Slashdot Mirror
NYTimes: Tangled Up in Spam
ezekieldas writes "Congratulations to the SpamAssassin developers and community! There's a mention of SA in the NYTMag as "one of the best tools for network administrators..." in an extensive article entitled
Tangled Up in Spam.
The article is quite substantial and the author, James Gleick, is more technically educated than what we've come to expect from the big press. Central to the story is the complexity in dealing with spam effectively in both technical and legal terms and the confusion it brings upon the neophyte. The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited."
I been using Spam assassin for a while now, it is sad to say, but email would be almost unusable with out it.
now that it has been advertised in NYTmag, more people will become aware that spam is something they can actually stop. Can't wait for the new tricks spammers will use to disable anti-spam programs.
No, I don't want to register!
By simply filtering out all e-mails that have the word "Nigeria" in them.
Work sucked, until it became unemployment, when it became slightly more tolerable. -Tet
>>> 2) a specific header entry should identify the email as unsolicited." NO NO NO There is no excuse for sending spam. I fail to see how marking it as junk makes it any better. So I can sort it from the mail I actually want? NO. Just stop people sending me crap I don't want.
Sig is taking a break!
I was wondering how many large corporation are using SpamAssasin. And if not, why not?
Consensus is good, but informed dictatorship is better
... since archived material is considered so old that it doesn't require a registration. ;-)
S PAM.html
http://archive.nytimes.com/2003/02/09/magazine/09
Beware: In C++, your friends can see your privates!
illegal is great in theory, but there is no possible way to enforce that on a world wide basis.
white lists are the only way to stop spam.
The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited
Why does everyone in the USA assume that everyone else in the world will somehow obey US law when it is made "illegal"?
So how much spam am I likely to get if I give in and register with NYTimes so I can read the article?
Two weeks ago, on my old email that I don't use anymore, I decided to "unsubscribe" from all these lists, thinking it would "confirm" the existence of my email address. However, the number of spams I get has reduced from 15-20 to 3-5 a day ! I'll have to see if it goes up again in a few weeks though...
now use SpamAssassin. Basically, a set of new headers is attached to the e-mail of the form X-Spam-foo, and if X-Spam-Score is 7.5 or greater (on a scale of 10 I believe), then X-Spam-Flag is yes. It's really useful for sorting out spam quickly, and I haven't gotten a false positive yet...It doesn't get all of the spam, but it gets the vast majority of it...
Spam is a technical problem, so why can't we come up with a technical solution? For example, it should be impossible to forge headers, not illegal. Why rely on a legal solution from many of the people who have brought us such brilliant solutions as the DMCA and the CDA in the past when all that's required is what our community has always been good at: sitting down and thinking things out?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Filter any e-mails containign the phrase, "this is not an unsolicited message".
"Sic Semper Tyrannosaurus Rex."
Spam Spam Spam Spam
Where does it come from, Uncle Sam?
"Monty Python, don't you know,
When the madness was in full flow"
But what when the accursed stuff
Leads one to declare, "I've had enough!"?
"My son, spam's easy to fail,
When you stop using hotmail!"
-Mark
Looks like we have the supremes on our side; if we could just congress to issue some letters of marque and reprisal on the spamhausen, we'd be getting somewhere...
What a strange bird is the pelican, his beak can hold more than his belly can.
I think that breaking that economic model -- ending the reciever-pays system for email -- is the only way to fix spam. If you had to pay some amount of money -- event 1 cent -- for each message that is delivered, spam would stop being economical. And that's the only thing that's going to make it stop.
-Esme
Copy and paste this into a bookmarklet:
; nu mbers="0123456789";document.forms[1].login.value=" ";document.forms[1].passwd1.value="";document.form s[1].passwd2.value="";document.forms[1].email.valu e="";document.forms[1].birth_year.value="";documen t.forms[1].zip.value="";while(document.forms[1].lo gin.value.length1)document.forms[1].gender_check[1 ].checked=true;document.forms[1].birth_year.value+ =numbers.substring(strindex=Math.round(Math.random ()*9),strindex+1);document.forms[1].birth_year.val ue+=numbers.substring(strindex=Math.round(Math.ran dom()*9),strindex+1);document.forms[1].zip.value+= numbers.substring(strindex=Math.round(Math.random( )*9),strindex+1);document.forms[1].zip.value+=numb ers.substring(strindex=Math.round(Math.random()*9) ,strindex+1);document.forms[1].zip.value+=numbers. substring(strindex=Math.round(Math.random()*9),str index+1);document.forms[1].zip.value+=numbers.subs tring(strindex=Math.round(Math.random()*9),strinde x+1);document.forms[1].zip.value+=numbers.substrin g(strindex=Math.round(Math.random()*9),strindex+1) ;document.forms[1].country.selectedIndex=Math.roun d(Math.random()*236);document.forms[1].income_sele ct.value=Math.round(Math.random()*10)+1;document.f orms[1].industry_select.value=Math.round(Math.rand om()*36)+1;document.forms[1].title_select.value=Ma th.round(Math.random()*36)+1;document.forms[1].fun ction_select.value=Math.round(Math.random()*16)+1; document.forms[1].paper_select.value=Math.round(Ma th.random()*3)+1;document.forms[1].submit();
javascript:letters="abcdefghijklmnopqrstuvwxyz"
There shouldn't be any spaces in there, so cut them out if slashdot inserts them. When you get to the NYTimes "you must register" page, click the bookmarklet. It's not the most beautiful solution, but it does the job.
Sure all these programs help, but think about what creates spam in the first place.
There are clearly people out there willing to buy the things offered in spam. Obviously not that many, but enough to make a profit. I think that there should be more of an effort to target these people and tell them not to buy stuff from spam!
There is only so much a program can do to stop spam. As we've seen numerous programs have been made, Spam Assasin being one of the best (I use it), but the spam just keeps coming
Until there is no incentive to send spam in the first place people will do it despite any laws against it.
The one big feature missing for me in evolution is a spam filter. Fortunately, spamassassin works great even if you have to run it locally. Here are some instructions for evolution users who need to run it locally or are lucky enough to have spamassassin installed on their mail server.
Be careful what you outlaw. If the law is too broad, it could easily be used to prohibit not only headers in email messages, but in connecting to a web server. How would you like to have it be illegal to lie about what browser you're using? Or refuse to send a referer?
