Spam Conference in Boston

bpfinn writes "Are you working on your own anti-spam solution? Would you like to compare notes with other coders? You'll get your chance at the Spam Conference in Cambridge on January 17, 2003. Among the speakers are: Paul Graham (of "a plan for spam" fame), ESR, John Graham-Cumming (of "POPFile" fame), and Matt Sergeant from MessageLabs. According to the homepage, this conference will be very informal: "no fees, sponsorships, proceedings, luncheons, contests, etc. Just a series of quick, concentrated talks, and then we all go off and get Chinese food." Slashdotters who are peeved about spam can register here."

Oh I didnt know

[brejc8]

What they should do is to advertise the event using popups.

Re:Oh I didnt know

[mark-t]

popups can be traced though... they use a p2p connection.

Heh

[Em+Emalb]

"Are you working on your own anti-spam solution? Would you like to compare notes with other coders?"

If you are, and would like the NATIONAL EXPOSURE only email can get you, call the number listed below. You will be giving MILLIONS the opportunity to receive your amazing breakthrough via email.

To unsubscribe (suckers!!) please click the link below.

Sweet!

[intermodal]

A conference where they actually confer and (As implied by going to eat together) discuss what they're talking about rather than just visiting booths. It's about time some of that hacker-ethic efficiency made its way to the computer conference world.

Re:Sweet!

[Zeinfeld]

A conference where they actually confer and (As implied by going to eat together) discuss what they're talking about rather than just visiting booths. It's about time some of that hacker-ethic efficiency made its way to the computer conference world.

Well that is pretty much how conferences start. They begin as a technical session with 5 experts talking and 50 people in the audience, then the next year there are more people and the program gets longer. The year after that there is an exhibition which the year after becomes an exhibition floor. After that the whole thing goes downhill and turns into a trade show.

That is exactly how the RSA Conference and Interop began.

I am somewhat disappointed by the means of choosing the papers, basically the first people to propose a talk. As a result the spam conference will only be discussing filtering approaches based on identifying the spam. The alternative approaches based on authenticating the genuine signal simply won't get a hearing.

The problem with filtering approaches is that they only work as long as the attacker does not have access to the filter. If the attacker does have access to the filter they can repeatedly test and modify their spam until it gets through. That is why the filtering built into Outlook fails, the attackers have access to the filter and can use countermeasures.

Filtering techniques are a hacker solution, they only solve the problem for the small community of hackers that use them. Once they are used generally they fail.

Re:Sweet!

[intermodal]

"I am somewhat disappointed by the means of choosing the papers, basically the first people to propose a talk. As a result the spam conference will only be discussing filtering approaches based on identifying the spam. The alternative approaches based on authenticating the genuine signal simply won't get a hearing. "

That's where the "confer" portion comes in. If that's your concern, go and say it over Chinese, or see if you can't get ahold of someone who is going to bring it up for you.

Re:SpamAssassin

[niker]

The reason why I'm using it (spam assassin) is because spam is a big issue in my e-mail accounts. :( That's all

security?

[2MuchC0ffeeMan]

umm...

since spammers and advertisers always stay one step ahead of technology, shouldn't users register to get in?

i know there's a few spam artists out there i'd like to keep out. any open source software or ideas they come up with and speak about may be directly spoken to the enemy.

granted, this is worst case scenerio, but oh well

Re:security?

[SweetAndSourJesus]

Yeah, but then you've got the whole "security thru obscurity" thing working. It's no good to come up with a spam-fighting technology that doesn't work if spammers know about it. That's why we have tools like SpamAssassin, where it doesn't matter if they're aware your're using it.

Haven't heard about this for a while

[Henry+V+.009]

Whatever happened to that idea where any message sender (with a white list to op certain ones out) would have to make a nummerically intensive calculation before delivering the message? Easy for single messages, but hard for a million.

Re:Haven't heard about this for a while

[Henry+V+.009]

Hardly. The question you ask is: Factor this large number. Or any question that is significantly easier to verify than to solve.

Re:Haven't heard about this for a while

[Henry+V+.009]

I'd imagine you would implement most of it client-side. The mail server would simply give you a list of messages, as well as challenge questions and the responses to challenge questions. The client software then decides whether to throw a piece of mail in the junk folder. That way there is no more demand on the mail server than before.

Moreover, mailing lists would simply ignore the challenge questions, and rely on user white-lists to let them through.

Re:Haven't heard about this for a while

[Henry+V+.009]

I gave the solution in another post on this thread. Almost all of this is implemented client-side. A spammer would need a super-computer to get the mail out even if he had an open-relay to use.

Re:Haven't heard about this for a while

[Henry+V+.009]

Oh no, I really don't want to waste your precious time arguing when you're so busy thinking about all sorts of ways to stop spam that will be so much more valuable than this piss-poor excuse for an anti-spam implementation.

Now, here is where you fail to understand the system.

