NYTimes: Tangled Up in Spam

ezekieldas writes "Congratulations to the SpamAssassin developers and community! There's a mention of SA in the NYTMag as "one of the best tools for network administrators..." in an extensive article entitled Tangled Up in Spam. The article is quite substantial and the author, James Gleick, is more technically educated than what we've come to expect from the big press. Central to the story is the complexity in dealing with spam effectively in both technical and legal terms and the confusion it brings upon the neophyte. The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited."

IN SOVIET RUSSIA

[Joey+Patterson]

Spam entangles YOU!!!

Tangled in shoes

[Want+Some+Shoes]

I'm tangled in shoes!

Kudos to SA.

[clueless123]

I been using Spam assassin for a while now, it is sad to say, but email would be almost unusable with out it.

Re:Kudos to SA.

[WowTIP]

I been using Spam assassin for a while now, it is sad to say, but email would be almost unusable with out it.

But how do people get on the spam-lists to begin with? I mean, I have one email address for work and one private. Neither one of these gets more than one spam/month. Ever. The (obvious) reason for this is that I never use these addresses "in public" (web forms, online buying, etc.), for that I have my spam-collector, the Hotmail account, which do recieve a lot of these messages.

But then, I would guess that most people have been warned not to use their "real" mail address for the hazards I mentioned, making them as careful with their addresses as I am with mine. This would contradict my mesures beeing that effective when others still seem to get massive amounts of spam?

Am I just incredibly lucky with my two "real" email addresses?

If you took the same precautions I did, how do you think you got into the spam-generals addressbook?

Re:Kudos to SA.

As soon as I put my email address on my web page I started getting spams from those pesky nigerian millionares.

Re:Kudos to SA.

[MeanMF]

But how do people get on the spam-lists to begin with? I mean, I have one email address for work and one private. Neither one of these gets more than one spam/month. Ever.

If you email address is simple (e.g. first initial+last name+some number) and your domain name is that of a public ISP, then there's an excellent chance that the spammers will find you regardless of whether or not you ever use the address. Email addresses at work tend to be safer because spammers usually don't bother guessing at addresses in domains with so few valid mailboxes.

Re:Kudos to SA.

[domninus.DDR]

Ive tested something similar to this. Make a hotmail account with jibberish (rand(), 8 char isalnum() strings is what I used) for the name and see how long it takes to get spam. Out of ten tries my average was about 3 days.

Re:Kudos to SA.

[Corvaith]

With Hotmail at this point, I think they can just *use* gibberish and usually get through to someone.

Re:Kudos to SA.

Oh, they'll get through ...even if it's only another spammer.

Re:Kudos to SA.

[bubblegoose]

I felt the same way you did until about 6 months ago. I went two years without Spam. Then a coworker thought he would fill out one of those forms on a web page to have the site send me a link to the page. You know the "send link to a friend" that shows up on some pages. Some joke site I think.

From that point on the crap has hitting my mailbox, about 10 per day.

I still haven't figured out how to thank him for that damn link that started it all.

Re:Kudos to SA.

[jesser]

The (obvious) reason for this is that I never use these addresses "in public" (web forms, online buying, etc.), for that I have my spam-collector, the Hotmail account, which do recieve a lot of these messages.

One of the major costs of spam is that people are afraid to make their addresses available, making it much harder to contact people. I think it's sad that many geeks have become so used to spam that they think anyone who posts their e-mail address on a web page is stupid. Some geeks even go as far as to blame friends for spam they get when a friend isn't as careful with the geek's address.

Re:Kudos to SA.

Find some random gay porn sites, and _accidentally_ sign him up for them.

Works everytime. :D

Re:Kudos to SA.

[Jucius+Maximus]

"I felt the same way you did until about 6 months ago. I went two years without Spam. Then a coworker thought he would fill out one of those forms on a web page to have the site send me a link to the page. You know the "send link to a friend" that shows up on some pages."

I am wary of these thnigs too. I have various 'levels' of e-mail addresses. The actual real pop3 address practically nobody gets, except my parents, and a few technie friends. All of these people know better than to abuse an e-mail address.

The 'next' address is what most people I know get.

The webmail addresses are what I use if I do something related to 'the unwashed masses' . Those can get filled with spam, I don't care. I only check them once every few days.

For anything that is shown publicly, I always anti-spam-armour it, and make it some sneakemail address or unique address for my domain name.

Due to this strategy, I only get 3-4 spams or so per year.

Re:Kudos to SA.

[MacAndrew]

It's a matter of time.

Almost all my email woes are due to some stranger named "Johnny" who opted-in to a mail-me-crap list about three years ago.

I got a tolerable amount of messages to "Johnny" for a couple of years. Naturally unsubscribe requests got nowhere. Then, perhaps with the declining economy, it exploded. That address and "Johnny" are probably burned on some CD somewhere.

I get almost no spam otherwise. It's all to Johnny. (I tried to track him down, but he'd lost his job. For a while I had the system fowarding copies of his spam to him. Hmm.)

I did get a form of blind spam to me as adminstrator@[mydomain] and billing_contact@[mydomain]. It was the usual porn and getrichquick stuff. So that all gets blackholed alog with johnny. At least my spam is easy-to-identify, but I figure someday someone's gonna squeal. I've gotten a spam or two thanks ot a company I did business with and which went bankrupt. I know I didn't opt-in to anything there, because I never do. Thanks guys. Who do I complain to?

Re:Kudos to SA.

[jafiwam]

Heh. I assume you are honestly asking and not bragging about how little SPAM you get to make me jealous...

Here are the vectors for getting on lists that I know of;

- using a valid email address in newsgroups
- using a valid email address on a web page
- using a valid email address in form properties in a web page
- using a valid email address on a mailing list or web-forum
- using a valid email address for domain registration contacts
- using a valid email address to sign a web page up for a search spider
- having an email address that can be "brute forced" (i.e. almost all of them)
- your pal puts an email address in an "e-vite" or "e-greeting"
- getting a virus that spreads via email

And above all, being naive about the workings of the Internet, when only a few weeks of ignorance will permenently get the address out there "in the wild". Just about everybody is this at one at one time or another.

Some people cannot avoid having email addresses hung out there on the Internet, so getting on the lists is more or less inevitable if you are doing business or communicating on the Internet in any meaningful way. Since I cannot ignore what comes in the boxes I run, I MUST sort through whatever arrives. That makes SPAM a big issue for me.

Your usage of your email addresses is probably typical (not on web pages and so on..) but you are probably fortunate to both be clueful about it and not dealing with your email address publicly available out of necessity.

Re:Kudos to SA.

[IvyMike]

If you took the same precautions I did, how do you think you got into the spam-generals addressbook?

Co-worker unknowingly installed spyware on their computer which harvested my email address out of their email software address book. Sucks.

Re:Kudos to SA.

But how do people get on the spam-lists to begin with? I mean, I have one email address for work and one private. Neither one of these gets more than one spam/month. Ever.

Yes, that works to some extent. But spammers now will just guess email addresses. They try all sorts of common names when connecting to a SMTP server, until some work. You can disconnect them after a few bad addresses, but it's hard to stop.

Re:Kudos to SA.

[walt-sjc]

I've been using the same email address before spam really started. Back then, you didn't worry about giving out your email address. I had also registered several domains with my email address as the contact. That was back in 94. That email account is pretty useless now getting about 150 spams on an average day. It has an auto responder on it pointing people to a web form that they can use to email me to get my new address which doesn't get any spam (yet.) When my current address gets trashed, I'll probably have to do the same thing.

The problem is that spammers are still using my (and my ISP's) bandwidth as long as I use an autoresponder, which I want to do for obvious reasons.

BTW, even though SA is pretty good, it's not perfect. Depending on the settings, either I still get spams through or legit email gets nailed as spam. Some of the newer spam is so simple, just a short sentance and a URL, that it can't be realistically filtered.

Re:Kudos to SA.

[daveq]

Of course there are also those wonderful friends who send a bulk-ish email that doesn't hide the addresses of the thirty recipients. One of them is bound to be an account at freemail.com.

Not only does your spams-per-hour count begin to rise, but you have to suffer the geek's frustration: How could you have a friend so mind-numbingly ignorant of technical manners?

