give John Ashcroft a rod to beat your back with.
Delayed SMTP relaying isn't a solution, because to work it has to be done globally. If it's done globally, email comes to a halt globally. That's beyond cutting off our nose to spite our face, it's cutting our throat.
Suggesting a new SMTP protocol isn't the answer. Go ahead and RFC one. Now, how are you going to persuade it to be used globally? Who's going to be the first ISP to cut their throat by sending only "Secure" mail? If they don't block SMTP, the problem's still there. If they do block SMTP, they cut their customers off from the majority of recipients. Does that sound like a good business plan? And how exactly are you going to stop individual people and Mom and Pop ISPs - all across the globe - from running POP and IMAP servers and accepting SMTP?
Suggesting better securing of open relays is nice in theory, but in practice if an admin is lazy and incompetent today, they'll be lazy and incompetent tomorrow. When you don't get responses to abuse@, what do you do? Email postmaster@? In an ISP that employers lazy incompetent people, that's the same person.
So, what's my magic, global solution? Easy. Blacklisting. Serious, hard core blacklisting at the backbone.
Let's please stop pretending that homogeneity is still desirable. That's the fuzzy old internet you're thinking of, when it was mostly used by academics and Bianca Troll's Smut Shack was shockingly outre. Wake up. We - you and I - would now be far better off with fragmenteed sub-nets, made up of groups of ISPs with the same tolerance for spam, and that just block off the garbage at their routers.
Who loses out if we do that? Not you and me. The only packets I get from Russian and Chinese ISPs are spam. Fuck 'em if they're too lazy or incompetent or cheap to clean up their networks. Let them spam each other. I don't want to see the messages, and I don't want my ISP to use my money to pay to receive the packets. Talk to them again when the demand from customers outweighs the cost of accepting the spam.
Now, once you've done that and formed an uber-net of the cleanest ISP's (which means mostly North American and European ISPs with a few conspicuous exceptions), then you start talking about improving SMTP on that sub-net. Then the cost of joining it becomes cleaning up your act.
What's the downside? China gets cut off from the 'net and a few free thinkers can't risk life and limb to read international news. Bummer. I can live with that.
The people that lose out most from a fragmented network are the backbone providers and the spammers. I can definitely live with that.
As much as I detest government regulation interfering with rich business leaders trying to eek out big profits, I think it's time that the Bush administration take notice and do something about the SPAM problem. I'm suggesting you make it a Federal felony Mr. President, because the state-by-state approach just isn't working. SPAMer's are stealing the rightful profits out of the pockets of ISP owner's, just the same way that the eco-freaks are stealing new business opportunities from the oil industry. But it's much worse then that.
You see, Internet bandwidth is a lot like oil. Everyone needs to use some, but there's a big group of rustlers out there right now that don't pay their fair share for it. They steal it, right out from under the Internet oilman's nose, because there are no stiff penalties to prevent it. These rustlers, let's call them terrorists because that's what they really are, tap Internet wells from across state lines, and if the state takes an interest, they just move their pumps to another state that hasn't run into the problem yet. Some of these pirates are stealing up to 40 percent of the Internet oilman's production. How can the poor Internet oilman operate under those kinds of circumstances?
Mr. President, it's simple really. SPAMers are terrorists, out to steal business profits by selling the modern equivalent of oil without paying the oilman for it. How can the administration not do something about this?
Some of these Internet oilmen are in Texas, a state I know you love and cherish. While I'm sure your advisors keep telling you that it's the hippies in the liberal-land of California that are behind this Internet thing, they're wrong. Those left-wing Silicon Valley jerks only build the equipment that the Internet oilmen use, like making the pumps and the hoses, they don't actually run the Internet oil business. Texans could run the Internet wells, if only your administration gives them a chance and does something about these profit-terrorists we call SPAMers.
Hell, if you're willing to suspend civil liberties for guys like Jose Padilla, why not just forget the legal process and let the tribunals deal with these losers? They are enemy combatants Mr. President, traitors in the war on profitability, and I'm sure you can find a nice deep hole for them somewhere. I've got addresses and phone numbers Mr. Bush, and I'm ready to help the fight on terrorism!