Say that Bob wants to send a message to Alice. In fact, Bob even uses an open relay. Alice has a list of computationally intensive questions that she has uploaded to her mail server. When Bob wants to send a message to Alice, his mail server (the open relay) queries Alice's mail server, and gives Bob one of Alice's questions. Bob can then choose to include an answer to the question with his message or not.
Once Bob's message reaches Alice, her client software looks at the answer to the question. If the answer is not there, or is incorrect, the message is sent to junk mail.

Now imagine that Trent is an evil spammer. He sends out a million messages around the world every day through an open relay. Unfortunately, he doesn't have the computing power to answer a million different questions. He still sends out a bunch of spam from the open relay. And it all gets to the various Alices of the world. But none of the messages have correct answers on them, so they all get filed in Junk Mail.

Re:Haven't heard about this for a while

[Henry+V+.009]

A solution that would allow relaying would be to store Alice's (and everybody else's) questions on some sort of centralized server. You wouldn't need to change the mail server software at all then.

Can you think of any more holes in the idea? It would help if you took enough time on your objections to avoid the ones with obvious answers.

Re:Haven't heard about this for a while

[littleRedFriend]

I'm sure someone came up with this idea already. But these spammers have lists of E-mail adresses, mostly coming from automatic E-mail harvesters.

If everyone put a couple of pages with a few hundred thousand fake E-mail adresses (automatically generated) wouldn't that make these lists less valuable.

It would increase the amount of spam at first, but given enough fake adresses, it would come down in the end. It's a number game, to put someone who "owns" 1 million real E-mail adresses out of business, you would need to post some 100 million fake ones for him to harvest. That is no more than 2.5 Gb of HTML and some coordinated effort.

mmmm...

Re:Haven't heard about this for a while

[Henry+V+.009]

The central server is only for the challenge questions. Mail still gets relayed.

Focus

[The+Bungi]

I do hope they focus on the bandwidth problem. We've all seen the recent stories here about the slimeball spammer who's return rate is something to the tune of 0.000001% for 100 million messages. Or some such statistic. And yet he's swimming in $$.

The better spam filters get, the more horsepower these fuckers are going to put into plying their trade. That 100 million herbal viagra batch didn't work? Oh, OK, let's send out 1 billion messages then.

Their capacity to add processing power to their operations will grow exponentially as the efficiency of spam blocks increases. But there's only so much bandwidth to go around. Ergo, suffer the ISP (mine and yours, not theirs). Something's gotta give.

I shudder to even contemplate it, but unless their revenue stream is cut off, this is going to continue. And that means educating users to NOT FUCKING BUY ANYTHING SOLD THROUGH SPAM. Until then, well...

Re:Focus

[viscous]

I happen to agree that the bandwidth eaten by spam is the ultimate problem, and that filtering doesn't really address that. But out of fairness I thought I would mention the counter-argument made by the proponents of filtering:

If you get enough of the large ISPs and electronic mail services to filter all their customer's mail - enough to eliminate (say) 95% of the spam currently getting delivered - then the spammers will only be making 5% of the sales they are currently making. Which may be enough to drive them out of business.

I don't believe it will work, but that's the party line I expect you'll be hearing at the conference.

Re:Focus

[MacAndrew]

I shudder to even contemplate it, but unless their revenue stream is cut off, this is going to continue. And that means educating users to NOT FUCKING BUY ANYTHING SOLD THROUGH SPAM. Until then, well...

Yes, but ... the crowd that's buying herbal Viagra is a tough one to reason with by definition. Then there are the "get rich quick" suckers -- just try explaining basic math to them.

There's an old saying that some people will buy anything. Spamming is about locating them. The rest of us get caught in the overspray.

Re:Focus

[sfe_software]

I happen to agree that the bandwidth eaten by spam is the ultimate problem...

For me personally, bandwidth isn't an issue. I'm on DSL, my servers are locked up tight and not contributing to the problem... for me, the problem is that 95% of the time my "New Mail" alert goes off, it's all SPAM. I don't care about the bandwidth issues; doesn't affect my home connection much, and doesn't affect my server's connection at all. It's my time.

My solution? Well, I haven't found a perfect solution, but (given that bandwidth isn't my main concert) Mozilla's bayessian (sp?) filtering is working well so far. Hopefully the next major Moz release will handle this better.

Currently (1.3a) it marks SPAM as "Junk" mail automatically. After only a few days it easily recognized SPAM. After a week there have been NO false positives. After 2 weeks it seems to be dead-on accurate.

Hopefully the next Moz release will let me do more with it (such as NOT playing my "New Mail" sound, marking them read, moving them to a Junk folder, etc). So far 1.3a is showing serious promise, at least in the filtering part. It uses Bayessian filtering (based on the Plan for Spam article linked above -- a good read if you haven't seen it), and is quite good so far. I would personally be happy if, using the Mozilla current implementation, I could never see mail Mozilla sees as "Junk" mail.

My point was simply that for me, bandwidth isn't the problem -- and I run several (not open-relay) mail servers -- rather, the problem is the time I spend manually filtering SPAM from real mail (running several domains). Bayessian filtering is perfect, as it's based on the individual user. It's what got me to try Mozilla mail again in the first place (first time since M12), and already, just having it mark them as "Junk", it's saved me a ton of time.