Every time I set up a new email address ("Okay, this one will be spam-free. Really.") spammers find a way to get it, whatever I may do to prevent them. It only takes one leak.

Re:Kudos to SA.

[SpikeSpiff]

The problem here is that spam comes from interactions with reputable sites and vendors.

It leads to walking a delicate line between keeping a "good" email address secret, and receiving emails that I want to get.

Examples of ambiguous sites:
E-commerce
Online resume posting
Legitimate content sites
/.

I want to get email from slashdot, except when I don't. Certainly, I want to receive email from amazon when my books ship.

Re:Kudos to SA.

actually, i don't think SA is all that great. frankly, i found running my own mailserver and blocking anything that's listed on ordb.org much more effective. for the rest, i still use SA, but i prefer blocking that crap as early as possible...

Re:Kudos to SA.

[Doom+Ihl'+Varia]

"The actual real pop3 address practically nobody gets, except my parents, and a few technie friends. All of these people know better than to abuse an e-mail address."

Are your parents willing to adopt or would you consider a trade?

Re:Kudos to SA.

[qengho]

send link to a friend

A couple of months ago I got fed up with the ridiculous amount of spam I was getting at my primary address. I sent a note to the people I give a crap about, telling them that my primary address would henceforth be a new account I had created in my own domain.

I explicitly begged them not to give the new address to "those stupid send this cool page to a friend" sites. Set up filters in my email client to segregate the old address, and so far, so good, although my Mom gave the new address to an e-greeting card site. Fortunately, the site in question doesn't harvest addresses, and I (respectfully but frantically) pointed out to her that e-cards fall into the "stupid" category, and told her how to make up a disposable address for greeting cards, using my domain name.

Having to go to these lengths to to keep my inbox clear of spam makes me homicidal.

Re:Kudos to SA.

[Fwonkas]

If you email address is simple (e.g. first initial+last name+some number) and your domain name is...

Tell me about it. I deal with that a lot. I mean, look at my email address. It's nice to have a simple one like that, but the amount of spam I get is ridiculous. 100+ a day. I also strongly suspect a particularly bitter ex-girlfriend of signing me up for all sorts of crap. I know she got my email into initial circulation with those damn "Someone's got a crush on you" crap. That's about when I started getting unreasonable spam, about 2 years ago.

On the bright side, OS X's Mail.app has an extraordinary spam filter. Very few false positives (about 2 in a couple months, I think). The occasional spam slips through, but only a couple a week. Considering the amount I get, it's been a great relief.

And to all you damn spammers out there, I don't know who the hell "JOE BLACK" is, unless you think I bear a strinking resemblance to Brad Pitt. In which case, thanks for the flattery, but fuck off.

Re:Kudos to SA.

[dJCL]

I get some of my address scraped off my sites. I posted on a site that was not really off the starting block yet an address and now get spam at it.

One solution I like: Go to OSnews.com and scroll to the very bottom. Click the last link on the page, the "notice to buld e-mailers" and there is a nice part about the billing the mailers. I'm implementing that soon. I also have a system in the works that gives a different e-mail address to each harverster and logs the address, but that is more for kicks than useful.

Best solution on the inbox - bayesian spam filter - dropped one onto my inbox and immediatly started losing spam, no false positive, few false negative(1-5%) and I can check if I missed something by looking in my "spam" folder.

My suggestion for a total solution: Rebuild the infrastructure for e-mail from scratch, recode it and re-design it. Create a trail that can be tracked, if the headers are forged, then it is detected and refused, make it so that the spammers have a hard time, but the user does not... Can it be done? I don't know, I'm not that good... Could it be tried, I'd suggest it, Having 2 locations to contact someone is not new, we just need to start somewhere.

Enjoy

Re:Kudos to SA.

[Analysis+Paralysis]

Pop over to the Scientology website and do one of their "on-line personality tests" in your friends name...for his profession put down "Venture Capitalist" or something else that suggests loadsamoney.

Did this for Alan Ralsky - wonder how much snail-mail spam he's received from them so far?

Re:Kudos to SA.

[FuzzyBad-Mofo]

If you ever put your resume on a job-seeker board, prepare for an onslaught of spam. It's a catch-22: You want your email address to be seen by a potential employer, unfortunately the spammers can easily scrape the sites for their email addresses. These bastards are truly the lowest forms of life.

Re:Kudos to SA.

[nelsonal]

I used my good address to buy something on ebay and paid via paypal, one of those two or the seller, or ebay's listing of addresses got my name on several lists. That and shortly thereafter I drank the punch and did a survey for a DVD for Colonize.

Re:Kudos to SA.

[cicho]

The parent is not "insightful" - it's shallow. If you're going to be so protective of your email address, you might as well ditch it altogether.

I work as a freelancer. My website hosts my CV, as do several online databases, where companies go to look for people of my profession. The CV of course includes not one, but several of my email addresses, because, in the long run, this translates directly into payable work.

I write software for fun (not profit). I even do email support, so my email address is again right there in plain html, and displayed by every software archive site I've ever uploaded my stuff to.

But this is the point of having an email address in the first place, isn't it? I could be as protective of it as the parent suggests, except by doing so I would lose much more than I am losing now (in terms of time and net-related costs). But to me, it's not only a matter of give and take: I refuse, on principle, to obfuscate my email address; I refuse to give in to spammers. When people start to hide their email contact information en masse, then spammers have won and email has become usleess.

Re:Kudos to SA.

My address was spam free for a couple years - then a friend CC'd me to a large group of people (instead of BCCing). He emailed me about his band playing. That week I got a few other emails for bands in his city (on the other coast from me). Of course they got it from my friend's CC list.

Now, about a year later, my spam has increased to about 5 or 6 a day.

Re:Kudos to SA.

[Jace+of+Fuse!]

How could you have a friend so mind-numbingly ignorant of technical manners?

What pisses me off is when you try to explain to them why what they've done is such a big deal, they get frustrated and say "Shesh, it's just e-mail, get over it."

Dipshits.

Now I have an e-mail address nobody at all has except for maybe 6 very computer literate people. The rest of the world can blow me.

Anyone else that needs to contact me can contact me through one of the various instant message protocals. I refuse messages from people not on my list, so spam there is non-existant.

Re:Kudos to SA.

[Kalani]

These bastards are truly the lowest forms of life.

I find it amazing that you seem to have forgotten about eg: muggers, carjackers, etc.

Re:Kudos to SA.

[Aleaxander]

That is exactly the problem I had (though it was an address from '97), and I had the same solution. I have given my e-mail address out for years, to people in different parts of the world, and I always said that if they could remember the domain name that I own, an e-mail with almost any variation of my name would get to me. That was before SPAM. The days where I received 100 or more e-mails left me pulling out my hair, and god forbid the occasional week long trips or long weekends where I was not able to check my e-mail. For awhile I had two e-mail clients set up so that I had to scan my e-mail twice, just so I was sure I was not accidently deleting real e-mail (you know, you sort of zone-out hitting the delete button).

Anway, not wanting to miss an e-mail from an old friend somewhere in the world, I realized that setting up an automatic form letter e-mail reply telling them to go to a website-form where they could request my real e-mail address was the solution. I know that none of the spammers are getting that form reply (it simply says, "Sorry, but you've sent an e-mail to my junk mail account. Your e-mail will never be read.") but anyone who really cares will, and they will be able to track me down.

Here I tought I was the only one with this idea : )

Re:Kudos to SA.

rand(), 8 char isalnum() strings is what I used

That's an obvious first try algorithm. Perhaps the spammers used the same one?

Re:Kudos to SA.

[sporktoast]

I can think of one vector you forgot.

Having friends or relatives who forward glurge, petitions, or chain emails without using BCC or chopping the headers.

Eventually they can get forwarded into the hands of a spammer who harvests all the addressess in the header.

Re:Kudos to SA.

[Scarblac]

But then, I would guess that most people have been warned not to use their "real" mail address for the hazards I mentioned, making them as careful with their addresses as I am with mine. This would contradict my mesures beeing that effective when others still seem to get massive amounts of spam?

I refuse to stop using my real address wherever I want to because of spam. So the email address above this comment is my real home mail address. I also use it on Usenet (but I stopped posting). People who want to reach me must be able to do so, a bit of spam won't kill me.