Who gets to ensure that mail headers are not forged and that mail is unsolicited/solicited? First, e-mail has no phsyical boundaries so should it be by local governments? There have been times when I signed up for something I forgot about, and I received e-mail many months later, thinking it was spam. If the users can't tell what is unsolicited or not, how will we know what is solicited mail?
The trick is to have 2 email addresses(I used to have 3 but the company hosting the third one went belly up). Private and Public, on the public one put everything, password confirmation, slashdot details, EVERYTHING, give this to all your friends, never check it, you don't have the time to wade through them all.
The other one(private) don't give it to anyone, never reply to anything sent to it and if asked deny ever having regestered it.
The first will get about 400 SPAMs a day, the second, only about 4 a week.
And thats how you beat the internet.
Read Errant Story.
All about NY Times - Spam, Registration and unbiased news unlike CNN
Also on
Programmers who wrote Kazaa.....
Three Estonians programmers wrote Kazaa code
Kazaa looks for salvation
The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited.
I don't know what is meant by unsolicited -- and I doubt that there are good definitions that are practical. Nor do I want any single e-mail ever to be treated as spam because some unsophisticate forgot to (or didn't have the software) to make the e-mail unsolicited.
I *DO* want the anti-spam laws to have teeth and very few exceptions -- for that, the criteria for spam should be sufficient to permit adequate filtering (to be useful), not be content-based (to be constitutional), and should be relatively objective (to be practically enforeceable).
Thus, in lieu of forcing headers to identify whether an e-mail is solicited, i would punish falsely identifying an e-mail as non-broadcast. That is to say, an e-mail is not broadcast if it was sent to, say, fewer than 200 different addresses that had not specifically opted-in by affirmative request to receive it.*
Then, we simply get most e-mails clients to flag routine e-mails as non-broadcast, and you have a decent result.
*the only tricks here are (1) subtle and non-substantive changes in each e-mail making them different and (2) sending e-mails on behalf of many different sources (from 1000's of different e-mail accounts). The solutions can be readily addressed by (1) referring to the e-mail and "substantially similar" e-mails (the copyright standard); and (2) referring to e-mails sent by or on behalf of a particular individual. Thus, the person commissioning the spam is always liable for the crime -- regardless how many different persons send the spam on her behalf.
when people say SpamAssassin is good - they should really be talking about 2.5
that is the version with the Bayes fully in it and it is head and shoulders above the previous versions IMO
There are some odd things afoot now, in the Villa Straylight.
The uneducated guy that send this story in, need to know that was instrumental in taking Chaos theory from an obscure science in Santa Fe into something that almost every scientific discipline benefits from. Incl CS. .
Help fight continental drift.
I don't know about the other things the author mentioned, but forged headers should be illegal.
I know /.ers have a habit of commenting without reading the article (ya think?) but this article is worth reading.
I am not sure if you have to register with NYTimes (I registered years ago) but its worth registering for free if needed. Its a well thought out article.
Tequila: It's not just for breakfast anymore!
I know what you mean. You'd think that this piece were copied from something Glenn Reynolds wrote or something.
Here is a link to a text-only version of the article.
Article
Its effective.. as stupid as that sounds, if it wasnt they would not be wasting $$ on it.
Id love to see the types that do fall for spam, but they must be out there.. somewhere..
---- Booth was a patriot ----
I've been using Cloudmark's SpamNet for the past few months and it's been working quite well.
The smart thing that SpamNet does, is that it relies on its users to determine if something is spam or not. If some email lands in your inbox and a few hundred SpamNet members have proclaimed it spam, it most likely is, and it gets immediatly filtered out. This has the net effect of a few user's needing to filter out a few message ocassionally, while the vast majority of messages are filtered out for all users. Although SpamAssassin seems quite good, it's still based upon filtering rules and spammers are constantly tweaking their emails to try to get around them. Since people are still better at determining what's spam and what's not, I find that its accuracy is generally better.
SpamNet isn't perfect though, as far as I know, it only works with Outlook on Windows and doesn't have a Unix, Linux or Mac version. It also sometimes filters out valid bulk mailings, but overall, I would definitely recommend it.
I should be able to ask Hotmail (or whoever) "I have message #xyz from your domain. Does it originate from a user in good standing?" If the ISP gets too many queries for an individual account, it will stop vouching for it.
Likewise, you need a database of "ISP's in good standing". I.e., who is known to play by the rules with MSSMTP?
Verification would serious server resources, but better that than spam.
-mse
Who steals my .sig, steals trash.
Fiat Lux.
SpamAssassin's a great idea, but for the non-technically minded user, POPFile's the best choice. Bayesian filters, learning, kickass UI, and a Windows installer (and Perl for other platforms.)
>>1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited
Don't we ever learn from the past? We've all seen the unintended consequences of poorly-crafted legislation (e.g. DMCA), so why run to the shelter of more restrictions which, in the end, will only cause us more problems? Like the criminals trying to scam your mom with the Nigerian-hold-my-money-for-a-day scam are going to suddenly begin obeying the law... yeah, right. Which begs another question: what law, in what jurisdiction? Even if the US were to pass this law and ruthlessly enforce it (domestically), all scammers would simple flood us from offshore servers.
The solution is not legislation, it is the creative use of technology. Build software that "learns" what is spam and what isn't, then evolves to keep up with the changing tactics of the spammers. Something like PopFile
I own a domain and so can give each site a different email address (foo@mydomain, bar@mydomain, fum@mydomain, etc.) so that I can tell if they squeal. I get the NYT's very nice daily headline summaries, so they certainly know how to reach me. In eight years I have not seen even one spam with the nytimes email. I wish I could say the same of others....
:)
Granted there is always the risk that they could be hacked, as their main page was some time agi, but what's life without risk?
The only headers that should be preserved are perhaps the Received: lines which show that route that the message has taken. Still, I can think of a legitimate reason to muck with these - if a company network has a sufficiently complicated internal structure, these headers might reveal some information that they don't want widely available.
Hi, :) :(
I said that here once (I think). Instead of
simply filtering out the spam -- which cannot
be a permanent solution from general conside-
rations, since spammers are adaptive too --
act against it. Send them a false credit card
number with some made-up name. People say that
thus one may cause trouble to someone innocent.
The chances are practically zero, methinks.
If many people do that, the spammers will be
flooded and drowned. It is a PITA to do it
manually, but surely there must be a way to
automate it mozilla ?
.