Re:Focus

[IntlHarvester]

You don't get it. The product being sold by spam isn't Herbal Viagra or College Diplomas -- it's the spam itself.

It's a pyramid scheme. It's not about selling the product. It's about convincing people to pay you to sell their product through spam, to buy your address lists, or buy your spam software.

It's not about the people stupid enough to buy, it's about the people stupid enough to think "With all this spam, someone out there must be buying."

A large percentage of spam doesn't even have a valid contact address/url/phone. It's purely about claiming to prospective clients that you can deliver X messages or have Y valid addresses.

So, go ahead and convince grandma not to buy any spam prodcuts. Great. Meanwhile these guys are on a sales arms-race that will eventually render standard netmail useless.

Spam Conference...

[VistaBoy]

Because we're having a conference on spam to begin with already means that the spammers have won. Besides, what keeps spammers from attending the conference and figuring out how all the spam guarding stuff works?

Re:Spam Conference...

[intermodal]

that would be a bad thing how? the more time they spend trying to figure out ways around, the less time they have to actually send spam.

Re:Spam Conference...

[glwtta]

Besides, what keeps spammers from attending the conference and figuring out how all the spam guarding stuff works?

We'll all talk really quietly.

Re:Spam Conference...

[mlknowle]

> Because we're having a conference on spam to begin >with already means that the spammers have won. >Besides, what keeps spammers from attending the >conference and figuring out how all the spam >guarding stuff works?

What do you suggest? That we ignore a very real problem because we don't like it? Spam isn't going to go away if we pretend it doesn't exist! This conference isn't about secret techniques that spammers can't know about - it is about designing better protocals and gateways which are more immune to spam - stuff they'd learn about anyway. It's about *colaboration*, not giving out secret spam info

Re:Spam Conference...

[babbage]

Let them attend, I say. Let them heckle from the back of the room, saying "aw hell that won't work, if you do $this then I can just do $that." Hey presto, the researchers get a better awareness of the failure points, and the solutions ultimately developed are that much more robust.

Think about it -- this is exactly the same argument that favors open source software over proprietary equivalents. "With enough eyes all bugs/security holes are shallow." Without exposure to real life spam & spammers, how is anyone ever going to know if new techniques work? If the conference is attended by both pro- and anti- spam advocates, we'll all get to the meat of the issues that much faster -- you might as well be confronted with the problems while a bunch of experts are in the same room to hash out a solution...

Re:Spam Conference...

[bugbear]

A good spam solution will have to work even if the spammers know how it works. I believe that Bayesian filtering, which is what a lot of the speakers at the conference will be talking about, is such a solution. Spammers can't outweight the incriminating words they need to use in their sales pitches with innocent words, because the very innocent words (names of friends, terms used in one's work, etc.) are unique to each user.

Re:Spam Conference...

[Jucius+Maximus]

"Besides, what keeps spammers from attending the conference and figuring out how all the spam guarding stuff works?"

A lot of anti spam tools are already open source for easy dissection. Besides, a good anti spam routine should be the same as strong encryption: A knowledge of exactly how it works should only prove that there is no optimised, 'most efficient' attack.

Until anti spam techniques reach this level (bayesian filters like in the new mozilla, perhaps?) then we will be on the defence.

Re:Spam Conference...

[Eric+Damron]

I don't agree that it means that spammers have won. It only means that they are enough of a pain in the ass to warrent holding a conference.

Let them attend. The only real solution is one that even if they are fully aware they still can't do anything about it.

Prevent SPAM instead of trying to deal with it....

[8BitWimp]

Its ironic that this conference (and other discussion groups) are focusing on dealing with, filtering, and otherwise trapping SPAM. It appears that the only solution to eliminating SPAM is to develop a completely new architecture for handling email which would simply not provide mechanisms for the broadcast of SPAM, and the hijacking of mail servers. Spammers are just as ingenious as the folks valiantly trying to filter it. Until we consider a new approach, we will just be battling an ever growing volume of SPAM mail.

An Anti-Spam Solution?

[Lucas+Membrane]

There is no such thing as anti-spam, thank goodness. If there were, and if the spammers sent it spam, the spam would be gone, but copious gamma rays and neutrinos would result, and the bystanders would all die from the radiation.

Re:An Anti-Spam Solution?

[geekoid]

if the event took place on the spammers box, I really wouldn't have much of a problem with that... ;)

The only spam conference needed...

[MillionthMonkey]

This problem is not difficult to solve. All you need is a "conference" of enraged global villagers marching up the road to Alan Ralsky's house equipped with dynamite, pitchforks, Bayesian filters, and burning torches! We could bring some diplomas from prestigious nonaccredited universities to get the fire going. And afterwards everyone gets Chinese food.

OK, maybe it wouldn't solve the problem, but it would make great reality TV. Wouldn't you rather watch a spammer get lynched than sit through yet another gold digger beauty pageant on FOX?

where have i seen this before

[Dylan_t_p]

could it be here?? here?

oh well since it's about spam only makes sense to post it more than once.

Register for the conference.... via email?

[NineNine]

Doesn't this seem just a bit fishy to anybody else?

Re:Register for the conference.... via email?