That said, the guy who runs the incoming mail server here is rather aggressively anti-spam, dropping subnets when the only mail they ever send is spam, using RBL lists, etc. I get at most 10 spams per day. And I expect a lot of Mozilla's soon to be released spam filter.

Re:Kudos to SA.

[bluelan]

My mother-in-law sent me an online greeting card. That was the end of my spam-free days.

Re:Kudos to SA.

[jetmarc]

> I never use these addresses "in public"

I receive a lot of spam (50-100 msgs/day) on my "real" account (not the Hotmail one). This account is up since ~1991 and was frequent participator in usenet and mailing lists. Spam was not an issue back then, everybody had realnames and even home phone numbers in their postings/signatures. I still keep this account alife, because I hate it when people give out email addresses just to disconnect them a year later.

Re:Kudos to SA.

[tcr]

I've been through all your vectors at some time or another, and can appreciate your difficulty...

I have a number of domains, all reserved for projects (that mostly never get started :)

I don't want to ignore any mail, really, so I forward all of them to a spamcop.net address that I have. My spamcop account then forwards "clean" mail on to a mail server I have, which creates copies of the messages in mailboxes for different uses (laptop mail, desktop mail, mail archive, webmail/WAP access).

So far, the arrangement works pretty well - so I can recommend putting a filter in the chain somewhere.

Spamcop is also nice because you can look at your held mail messages through the web interface, and queue them all for complaint before wiping them.

Re:Kudos to SA.

[WowTIP]

If you're going to be so protective of your email address, you might as well ditch it altogether.

I don't know what you read into my post. I am not that protective about my addresses, I am not just using them when not necessary or outright foolish.

But this is the point of having an email address in the first place, isn't it? I could be as protective of it as the parent suggests, except by doing so I would lose much more than I am losing now (in terms of time and net-related costs). But to me, it's not only a matter of give and take: I refuse, on principle, to obfuscate my email address; I refuse to give in to spammers. When people start to hide their email contact information en masse, then spammers have won and email has become usleess.

Point taken. But, is the address you send along your free software the same you use for communicating with family and friends? If not, you are principally using the same means as I do.

Re:Kudos to SA.

[will_die]

Besides pulling them for mail lists and other things, such as random generations and using know username with other domains.
Count yourself luckly they don't have your address, but if you say you don't get anything means you probably have a wierd name or address, but thoses spammers are percistent. When I got my past cable connection they had turned on the e-mail address of Friday, on Monday the installers came over and hooked it up, I checked my mail and already had spam.

Re:Kudos to SA.

[FuzzyBad-Mofo]

Alright, we'll put spammers right before the father-rapers, muggers, and carjackers. Happy?

Re:Kudos to SA.

[gandy909]

Don't leave out politicians and lawyers!

Re:Kudos to SA.

[Eggplant62]

But how do people get on the spam-lists to begin with? I mean, I have one email address for work and one private. Neither one of these gets more than one spam/month. Ever. The (obvious) reason for this is that I never use these addresses "in public" (web forms, online buying, etc.), for that I have my spam-collector, the Hotmail account, which do recieve a lot of these messages.

Excellent point. However, I believe the real question is:

Who are the idiots who actually respond to spam email advertisements and buy the products associated with them?

Until that question is answered and the offending parties identified and re-educated as to the fact that buying from spamvertisers is a huge no-no, the spam problem will not go away.

Take the Boulder Pledge!

Re:Kudos to SA.

[cweber]

I refuse to stop using my real address wherever I want to because of spam.

Congrats, man! I am of the same opinion. And like you, I have a vigilant network admin who blocks spam senders and abused open relays. That makes the remaining amount of spam manageable. So maybe I am lucky, but as a matter of principle I refuse to give up rights, freedoms and territory to the bad guys because it is thought to be prudent to do so. It is not.

Re:Kudos to SA.

[msoftsucks]

Hotmail and other ISPs (namely AOL) sell their membership lists to make additional revenue. Their terms prevent such spamming for ordinary users, but they have other classes of users for which they charge a higher rate for the priveledge to spam. When you buy one of these accounts, you also get access to their membership.

Re:Kudos to SA.

That is so wrong. I have been trying to get myself removed for almost 4 years from their lists. Every time one of the groups removes me, I start getting mail from another division. This has lasted through 5 moves, and 3 different states. Once, I didn't even forward my mail, and moved from Texas to Washington. They still found me.

At last

[Mourgos]

now that it has been advertised in NYTmag, more people will become aware that spam is something they can actually stop. Can't wait for the new tricks spammers will use to disable anti-spam programs.

Re:At last

[qengho]

Can't wait for the new tricks spammers will use to disable anti-spam programs.

Wait no more. I got a spam today that purported to be an apology for how the sender got my address, something like "so sorry, but these stupid porn sites like [link] must have sent me a virus. I can't believe my kids are visiting sites like [another link] even though I never go to sites like [yet another link], blah blah blah."

I have to admire the creativity of spammers even as I wish for Bad Things to happen to them.

Re:At last

[The+Mgt]

But even if you use a filter such as SpamAssassin you still receive the spam. Even if it ends up in a different folder or is automatically deleted the spam has still been sent, the bandwidth and cpu time has still been wasted.
In a way it's just ignoring the problem.
If you want to forward your spam to Spamcop or similar you still have to actually look at it to be sure, and it's this approach which is more effective in making life difficult for spammers.

Re:At last

[H310iSe]

Ugh, not spam cops - those guys, I think, have become a little unhinged in their anti-spam hatred and have developed some kind of a demigod complex as a result. I helped run a mailing list generated from submissions to a website - they sent out mailings to people who opted-in for various sex clubs (I know, but sex does not automatically equal spam). We never hid who we were, where we were sending from, we told everyone why they got our mail (because they signed up at the website) and had a valid reply-to address as well as an unsubscribe feature.

Someone sent an email from us to spamcops saying we were spamming - I checked our logs and in one day one person sent us 4 unsubscribe requests - they never got another email but I wonder if it wasn't them. Anyway, we were totally shut down with no warning, two different sites (one hosted the website the other hosting the email program) yanked off the internet when spamcops complained to our ISP.

This is downright stupid. One, anonymous complaint (never did find out who did it so we couldn't very well remove them from our list!) and all our websites, over a dozen, art galleries, political sites, stores, and some 'adult dance club' sites (you do what you can to make clients now...) all went down. No warning. And no apologies from our ISP or spamcops when we pointed out they pulled our service with absolutely NO research, no attempt to contact us, no evidence whatsoever other than a sole complaint which could have been posted by anyone (um, competitors to the adult club jump to mind).

My ISP (Speakeasy) eventually got someone in touch with us who really did nothing more than empathize with how angry we were and promised to try and not do it again. That's it. There's a movement afoot to try and reign in this sort of insane overkill, one story here and an a nascent organization against overzealous antispammers is here.

For the record, we did not have confirmation on our opt-in list so theoretically someone could have signed up another (say a priest or something) for our mailing lists. We never got more than a couple new registrations a day so there was no systematic abuse, still, we fixed this and added confirmation (using mailermailer.com, I'm very impressed with them so far) after the complaint (no need to knock us off the web to get our attention, a simple email would have done) and, as I said, we had valid contact info if they had only bothered to ask...

Anyone else been a 'victim' of crazy blacklist providers?

Re:At last

[winnetou]

we told everyone why they got our mail (because they signed up at the website)

How did you know they signed up at the website? For your information, almost all pr0n spammer claim the spammee signed up at a website.

Anyone else been a 'victim' of crazy blacklist providers?

Sure, lots of people who think they can use any mail address they can lay their hands on, as a dump for their advertisements. You did not ask for permission to fill those mailboxes, you did not even know whether you were spamming minors with your pr0n.

Re:At last

I know, but sex does not automatically equal spam

we did not have confirmation on our opt-in list

You are part of the problem. It's not the non-subscribed subscribers' obligation to treat you nicely and politely request to be taken off your list. It's your obligation to get it right. Spam has been a problem for many years and it's constantly getting worse. Starting a websubscribed mailing list without confirmation is as ignorant as you can get these days. Porn sites come and go a dozen a second. They do this to hide their usually questionable modus operandi, part of which coincidentally is SPAM. Don't expect anyone to think "hey, another porn SPAM, lemme check if these guys made an honest mistake."