I recommend this free proggy.
:)
Its lets you easily and quickly scan your inbox for spam, clean it out, and send a message back to the spammer that the spam bounced because your email address is invalid - resulting in your addy being taken off their list (hopefully)
But even if they don't take me off their list, it still makes getting rid of the spam much quicker, AND gives me the satisfaction of thinking that at least the spammer has to deal with all of the bounced emails I fling back at him.
This space available.
I've contacted a number of sites running open relays that were used to joe-job one of my domains. A few were legitimately careful but got caught by Exchanges's configuration files or had non-servers hijacked (e.g., one had a Cisco router hijacked!), but most didn't know or care that their mail server was an open relay.
Because of this and the infeasibility of the per-message solutions, I think it's time to start hitting open relays with statutory penalties. Something on the order of $100-200 first offense, $200-500 second, $500-1000 on third and subsequent offsenses, collectable through the victim's local small claims court. To minimize baseless complaints (and allow companies to ensure that they're not running an open relay) the courts could require confirmation that a site is running an open relay via an approved testing service, basically what a lot of the blacklist sites already do with test messages.
It should go without saying that any fines and court costs could be passed on to the upstream site that sent the spam. Maybe they were hacked - it really doesn't matter. Either you were authorized to send mail through that relay or you weren't. In the first case your contract specifies the damages (if any), in the latter case it's already a criminal trespass case.
Shutting down the open relays won't eliminate spammers, of course, but it should reduce the damage caused to innocent third parties and the true spammers will be universally blacklisted.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
This is not my sandwich.
But Barry's stance was that since the vast majority of cusomters just wanted all the spam gone, the right thing to do was to accept a certain level of false positives. Unannounced--no warning that you would have legitimate mail returned to your friends with the unhelpful '200 UCE not accepted' or even '200 No thank you' replies (I don't remember the actual number, sorry)--with no "opt-out-of-the-spam-blocking" option for other customers.
One theory I have for The World's problms is that spam-blocking doesn't scale with customers, so The World is hit by it worse than larger ISPs. It seems like the support costs of dealing with customer complaints would scale with customers, though. But, for example, there apparently is (was) a pattern of spammers taking a list of plausible user names and emailing every name on the list @ the target host. Since that list of names is the same length whether it's theworld.com or aol.com, but the number of customers is different, the cost-per-customer for dealing with that (bandwidth / etc.) is higher for the smaller ISP. But nobody at The World was willing to comment on this sort of customer scalability issue (although they mentioned that particular spam scenario because they had a fairly aggressive response to it to avoid bandwidth--they stopped accepting connections from that IP for an hour or two if it was detected, which meant legit mail from that IP was often delayed and sometimes bounced if it kept getting reblocked).
Anyway, the upshot is, I have very little sympathy for somebody who thinks it's a good idea to let legitimate email get blocked as spam because it reduces customer support costs. It's just moving the problems somewhere else where the customers don't know about them.
When the RIAA/BSA quotes ridiculous numbers for the amount of money lost through piracy you just laugh at them. But when people quote similarly outrageous numbers for the amount of CPU cycles/bandwidth/man-hours lost on spam y'all sympathize.
Spam is not the end of the world. It's just one of those things that geeks love to hate.
SMTP is lame, it has no built-in ways to white-list, or black-list people or things. All that stuff is left to some imaginary higher level layer in the eyes of SMTP. Thats great in theory, but then what is to stop the use of bandwidth in the first place? To make things worse is the fact that most open relays are because of inexperienced administrators. Lets face it, bad people will always look for a way to get in your face be it email, chat, junk-mail, tv commercials, whatever.
The ultimate solution is not going to be passing anti-spam laws to send spammers to jail. No, what we need is strong protocals that support the notion of privacy. Fundamentally SMTP will never be secure by itself. You add in stuff like pgp to make email secure for ytour eyes only, but SMTP itself is very insecure, it sends the email on the public network. Places your emails passed by forwared it to another place that eventually gets it to your email server. Don't blam the spammers, blame the IETF for certifing a bad protocal.