[Rik+van+Riel]

Maybe it is a spam conference after all and not the anti-spam conference people seem to assume ;)

My spam solution

[archnerd]

I use SpamAssassin, combined with some scripts available here. Since I implemented this system last month, I have gotten exactly one piece of spam, and it got through because the body contained nothing except a URL.

Re:My spam solution

[WPIDalamar]

One word... Spamassasin

I've been using it for 2 months ... today, the first spam since I started using it got through.

How to End Spam in Four Easy Steps

[mark_space2001]

1. Declare Spammers are terrorists.

2. Fly a C130 "Ghost" Gunship over their house.

3. Open Fire.

4. Enjoy "Miller" brand beer in a Spam Free world.

Re:How to End Spam in Four Easy Steps

[floydigus]

'Enjoy "Miller" brand beer'

1. Not sure 'beer' should be associated with Miller.
2. Not sure enjoyment of Miller is possible when used as a beverage.
3. Though maybe possible for washing hair.

Re:How to End Spam in Four Easy Steps

[NeoSkandranon]

IIRC its called the Spectre gunship. Nice idea though.

What's so difficult?

[evilviper]

What is so difficult about blocking spam and e-mail worms? Just have a shared word that must be in the subject line (or else it gets filered out) and give that word to anyone you want to allow to contact you. Here on slashdot you could tell people about it in your sig, and never get a single piece of spam again, and what makes it better than whitelisting, even your friends, if infected with an e-mail worm, will not pass it to you, as the worm has no way of knowing the shared word.

And people are spending millions to block spam and worms why?

Re:What's so difficult?

[JoeBuck]

If you propose to include your magic word in slashdot programs, the spammers will soon write scripts to find such magic words and spam you anyway.

Don't underestimate the intelligence of the enemy. For example, does not currently parse base64-encoded MIME attachments, so suddenly spammers are all base64-encoding their spam.

Re:What's so difficult?

[smoon]

Sure, and then the spammers will figure a way to 'sniff' smtp traffic for nefarious purposes -- how about 'inserting' spam in legitimate e-mail automatically. How you like them spam filters now?

And sure, this _might_ require hacking into some high-security NOC. On the other hand, it might just be a simple dns poisoning attack and a rogue smtp server that forwards mail after altering it.

Ultimately no victory against spam can be had until we have one of:
1: Fundamental change to how SMTP/e-mail works, and get everyone to switch (unlikely).
2: Grassroots movement to boycott the businesses that profit from spam, to the point of putting them out of business. (unlikely until _everyone_ is 'online' and disgusted with spam)
3: New legislation that causes massive fines for businesses that profit from spam. (unlikely in the U.S. given the political corruption we suffer from).
4: Vigilante gangs rampaging through businesses that profit from spam, lynching spammers (or at least giving them a good thrashing), and massive correctly targeted cracking attacks against their computer systems.

Re:What's so difficult?

[evilviper]

You don't really need it.

As soon as a significant number of people are filtering their e-mail, spam will stop outright. And THAT really would reduce traffic.

Re:What's so difficult?

[evilviper]

How would they know what the word is? They can't very well include the entire text of you slasdot post in an e-mail...

It would be far easier for spamers to work around slashdot's e-mail obfustication than for them to pull one word out of a sig.

There really is no way speammers can get around this one... Which is in stark contrast to EVERY OTHER SPAM FILTERING OPTION.

Re:What's so difficult?

[evilviper]

It's not a PITA for anyone. Just a word in the subject line. How difficult is that? Hell, you've already got to rember that Fred is "superd00d384@obsecure.net", why is a small word so much more difficult?

It CAN'T be stopped, PERIOD, and I don't know why people keep saying that... You must not be thinking about it. There is no way for them to harvest the shared word. With an e-mail address, it has a standard form "user@host.domain" that is easy to pick out. A shared word looks like any other word in a message. There is no one way everyone will tell it to each other, so there's no reliable way to get around it.

In addition, most spam you get, is a result of spamers guessing usernames at popular domains (hotmail.com). So anything that requires just a bit more than a username to send mail will stop most spam.

Whitelists won't work, as the spammers can just spoof the source address to something most people will subscribe to (eg. daily dilbert), or possibly the users' own address. Filters don't work, as a spammer can generate a completely different piece of mail for each user if they needed to.

Nothing else works. This is bullet-proof.

Re:What's so difficult?

[evilviper]

You make it seem like it is trivial for spamers to take over secured servers and routers. It's not.

These types of attacks you mention have far more serious implications than the ability to read your e-mail. If someone could accomplish them, they would already be doing so.

1. There's nothing wrong with SMTP (when it comes to spam)
2. So competitors can spend out loads of spam under the guise of their own competitor, and get record business.
3. There are enough laws. And they don't help when anyone can route their traffic through anonymous proxies, and send it from out of the country.
4. Sounds like fun, but not too likely.

Darn

[anotherone]

I was hoping that this would be a conference for spammers rather than anti-spam coders...

Then we could destroy them all in one place.

Finally a cause the entire internet community could rally around.

Cloudmark SpamNet DOES work...