If they advertise web-pages, DOS them with
continuous downloads. Actually, I do this
once in a while with wget. Again, one person
doing it can contribute nothing, but many
ones CAN. If 1% of the "victims" download
each a 10 000 copies of the page, the spammer
will pay for bandwidth more than the eventual
profit from gullible fools will be. And the
spammer can do practically nothing against
a multitude doing this. This approach is
scriptable.
.
Finally, there are the spammers that do not
give any web forms or pages. I got such one
today, from the last dictator of Congo's son
The pro-active defense does not work then
.
It seems that the real final solution will be
not what I describe here, but creating subnets
of trust that reject email from the outside
unconditionally.
Go figure.
Is this thing on? Hello?
what he is saying is like requiring gun manufacturers to come up technical solution to prevent guns being used to murder people instead of just making murder illegal. the author of that comment is just making broad, pandering statements about the power of technology and how smart we all are. he isn't proposing a solution. he is not saying how it would be phased in. it's just worthless anti-government grand standing.
Gliek's is the best anti-spam article I've seen. I read this article yesterday and then emailed David Price, my Rep, and John Edwards, my Senator, urging them to support national prohibitions or regulations of spam. I urge you to do the same. Politicians bow to pressure. Apply enough citizen pressure and you can overcome even lobbyists.
I am not an expert on much, but I have written servers of various kinds and have some understand of SMTP and networks. Corrections to my naivite are welcome :-)
Seems to me that the problem could be self correcting if there were no forged headers. If spam could always be traced back to its originator, or to a bad relay who accepted forged headers, then only 1% of the recipients would have to reply to flood the miscreant's mailbox.
So why is it not possible to prevent forged headers? Why can't SMTP relays reject mail whose most recent Received-From: header does not match the the sender? As long as you can trace these backwards, at some point you will hit a forged header or the originator. If the header is forged, that means the the next relay did not verify headers, and is a worthy target of complaints about spam, as good as the originator, in fact.
If only 10% of SMTP relays and ISPs enforce this, that would seem to me enough to flood spammers with complaints.
Why would this not work? Worst I can see is it would take a few months to become widespread enough to have an effect, and early adopters would have a slight processing overhead increase, due to having to check for forged Received-From: headers.
Infuriate left and right
>>2) a specific header entry should identify the email as unsolicited
I can see some problems with this. If I send a message to my mother out of the blue is that unsolicited?
I haven't read the article (I don't like the NYT and avoid it when I can) but I'm sure the idea is that this applies to commercial email, but that's a dangerous distinction to make if you ask me.
1. Spend 10 bucks, buy a domain name (eg xyz.com).
2. Set up a few email aliases to point to your real email. eg:
joe@xyz.com ---> you@hotmail.com
temp123@xyz.com ---> you@hotmail.com
spam123@xyz.com ---> you@hotmail.com 3. Never give out 'joe@xyz.com' to anyone except friends/family.
4. Use the other emails for signing up for things on the web or in usenet.
5. When you get your first spam addressed to 'temporary21@xyz.com', delete the email address (no more spam from that source!).
I find this method works extremely well. By using aliases in this way you effectively hide your real mailbox. Even if your hotmail account starts receiving spam you can just get a new one and point your aliases at it. Also, if you change ISP you don't need to change your email address.
If you use it to forward to a hotmail account it might be better if the hotmail account name isn't a dictionary word or name (ie. use a random string for an account name that the 'bots won't guess.
You're screwed if your 'trusted' address gets out there but if you're careful you'll at least get much more use out of it before needing to kill it.
Is this the same James Gleick that wrote Chaos: Making a New Science?
Well, it has never been successfully tested.
The most important Q, if gov't help is going to mean anything.
Enforcement is currently a state problem, for the dozen or so states that have antispam laws. Even if they can establish jurisdiction, they have to locate the offender. An asst. attorney general I chatted with in Washington state described an almost comic crusade to get ONE spammer who set up under a different corporate name every week. They used three private investigators to track him (successfully), suggesting to me their investigatory resources were limited. Anyway, they couldn't afford to do this with everyone, and this one example was located in-state!
I was surprised the author didn't really talk about state laws at all. They're kind of the laboratories for the eventual federal effort, and state law/enforcement will be complementary.
Once there is a law on the books the "cyber" aspect of it is only as issue for tracking. Postal mail and telephone calls have "no physical boundaries," too, and actually it is the crossing of state lines taht is an obvious source of federal jurisdiction. The rest is standard law enforcement. The FTC, which the author briefly visited, was busy enough with outright fraud, where it already has jurisdiction, just as it does over fraudulent TV ads and newspaper ads and product labeling and so on. I can say that I've seen some very good work by the FTC, even leading to jail terms for the guys who just won't give up. (The jail term I saw was for criminal contempt of court.)
I think they're going to need to provide a private enforcement action, as with the fax law. The gov't resources would still be needed to track down and prosecute the really tough ones, such as the WA case I described. We already have some relevant experience from the anti-junk fax law.
Recognizing spam -- good Q. I don't have any trouble recognizing 99% of it. For teh false positives, it should be possibly to allow the merchant to provide evidence of opt-in, and if enough complaints are tallied there would be further action.
Seems to me that the problem could be self correcting if there were no forged headers.
So the headers trace back to a fly-by-night ISP in Gangdong-gu, Korea. What are you going to do about it?
Why can't SMTP relays reject mail whose most recent Received-From: header does not match the the sender?
Because some people use services like pobox.com which forward incoming mail but must use their ISP's mail server to send mail. Your proposed solution would put that useful service, and many like it, out of business. (No, you can't trust reply-to headers to work. Many packages wrongly reply to the purported from: address rather than the reply-to.)
The big problem I have now, new in the last two months or so, is that many of the spams are now uuencoded text bodies... so the filters don't work on them. They are reconstituted by the client (Eudora in my case), after passing through the filters.
Unfortunately the filters (e.g. Spam Weasel, Eudora,etc.) don't have an "automatically reject if no text components" option.
Can you provide evidence of opt-in really? Some company maybe have purchased a list, but where does that list come from originally? It goes beyond just who is sending the e-mail, right?
Change to something like IM2000 (http://cr.yp.to/im2000.html), spam vanishes in a poof. Keep around with the current broken system, and we'll have ever more draconian laws in ever more futile attempts to suppress it.
Check out an online service called SpamArrest.
