MIT Spam Conference Conclusions

RT Alec writes "The 2003 Spam Conference has concluded, reports InfoWorld. (related read: abstracts of the conference discussions). I was unable to attend the conference, but it appears all that was discussed was filters (client and server). I think the key problem is ISPs that do not block egress traffic on port 25. If you need to send mail through a different SMTP server than provided by your ISP, the admin of that server ought to provide you with a means of using it with authentication on a port other than 25 (you do have permission to use that SMTP server, don't you?). It is not too tough to set up an SMTP server to require authentication, or at a minimum to run off a different port. I am suprised that this is never mentioned as a cure for spam. If just AOL blocked port 25, this could reduce spam by 50% (I base this figure on close examination of the headers of the spam I receive). I was pleased to see that Barry Shein, president of The World (a Boston based ISP) was included in the talks. I am not sure by the abstract (see link above) posted if he mentioned blocking port 25. In a recent interview he did not mention it."

spambayes?

[spongman]

Did anyone there talk about Spambayes? I've been using this open-source spam filter for several months now and lurking on their mailing list and I have been really impressed at the lengths they've gone to to provide a mature framework for testing their statistical theories over many varied sets of spam/ham corpora.

While they started out with the bayesian algorithm described by Paul Graham they quickly discovered that the effectiveness of his algorithm tends to depend on the values of some quite sensitive tuning parameters and that diffrent people can get wildly differing degrees of success depending on their configuration and the types of spam/ham that they receive. Gary Robinson wrote an interesting critique of Paul's algorithm and helped the spambayes team incorporate his so-called chi-squared combining scheme (which apparently isn't bayesian at all) which doesn't seem to depend so much on 'magic' numbers and their testing framework showed that it works surprisingly well for both small and large sets of messages.

It's still under active development although most of the ongoing work is centered around the user interface components (POP proxies, Outlook plugins, etc...) whereas the actual spam classifier hasn't changed much in a while.

Well worth looking into if you're getting too much spam. Who isn't?

AOL the source? I think not.

[Powercntrl]

I think AOL is really being blamed for a lot of spam it shouldn't be.

Send spam using AOL's e-mail client and your account is nearly-instant toast, thanks to automated rate-limiting software.

AOL set up rate limiting sometime around 07/98. Yes, it was THAT long ago. Note, as another poster has said, this wouldn't stop someone from using AOL as their ISP and connecting to another SMTP server for spamming purposes, but considering how slow (not to mention expensive) AOL-provided net access is, I doubt any real spammer would use it for even that.

Since most of the /. readers are probably not still using AOL, here's what can be found at AOL keyword: Rate Limiting.

America Online has received an overwhelming amount of complaints concerning unsolicited commercial e-mail, or "junk" mail, and we are doing everything we can to protect our members' online experience. Because many junk e-mailers collect screen names from AOL chat rooms, we put a "Rate Limit" feature in place to deter junk e-mailers from collecting member screen names from chat rooms. The Rate Limit feature is also used to deter members from sending mass numbers of e-mail, Instant Message(TM) notes, or Buddy Chat(TM) invitations that can disrupt the normal member experience.

AOL imposes a rate limit on an AOL member's account for any of the following:

* When a member exceeds the acceptable number of Instant Message notes or Buddy Chat invitations they send in a given time period.

* When a member exceeds the acceptable number of chat room changes or "Who's Chatting" requests in a given time period.

When an account is rate limited, the ability to send Instant Message notes and Buddy Chat invitations or to see who's chatting in a room or move from room to room is blocked for a certain period of time or the screen name's connection to AOL may be disconnected.

While we are working hard to stop junk e-mailers, there are steps that we also encourage our members to take to avoid junk e-mail. For example, you can create a screen name (Keyword: Names) that you use when you enter chat rooms, then use Mail Controls to block all e-mail to that screen name. When you want to e-mail with someone you meet in chat, give them your regular screen name OR go back to Mail Controls, select the "Allow e-mail only from selected AOL screen names, Internet domains, and addresses" option and add your friend's name.

AOL considers the sending of mass numbers of unwanted, disruptive messages or the gathering of AOL screen names to be abusive online conduct and a violation of AOL's Terms of Service. Rate Limits have been put in place to curtail abuse and ensure an enjoyable online experience.

Lets get to the meat of the matter ...

[Ninja+Programmer]

As usual, nobody is reading the article, and hence everyone misses the real meat. Ignore the silly web-zine hack writers and just go here:

http://spamconference.org/

The talks are online.

Re:Barry Shein's modest proposal.

[rkent]

Basically, it boiled down to "Spam is currently in a gray area legally, so let's legitimize spam in order to divide the spammers into legal spammers (who pay handsomely for the privilege)

I also kind of got the impression that he thought the rate for this should be prohibitively high (did he say something like a penny per message, or am I making that up?). The point being, to put a system in place so that you are ABLE to charge for it so the magnitude of the problem is more clearly discernable.

Barry also mentioned many other "features" of spam from an ISP's point of view, not the least of which is that naive people hold their own ISP responsible for the mail they get, which is sometimes pornographic and exposed to children. I don't think he was seriously suggesting ISPs should let this go and furthermore profit from it, but rather that, if they were authorized and able to charge for it, they could flip the spammer's economic model and improve relationships between ISPs and their clients.

Re:Antivirals!

[Patrick13]

If you are using windows, and outlook, you can install SpamNet, made by Cloudmark.

I had to stop using Eudora, because I had so many filters (400+) to kill my spam that it took, literally, 5 minutes for my mail to appear in my inbox, which, needless to say was very frustrating and annoying.

Anyhow, I have been using Spamnet for about 7-8 months and, depending upon the time of day that I check my email it correctly blocked between 60% - 95% of my spam.

For example, since it is a peer based spam detection system, so the more users that vote that email from a particular sender is Spam, the more likely you will get it blocked. Eventually, it maps out and makes blacklists based on overall stats.

The point is, I took 2 days off for Xmas and when I checked my mail on the 27th, it filtered out about 295 of about 300 spam messages.

Re:Spamming vs. sending legit mail.

[platypus]

The best anti-spam method I've seen, bar none, is a friend of mine's opt-in method. His filters indicate the email addresses of people whose mail he's willing to accept, and dumps the rest in his spam folder.

I hope your friend isn't on a mailing list and ever wants help. If people reply directly to him, they may directly land in his spam folder. Ok, I'm exaggeriting, this can be solved with filters also.

A very annoying method people use is filters which auto-reply if your email is not in a positive list, giving you instructions how you should resend your mail.

You sometimes get these messages when replying to list-messages and cc'ing the original sender. Since I'm not on this world to accomodate these people's mail-filters, I just killfile them.