[cca93014]

Been running this for a few months now on MS Outlook (I know, I know) and it does work.

www.cloudmark.com

It uses a moderation system not dissimilar to Slashdot (but maybe without the weird 2+2=5 maths) and in my experience DOES work. YMMV. I've yet to have it filter a legitimate message, and it picks up about 70% of spam into my Inbox...

Re:Cloudmark SpamNet DOES work...

[ceejayoz]

Cloudmark's a reputable company - they were featured on Slashdot a while back.

Their plugin actually uses an open source project, Razor - it's quite good, except for legitimate mass mailings (for some reason, it always filters Amazon.com stuff - I'm an affiliate, I need that! - and my Daily Dilbert... most likely someone signed up, forgot they did, and keeps blocking it... grr)

Re:Cloudmark SpamNet DOES work...

[ostiguy]

That has been my experience with cloudmark too - legitimate messages I have signed up for get moved. That is part of the problem with letting end user types filter spam - spam is not necessarily all the messages you just don't want to read. People often don't read what they agree to, and thus don't realize that a lot of commercial email they volunteered for.

Still, I think there is a much brighter future in this model than the RBL model.

ostiguy

Re:Cloudmark SpamNet DOES work...

[spongman]

i'll bet he pays cloudmark to keep his SPAM from being killed.

I don't trust any serivce that requires lists like this - they're open to corruption and mistakes.

Use something like spambayes an open-source bayesian spam filter that allows you to define what is and isn't spam.

Re:Cloudmark SpamNet DOES work...

[sfe_software]

That is part of the problem with letting end user types filter spam...

This is why I like Bayesian filtering, as it's completely user-dependant. Meaning each user defines what he/she defines as "Junk".

I use Yahoo mail, and it's "Bulk Mail" filtering uses BrightMail. It blocks all mailings from RedHat -- ones I signed up for -- and yet lets mail from "notifications@mailsweeps.com" through.

Mozilla mail, OTOH (version 1.3a) with Bayesian filtering has been flawless. The first few days I tried it, it had a few false positives. After a week, no false positives but a couple missed SPAMs. Now (a month later) it seems to be about 100% accurate. Because it learns what *I* consider to be SPAM, and only I.

It's so simple it's pathetic. See the "Plan for Spam" link, it's a good read if you haven't read it. Now, hopefully the next Moz release will actually mark the Spam as "read", and move it to a "Junk" folder (now it only marks it as Junk -- it still plays the new mail notification, etc). I would trust it to move my SPAM to a Junk folder, where perhaps once a day I would verifiy that no false positives were found. After a while, I'd probably just trust it's judgement.

Key being that it's based on *you* -- it finds word patterns in what you consider to be SPAM, and bases it on noone else's judgement; it's completely personalized, and IMO the only solution (as far as client-side filtering goes anyway). For me, it's the solution I've been looking for. Now I just hope the Moz team completes the feature nicely (which I trust they will).

Re:Prevent SPAM instead of trying to deal with it.

[SnakeStu]

I've been promoting this notion for a couple years at least, while at the same time offering a spam filtering tutorial for Pegasus users. I've seen others also promoting the same general concept, sometimes with more details. However...

"One's feelings waste themselves in words; they ought all to be distilled into action[s]... which bring results."
Florence Nightingale

To see this happen, somebody needs to do it rather than talking about it. A technical demonstration, at the very least. And if I'm missing something and there's something like this in the works, it needs publicity, development support, testing, etc. to take it "out of the lab" and moving toward common use.

Repeat repeat repeat article

[Rik+van+Riel]

If this conference is anti-spam, why are they using slashdot to spam for this conference ?

This thing must have been featured 3 or 4 times on slashdot now...

Re:Prevent SPAM instead of trying to deal with it.

[8BitWimp]

I would suggest a second and parallel email channel be introduced. Leave the current sendmail system in place. Those desiring better email and no spam will migrate to the new channel. Those who don't care can remain on the SPAM channel.

Great for Spammers...

[toupsie]

What could be better for a professional Spammer than attending an Anti-Spam Conference? Learn all the techniques and issues you will have to encounter in the upcoming months. I would be on the look out for people wearing too many gold chains reaking of hottub clorine wanting to make your penis larger in less than 7 days while offering you a Micro RC Car.

Re:Prevent SPAM instead of trying to deal with it.

[blamanj]

It appears that the only solution to eliminating SPAM is to develop a completely new architecture for handling email...

Not true. The simplest solution is economic. If raise the cost of sending e-mail by as little as one penny / thousand e-mails, most spam becomes uneconomical. Poof, the spammers go out of business.

Re:Darn Indeed!

[SwedishChef]

Where are my moderator points when I need them!!! Thanks for this. :)

They should probably call it..

[Anonvmous+Coward]

... an anti-spam conference. Nobody would want to exchange business cards at pro-spam conference.

Poster child

[GeckoFood]

Now if they could just get Bernard Shifman to show up...

I use popfile

[TerryAtWork]

I actually publicize my email address to get more spam now, just to watch PF smack it!

Re:I use popfile

[Jucius+Maximus]

"I actually publicize my email address to get more spam now, just to watch PF smack it!"