For about $20, you route your incoming domain email through their whitelist email servers. Anyone who's not on the list is automatically sent an email with a link for people who want to be added to the whitelist. The link takes you to a page where you have to type in a word that you see on the page (the word is in a graphic and is partially obscurred to twart spammer countermeasures).
Of course, a spammer could just click on the link and add his name, but is he going to do that for all 60,000 emails he just sent out? Probably not.
Can't one of the karma-whores post the full article?
Come on, I know we won't slashdot it but I am just
too lazy and paranoid to register
and switch on cookies in my browser.
There are also philosophical problems with such a scheme which others can explain...
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
Okay, switch to plan B. We don't just call it illegal, we call spamming a "terrorist activity." If the spammers don't stop, we shall make war on their routers, launch cruise missiles against their ISPs, and freeze the financial assets of known spammer cells.
Just once, just ONCE I'd like to see the constant erosion of personal liberties work in MY favor!
You want the truthiness? You can't handle the truthiness!
For what it's worth, an ever-so-slightly longer version, lacking a few bits of Times editing, is posted here, at my own site. And may I say how helpful and fascinating the many Slashdot discussions of this subject have been?
Spam is a technical problem, so why can't we come up with a technical solution?
...
I don't know, why can't "we"? "We"'ve been trying for nearly a decade, and haven't made the slightest dent in the onslaught.
Note that post-delivery filtering ignores the main problem of spam -- the cost to the ISPs and mailhosts, who need bigger pipes and bigger servers to deal with the massive loads of incoming spam. The cost of these pipes and servers is, of course, passed along to us, the customers.
For example, it should be impossible to forge headers
Sure, we'll just design new protocols, get everyone in the world to agree on them, create implementations, debug them, and then deploy them everywhere. That should only take, oh, say, a few more decades!
Why rely on a legal solution
Who said anything about relying on it? What's wrong with a multi-pronged attack? Technical solutions have (so far) got us nowhere. Surely it can't hurt (much) to try some other approaches.
Furthermore, spam is not entirely a technical problem. It's also a social problem. Many (possibly most) spammers refuse to admit that what they're doing is wrong. After all (they argue), if it were wrong, surely it would be illegal? So, making it illegal will completely undermine that argument.
the people who have brought us such brilliant solutions as the DMCA
And the people who brought us laws against dueling and slavery and junk faxes. Yeah, not all laws are perfect, and many lawmakers are stupid or corrupt. But to go from that to "we shouldn't have any laws" is just silly.
If we can pull it off.
With Bind 9, we finally have a decent, working implementation of DNSSEC. This will allow for a new breed of secure, verified websites and email, and (Finally!) makes a RBL actually mean something.
How's that you ask?
Well, one of the biggest problems with SPAM is the forged header, open relay issue. It's a complicated issue, and one that doesn't have an obvious, "in your face" kind of answer.
DNS is designed to tell you where to go, and SSL/Certs make sure that you got there. Why aren't they joined together? The fact that you are the DNS server for a domain makes it clear and obvious that you are an authoritative designator for where you are supposed to go - why have this wholy separate and dis-jointed SSL/Cert that can't even be made to work consistently?
If an ISP can issue DNS-SEC certs with impunity, we might actually see a reason to have encrypted and ISP certified email.
And suddenly, the ISP is back in charge again, able to validate every email going out as coming from one of it's customers. Revoke the cert and their email becomes unreadable.
Now, we have an email system with a powerful mechanism built in that is:
1) Standards compliant
2) Easy to implement
3) Clearly laid out
4) Cheap
5) secure
6) private - using the ISP's cert to identify yourself doesn't mean that the ISP can read your email! (like they can now - the command is "mail -u _username_")
What's not to argue with? The issue of locking down an open relay becomes a non-issue - an ISP could simply identify an "s-mail" server (secure mail) that will only relay for those holding a valid cert at that ISP.
Roaming wouldn't be an issue, nor would open relays or forged headers.
A brave new world? Yep. One I'd like to live in? Yep. One that's coming? We can only hope...
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Why is this in the NYT magazine and not the front page of the NYT. Perhaps /. readers should be emailing (or snailmailing, or faxing) NYT to get this on the front-page. Something that costs ISPs billions(?) of dollars per year would be extremely relevant to the readership of the NYT.
I'm a stereotypist.. if all the previous comments this guy made got a -1 modpoint, why should this one be any brighter?
I have no problem with registering. It's when it expires in a short amount of time, and you have to reregister. Lather, rinse, repeat.
That fly by night ISP must get its internet connection from somewhere. And it isn't as easy to set up a fly by night ISP as a fly by night account on an ISP.
I must need education on pobox.com. If they originate the first Received-From: header, isn't that good enough? It's either a valid connection from one of their customers or it isn't. Are you saying that because the Received-From: header is not a valid To: address, the scheme wouldn't work? I am not thinking of the SMTP relay replying to the email, never, only verifying the chain of Received-From: headers and rejecting a relay if the most recent is wrong. I know you can't rely on headers in general, they can all be forged, and you can send mail without any headers, or at least very few. But the Received-From: header check would still fail if the most recent was forged. And all you have to do is reject email if the latest one is forged. Nothing to do with replying. Now if a recipient doesn't like the email, he can always complain to the oldest (or oldest valid) Received-From: header, whether or not that is the riginator or the originator's ISP. And if 1% of the recipeinets do, ISPs will be much mre careful about signing up fly by night accounts.
Infuriate left and right
If you use MS Outlook (we are forced to at work), try out Spammunition. It's a free Bayesian spam filter that's integrated right into Outlook. Works really well. No spam problems any more. This bayesian approach really works.
Well, I just finished perusing the article, and I partially disagree with Gleick. His proposed two-part solution is:
a ve-been-a-long-time-ago.com.
;)
1) Forging Internet headers should be made illegal. The system depends on accurate information about senders and servers and relays; no one needs a right to falsify this information.
2) Unsolicited bulk mail should carry a mandatory tag. That alone would put consumers back in control; all the complex technological challenge of identifying the spam would vanish.
First, I don't think part 1 will really help. Sure, it would be nice if all email contained accurate headers, but I think he's specifically referring to the headers that document the path the email took to reach a victim's inbox. The problem is that, as long as spammers continue to forge headers, they can evade prosecution. It's like saying that bank robbers should not be allowed to wear ski masks while committing the crime. Sure, tellers can still remember the approximate height/weight/build of the robber, and might even be able to get a peek at the getaway car, but such a law would only increase penalties for spammers that are identified and prosecuted, not make indentifying and prosecuting them easier. And that's what part 1 is really for -- identifying and prosecuting spammers who violate part 2.