It isn't a lie if you belive it.
Out of interest, how much could prices be cut if you weren't funding continuaal spam bombardment?
Really, cryptography is the answer. Stop receiving unsigned messages. This will not stop unsolicited messages from coming, but can effectively block "From:" spoofing once enough people start submitting their keys to public servers. Then common spammers can then be tracked NOT based on faked From: or even servers...
I have a yahoo account with SMTP access (it costs a few bucks a year) and hardly every get any spam. About 95% of spams just pile up in my bulk mail folder at yahoo and I never even see them on my email client at home. I sometimes check to make sure none of it was actually real mail but so far it's all been spam. So yeah, what was getting to be a real pain in the ass is now no longer any problem at all. If yahoo can do that for me I'm more than happy to pay a little for the service.
Sounds kinda like what we hear day in day out from the RIAA, MPAA, etc...right?
..AA is complaining about and what slashbots are saying about spammers. The ..AA are upset because their business model was formed in a time when informations physics was not well understood and now are coming to the realization that without Digital Restriction Mechanisms they will not be able to continue charging outrageous prices for little plastic discs. Slashbots and users everywhere are upset because spammers are interfering with their ability to communicate and get work done.
I'm glad to hear someone responding with a level head. I hate spammers just as much as the next guy, but responding apropriately is important - there's a distinction between what the
Solving the first problem requires changing our laws to reflect how information should be "sold" (not as a physical good, but as a "useful information" finding service). Solving the second problem is a little less straightforward -- for spam that isn't already illegal (e.g. the nigerian money scam), new laws against commercial spam could conflict with our rapidly eroding first ammendment rights. The solution to the spam problem, I think, is a technical one. When you stop and think about it, spammers and their victimes both have the same problem: low response rates -- spammers don't like it that only 0.01% of their victims respond (they'd prefer 1%, or even 100%), and victims dont like the fact that they're only interested in 0.01% of the spam they get (or less), the rest being junk.
From a spammer's point of view, this problem would be best solved by maintaining vast demographic databases containing information about their victims, allowing them to target only those who are most likely to respond. This is not acceptable to the average internet-savvy individual. Privacy is important. From a user's point of view, this problem would be best solved by making spam unprofitable. How do we do it? Two simple steps:
1. Modify SMTP servers to autoverify return addresses. When a user's account at an ISP gets an email, fire off a verification message back to the originator. When the originator acknowledges that it sent the message, put the message into the user's mailbox. This kind of verification is being done today, but mail protocols need to be modified to make it an automatic function rather than manual so newbies (or zealous spam deleters) don't accidentally delete a verification message and end up having their original message dropped. Since mail software would only respond positively to a verification message when it was the originator, spammers would be unable to "bounce" verification messages off of other hosts. With this automatic address verification in place, allow users to identify spam, as they're the only spam filter with 100% accuracy, and then flood the identified spammers. I envision a "punish this spammer" button next to each email that delets the spam and sends the spammer 100KB of garbage data. It's satisfying, it's quick, and it's an easy way to cut down on mail you don't want.
2. Protect your personal information online. It's all well and good to say that you won't buy from a retailer that advertises with spam, but what if they have the best deal? What if you forget that they victimized you when you're running around the department stores one day before christmas and you're going crazy trying to find the perfect gift on a tight schedule? What if you decide to compromise your ethics "just this once"? The fact is, advertising works. It doesn't have to make you want to buy the product; it just has to make you aware that it exists. Part of putting spammers out of business is punishing them for sending irrelevant spam. The other part is making sure their sales and commission checks stay low. If there's one thing that would please me more than knowing Alan Ralsky had been kidnapped from his home, stripped naked, lacerated with steel wool, and salted for a full month, it's the thought of him having to sell his expensive home, pawn off his nice cars, and move back into a trailer park for the remaining long and poor years of his life.
