NYTimes: Tangled Up in Spam

ezekieldas writes "Congratulations to the SpamAssassin developers and community! There's a mention of SA in the NYTMag as "one of the best tools for network administrators..." in an extensive article entitled Tangled Up in Spam. The article is quite substantial and the author, James Gleick, is more technically educated than what we've come to expect from the big press. Central to the story is the complexity in dealing with spam effectively in both technical and legal terms and the confusion it brings upon the neophyte. The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited."

Kudos to SA.

[clueless123]

I been using Spam assassin for a while now, it is sad to say, but email would be almost unusable with out it.

Re:Kudos to SA.

[WowTIP]

I been using Spam assassin for a while now, it is sad to say, but email would be almost unusable with out it.

But how do people get on the spam-lists to begin with? I mean, I have one email address for work and one private. Neither one of these gets more than one spam/month. Ever. The (obvious) reason for this is that I never use these addresses "in public" (web forms, online buying, etc.), for that I have my spam-collector, the Hotmail account, which do recieve a lot of these messages.

But then, I would guess that most people have been warned not to use their "real" mail address for the hazards I mentioned, making them as careful with their addresses as I am with mine. This would contradict my mesures beeing that effective when others still seem to get massive amounts of spam?

Am I just incredibly lucky with my two "real" email addresses?

If you took the same precautions I did, how do you think you got into the spam-generals addressbook?

Re:Kudos to SA.

[jesser]

The (obvious) reason for this is that I never use these addresses "in public" (web forms, online buying, etc.), for that I have my spam-collector, the Hotmail account, which do recieve a lot of these messages.

One of the major costs of spam is that people are afraid to make their addresses available, making it much harder to contact people. I think it's sad that many geeks have become so used to spam that they think anyone who posts their e-mail address on a web page is stupid. Some geeks even go as far as to blame friends for spam they get when a friend isn't as careful with the geek's address.

Re:Kudos to SA.

[daveq]

Of course there are also those wonderful friends who send a bulk-ish email that doesn't hide the addresses of the thirty recipients. One of them is bound to be an account at freemail.com.

Not only does your spams-per-hour count begin to rise, but you have to suffer the geek's frustration: How could you have a friend so mind-numbingly ignorant of technical manners?

Every time I set up a new email address ("Okay, this one will be spam-free. Really.") spammers find a way to get it, whatever I may do to prevent them. It only takes one leak.

Re:Kudos to SA.

[qengho]

send link to a friend

A couple of months ago I got fed up with the ridiculous amount of spam I was getting at my primary address. I sent a note to the people I give a crap about, telling them that my primary address would henceforth be a new account I had created in my own domain.

I explicitly begged them not to give the new address to "those stupid send this cool page to a friend" sites. Set up filters in my email client to segregate the old address, and so far, so good, although my Mom gave the new address to an e-greeting card site. Fortunately, the site in question doesn't harvest addresses, and I (respectfully but frantically) pointed out to her that e-cards fall into the "stupid" category, and told her how to make up a disposable address for greeting cards, using my domain name.

Having to go to these lengths to to keep my inbox clear of spam makes me homicidal.

Re:Kudos to SA.

[cicho]

The parent is not "insightful" - it's shallow. If you're going to be so protective of your email address, you might as well ditch it altogether.

I work as a freelancer. My website hosts my CV, as do several online databases, where companies go to look for people of my profession. The CV of course includes not one, but several of my email addresses, because, in the long run, this translates directly into payable work.

I write software for fun (not profit). I even do email support, so my email address is again right there in plain html, and displayed by every software archive site I've ever uploaded my stuff to.

But this is the point of having an email address in the first place, isn't it? I could be as protective of it as the parent suggests, except by doing so I would lose much more than I am losing now (in terms of time and net-related costs). But to me, it's not only a matter of give and take: I refuse, on principle, to obfuscate my email address; I refuse to give in to spammers. When people start to hide their email contact information en masse, then spammers have won and email has become usleess.

Re:Illegal?

[meringuoid]

Why does everyone in the USA assume that everyone else in the world will somehow obey US law when it is made "illegal"?

Because the vast majority of spam is sent by Americans, advertising products sold by other Americans and hoping to sell them to still more Americans. The fact that the spam is sent via open relays in Korea or bulletproof accounts in China, and received in Europe or Australia, is neither here nor there. Ralsky, for instance, lives in America, regardless of where the spam is routed; indeed, _his_ location is very well known nowadays ;-)

Re:Techical Solutions Are Required

[yakko+nef]

This is a horrible idea. I use email on a daily basis just to send myself notes. If I think of something at work I need to do at home, or vice versa, I send an email to myself instead of writing it down. Implementing a system which would require me to pay to talk to myself is bad. I already pay for my internet connection to be active telling me I have to pay an additional fee to use it is stupid.

Re:NO NO NO - for a different reason

[JonTurner]

>>1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited

Don't we ever learn from the past? We've all seen the unintended consequences of poorly-crafted legislation (e.g. DMCA), so why run to the shelter of more restrictions which, in the end, will only cause us more problems? Like the criminals trying to scam your mom with the Nigerian-hold-my-money-for-a-day scam are going to suddenly begin obeying the law... yeah, right. Which begs another question: what law, in what jurisdiction? Even if the US were to pass this law and ruthlessly enforce it (domestically), all scammers would simple flood us from offshore servers.

The solution is not legislation, it is the creative use of technology. Build software that "learns" what is spam and what isn't, then evolves to keep up with the changing tactics of the spammers. Something like PopFile

Re:Always with the legislation...

[KjetilK]

Spam is a technical problem,

No, it is not. It is a social and economic problem.

1. Spammers do not have the social intelligence to see that what they are doing is destructive.
2. Spammers, at least some of them, are making money.

That's why you can't come up with a technical solution, because it isn't a technical problem.

Making it impossible to forge headers is not going to solve any of the problems above. It will only make it easier to report spam to ISPs, but it will not pressure them more to whack the spammers.

You can take technical measures to shift the cost onto the spammer, but if you do that, you must consider the side-effects.

Frankly, I think laws are the solution. But given clueless legislators, we have to write the law.

Re:illegal

[fmaxwell]

1) use a "throw-away" email address when including them in your resume.

Most people can't even deal with a single address.

2) develop a more friendly "white list" system that makes it easy for you to "open it up" for your potentual employers. So when I send mail out to someone important, I'm just one click away from adding them to my "white list".

Listen Miss Cleo, you have no way of knowing who will respond to your resumé. It might be a company that you send it to. It might be someone at that company working from home. It might be someone at another division that you did not know about. If your resumé was posted on a web site, it might be anyone responding.

Come on guys, I thought /.ers were nerds and knew how to write programs.

My mail server and e-mail processing software implement filtering that would probably make your head spin. Despite having dozens of e-mail accounts and three different domains, I probably see less the one percent of the spam that's sent to my domains. I have autoresponders for retired addresses, auto-complaints for mail from Brazil (to mail-abuse@nic.br), and I use multiple blacklists. Some of my e-mail addresses accept blind copies from untrusted senders and some do not.

But the spam problem needs to be solved for everyone, not just computer geeks that hang out on Slashdot. When the risk of fines and jail time make it unattractive, then we will have really solved the problem.