Actually I thought of a better thing to do:

Whenever I get a spam where they have some sort on 'confirmation tag' in it using a URL with my e-mail address, I extract it, change my address to uce@ftc.gov (which is the FTC's spam collection address) and THEN load it in my browser.

Basically I am getting the automated system to send spam to the authorities.

Round 2?

[big_groo]

Ding!

Get out those AOL CDs and bags of dog poo!

hehe...

Happy New Year Ralsky.

Re:Prevent SPAM instead of trying to deal with it.

[Christopher+Thomas]

It appears that the only solution to eliminating SPAM is to develop a completely new architecture for handling email which would simply not provide mechanisms for the broadcast of SPAM, and the hijacking of mail servers.

How about just properly configuring the existing mailservers?

The hijacking problem is mainly with mail servers misconfigured as open relays.

No switchover needed.

As was pointed out in the last round of spam-article comments, you can't eliminate the header-forging problem, as at some point you have to trust the server that's supplying you with mail. So a new scheme would not help with this.

In summary, I don't see how switching to a new scheme would help.

I would watch out

[CaptainSuperBoy]

I would watch out for spammers crashing the party and trying to cause serious problems. If you read some of the rants from these people on nanae, you can see how they would be capable of causing trouble for the anti-spammers gathered at the convention. There are a ton of spammers and it only takes a few of them to file false police reports, harass attendeees, etc. They've shown again and again that they are immature. Just look at how Ralsky harassed that guy who took pictures of his house. Many prominent anti-spammers have received death threats, this shows the level of hatred that some spammers have.

Re:I would watch out

[CaptainSuperBoy]

I've never heard of anti-spammers sending death threats. Care to back that up?

Things that make you go "Hmmm."

[Chris+Mattern]

> Slashdotters who are peeved about spam can register here.

For which they want your email address--and add that it shouldn't be too heavily shielded against spam. Hmmm....

Chris Mattern

Re:Prevent SPAM instead of trying to deal with it.

[CaptainSuperBoy]

Again and again it's been proposed, and every time it is calmly explained to the proponent why it's totally unworkable. What's your idea, micropayments, public key authentication, etc.? People are always glad to hear someone's solution to all spam, but understand it's probably been posted and debunked already.

Semi-off-topic: best Bayesian filter for Outlook?

[Jeremi]

I'm using AGMSBayesianSpam under BeOS to filter out spams from my email and it does a really nice job -- but my poor benighted Windows/Outlook using friends want to use a nice Bayesian Spam filter too, and I don't know what to recommend to them.

Can anyone recommend a Bayesian Spam filter that (a) works with Outlook and Outlook Express, (b) is dead simple to install and use, and (c) works really well? I'd love to be able to point them at a URL.

Pretty useless for spammers.

[Christopher+Thomas]

What could be better for a professional Spammer than attending an Anti-Spam Conference? Learn all the techniques and issues you will have to encounter in the upcoming months.

How would this help them? People have known how the RBL, for instance, works for years, and yet it's still quite effective.

Likewise, filtering based on content still works despite being around for a while because spam mails ... have to contain spam.

In summary, I don't see what they'd learn that would be of use to them.

Re:Repost?

[dacarr]

Sort of - there was an article earlier about it. Of course, now that ESR has confirmed, they had to rehash teh article. =^_^=

Re:Semi-off-topic: best Bayesian filter for Outloo

[sien]

Popfile works reasonably for Outlook and Outlook Express.

Trusted mail servers and TLS

[Nonesuch]

We've been talking with the Open Group on a couple of different approaches to implement the concept of "trusted servers" for SMTP.

One approach would be to use TLS with certificates signed by trusted anti-spam certification agents, and give TLS mail priority over plain-old cleartext SMTP.

Basically, nearly all current anti-spam techniques (one exception being whitelisting) work on the concept of "marking down" certain messages or sending hosts as being less trusted. Our goal is to use TLS and other approaches to apply the concept of "elevating trust", of elevating the trust level of certain hosts and messages.

NOT offtopic at all

[EvilStein]

Someone 4 posts down was modded +4 Insightful for saying the same damn thing. Geez, wake up..

Anyway, this is correct. Spammers already troll anti-spam lists looking for information on new anti-spam techniques just so they can slip around them.

Re:SpamAssassin

[danny256]

Does it work with web based hotmail or outlook express?

Re:Semi-off-topic: best Bayesian filter for Outloo

[ceejayoz]

Not quite what you're looking for, but the upcoming 1.3 release of Mozilla runs on Windows, imports contacts & messages from Outlook / Outlook Express, and will have Bayesian spam filtering.

I transfered over to the alpha recently, loving it so far.

My plan for spam

[gad_zuki!]

>And that means educating users to NOT FUCKING BUY ANYTHING SOLD THROUGH SPAM

Why the carrot and not the stick? Imagine spam honeypots luring the people who answer spam into giving up their credit cards and posting them publicly. Or listing names of people who visit honeypot sites like animalsexxxxxxx.com through a spam click. Make sure to report them to their employer if this is done during 9-5.

