Slashdot Mirror

← Back to Stories (view on slashdot.org)

NYTimes: Tangled Up in Spam

Posted by michael on from the spam-musubi-is-good dept.

ezekieldas writes "Congratulations to the SpamAssassin developers and community! There's a mention of SA in the NYTMag as "one of the best tools for network administrators..." in an extensive article entitled Tangled Up in Spam. The article is quite substantial and the author, James Gleick, is more technically educated than what we've come to expect from the big press. Central to the story is the complexity in dealing with spam effectively in both technical and legal terms and the confusion it brings upon the neophyte. The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited."

13 of 394 comments (clear)

  1. At last by Mourgos · · Score: 5, Interesting

    now that it has been advertised in NYTmag, more people will become aware that spam is something they can actually stop. Can't wait for the new tricks spammers will use to disable anti-spam programs.

  2. Illegal? by waytoomuchcoffee · · Score: 5, Interesting

    The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited

    Why does everyone in the USA assume that everyone else in the world will somehow obey US law when it is made "illegal"?

  3. MIT's Post Servers... by g_arumilli · · Score: 5, Interesting

    now use SpamAssassin. Basically, a set of new headers is attached to the e-mail of the form X-Spam-foo, and if X-Spam-Score is 7.5 or greater (on a scale of 10 I believe), then X-Spam-Flag is yes. It's really useful for sorting out spam quickly, and I haven't gotten a false positive yet...It doesn't get all of the spam, but it gets the vast majority of it...

  4. Always with the legislation... by Sheetrock · · Score: 4, Interesting

    Spam is a technical problem, so why can't we come up with a technical solution? For example, it should be impossible to forge headers, not illegal. Why rely on a legal solution from many of the people who have brought us such brilliant solutions as the DMCA and the CDA in the past when all that's required is what our community has always been good at: sitting down and thinking things out?

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.




    1. Re:Always with the legislation... by TGK · · Score: 5, Interesting

      I'd say the best technical solution I've seen to breaking the SPAM system is the use of the internets distributed nature against the spammer.

      Consider the following. We all access the internet from a fixed and typicaly small number of physical and virtual locations. Were we to map the internet as a whole, starting from any given location the map would look like an expanding cone.

      In short, almost all of the traffic from a given point flows through a very small number of servers and routers at some point close to the source.

      Since spam messages are sent by the millions and it is fairly easy to determine what messages are likely to BE spam why not set up a filtering system on the routers that determines the rough content of a message based on both its Spam Precentage and the number of identical messages sent.

      I.E. If the router sees 500,000 messages of nearly identical content with a 89% spam rating it blocks all of them. If it sees 44 messages with a 23% spam content it lets them through.

      Thoughts anyone? I'm sure this idea has gaping flaws in it... what would have to be chnaged for it to work? What are the critical flaws? Is this a viable model or am I missing something major?

      --
      Killfile(TGK)
      No trees were killed in the creation of this post. However, many electrons were inconvenienced.
  5. Interesting free speech point by jenkin+sear · · Score: 4, Interesting
    Towards the end of the article, Gleick makes a really interesting point- he says that as commercial speech, spam isn't entitled to any particular first amendment protection:


    The Supreme Court has made clear that individuals may preserve a threshold of privacy. ''Nothing in the Constitution compels us to listen to or view any unwanted communication, whatever its merit,'' wrote Chief Justice Warren Burger in a 1970 decision. ''We therefore categorically reject the argument that a vendor has a right under the Constitution or otherwise to send unwanted material into the home of another.''


    Looks like we have the supremes on our side; if we could just congress to issue some letters of marque and reprisal on the spamhausen, we'd be getting somewhere...
    --
    What a strange bird is the pelican, his beak can hold more than his belly can.
  6. Techical Solutions Are Required by esme · · Score: 4, Interesting
    As much as I'd like to see spammers prosecuted for fraud (and think making various deceptive tactics illegal is a good short-term approach), legal and social approaches are doomed to failure. The number of people you can spam is so vast, that even if only one in a million takes the bait, it's still profitable -- that's a powerful economic imbalance that you don't find anywhere else. And it's going to make people forge headers, spam from overseas, etc. to get around any legal and social roadblocks.

    I think that breaking that economic model -- ending the reciever-pays system for email -- is the only way to fix spam. If you had to pay some amount of money -- event 1 cent -- for each message that is delivered, spam would stop being economical. And that's the only thing that's going to make it stop.

    -Esme

  7. Re:SpamAssasin in large corporate use? by Webratta · · Score: 4, Interesting

    I don't work for a large corporation, but a state-wide ISP. I asked my boss, the chief technical officer of the company, why we weren't using Spam Assassin. He replied that while it is a very neat program and does a great job of filtering spam, the performance just isn't quite there yet. He's of the mindset that it needs some tweaking still before it can be a competitor to commercial products like what Brightmail offers.