Ironic, isn't it? It seems that something as simple as this will do more then micropayments, filtering, or some of the other ideas floating about.
BTW, your link didn't work, I did a search and found this: http://www-106.ibm.com/developerworks/library/l-sp amf.html
Is that the article?
Computer Science is Applied Philosophy
1. Make spammers pay. By law. To all parties involved, i.e. the recipient, and the ISP(s) as well.
2. Enforce the law.
3. Watch as spam becomes less b magnitudes. (or Profit; it's the same thing...)
Everytime CmdrTaco mentions how much spam he gets (in a sort of passive agressive brag about how widespread his email address is since he's soo famous), be non-plussed and go to another site. Oh wait, I guess it's not a drinking game really..
sig:
See the "..for smart people" banners Wired runs here? Look elsewhere guys.
The World happens to be my ISP and I sympathize with Barry Shein and respect his views.
But I darn well DO care about false positives.
A few months ago "sent" me pictures from Shutterfly, an online photo-printing service that I rather like. Of course when you "send" pictures, what actually happens is that Shutterfly sends an automated email with a link in it; you click on the link, see the pictures in low-res and get to order prints. If you get the email, that is. The World was bouncing them, because something about them made it think they were spam.
A few weeks ago, I was trying to register online for a conference I want to attend. When you register, the site sends you an automated confirmation email. Again, The World was bouncing them.
I can deal with spam by deleting it. But how can I deal with email that's been improperly bounced? Unless the person who sends it happens to mention it to you, you never find out.
When I contacted The World, their response was that they couldn't do anything UNLESS I COULD SEND THEM THE BOUNCED MESSAGE, INCLUDING HEADERS.
Sounds like an Irish bull, doesn't it? "If you fail to get this, please send it to me so I can find out why it didn't get there..."
"How to Do Nothing," kids activities, back in print!
There's a lot of suggestions being posted about how we can deal with spam... but is anything actually being done? Let's start a site where we can pool all these ideas, have letters ready to be sent to our congressmen, and the tools to filter email.
If there's a place already doing all of these things, then let's all join it and actually do something. Every damn week there's an article on here about a spammer, and every single time there's hundreds of posts about what we can do about it. so let's do it!
I'm on christmas break... so i've got the time to get started on a site if anyone wants to give me some suggestions & whatnot. I'm ready to do it.
Bryan
I remember how I stopped getting everyone forwarding me crap messages, just reply to all and say this is stupid stop sending me this crap, and eventually everyone caught on that I was an insensitive jerk and stopped.
I think we all did this. Everytime someone new in my family gets a computer (usually an aunt or grandma who finds sappy forewards worth sending on), they ask me for my email address. I made up a new address just for them. dont_send_me_forewards@mydomain.com.
A lot of the time, they don't even understand it, but it works out fine. I know that it's an account that I only use with my family, so i can delete anything with fwd: and still keep the few decent ones.
No mod to SMTP is needed. This can already be done. It's just a matter making a mod to the implementation. When it gets RCPT commands, one per destination address, what it does is after accepting the first one, refuse all subequent addresses with a 4XX code. A correct mail server will requeue the mail for all the soft-rejected addresses. Spamware will usually move on. Of course one disadvantage with this is that even more bandwidth is taken up. But that's countered by the fact that the retries are more often from legitimate mail. In fact I've even considered making an SMTP daemon hack that always rejects all mail with a 4XX code once or twice, keeping a little DB of what it has done. Then on the 2nd or 3rd try, it can be let in. Until spammers catch on and start making spamware do requeues, this should reduce the spam volume. It can also slow down your mail, too.
now we need to go OSS in diesel cars
....when the don't enforce antispam AUPs.
People can whine all they want about micropayments, and unforgeable headers, and TDMA - but guess what, it doesn't mean squat.
Until ISPs actaully ENFORCE antispam AUPs, spam will keep getting worse.
It's more like people leaving their doors open, and complaining about people walking through their house all the time.
No, it is nothing like that.