I'd feel inclined to join the lament about overzealous anti-spam-activists, but whenever someone complains about their actions in public, it's someone who obviously acted like a bull in a china shop and got what he deserved. The valid criticism on the other hand always stays in the realm of theoretical abuse scenarios.

Re:At last

[ajs]

There's not much that they're going to be able to do circa the release of the new SpamAssassin, which can personalize itself to a user's mail by training a bayesian filter based on the results of all of the other SA tests. I'm using the CVS version now, and have the following 3 behaviors implemented in prcomail based on the SA results:

1. If Razor2 and the Bayesian filter say it's spam, dump it. Razor2 is much more reliable than R1, and combined with the local "looks like spam", I'm willing to trust the result.
2. If SA scores it above a 20, dump it (amazingly the new version does this on a reasonable percentage of spam, and I've never seen a false positive or even anything that came close).
3. If SA scores it above 4, mark the subject and deliver to me.

This last rule allows me to quickly scan for friends, family and co-workers email addresses and then delete the lot of it (via a virtual mailbox in evolution). Fast, easy, painless.

I also auto-train the Bayesian filter and manually correct it on any false-negatives. It's gotten to the point that I haven't had to do that in a few weeks now.

Re:At last

[tcr]

You couldn't have written a better advertisment for SpamCop if you'd tried... :-)

Re:At last

[H310iSe]

I think the two responses defending spamcops were awsome, it's not every day that something that appears so obviously black to me may appear white to someone else. I truly don't understand how my post is an advirtisement for spamcops. Let's refresh:
1) there was a mailing list of under 3,000 people all of which I believe were on that list because they requested to be on it.

2) we made no attempt to hide our identity, we used standard gateways, had a valid reply-to email address, we were way out in the open (which ironically made us easy targets to get shut down, maybe someone was frustrated with the trying to bust real spammers to they picked on us?)

3) even if someone was signed up to the list without their knowledge that could not have been a widespread practice (the list wasn't that active!) and they had ample recourse. They could have freakin' called us, emailed us, sent smoke signals, anything. everyone who requested to be unsubscribed (we got between 1 - 6 per week or so) were.

4) in case you missed it, we weren't behaving like spammers (fake email headers, etc.) so when someone reported the email as spam, wouldn't it have been logical to think, hrm, maybe we should let these guys know someone complained instead of hrm, lucky for us these guys left us their home address, let's send out the cruise missles?

5) One Complaint Does Not Make Something Spam! This is tyrany of the minority. It's allowing a couple people (the complainer and the secret types at spamcops) to make decisions effecting thousands of other people (the webistes we host and the 3,000 other members of the mailing list who WANT to get the mail we send (I know because we send coupons out which the clubs get back in the hundreds). Come on people, think! this is about as anti-open-process, anti-democratic, anti-intelligent as it gets!

Did we do something wrong by not having a confirmation feature on the sign-up page? Yes, and it was out of ignorance (truly, I didn't think 'prank' signups would be a problem, and they may not have been, I still don't know who complained), not evilness. Is shutting off two sites, 12 servers worth, of internet accounts without a single minutes warning or any attempt to contact us to find a solution (we did implement confirmation about 2 weeks after this all went down) a reasonable response? I don't think so but maybe that's where we disagree?

Re:At last

[H310iSe]

Oh, one last thing, we weren't sending out porn, or advirts for porn sites. The sites we host are for local clubs (you know, lap dance places), they get low traffic (under a thousand hits a month) and a single email goes out once a week which are just coupons for free admission or events announcements. For the record, I took over as network admin and inherited the sites and the subscription services at that time. I didn't make a scene to the managment about the lack of confirmation because, like I said, they weren't getting enough traffic or sign-ups for me to be able to say hey, you should spend $xxx (or $x,xxx) to add confirmation to your mailing lists in case someone signs up a priest as a gag and they report you to spamcops and they shut off our internet service. It wasn't even something that crossed my radar screen given the other problems that existed (technical problems mostly, the servers were a total mess when I got them).

I patch and firewall my servers, code red (and slammer and nimda and all the others) never once made it on to any of them. My mail relays are closed. In all other ways I try to be a responsible net admin and I hate spam as much as everyone else; I was shocked, dumfounded, when all this happened. I still don't see myself as a spammer or vector for spam and I still am not convinced that this was anything other than someone who wanted to get us in trouble (the complaint might not have been valid, that is, the recipient might not have felt spammed).

The response was totally out of character with the offense. It's not so much spamcops that I blame, they get a million emails a day and it's not their job to research each one, it's my ISP who took spamcops word for it w/o even asking us what's going on that really pissed me off.

OK enough venting. Like I said, I'm really interested that something that seems so clear-cut to me could be seen in such a different way by others. Do you really think that the ISP terminating two sites' connectivity w/o warning was an appropriate response? If so, why don't we take everyone who gets infected with the next worm (b/c they didn't patch their servers) and immediately terminate their internet connection at the ISP. OOOH that DOES sound good doesn't it?

Seriously, there's too much authoritarianism masquarading as Good Figh Idealism running around on the web (and in the world) right now.

Re:At last

[meringuoid]

For the record, we did not have confirmation on our opt-in list so theoretically someone could have signed up another (say a priest or something) for our mailing lists.

Ah, so you sent out lots of emails at a time... that's 'bulk' email. And some of the people you sent them to hadn't asked for them... that's 'unsolicited' email. So you were sending 'unsolicited', 'bulk' email. And you're surprised you got nailed for spamming?

Why on earth didn't you have confirmation? If someone had signed me up (maybe out of malice, maybe simply by making a typo when they entered their email address) I wouldn't attempt to unsubscribe, I'd trace the sender and complain to their ISP. It's spam.

Read the story of Nadine to see what can happen if mailing lists leave out this essential confirmation step.

Register

[amentia]

No, I don't want to register!

Re:Register

Every time someone submits a story with an NYTimes link, add them to your enemy list. If enough people do this, people will start to become discouraged from posting anything from NYTimes.

I've gotten rid of 90% of spam

[trmj]

By simply filtering out all e-mails that have the word "Nigeria" in them.

Re:I've gotten rid of 90% of spam

[mcglk]

By simply filtering out all e-mails that have the word [REST OF MESSAGE ELIDED]

For some reason, I couldn't read that. Could you post it again, only inserting <!-- x --> after every character?

Re:I've gotten rid of 90% of spam

[ozbird]

By simply filtering out all e-mails that have the word "Nigeria" in them.

I think they've wised up to that - I seen versions of the scam claiming to be from "Sierra Leone" and "Cote d'Ivoire".

I'll be interested to see how the new Mozilla 1.3 mail filters work, but I don't want to try an alpha release.