I don't think that will work either. Of course, I would have supported part 2 at least before I read the article, but Gleick makes some interesting comments with regards to licensing agreements. What about all the people that go to web sites, fill out forms (a la NY Times), and click "I agree" to get access to the content they wanted in the first place? MS uses licensing agreements for critical updates to give them the legal right to access any windows user's machine and delete programs they don't like. There's no reason to believe that web sites (or other entities) wouldn't use "terms of service" agreements to get "permission" from web users to send commercial email.
If part 2 were implemented, all internet users would get (in addition to the forged headers we receive now) would be a bunch of emails without the UCE flag claiming that we signed up to get the email when we clicked "I Agree" at i-dont-remember-visiting-this-site-but-it-could-h
Here's another idea:
1. Contact and educate sysadmins who run email servers that are spam-friendly. To qualify as "spam-unfriendly", an email server must add a header to every message passing through with the IP address of the machine from which it received the email. If every mail server were "spam-unfriendly", recipients would be able to positively identify the IP address of a given emal, and the ISP in turn would be able to identify the person who sent the email (if the need were there).
2. Create a double opt-in/opt-out system. That is, in order for one person to legally send a commercial email message to another person, the recipient must have _opted in_ to receive that message. In addition, anyone may _opt out_ of future messages at any time. This would protect those who accidentally opted in to receiving spam by clicking "I Agree" on a web site by letting them undo their mistakes.
Of course, this system would never work. At its core, every system for combating spam is based on making either the act of spamming or employing someone to spam less profitable. This scheme, along with many others, rely upon US law to do this by associating a legal, financial penalty to bothering people with spam. Spammers can evade the system by going off-shore and continuing their business.
One system that I think has a lot of promise is creating a mail client that sends 50KB (or more) of data to every web site mentioned in an email that the user marks as spam. If everyone were to use such a client, spammers would effectively end up DDoSing their own e-commerce site. Performing the act that bothers so many people (sending out batch emails when 99%+ of the target audience is not interested) would be directly and unbreakably bound to suffering a denial of service attack thus preventing the less than 1% of victims who end up responding from being able to make a purchase. In a system like this, spammers have two options:
1. Send "spam" only to those people who they have a good reason to believe would be interested.
2. Give up.
I'll deal with two possible objections right now:
Well, if everybody used a spam filter like spamassassin, spamming would become unprofitable and spammers would stop. Also, ISPs networks wouldn't be taxed by all that extra traffic being sent.
Nope. Spamassassin is good for now, but its fundamental effectiveness relies upon there being detectable differences between spams and legitimate emails. For example, the email:
Hey dude, what's up? How was the boating trip? Hey, I know you've been shopping around for DVD players lately, and I saw a sale on them over at amazon.com. You should check it out -- they have some awesome deals on multi-disc boxes.
could be from a legitimate source. It could also be a spam. If you can't categorize this email, how can you expect a computer to do it?
As for the end effect on ISPs networks, there's not much that could be done about that as far as I can see, since the whole system is based on using all of the bandwidth available to the spammer's (or the spammer's client's) web site, or at least using enough of it to cost them a bundle.
Could malicious users take advantage of this system to lauch DDoS attacks against innocent web sites? In other words, doesn't it provide black hats with 100:1 bandwidth multiplication (1/2KB email results in 50KB directed at the target web site)?
Yes, yes it does. This is the only reason why I think the system, as described, shouldn't be implemented. I've thought of various ways around that (e.g. combining the spam-unfriendly email server concept with this system so that spam-friendly email servers (if there are any in the message path) or the spammers themselves take the beating, or limiting the maximum 'punishment payload' size to the size of the spam to prevent bandwidth multiplication), but none of them have struck be as being The Best Solution yet.
That doesn't mean I'm going to stop chewing on the problem, though.
No, really. It must be an IE thing.
I've been using Mozilla since forever. I also miss popups, and I put a long list of ad sites in the proxy box.
Besides, I'll just Google for the article. I'm not going to give the terrorist loving bastards at the NYT a hit.
But most importantly of all, we cannot forget that American consumers are responsible for spam. That's right, spam is OUR fault. It is our fault because no matter how many messages are filtered, and no matter how many websites are closed for spam complaints (or get DDoS'd by rampaging slashdotters), they still make money. They make money because of that infinitesimally small group of consumers who buy stuff from spammers. That small percent is what makes it all worth it to them.
The day that spammers' profit margins drop to nil because consumers refuse to buy from spammers is the day that spam vanishes from our inboxes forever. No laws, no filters, no problems.
Unfortunately, as P.T. Barnum would put it, "There's a sucker born every minute..."
At our school, we don't earn a degree when we graduate—we earn pi/180 radians
There are many perfectly reasonable reasons why you would want to provide an alternative to the default value for many SMTP headers. It's when you lie and mislead by using values that *other* ISP's use in their own headers that you are said to have "forged" them. Bogus "Received" headers can be considered "forged headers" as well, as they are not added by the MTA per the SMTP specification, they are crafted by hand to make it *look* like they were added by an MTA.
These are forgeries. Providing alternative (but still "correct") values for some SMTP headers are not.
(Technically, instead of mucking with the From header, you might want to consider adding a Reply-To and/or Errors-To header instead.)
Well, you can already be sued in any place you have a "presance" in, which is interpreted pretty broadly. In other words, just fine the spammers if they're in the US. If they physically leave the country, well, good riddance...
Hi John,
...
I got this from my friend who works at the mall - check this girl, she's hot!
Spam is not a technical problem.
It is generated by the most complex processing system known (The Human brain) and obeys to one of the simplest known principle (or absence thereof: greed).
That's a pretty potent combination.
Certainly not one for a machine to match.
No AI based solution will ever be able to reliably block spam, it's like handwriting recognition: I can't even read my own handwriting sometimes!
Spam is a human problem that has two sides:
- Some nutters will stop at nothing to sell you something (expecially if the numbers look good).
- Some idiots will genuinely think a girl called Sangria has the hots for them - type in your credit card here darling.
Don't worry: if you've read that far, then you're probably not that dumb.
Of course the solution is legal.