Then we'll see the obligatory news articles about hackers co-opting spam. Something tells me that all the spam marketers and companies that use spam won't be much of a problem when Joe Blow is worried about hackers and losing his job over spam.

slightly OT-postini spam relay

[Maskirovka]

I receive about four spams per day, but as opposed to deleting them, I look at their headers, run a trace tool, and notify the service providers and upstream ISPs. This usually limits the amount of spam I get from a specific asshole for a while. There's one that keep bugging me however: exprodmx15.postini.com (the 15 changes to diff numbers periodically).

According to the website, postini is a spam filtering company. Doesn't it seem a little bit strange that they'd host a spam relay? Exodus (postini's primary provider) doesn't seem to care too much, since postini is a well to do business. Postini sends an automated response that says "this message is only passing through postini's mailserver. it's not our problem". My first thought would be that postini is running open mail relays as a form of gaurilla advertising to spam busters, but it seems a little bit far fetched. I don't keep a list of addresses or domains, but postini is the only one that i've noticed for about a month that keeps reacuring.Is this sort of thing normal?

How I got rid of spam:

[NFW]

I started playing with procmail and grep and the whitelist idea, and after a day or three I cooked up this monstrosity.

If you email me, and you're not in my whitelist, you get a message from my "secretary" asking you to confirm your email address. If you're a spammer, you never see that message. If you're a human being, you either reply to the confirmation request (if the message was important) or you ignore it (if the message wasn't important, in which case I'm happy not to hear from you).

The only problem is those damn Nigerian bank scammers. They actually read their replies. i've heard from two of them in the six or seven months I've been running this whitelist contraption.

But anyhow, spam is no longer the annoyance it once was. I still look forward to strong laws against spam, because I know my bandwidth is being wasted (and other peoples' too), but at least I don't have to see it.

I used to look down on the whitelist approach, because in a sense it is admitting defeat - they're still out there burning up bandwidth, and this doesn't help catch them. But, I'm so glad to be free of spam... Every time I check my email and find no spam, it feels like victory. For me, the great annoyance of time wasted dealing with spam far outweighs the minor inconvenience of increased bandwidth consumption.

Y'all can play games with spam and spammers if you want to, but for me, for now, it's yesterday's problem.

Re:How I got rid of spam:

[NFW]

I don't claim that it's a permanent solution (hence the note about "for now"), but "fundamentally broken" radically overstates the magnitude of the trivial potential problem that you bring up.

First, the human problem: When one bit of spam gets through the whitelist, the spam victim removes the 'from' address from the whitelist, and the spammer needs to find or create a new whitelisted address for each of the million+ target addresses. It wouldn't be enough to sell CDs with millions of addresses, they would need to be address pairs (one target address, one or more whitelisted 'from' address). While destination email addresses are long-lived, the whitelisted addresses would be shortlived and all but useless.

Then there's the technical problem: most spam is sent with a single 'from' address and multiple 'rcpt to' addresses. This is how relay abuse gets done - the message data gets transmitted once (or relatively few times) with MANY recipient addresses, so as to reduce the spammer's need for bandwidth. (It fucks over the relay owner, but who do spammers care?) Sending large amounts of spam with from addresses customized on a per-recipient basis would require spammers to acquire and maintain huge amounts of bandwidth - an amount roughly equal to the amount that they currently steal. Possible, but unlikely.

Call it "fundamentally broken" if you wish, but the bottom line is the signal:noise ratio in my inbox... it's approaching NaN. That makes me happy.

Yes, spammers can pretend to be whoever they want, but that takes work, and spammers and fundamentally lazy, so I'm not worried.

If whitelisting catches on in a very big way, spammers might start working on ways to get around it, and if they have any significant success I will to what it takes to stay one step ahead of them in the inbox arms race. But if whitelisting doesn't, spammers won't, and I'll continue to ignore the spam problem while I enjoy my spam-free inbox.

Re:Semi-off-topic: best Bayesian filter for Outloo

[Gaza]

Try Spambayes, even though it is early in development I didn't have any problems getting it to work. After some initial training it catches about 99% of my spam without one false positive.

http://spambayes.sourceforge.net/applications.ht ml

Re:Our only hope

[spongman]

these are easy to circumvent by just putting some random numbers (hapaxes) at the bottom of the spam.

better to use something like spambayes that learns from your actions and doesn't depend on external decisions, corruption and mistakes.

Re:Semi-off-topic: best Bayesian filter for Outloo

[spongman]

yup, spambayes get's my vote too. the integration with outlook is excellent and once you've got it set up you don't even notice it (apart from the fact you're not getting all that spam anymore).

Re:Prevent SPAM instead of trying to deal with it.

[LL]

> only solution to eliminating SPAM is to develop a completely new architecture

Take a look at DJB's im2000 concept

http://cr.yp.to/im2000.html

LL

Re:Prevent SPAM instead of trying to deal with it.

[Christopher+Thomas]

An email message (or packet) should be authenticated at its source as coming from a valid, certifyable and traceable source.

The problem with this is twofold: First, you're going to have a very difficult time getting people to agree on trustworthy sources, and second, you get the same problem as we have with DNS - the people who hold the keys have far too much power.