Re:I've gotten rid of 90% of spam

>URGENT ASSISTANCE - FROM USA
>
>IMMEDIATE ATTENTION NEEDED :
>HIGHLY CONFIDENTIAL
>
>FROM: GEORGE WALKER BUSH
>202.456.1414 / 202.456.1111
>FAX: 202.456.2461
>
>DEAR SIR / MADAM,
>
>I AM GEORGE WALKER BUSH, SON OF THE FORMER PRESIDENT OF THE UNITED STATES
>OF
>AMERICA GEORGE HERBERT WALKER BUSH, AND CURRENTLY SERVING AS PRESIDENT OF
>THE UNITED STATES OF AMERICA. THIS LETTER MIGHT SURPRISE YOU BECAUSE WE
>HAVE NOT MET NEITHER IN PERSON NOR BY CORRESPONDENCE. I CAME TO KNOW OF YOU
>IN MY SEARCH FOR A RELIABLE AND REPUTABLE PERSON TO HANDLE A VERY
>CONFIDENTIAL BUSINESS TRANSACTION, WHICH INVOLVES THE TRANSFER OF A HUGE
>SUM
>OF MONEY TO AN ACCOUNT REQUIRING MAXIMUM CONFIDENCE.
>
>I AM WRITING YOU IN ABSOLUTE CONFIDENCE PRIMARILY TO SEEK YOUR ASSISTANCE
>IN
>ACQUIRING OIL FUNDS THAT ARE PRESENTLY TRAPPED IN THE REPUBLIC OF IRAQ. MY
>PARTNERS AND I SOLICIT YOUR ASSISTANCE IN COMPLETING A TRANSACTION BEGUN BY
>MY FATHER, WHO HAS LONG BEEN ACTIVELY ENGAGED IN THE EXTRACTION OF
>PETROLEUM
>IN THE UNITED STATES OF AMERICA, AND BRAVELY SERVED HIS COUNTRY AS DIRECTOR
>OF THE UNITED STATES CENTRAL INTELLIGENCE AGENCY (CIA).
>
>IN THE DECADE OF THE NINETEEN-EIGHTIES, MY FATHER, THEN VICE-PRESIDENT OF
>THE UNITED STATES OF AMERICA, SOUGHT TO WORK WITH THE GOOD OFFICES OF THE
>RESIDENT OF THE REPUBLIC OF IRAQ TO REGAIN LOST OIL REVENUE SOURCES IN THE
>NEIGHBORING ISLAMIC REPUBLIC OF IRAN. THIS UNSUCCESSFUL VENTURE WAS SOON
>FOLLOWED BY A FALLING-OUT WITH HIS IRAQI PARTNER, WHO SOUGHT TO ACQUIRE
>ADDITIONAL OIL REVENUE SOURCES IN THE NEIGHBORING EMIRATE OF KUWAIT, A
>WHOLLY-OWNED U.S.-BRITISH SUBSIDIARY.
>
>MY FATHER RE-SECURED THE PETROLEUM ASSETS OF KUWAIT IN 1991 AT A COST OF
>SIXTY-ONE BILLION U.S. DOLLARS ($61,000,000,000). OUT OF THAT COST,
>THIRTY-SIX BILLION DOLLARS ($36,000,000,000) WERE SUPPLIED BY HIS PARTNERS
>IN THE KINGDOM OF SAUDI ARABIA AND OTHER PERSIAN GULF MONARCHIES, AND
>SIXTEEN BILLION DOLLARS ($16,000,000,000) BY GERMAN AND JAPANESE PARTNERS.
>BUT MY FATHER'S FORMER IRAQI BUSINESS PARTNER REMAINED IN CONTROL OF THE
>REPUBLIC OF IRAQ AND ITS PETROLEUM
>RESERVES.
>
>MY FAMILY IS CALLING FOR YOUR URGENT ASSISTANCE IN FUNDING THE REMOVAL OF
>THE PRESIDENT OF THE REPUBLIC OF IRAQ AND ACQUIRING THE PETROLEUM ASSETS OF
>HIS COUNTRY, AS COMPENSATION FOR THE COSTS OF REMOVING HIM FROM POWER.
>UNFORTUNATELY, OUR PARTNERS FROM 1991 ARE NOT WILLING TO SHOULDER THE
>BURDEN
>OF THIS NEW VENTURE, WHICH IN ITS UPCOMING PHASE MAY COST THE SUM OF 100
>BILLION TO 200 BILLION DOLLARS ($100,000,000,000 - $200,000,000,000), BOTH
>IN THE INITIAL ACQUISITION AND IN LONG-TERM MANAGEMENT.
>
>WITHOUT THE FUNDS FROM OUR 1991 PARTNERS, WE WOULD NOT BE ABLE TO ACQUIRE
>THE OIL REVENUE TRAPPED WITHIN IRAQ. THAT IS WHY MY FAMILY AND OUR
>COLLEAGUES ARE URGENTLY SEEKING YOUR GRACIOUS ASSISTANCE. OUR
>DISTINGUISHED
>COLLEAGUES IN THIS BUSINESS TRANSACTION INCLUDE THE SITTING VICE-PRESIDENT
>OF THE UNITED STATES OF AMERICA, RICHARD CHENEY, WHO IS AN ORIGINAL PARTNER
>IN THE IRAQ VENTURE AND FORMER HEAD OF THE HALLIBURTON OIL COMPANY, AND
>CONDOLEEZA RICE, WHOSE PROFESSIONAL DEDICATION TO THE VENTURE WAS
>DEMONSTRATED IN THE NAMING OF A CHEVRON OIL TANKER AFTER HER.
>
>I WOULD BESEECH YOU TO TRANSFER A SUM EQUALING TEN TO TWENTY-FIVE PERCENT
>(10-25 %) OF YOUR YEARLY INCOME TO OUR ACCOUNT TO AID IN THIS IMPORTANT
>VENTURE. THE INTERNAL REVENUE SERVICE OF THE UNITED STATES OF AMERICA WILL
>FUNCTION AS OUR TRUSTED INTERMEDIARY. I PROPOSE THAT YOU MAKE THIS
>TRANSFER
>BEFORE THE FIFTEENTH (15TH) OF THE MONTH OF APRIL.
>
>I KNOW THAT A TRANSACTION OF THIS MAGNITUDE WOULD MAKE ANYONE APPREHENSIVE
>AND WORRIED. BUT I AM ASSURING YOU THAT ALL WILL BE WELL AT THE END OF THE
>DAY. A BOLD STEP TAKEN SHALL NOT BE REGRETTED, I ASSURE YOU. PLEASE DO BE
>INFORMED THAT THIS BUSINESS TRANSACTION IS 100% LEGAL. IF YOU DO NOT WISH
>TO CO-OPERATE IN THIS TRANSACTION, PLEASE CONTACT OUR INTERMEDIARY
>REPRESENTATIVES TO FURTHER DISCUSS THE MATTER.
>
>I PRAY THAT YOU UNDERSTAND OUR PLIGHT. MY FAMILY AND OUR COLLEAGUES WILL
>BE
>FOREVER GRATEFUL. PLEASE REPLY IN STRICT CONFIDENCE TO THE CONTACT NUMBERS
>BELOW.
>
>SINCERELY WITH WARM REGARDS,
>
>GEORGE WALKER BUSH

Re:I've gotten rid of 90% of spam

Thanks for that amusing variation on the Nigeria 419 scam.

I've received about ten variations of this one now. It is infamous and has supposedly claimed lives: some individuals have travelled to Nigeria to pursue their funds.

Incidentally I receive about 100 spams a day. I think I may need to ditch my email address: a shame since I've had it since 1996.

Re:I've gotten rid of 90% of spam

[machine+of+god]

I just got that one for the first time the other day. I forwarded it all my friends so that they could have a laugh, since they have not gotten it either. Little did I know, but some of my friends are very stupid. I almost considered not telling them it was a scam as punishment for not having the sense to realize it.

Re:I've gotten rid of 90% of spam

Glad you liked it!!

Now do something about it - big demo in London on Saturday. 500,000 estimated to turn up - let's make it 1 million if we can:

http://www.stopwar.org.uk/

libtroll 0.01

Libtroll is a fast, platform indepedendant trolling library written in visual basic. It supports crapfloods, first posts, old ike, ??? profit, in soviet russia, and goatse links. Using libtroll, trolls can effortlessly generate lameness filter breaking trolls that get bites *and* modded up. This version only supports slashdot, future versions will support slashcode, phpnuke, postnuke, scoop, darkportal, and over 20 other slashdot clones.

download

Re:libtroll 0.01

It would be funnier if your link went somewhere.

NO NO NO

[johnburton]

>>> 2) a specific header entry should identify the email as unsolicited." NO NO NO There is no excuse for sending spam. I fail to see how marking it as junk makes it any better. So I can sort it from the mail I actually want? NO. Just stop people sending me crap I don't want.

Re:NO NO NO

Agreed. it seems to make as much sense as having letterbox unsolicited mail marked with "throw me in the trash"

Re:NO NO NO

[MrLint]

Too bad the spammers from all of APNIC are out of your reach een if forged headers are illegal. the only way to address thisis to have end to end certification certification of where the email is coming from.

Re:NO NO NO

[Noren]

I see this as a variant of the 'opt-out' strategy without some of the disadvantages- i.e. without having to place one's address on a list (and we all know what that would lead to...) This would make opting out simple for the user- I'm certain all major email clients would enable spam filtering by this flag as soon as it was established. This is an attempt at compromise, not as desirable to the user as an 'opt-in' rule, but better than simple 'opt-out' and harder for the spammers to argue with than 'opt-in'.

On the other hand, I doubt that any of this is enforcable in any event.

Re:NO NO NO

Am I being Naive when I say,should we not be going after the businesses that use the spam as an advertising channel?