Here in the UK, I used to receive a fair amount of junk mail. There is however an opt-out list which I subscribed to and all I get is a few of them a year for the guy who used to live here before me.
So, yes, forged headers should be illegal.
And no, an 'Unsollicited mail' one is not a solution:
Why?
Because of this:
"Hi Tee, I am your long lost cousin in Australia - I found your e-mail on your web page, So good to be in touch again..."
A header that says whether or not the email is advertising is a better idea. If the values of this field follow an agreed classification, you could actually filter IN *voluntarily* things you are genuinely interested in.
The inforcement problem about spam will eventually be resolved. Europe is getting bigger and more integrated, the USA are a big chunk too. Now if these two and, say Japan or Taiwan agreed to block any other network that does not adhere to the guidelines, there will be a lot of pressure from inside those banned countries to make them adopt compatible legislation.
Of course it takes guts (something politicians rarely have), technical awareness (ditto) and time (Well fortunately we have plenty of that - it's only our patience that's running out.)
Check this site it's hot: http://www.aptilis.com/
(Sorry couldn't help...)
Teebo.
All of the Congressmen now carry BlackBerries.
I hope they won't keep ignoring the problem until some Saddam conspires with major (North? :-/ ) Korean spamhouses, e.g. bulk-"un"subscribing the pagers of U.S. government by "opting out" on their behalf as a reprisal for Operation Desert Spam.
is called Faster, and it should be required reading for everybody on the planet.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
Sounds like Sneakemail.com, which does have additional benefits.
Spamgourmet lets you create disposable email which forward a specific number of emails before disintegrating. And if you get penis enlargement spam at your nytimes.20.yourname@spamgourmet address, you know where it came from.
>> it might be better if the hotmail account
>> name isn't a dictionary word or name (ie.
>> use a random string for an account name that
>> the 'bots won't guess.
Alas, but such a name will be recognized as spam by the spam-spotting-statistical tools and so can only be used to send messages and never used to send a message. For example, buffy0412xxxmeb13mxy@hotmail.com (as Mr. Gleick himself suggests in the NY Times article) is obviously a spammer and is either doomed to be black-holed or deleted by an intended recipient.
Mmm.... Burger....
"the author, James Gleick, is more technically educated than what we've come to expect from the big press."
Maybe because after many years as a reporter, he founded Pipeline, one of the first big ISPs.
I think it would be great if you could actually prosecute someone for forging headers. Unfortunately you don't know who that person is, now do you?
But how would you ever determine is something is unsolicited? After all, there are a lot of registration websites that have a tendency to quietly flag you as willing to accept spam from them. If I missed it, does that still make it UCE? If it does, how do I now remove myself from all the lists that I am now on...
Spam has a solution and it doesn't have to be so drastic as to put in this kind of legislation or use whitelist only maling lists. We just haven't figured it out yet.
No registration needed for this link
A M. html?ex=1045704785&ei=1&en=2560fd607d65a46 1
http://www.nytimes.com/2003/02/09/magazine/09SP
I think that the router should not use this information to shut anybody off. Rather, it should use this information to reorder its routing priority tables. Thus the router will serve its most spam-free peers first, handling the heavy spam forwarders only when it has time. Eventually consumers will leave ISPs with poor throughput, so ISPs will have a much stronger incentive to track down and terminate their members who spam.
I wasn't impressed. I can remain spam free by not giving out my e-mail address on websites or public forms. My main e-mail address is given only to those I trust. All others use a spam@... address. Ah, the joys of owning one's own domain.
I stay spam free with little effort.
Now, if Spam Assassin involved ninja and hence, ninja action being carried out on actual spammers, I'd be damned impressed.
So what was the e-mail with a score of 27?
"Hello, I am a Nigerian prince who is selling XXX-brand diet pills that also have the side effect of enlarging your penis. Also if you forward this email to five other people and tell them to each send you a dollar you can make money fast."
*ducks*
Or you could just have an authentication system implemented systematically as part of the protocol, such as with Spam Interceptor.
Ace
He's my freaking personal hero. Mod him up!! (or something).
Well, you should try SpamAssassin 2.50-cvs with the Bayesian filtering.
;)
I have it configured to use AutoWhiteLists, and I had to tweak the scores assigned to the various bayesian filter rules a bit (they didn't have enough weight by default).
Since then, every single mail I've gotten has been correctly identified as either spam or not spam. It is *amazing* how accurate the bayesian filters are. When no other SA rules identify the mail as spam, you still see that the BAYES_90 rule was activated (90% chance the message is spam).
Just don't forget to use sa-learn-spam and sa-learn-nonspam so that the Bayesian filters are more accurate! Luckily, I haven't deleted a single mail (spam or not) since Nov 2001, so SA had a large base of spam to learn from
Just make a local page on your box, load, and forget for a few days. Email might not cost 'em much, but I'm betting they pay for bandwidth for their web sites. And if the site itself isn't spamming, but somebody promoting it is, you can bet that the actual spammer is gonna hear from the web site operator pretty fast so long as you include the entire url.
m l]
m l]
For dialup connections:
[html]
[head]
[meta http-equiv="refresh" content="10"]
[/head]
[frameset cols="100%" rows="*" ]
[frame name="main" src="http://www.spampage.com"]
[/frameset]
[/ht
For broadband connections:
[html]
[head]
[meta http-equiv="refresh" content="1"]
[/head]
[frameset cols="100%" rows="*" ]
[frame name="main" src="http://www.spampage.com"]
[/frameset]
[/ht
Check out where Gleick quotes Feynman on the inherent risk of Shuttle flights. Prescient, that Feynman.
We dont need rules on *how* to send uncolicited mail - anything that is codified like a header that lets all spam be ignored *will* be ignored by spammers who will continue to cloak their identity and do everything they do today.
Stopping spam at the receiving end doesnt prevent it from using storage space and bandwidth that your ISP has to pay for. The only way that does is by stopping it from being sent - with strictly enforced anti-spam policies which ISP's use to disconnect any services to anyone sending spam.
The ONLY rule we need is DONT SEND UNSOLICITED MAIL, and the only way to enforce it is for ISP's to disconnect all services (connectivity, hosting, dns) to anyone found sending spam. And since so far, many ISP's dont seem willing to take such a hardline, and actually enforce their AUP's (maybe they like the money spammers are willing to pay them, the only way to force them to do so is to force them to choose between their spammers and their non-spamming customers - one good way to do that is SPEWS
The only way to stop spam is to make it so no ISP anywhere is willing to sell service to spammers.
as commercial speech, spam isn't entitled to any particular first amendment protection
It doesn't matter if it's entitled to protection or not - it's theft.