And unless all servers on the planet agree on a set of athentication servers, you'll still be able to inject spam into the system from remote relays (c.f. the china problem right now).

I'm not convinced this approach is practical. It's great in principle; I just don't think any likely implementation would work very well.

Spam, New England style

[Alien+Being]

City by the sea
Cradle of revolution
All spam overboard

What? No One from Hormel?

[thumbtack]

If there is going to be a Spam conference there has got to be a representative from Hormel, the makers of Spam. They even have a Spam Museum, Spam Recipes and much more on their Website. You can even order online, if you don't want anyone to know you are a closet Spam Freak, or read Spam Trivia.

Regardless of what you think of Spam, someones eating those 6 BILLION cans they have produced since 1937.

Spamprobe.

[Pig+Hogger]

http://spamprobe.sourceforge.net/

I've installed 3 weeks ago, and only 1 spam went through, and I've got only 1 false positive, out of over 700 messages received in that time.

Bad idea

[Animats]

They distribute a set of MD5 hashes of E-mail addresses, as an opt-out list. Bad idea. Now, a spammer can get that list, run their lists against it, find all the people who opted out, and use that as a mailing list for stuff like phone line blockers, alarms, and similar products that would appeal to the anti-spam demographic.

Re:Bad idea

[Animats]

In order for that to work for the spammer, they would have to have your address to begin with.

Not necessarily. They could take a big list of people's names, suffix them with "@aol.com", "@msn.com", "@yahoo,com", etc. and test them against the database. Trying variations on names is also cheap. It's just like a dictionary attack on encrypted passwords, only easier.

But nobody will do this, because the database is dinky and nobody cares about it. The DMA has an opt-out database for spam by DMA members, and that actually gets used.

It's probably a "Joe Job"

[Elias+Israel]

Some spammers have realized that the outrage that follows their mailings is a resource that they can use against their enemies.

They do this by forging the headers in such a way that it appears that a "white hat" has actually been responsible for the spam in some way.

Then when the zealous, but unsuspecting user examines the headers, they end up directing their perfectly understandable opprobrium towards the spammer's enemies (anti-spam groups and companies, usually) instead of the spammer themselves.

It's called a "Joe Job" and it's the new price of admission for anti-spam activists.

Elementary Physics

[hacksoncode]

You're forgetting that spam has all the "substance" of an electron on a diet. You'd be lucky to light a match with the energy released by even a million spams a day colliding with anti-spam.

Re:Prevent SPAM instead of trying to deal with it.

[SnakeStu]

Thanks for the feedback. The inline frame is relatively new and there is already an alternative for browsers that don't support inline frames. A way to manually bypass it for a browser that supports inline frames but does so in a troublesome way is a worthwhile idea (even if rudely presented). I'll add that when I get a chance. It might be useful for my short stories as well, as they gain illustrations.

But you know how to contact them

[billstewart]

They've got a web site. They've got a press relations person named Joann joann@postini.com, and in Cyberspace, everybody's the press. They're ostensibly looking to hire people. You've got expertise they obviously need. And either they're Evil, in which case you won't mind blocking them, or they're Good Guys but have some bad customers they haven't caught, in which case they probably want to know, or they're clueless or overloaded, in which case their PR person ought to know.

Send spammers to teergruben and DNSloops

[billstewart]

A "teergrube" is a tarpit for email, which responds to smtp correctly but v..e...rrrrrr...yyyyyy.....ssssss..llll...oooo...w wwwww....lllll...yyyyyyyyyyy, and is designed to accept mail for a large number of bogus addresses that you arrange for spammers to find. It really doesn't burn much bandwidth to make a spammer take five minutes to send an email message, because you're spending most of the time waiting before sending back the next line of response, and some implementations can keep a lot of suckers busy in parallel. Most spamware, and most real email systems, can only keep a given number of sessions going at a time, so the more simultaneous sessions that are talking to teergruben, the less actual email they can send. If you want to get fancy and track the things down, that's fun too, and the teergrube can hold the spammer's session open long enough to get ahold of their ISP (if they've got a responsive ISP)

Different ways to help spammers find them are to put them on web pages, or to have a spider-trap just waiting to generate them for web crawlers, or of course to be sure to unsubscribe them to all the spam unsubscribe addresses you've got, as well as the yes-tell-me-more addresses. They're more fun if you've got a lot of domain names to play with, but even if spammers kill off dangerous domains, you can trick some of them by doing addresses from lots of different thirdlevel domains, like alice@aardvark.example.com, alice@aardwulf.example.com, ... alice@zymurgy.example.com, bob@aardvark.example.com, ... And just to make things fun for the harvesters, you might as well make sure they've all got web pages pointing to a couple of other subdomains on your system.

If you want to get fancy with DNS, you can also set some of your subdomains to point to known open relays, if you happen to know anybody. Instead of having the spammer deliver all the email directly to aardvark.example.com, you can tell them that aardvark.example.com is at an IP address that's that misconfigured machine in Korea that's been spamming you, and have _them_ get teergrubed also.