Would it not reduce the spam if we could convince the orgs that are using it, that it would be a good Idea if they stopped.

Going after the spammers them self would not help. If there is still money in it for them. Remove their customers, and you remove the market for the spammers.

I know this would not get rid of all the spam out there. But it could reduce it some what.

Then again, it could be that I am living in a dream world. ;-)

RSC

Re:NO NO NO

[Jedi+Alec]

I don't want my e-mail client to filter it out. This means both my processing time and bandwidth are used to process spam. Let the mailserver(ISP)take care of it...

Re:NO NO NO

[1u3hr]

Another "no no" to me is the suggestion that all headers and thus senders be verifiable and real. This would mean the end of anonymity, which in some situations, such as ratting out a former business partner, or any number of reasons in countries like China or the US with intolerant governments. Bulk spammers already use real accounts sometimes, and just burn them, this wouldn't slow them down much.

However, a method to force identification of BULK email (more than, say, 100 similar messages) might have fewer undesirable side-effects.

SpamAssasin in large corporate use?

[stonebeat.org]

I was wondering how many large corporation are using SpamAssasin. And if not, why not?

Re:SpamAssasin in large corporate use?

[Webratta]

I don't work for a large corporation, but a state-wide ISP. I asked my boss, the chief technical officer of the company, why we weren't using Spam Assassin. He replied that while it is a very neat program and does a great job of filtering spam, the performance just isn't quite there yet. He's of the mindset that it needs some tweaking still before it can be a competitor to commercial products like what Brightmail offers.

Personally, I'd like to see more companies using SpamAssassin just to prove that it can stack up against other products, because I think it can work well if it's configured properly and you use spamd. I use it on my mail server at home and at last check it catches 98.2% of all spam message sent to my machine, and I haven't had any false positives since I set up my whitelists.

Re:SpamAssasin in large corporate use?

[winnetou]

I was wondering how many large corporation are using SpamAssasin. And if not, why not?

Reasons for not using SpamAssassin are the CPU and bandwidth costs. Refusing e-mail from known spam sources is cheaper and (more importantly) does not give away information about which addresses are valid.

After checking the source IP address against lists such as Wirehub, Osirusoft (despite its name not only a list of open relays) and/or some other lists, almost no spam will be accepted.

IP space is finite and, even better, allocated in ranges. Continued spam from (or spamvertizing a website on) an IP address is a very good indicator for more spam from the IP range.

Re:SpamAssasin in large corporate use?

NYT are really greedy fucks... they refer to more articles on it, but the bastards are charging $5 to read it..... why do /.ers even bother to pump up te sales of NYT when others also carry the story.

Besides, there are way too many people out there that don't want to fill out these forms to read NYT for this very reason that their Email address will be scarfed.

We all know how lax the security is, and do you for one minute believe that NYT is going to protect your email address?

Re:SpamAssasin in large corporate use?

[bubblegoose]

We're not a large company (only about 150 people). But here is my experience with SpamAssassin.

We run an Exchange server. I didn't go with the free version, because we don't have the skill set to maintain it at our company. I have some Linux experience, but after 3 days of trying to get it to work I finally had to give up.

I installed Deersoft's SpamAssassin on my Exchange server. Kind of expensive (about $5000) and right now Deersoft customers are left hanging due to Network Associates purchase of Deersoft. NAI pulled the Deersoft version and are releasing it in Q2 2003.

Re:SpamAssasin in large corporate use?

[anon+mouse-cow-aard]

I'm not sure what "large" is.
We use Spam Assasing to evaluate incoming
mail for an (government) organization with about 4500 employees.
We implemented it before there were any real commercial alternatives. It is working well,
The interesting problem is people's understanding of what SPAM is.

We had many, many, many requests to add this or that to our black or white lists. Thing is... what to do is often not obvious... hmm... an HTML marketing newsletter from a random PC games web site... looks like spam to me, what? whitelist it? um... We have had some people asking us to blacklist a site, and other asking to white list it.
I've been looking at the Bayesian stuff for a while with envy. It may solve that problem.

I prefer looking in the archives...

[Jugalator]

... since archived material is considered so old that it doesn't require a registration. ;-)

http://archive.nytimes.com/2003/02/09/magazine/09S PAM.html

Re:I prefer looking in the archives...

Moderators gone bananas.... again!
Mod parent up! It is not offtopic.

illegal

illegal is great in theory, but there is no possible way to enforce that on a world wide basis.

white lists are the only way to stop spam.

Re:illegal

[fmaxwell]

illegal is great in theory, but there is no possible way to enforce that on a world wide basis.


It's impossible to enforce almost any laws with 100% effectiveness, but that does mean that we should ignore the problem. If some sleazeball in Florida hires a firm in Korea to spam me, put his ass in jail.

white lists are the only way to stop spam.

I'm amazed by this user-hostile suggestion every time I hear it. Suppose you post your resumé on Monster.com. Who are you going to whitelist? Suppose your friend changes ISPs and then tries to e-mail you his new address? It won't be whitelisted, so it will bounce. Suppose to fill out a tech support request form. You don't know the address of the person that will contact you (or even if they will be the same domain as the web site).

Re:illegal

There are two solutions to this problem. 1) use a "throw-away" email address when including them in your resume.

2) develop a more friendly "white list" system that makes it easy for you to "open it up" for your potentual employers. So when I send mail out to someone important, I'm just one click away from adding them to my "white list".

Come on guys, I thought /.ers were nerds and knew how to write programs.

Re:illegal

Simple solution to this problem.

When somebody not on your whitelist sends you an email, they will be notified that they are not on your whitelist. They can either:

1. Pay $1 for you to see their message anyway
2. Don't pay anything, realizing that you will never see their message.

Here's the kicker:

When I check my mail, any of the messages that somebody paid for me to see will be flagged. I then have 2 choices:

1. Recognize that the message is from a friend, and add him to my whitelist. The money he paid is AUTOMATICALLY REFUNDED TO HIM. In other words, it cost him nothing to email me.

2. Recognize that the message is spam. Then nothing happens, and I get to keep the $1.

Remember, the $1 per message amount could be changed, but as it stands I would make around $200 dollars a week, just from spam.

This way, spammers pay me for using my bandwith.

Re:illegal

[fmaxwell]

1) use a "throw-away" email address when including them in your resume.

Most people can't even deal with a single address.

2) develop a more friendly "white list" system that makes it easy for you to "open it up" for your potentual employers. So when I send mail out to someone important, I'm just one click away from adding them to my "white list".

Listen Miss Cleo, you have no way of knowing who will respond to your resumé. It might be a company that you send it to. It might be someone at that company working from home. It might be someone at another division that you did not know about. If your resumé was posted on a web site, it might be anyone responding.

Come on guys, I thought /.ers were nerds and knew how to write programs.

My mail server and e-mail processing software implement filtering that would probably make your head spin. Despite having dozens of e-mail accounts and three different domains, I probably see less the one percent of the spam that's sent to my domains. I have autoresponders for retired addresses, auto-complaints for mail from Brazil (to mail-abuse@nic.br), and I use multiple blacklists. Some of my e-mail addresses accept blind copies from untrusted senders and some do not.

But the spam problem needs to be solved for everyone, not just computer geeks that hang out on Slashdot. When the risk of fines and jail time make it unattractive, then we will have really solved the problem.

Re:illegal

[fmaxwell]

Simple solution to this problem.

When somebody not on your whitelist sends you an email, they will be notified that they are not on your whitelist. They can either:

1. Pay $1 for you to see their message anyway
2. Don't pay anything, realizing that you will never see their message.

You call that simple? Jeebus!

So what happens when someone sees your resumé inline and puts it into the stack of ten people to be interviewed. They e-mail you and get your extortion autoresponder ("pay me $1 or I will throw the e-mail away unread"). Simple: The list of candidates to be interviewed drops from ten to nine.

Remember, the $1 per message amount could be changed, but as it stands I would make around $200 dollars a week, just from spam.

No you would not. Your responses would go to the fictitious addresses that the spammers provided. 99% of the messages would bounce and 1% would go to people that never sent you the spam (but whose address was forged on the spam).

This way, spammers pay me for using my bandwith.

No, you just use more bandwidth and they pay you nothing. Now you receive their spam (bandwidth used). Then you send an autoresponse (outgoing bandwidth used). Then you get a bounce from the autoresponse (using yet more bandwidth).