The first amendment guarantees the right to say whatever you want - it does not guarantee the right to an audience, or to force people to pay to hear you. (Both of which apply better to spam than "commercial speech.")
The whole "free speech" argument is a red herring.. spam is as deserving of "free speech" as any other type of harrassment - which is to say NONE.
If you're a company and want a good spam solution check out BrightMail, or someone that resells their service. It's not the cheapest, but it REALLY works. No false positives and no overhead.
BrightMail monitors many, many, email addresses for customers and others that they seed. When an email hits a number of those addresses quickly it is forwarded to their NOC. A person looks at it and decides if it is spam. If it is the message is blocked from all other customers. It works very well.
Spam is not about content. Not everyone even agrees what constitutes spam when they are evaluating it based on content, so how can a program or a recipient community do this? What makes mail spam is stuff like sending it unsolicited and in bulk. It won't matter what the content is.
I have signed up with some companies for announcements about their products. While that company may not be spamming, their content could have a lot of the same wording as another company selling similar products, but is sending it to harvested addresses. The latter is spam, but the former is not. How do you tell based on the content?
Tools that evaluate a message based on content are probably going to classify both messages the same way. If they are both classified as spam, then one of them will be "collateral damage". If they are both not classified as spam, then the other will be "leaky pinky". So I still prefer to block spam on the basis of the behaviour of the sender.
now we need to go OSS in diesel cars
IMO, the solution is use both legislation and technology. The legislation needs to target people that send spam, and people that cause it to be sent. It needs be broad enough to catch spammers who use off-shore agents to do their dirty work, and companies who get spammers to do their advertising.
The technology needs to be there because no legislation will stop all of the spam. Even if the legislation was universal across all jurisdictions (not plausible), and strictly enforced everywhere (not plausible), there will still be some people who think they can get away with spamming, or who don't think or care about the consequences.
The legislation needs to be part of the solution because technical solutions have an inherent risk of collateral damage; e.g. email being incorrectly labelled as spam. This is not acceptable for some email users. Furthermore, spammers will continue to be a step ahead of anti-spam technology for the forseeable future. IMO, the only hope is a "intelligent" email agent that does a better job than a good (human) personal assistant.
Paul Ford (http://www.ftrain.com/) suggests "[a]n imperfect alternative to fighting spam which no one will implement, but which would be more satisfying than existing proposals". Basically the idea is for the Spam Filter to reply to each and every spam with a randomly generated fake reply. The full article is at http://ftrain.com/spam_quick_idea.html.
One critical flaw is that routers are Layer 3 ("Network") devices while emails are Layer 7 ("Application") data.
The lowest level you could block an email at is Session (and that's being optimistic), which means it has to be done in software.
Routers have a simple job: encapsulate frames into packets, and forward those packets between networks (that's what the "Inter" in "Internet" refers to) to be assembled into segments. The router itself has no idea what the contents of a given message are; that is verified by Session-level software on the sending and receiving hosts.
Imagine it from the router's point of view: all it knows is that this packet is coming from 100.101.102.103 and going to 65.66.67.68, and that it has a few bytes of data -- the rest of the message may well be forwarded by completely different routers.
In summary, the Network layer is an inappropriate level to attempt to detect spam.
All's true that is mistrusted
If we had free healthcare in the US, and they paid for penis enlargments...NO MORE BIG PENISES BY MAIL!
also if they lowered the age of consent, no more overpriced pictures of IMPORTED LOLITAS!
and if some states got read of their adultery laws, NO MORE LONELY HORNY WIVES!
and if some other states legalized sodomy, NO MORE SLASHDOT!
It's a link to the article without registration ... via the archives (very clever :)
OK, don't shoot them, but maybe conduct a poll. Find out why they are stupid enough to purchase anything offered through an unsolicited commercial e-mail. Find out if they actually believe that anything purchased through an e-mail will increase their penis/breast size, allow them to lose a ridiculous amount of weight, make an impossible amount of money or get the best mortgage rate around.
And then shoot them. A lot.
Please don't humanize the morons around me. It makes me very uncomfortable.
Here's an essay on a proposal for eliminating spam.
In some ways, making forged e-mail headers illegal is both a technical and legal approach to at least part of the problem. I currently use SpamCop and the Open Relay databse to filter my incoming mail. This combination does a reasonable job of fordcing all incoming e-mail to my server to have an unforged header. That is, the mail must actually be from who it says its from and can't have been sent through an open relay. SpamCop does a fairly good job of weeding out the spam that still meets these requirements. Making forged headers illegal would allow every U.S. ISP to do the same without someone saying that not being able to send spam with forged headers violates their right to spam. This setup traps and rejects a spam or two (on average) every day for me.
The only problem is, this is done at my expense (sendmail is so much fun and so intuitive to administer) and at the expense of the people who maintain the SpamCop and ORDB databases. Also, I still get the random loser who gets a list of e-mail addresses and fires off a Nigerian money scam e-mail to me from time to time. Nothing will stop idiots from believing that they can get rich quick from something like this including requiring unforged e-mail addresses. My solution to these is to just forward the e-mail to SpamCop and note in my "personal attachment" that the person sending the e-mail should be prosecuted for fraud and that the originating ISP should also be prosecuted if they don't do enough to stop the problem.
They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
Ben
Strange -- I've had the same NYT login since 1994.
In the script I was working on today, users are able to RSVP themselves and friends to an event. The friends then receive an e-mail that appears to be coming from the person who used the script.
This is necessary, because if the e-mail had come from the domain of the person whose site contained the script, either (1) the recipients might not recognize the address and they'd ignore the invitation without reading it, or (2) it would get flagged as spam by some program.
If there's some kind of draconian, DCMA-type law against headers, then simple CGI scripts will land all sorts of people like me in prison. So, if they're going to pass a law, they'd damn well better do it sensibly...or better yet, don't do it at all, because it could never be enforced anyway.
Shame on Google.
When I said
... I meant the Received: header, and my experience has been that the server which adds this header includes the IP addresses of both itself and who sent it. Thus an SMTP server could verify this header when receiving a message. If an SMTP server receives a connection from 1.2.3.4 with a message whose Received: header says 5.6.7.8, then the server would reject the message, possibly logging a non-compliant server.