    Personally, I'd like to see more companies using SpamAssassin just to prove that it can stack up against other products, because I think it can work well if it's configured properly and you use spamd. I use it on my mail server at home and at last check it catches 98.2% of all spam message sent to my machine, and I haven't had any false positives since I set up my whitelists.

    --
    Beef! Beef! Beef!
  8. Another cool anti-spam tool by yiingineer · · Score: 5, Interesting

    I've been using Cloudmark's SpamNet for the past few months and it's been working quite well.

    The smart thing that SpamNet does, is that it relies on its users to determine if something is spam or not. If some email lands in your inbox and a few hundred SpamNet members have proclaimed it spam, it most likely is, and it gets immediatly filtered out. This has the net effect of a few user's needing to filter out a few message ocassionally, while the vast majority of messages are filtered out for all users. Although SpamAssassin seems quite good, it's still based upon filtering rules and spammers are constantly tweaking their emails to try to get around them. Since people are still better at determining what's spam and what's not, I find that its accuracy is generally better.

    SpamNet isn't perfect though, as far as I know, it only works with Outlook on Windows and doesn't have a Unix, Linux or Mac version. It also sometimes filters out valid bulk mailings, but overall, I would definitely recommend it.

  9. I rarely ever get spam. by cpaluc · · Score: 4, Interesting
    Heres how:
    1. Spend 10 bucks, buy a domain name (eg xyz.com).
    2. Set up a few email aliases to point to your real email. eg:

    joe@xyz.com ---> you@hotmail.com

    temp123@xyz.com ---> you@hotmail.com

    spam123@xyz.com ---> you@hotmail.com 3. Never give out 'joe@xyz.com' to anyone except friends/family.
    4. Use the other emails for signing up for things on the web or in usenet.
    5. When you get your first spam addressed to 'temporary21@xyz.com', delete the email address (no more spam from that source!).

    I find this method works extremely well. By using aliases in this way you effectively hide your real mailbox. Even if your hotmail account starts receiving spam you can just get a new one and point your aliases at it. Also, if you change ISP you don't need to change your email address.

    If you use it to forward to a hotmail account it might be better if the hotmail account name isn't a dictionary word or name (ie. use a random string for an account name that the 'bots won't guess.

    You're screwed if your 'trusted' address gets out there but if you're careful you'll at least get much more use out of it before needing to kill it.

    1. Re:I rarely ever get spam. by LocalH79 · · Score: 4, Interesting

      Spamgourmet does exactly what you propose, and is much more effective.

  10. Re:Kudos to SA. by domninus.DDR · · Score: 5, Interesting

    Ive tested something similar to this. Make a hotmail account with jibberish (rand(), 8 char isalnum() strings is what I used) for the name and see how long it takes to get spam. Out of ten tries my average was about 3 days.

  11. A new breed of email is on the horizon by mcrbids · · Score: 4, Interesting

    If we can pull it off.

    With Bind 9, we finally have a decent, working implementation of DNSSEC. This will allow for a new breed of secure, verified websites and email, and (Finally!) makes a RBL actually mean something.

    How's that you ask?

    Well, one of the biggest problems with SPAM is the forged header, open relay issue. It's a complicated issue, and one that doesn't have an obvious, "in your face" kind of answer.

    DNS is designed to tell you where to go, and SSL/Certs make sure that you got there. Why aren't they joined together? The fact that you are the DNS server for a domain makes it clear and obvious that you are an authoritative designator for where you are supposed to go - why have this wholy separate and dis-jointed SSL/Cert that can't even be made to work consistently?

    If an ISP can issue DNS-SEC certs with impunity, we might actually see a reason to have encrypted and ISP certified email.

    And suddenly, the ISP is back in charge again, able to validate every email going out as coming from one of it's customers. Revoke the cert and their email becomes unreadable.

    Now, we have an email system with a powerful mechanism built in that is:

    1) Standards compliant
    2) Easy to implement
    3) Clearly laid out
    4) Cheap
    5) secure
    6) private - using the ISP's cert to identify yourself doesn't mean that the ISP can read your email! (like they can now - the command is "mail -u _username_")

    What's not to argue with? The issue of locking down an open relay becomes a non-issue - an ISP could simply identify an "s-mail" server (secure mail) that will only relay for those holding a valid cert at that ISP.

    Roaming wouldn't be an issue, nor would open relays or forged headers.

    A brave new world? Yep. One I'd like to live in? Yep. One that's coming? We can only hope...

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.