If this is such a foolproof plan, why aren't you doing it?

Re:illegal

[anthony_dipierro]

Suppose you post your resumï½ on Monster.com. Who are you going to whitelist?

monster.com

Re:illegal

[fmaxwell]

Suppose you post your resumï½ on Monster.com. Who are you going to whitelist?

monster.com

That won't work unless you specifically make your resumé "confidential." Normally, your contact information is visible to potential employers so that they can contact you directly. The only time that e-mail is routed through monster.com is when you select the option labelled Save my Resume as confidential. In a buyer's market like this one, I'd recommend against doing anything that made one any less accessible to employers.

Re:illegal

[anthony_dipierro]

That won't work unless you specifically make your resumé "confidential."

Then the only way to stop spam is to make your resumé "confidential."

Do you really want a judge deciding that "I saw your resumé so I decided to offer you this job" is OK but "I saw your resumé so I decided to offer you this penis enlargement" isn't? What about "I saw your resumé so I decided to offer you this recruitment service," or "this resumé writing service?" Seems to me like a prior restraint on speech based on content.

The "false headers" laws have different problems. As long as they restrict the law to willful infringement attached to commercial speech, I guess I could see it as legitimate though. Otherwise I would argue that there's no mens rea, since historically e-mail does not have such a restriction, and/or that the law exceeds congressional power under the commerce clause.

Re:illegal

[fmaxwell]

Then the only way to stop spam is to make your resumé "confidential."

Kind of an ugly choice: Make your contact information less accessible to potential employers or be prepared for a deluge of spam.

Do you really want a judge deciding that "I saw your resumé so I decided to offer you this job" is OK but "I saw your resumé so I decided to offer you this penis enlargement" isn't?

Yes. Without question.

What about "I saw your resumé so I decided to offer you this recruitment service," or "this resumé writing service?"

Again, yes. If I feel the need to use such services, I can seek them out.

Seems to me like a prior restraint on speech based on content.

It's not the speech that is being restrained, just the delivery method. If those same advertisers wanted to use my postal mailing address to send me ads via the USPS, then I'd have no legitimate complaint. They would be paying the cost to deliver the ads to me. It would cost me nothing.

The "false headers" laws have different problems.

The main one being that they serve little useful purpose. False headers are not the problem and I'm sure that you, like me and millions of others, are quite capable of tracking e-mail even when it has falsified headers.

Re:illegal

[anthony_dipierro]

Kind of an ugly choice: Make your contact information less accessible to potential employers or be prepared for a deluge of spam.

It's one of the prices of living in a free society.

Do you really want a judge deciding that "I saw your resumé so I decided to offer you this job" is OK but "I saw your resumé so I decided to offer you this penis enlargement" isn't?

Yes. Without question.

Oh well, I don't.

It's not the speech that is being restrained, just the delivery method.

That's nonsense. You're allowing some types of speech to use that delivery method, but you're not allowing others.

If those same advertisers wanted to use my postal mailing address to send me ads via the USPS, then I'd have no legitimate complaint.

That's like saying it's OK for the government to prosecute people for criticising government officials over the internet, as long as it's not illegal for them to criticise them through the mail.

They would be paying the cost to deliver the ads to me. It would cost me nothing.

But if the cost is your complaint then you have to make illegal the messages offering to hire you along with the ones that want to sell you something.

Or better yet, just charge people to send you email, if that's what you want.

Re:illegal

[fmaxwell]

It's one of the prices of living in a free society.

That's like saying that being mugged is one of the prices of living in a free society. Am I free to paint an ad onto your car? Am I free to call you collect at 2:00AM to tell you about my MLM scheme? Am I free to fax ads to your fax machine (no, it's specifically illegal for the same reason that spam should be).

That's nonsense. You're allowing some types of speech to use that delivery method, but you're not allowing others.

It's not nonsense at all. If I'm paying for the delivery, it's only fair that I get to decide what can be sent to me.

That's like saying it's OK for the government to prosecute people for criticising government officials over the internet, as long as it's not illegal for them to criticise them through the mail.

First, you are mistaking commercial speech and non-commercial speech. Secondly, the taxpayers are the ones paying for the government official's e-mail. Very different and therefore a flawed analogy.

It's more like saying that a telephone soliciter can't call cell phones and toll-free numbers (where the recipients pays for the calls) but can call normal telephones. Or it's like saying that you can't send unsolicited ads to fax machines (because the recipients pay for paper, toner, etc.) but that you can send them in the mail with stamps that you buy. Gee, that is how the law works already, isn't it?

But if the cost is your complaint then you have to make illegal the messages offering to hire you along with the ones that want to sell you something.

I'm willing to pay the cost to receive job and interview offers, not spam. The former is implied when I post the resumé. Heck, I might even state it outright. There's no way that any "reasonable person" could view my resumé online and think "this guy must want me to tell him about herbal Viagra."

Suppose I post a message online that says "please, if you are a lawyer in Virginia, call me collect." I don't see that as an open invitation for random people who see the message to call me to tell me about breast enlargers, free credit reports, refinancing my mortgage, and how to become an Internet millionaire. Do you?

Re:illegal

[anthony_dipierro]

That's like saying that being mugged is one of the prices of living in a free society.

No, it's nothing like that.

Am I free to paint an ad onto your car?

No.

Am I free to call you collect at 2:00AM to tell you about my MLM scheme?

You should be.

Am I free to fax ads to your fax machine (no, it's specifically illegal for the same reason that spam should be).

Actually there's a huge difference in degree. But in any case, you should be allowed to do so.

It's not nonsense at all. If I'm paying for the delivery, it's only fair that I get to decide what can be sent to me.

Well, first of all, you're not paying for the delivery. You're paying for part of the delivery.

Secondly, you do get to decide what can be sent to you. If you don't want unknown people putting emails in your mailbox, don't accept connections from unknown people.

That's like saying it's OK for the government to prosecute people for criticising government officials over the internet, as long as it's not illegal for them to criticise them through the mail.

First, you are mistaking commercial speech and non-commercial speech.

You're not allowed to restrict commercial speech based on content either. If you'd prefer, it's like saying it's OK for the government to prosecute people for reporting government criticism over their commercial internet site, as long as it's not illegal for them to criticise them through their commercial mailing list.

Secondly, the taxpayers are the ones paying for the government official's e-mail. Very different and therefore a flawed analogy.

Huh? Who said anything about the government official's e-mail. I'm talking about a law saying you can't criticise government officials, to each other.

It's more like saying that a telephone soliciter can't call cell phones and toll-free numbers (where the recipients pays for the calls) but can call normal telephones.

But most recipients don't pay for email. At least not any more than they pay for local telephone service. Your analogy would work if the law only targetted people who pay a fee for every email they receive, or who pay based on how much bandwidth they receive. And then I would be forced to criticise the telephone law as well as the online one, which I have no problem doing. I don't agree with that law either.

I'm willing to pay the cost to receive job and interview offers, not spam.

That's great, but unfornately, not everyone has the same threshold as you. That's why I have no problem with a DNE (do not email) list, but I do have a problem with the government deciding what is proper speech, and what is not.

The former is implied when I post the resumé.

I'd say the latter is equally implied.

. Heck, I might even state it outright. There's no way that any "reasonable person" could view my resumé online and think "this guy must want me to tell him about herbal Viagra."

OK, but what about "this guy must want me to tell him about my recruitment service," or "this guy must want me to tell him how to improve his resumé?"

It's like the trespassing laws that most states including my own have. The government set up a standard about how to post no trespassing signs. If someone trespasses and you don't have a sign, you can only sue for actual, not punitive, damages.

If you want to sue spammers for the $0.0000001 they actually cost you, fine.

Suppose I post a message online that says "please, if you are a lawyer in Virginia, call me collect." I don't see that as an open invitation for random people who see the message to call me to tell me about breast enlargers, free credit reports, refinancing my mortgage, and how to become an Internet millionaire. Do you?

Well, personally I see the mere fact that you have an unrestricted email account as that open invitation. But to answer your question, no, I don't. But the resume case is an example of implied solicitation, not direct solicitation.