It's trivial to implement basic anti-spam measures, such as whitelisting.
Boy, what a great idea - email is useless because of spam, so the fix is to simply make email useless altogether! Brilliant!
Here's a newsflash for you: Spam is a social problem, not a technological one. You can't use a technological solution to fix a social problem.
On the other hand, I do agree that SPAM is a growing problem in general. I believe we block over 50% of the email that would potentially go through our servers as SPAM. Thats really sad.
-matthew
"THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
When I purchase things from the internet, I use a hotmail account. It's the account I set up because I knew it'd get spam. So, it's weird -- I don't really count the spam I get there as spam, because it's expected.
The yahoo account I use for mailing lists gets no spam. I'm sure at some point, some spammer will find the address, but in the last year of using it, no spam at all. It's kind of creepy to have an email with no spam. Especially when it's just used for mailing lists.
And me, being a dumb-ass, just put my email on my site. And I figure that now that I get so much spam, there's no point in hiding my email on the site.
I really like screwing with telemarketers, I'm still fond of the time I made one cry. But in the last year or so, I've just been saying "Take me off your list, and send me a written copy of your do-not-call policy". Which usually means being hung up on.
riding round the world on an old motorcycle
Simple. Sue the spammers. Make them pay.
If you are unwilling to spend time and effort to drag them into court, then stop your whining
i say some crazy mofo just wack a few.. then the problem might go away.
people who use e-mail for business, for example customer support
Actualy e-mail for most of these people has already gone away due to spam and other abuse of the inbox. Try e-mailing your bank if you don't believe me. Most likely the contact information is not an e-mail box. It is an online web form that has to be filled out. The days of an open inbox are over for many people. I have abandoned several inboxes and have moved some of my contact info to a web form. It is not subject to bulk deliveries of any kind.
It also will not accept any attachments so it doubles as a virus filter.
If you have to send me an attachment, fill out the form and ask for a single use FTP drop location.
I know it's cumbersome, but I no longer have to waste time weeding my inbox. No legit mail gets canned due to a deny list or other false positive.
The truth shall set you free!
If gives you huge satisfaction when you click the "process mail" button and you see all the spam being deleted and bounced.
csw
Yes. Stop whining about burglary and live with it. Stop whining about battery and live with it. Stop whining about embezzlement and live with it. Stop whining about murder and die with it.
Spam will destroy the Internet if it is not stopped. The call to "just live" with theft is irresponsible.
I feel the need to reiterate and elaborate on some of these points. The current solution to U[C|B]E, client side filtering, is not working, it's not fixing the problem, it's not a viable solution, it's a temporary stop-gap that is coming to the end of it's life.
One of the reasons for all the articles on the wealth and success of bulk emails is that bulk email is still a growth market, for the bulk emailers creating the image of success is an effective sales tool. So the number of bulk emailers is growing as is the number of Corperate will to use them. The number of Internet users is also growing. Couple these two facts with a quick reference to the Metcalfe/Reed laws on Network Effect and the explosive growth is getting unreal. We've experienced a 16% growth in inbound email within the last month. The issue exhibits O(2^N) growth.
This poster [cluge (114877) ] is right the problem is growing faster than the hardware of Moores-Law, which is offering growing at O(N^2) per 18months, consider the difference and maths for a few moments.
It is unsustainable divergence.
This is is the reason that client side filtering is not a long term cure, at best it only a temporary stop gap, however the problem is actually worse, client side filtering cures the symptoms not the cause, much as the back bone traffic remains.
Now factor in the reverse charging model that U[C|B]E uses and that for some email servers 90% of email is U[C|B]E. That is a 10 fold cost increase for somebody. In many ISP's this cost has been hidden inside good times and Moores law. If not hidden from the ISP it certainly is from the consumer, who ultimatly pays.
However there is a sustainable solution, the introduction of a core network of trusted directory servers vouching for a network of authoritative MTA's which can and will vouch there users. This system is also vastly superior to the current black lists, which are fundamentally ineffective for the reasons revealed.