Why can't SMTP relays reject mail whose most recent Received-From: header does not match the the sender?
My bad
Infuriate left and right
I host a few web sites for friends on my servers residing on my dsl line. I'm learning how to properly run a mail server right now, and am going to be going live with it fairly soon. The mail server will receive email for the web sites, which are in the same ip block, adjacent ip addresses. Some of my friends know how to set up their mail clients to download the email from my server (imap), and some won't know the first thing about it, as they use aol for their internet connectivity.
In both situations, using www.PieceOfMetal.com as one example, and www.WindowBreakersAndInstallers.com as the second example, their customers will be sending them email, to sales@pieceofmetal.com and sales@windowbreakersandinstallers.com. My friends will be downloading to their a)mail clients, or b) their aol account.
Still with me?
Now taking the aol user (window guy) as the first example, he doesn't want anyone to know that he is obviously stunted in the brain for using aol. So when responding to his customer inquiries via email, he doesn't use his aol account as his return address, he uses his sales@windowbreakersandinstallers.com return email address in emails that he replies to.
Is the above action considered a forged email? Would this fall under the jurisdiction of and in violation of any laws already passed regarding "forged"?
If he takes it a step further, and takes out all references to aol in the header, and replaces it with his sales@windowbreakersandinstallers.com email address, an email address which works, and which identifies him, and with this procedure not being used to send anything unsolicited, is this considered "forged"?
I actually used to do the first example above myself some years ago (about 5 or 6 years ago) because I had a working web site that received a lot of traffic, but I couldn't figure out how to get the damn aol info out of the headers. I was able to use the web site email address as a return address though. The web site was hosted at a hosting provider, and with my limited experience at that time, it's what I knew how to do. I was also stuck with the aol account, and didn't have the bucks for a different isp. That was around the time when a pokey ass pentium 1 cost around $2500 (with what was it, 4 mb ram?), and you had to mortgage the house for a couple hundred hours of compuserve.
Overclocking? Back then, the hot shit was the chips that could double/triple a processor, taking a 486/25 to a 486/50, and a 486/33 to a 486/dx100
Now that was overclocking!
The solution is not legislation, it is the creative use of technology. Build software that "learns" what is spam and what isn't, then evolves to keep up with the changing tactics of the spammers.
sure. then the spammers evolve to beat your antispam. then you evolve more, and defeat their anti-anti-spam. after a few cycles, you need a Beowulf cluster to run all the rules and an AI to filter the remains and untag false positives. Then, since spammers are *making money*, they buy TWO beowulf clusters and THREE AIs to beat you...
then, while you are speccing out a new beowulf cluster of beowulf clusters, you realize that you will always lose, because the spammers are making money. In fact, you have already lost, because they are making you spend money too.
what can we do to end this anarchic "whoever has the biggest guns makes the rules" condition? If only we could organize our society, and make rules to improve our lives so we are not at the mercy of the unscrupulous....
sometimes government DOES need to step in and set limits on massively unwanted behavior.
Better idea: ditch SMTP/POP protocols in favour of new systems which makes spam advertising less cost-effective. For example, instead of forwarding all email to recipient, how about a protocol that stores the message on the sender's box and forwards only a "you've got mail" header? Spammers would then have to store billions of messages on their own systems or use up CPU resources to create on-the-fly content. Best of all, the sender's address could never be forged or else the recipient wouldn't be able to receive the content.
I have being using an e-mail address for months without recieving a single unsolicitated e-mail, until I signed up for the Motley fool and I get a advertisement for a printer which has no reply address. Any one have similar problems with dealing with Motley fool?
Assuming that'll never happen ('illegal' never stopped a spammer, and they'd never comply with a suicide-tag), an easier way would surely be to provide header analysis in email clients, or mail servers, or both.
If I (as a user or mail server admin) could detect (a la Spamcop) forged or rewritten headers and discard/bounce those messages as fake, most of the immediate problem is addressed. Why don't mail clients/servers offer this out of the box?
That step achieved, those messages from non-forged addresses can be filtered and, if spam, automatically actioned with the source ISP - that should be the role of anti-spam software, IMHO.
See Also: SneakeMail
This ought to be something an individual user could set up without much work : just delete all email that does not contain a keyword from a list of keywords. So work related email must contain the name of the 'fizzy-pop' project, mail from friends contains some other keyword, perhaps their name. Everything else gets sent back to the sender with an explanation. This would make it just about impossible for a person unknown to you to send you any email at all.
At the college I graduated from (And a number of others, I know Columbia University uses a similar system), you are assigned a netID. Your netID consists of your initials and then a number. (For example, mine was atd7. If you have a common set of initials, the number can be in the 50s or higher.)
Needless to say, the address namespace at school has in the past year or two been the victim of brute-force dictionary-based attacks on our namespace.
The moment one of these emails doesn't bounce, BOOM. Your email is valid and the spam starts rolling in.
retrorocket.o not found, launch anyway?
To stop spam will require doing things which are illegal in every country and repugnant to anyone with a conscience. The penalty for sending spam must become so horrifying (for the spammer, personally) that he or she just wouldn't dare. "Civilized" western societies are incapable of this kind of retribution, prefering to play with legislation or technical non-solutions, so we drown in spam, laws against it, and expensive solutions which claim to, but don't, eliminate it.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Suppose we pass a law that make forging Received or From headers illegal, and makes it illegal to send a message that is substantially similar to 50 or more people, but requires that at least 50 people receiving the message complain to the FCC in order for any prosecution to occur. With such a law in place, it would actually help to have people forward spam to the FCC. They could collect those messages and work to prosecute people who send spam.
I like the idea, but I don't think this method would work. Law enforcement would have to trust spammers to not munge the headers in order to give investigators the ability to track down and prosecute violators.
Your post gave me another idea, though. What if, in addition to legally mandating bulk mail tags and correct headers, the government were to set up 'spam sting' operations. The idea would be to advertise the presence of an unprotected open relay hosted at a (financially compensated) university or business. All spam sent through that server would be checked for compliance with spam laws, and offenders would be prosecuted.
The idea would be to make illegal spamming not impossible, but so risky as to not be worth trying (because spammers would not know which servers were sting traps and which were merely poorly-administrated). Of course, this would only curb annoying spam sent from within the jurisdiction of the government implementing the spam laws/stings, but it's a mostly harmless step in the right direction.
The original article is owed that.