Re:illegal

[fmaxwell]

Let's get this out of the way first:

That's like saying it's OK for the government to prosecute people for criticising government officials over the internet, as long as it's not illegal for them to criticise them through the mail.

I really don't want to deal with this flawed analogy, but I guess I have to...

If I put up a web page criticizing government officials, it does not force anyone to incur a cost. Only those people that choose to visit the page will pay to download it. It will not cost the government money.

This is more like stating that you can't go to a government building and plug your PA system into an outdoor outlet that they pay for in order to criticize government officials. Or that you can't provide drinking water for protestors by opening a fire hydrant.

That's how free speech works. You can say just about anything that you like, but you cannot do it at someone else's expense.

Actually there's a huge difference in degree. But in any case, you should be allowed to do so.

While the cost per fax is higher, I do believe that the government acted properly in making ads sent via fax illegal. I guess we will have to agree to disagree on this one.

Am I free to paint an ad onto your car?

No.

Why should the government limit my free speech like that? Why can't I stencil an ad onto the side of your car? Because it would cost you money to fix, inconvenience you, and reduce the value of something you paid for? Sounds a lot like spam e-mail to me.

Well, first of all, you're not paying for the delivery. You're paying for part of the delivery.

Recipients pay for the vast majority of the delivery of spam through higher ISP fees. Sending it is far cheaper because the sender is not forced to save hundreds of thousands of copies of the message to disk. The spammer will often BCC the spam to 50 or more recipients at a time, so he sends it once and the ISP stores it 50 or more times on their hard drives. Then the users who retrieve it use 50 or more times the bandwidth that the spammer used in delivering it to the ISP.

Secondly, you do get to decide what can be sent to you. If you don't want unknown people putting emails in your mailbox, don't accept connections from unknown people.

First you claim that I can decide what can be sent to me, then you tell me that I can only decide who can send e-mail me.

I want unknown people putting e-mail in my mailbox. I want unknown people to reply to my for-sale ads. I want unknown people to send me offers of employment in response to my resumé. I want unknown people to contact me after a client refers me to them as a good consultant.

By the way, I read your whitelisting suggestion to a professional acquaintance just for a sanity check. You didn't do well...

But most recipients don't pay for email.

Who do you think is paying the cost of the bandwidth, servers, storage, and administration for e-mail if it's not the recipients? Many ISPs, in fact, estimate that spam costs individual higher ISP fees by several dollars each month.

That's like saying that patients don't pay for higher malpractice insurance -- because it isn't a line-item on their doctor bill.

OK, but what about "this guy must want me to tell him about my recruitment service," or "this guy must want me to tell him how to improve his resumé?"

If the recruitment service wants to discuss placing me in a job, yes, I would consider such a response to be reasonable. The resumé service is a wholly different matter. That's like me attending a public lecture you gave and using the question and answer session to tell you that you would be a more effective speaker if you would lose weight, wear nicer clothes, and trim your nose hairs.

Suppose I post a message online that says "please, if you are a lawyer in Virginia, call me collect." I don't see that as an open invitation for random people who see the message to call me to tell me about breast enlargers, free credit reports, refinancing my mortgage, and how to become an Internet millionaire. Do you?

Well, personally I see the mere fact that you have an unrestricted email account as that open invitation. But to answer your question, no, I don't. But the resume case is an example of implied solicitation, not direct solicitation.

My e-mail is hardly unrestricted. My server uses the following blacklists:

Country Blacklists
argentina.blackholes.us -- IP addresses assigned to Argentina
brazil.blackholes.us -- IP addresses assigned to Brazil
china.blackholes.us -- IP addresses assigned to China
hongkong.blackholes.us -- IP addresses assigned to Hong Kong
korea.blackholes.us -- IP addresses assigned to Korea
malaysia.blackholes.us -- IP addresses assigned to
nigeria.blackholes.us -- IP addresses assigned to Malaysia
russia.blackholes.us -- IP addresses assigned to Russia
singapore.blackholes.us -- IP addresses assigned to Singapore
taiwan.blackholes.us -- IP addresses assigned to Taiwan
thailand.blackholes.us -- IP addresses assigned to Thailand

Other Blacklists
orbs.dorkslayers.com -- see http://www.dorkslayers.com for more information
list.dsbl.org -- see http://www.dsbl.org for more information
relays.ordb.org - see http://www.ordb.org for more information
relays.osirusoft.com -- see http://relays.osirusoft.com for more information
sbl.spamhaus.org -- see http://www.spamhaus.org for more information
cybercon.blackholes.us -- cybercon.com is a notorious spammer haven.

I also publish, on my web page, the e-mail policies for my domain.

But we are making some progress. You agree that posting a message that says "please, if you are a lawyer in Virginia, call me collect" is not an invitation to telephone soliciters to call collect. That raises some interesting questions:

1. Should it be legal for the telephone solicters to call collect after seeing said message? If not, why?

2. Suppose the message said "call my cell phone." Would publishing that number give the telephone soliciters an invitation and legal right to call it?

3. What if it said "call my toll free number", would that be an "open invitation" to telephone soliciters to call that number?

4. How is an "unrestricted email account" an invitation to spammers while an unrestricted cell phone number or unrestricted toll-free number is not an invitation to telephone soliciters?

As to your comment about a government-mandated "no trespassing" sign for e-mail, how would it work? Suppose I posted one. Would that mean that no one could e-mail me? Or would it apply only to commercial solicitations?

I honestly think that the public "no trespassing" signs for e-mail would solve the problem as long as there was a stiff criminal penalty for ignoring said signs. But anything that relies on the general public having to identify, track down, and sue the spammers is destined for failure -- unless there is a guaranteed minimum judgement that makes such lawsuit profitable.

Re:illegal

[anthony_dipierro]

If I put up a web page criticizing government officials, it does not force anyone to incur a cost.

Likewise if you send someone an email.

Only those people that choose to visit the page will pay to download it.

Only those people that choose to download the email will pay to download it.

It will not cost the government money.

No, but it'll cost google money.

Am I free to paint an ad onto your car?

No.

Why should the government limit my free speech like that? Why can't I stencil an ad onto the side of your car?

Because the car is my property, and you're not allowed to damage my property without my permission.

Because it would cost you money to fix, inconvenience you, and reduce the value of something you paid for?

Not just that. The key is that you have no permission.

Sounds a lot like spam e-mail to me.

Email is sent with permission. If you don't want the email, don't accept the email. You are free to do that.

Recipients pay for the vast majority of the delivery of spam through higher ISP fees.

Such indirect damages, even if truly existing (I argue they are not), should not be regulated. The ISP, if anyone, is the one suffering the damages, and therefore only the ISP should have such a claim.

First you claim that I can decide what can be sent to me, then you tell me that I can only decide who can send e-mail me.

I think you know where your decision lies. At any time you can disconnect.

By the way, I read your whitelisting suggestion to a professional acquaintance just for a sanity check. You didn't do well...

What whitelisting suggestion? I think you're confusing me with someone else.

Who do you think is paying the cost of the bandwidth, servers, storage, and administration for e-mail if it's not the recipients?

The ISPs.

Many ISPs, in fact, estimate that spam costs individual higher ISP fees by several dollars each month.

Many record companies estimate that P2P filesharing costs consumers several dollars each CD.

That's like saying that patients don't pay for higher malpractice insurance -- because it isn't a line-item on their doctor bill.

Exactly. They don't pay for it, in a legal sense. If insurance companies illegally raise malpractice insurance rates, consumers can't then sue them for it. The hospitals have to sue, because they are the ones suffering the damages.

You agree that posting a message that says "please, if you are a lawyer in Virginia, call me collect" is not an invitation to telephone soliciters to call collect.

1. Should it be legal for the telephone solicters to call collect after seeing said message? If not, why?

Sure, it should be legal for anyone to call collect, as long as your contractual arrangement with your telephone company doesn't prohibit it (and you don't have a restraining order or some other special circumstances, harassment is still illegal).

2. Suppose the message said "call my cell phone." Would publishing that number give the telephone soliciters an invitation and legal right to call it?

Well, I'm not going to say whether it would give them a legal right, since I'm not a lawyer. But I can say that it shouldn't give them a legal right. They should ahve that right to begin with, as long as their contractual arrangement with their phone company doesn't prohibit it.

3. What if it said "call my toll free number", would that be an "open invitation" to telephone soliciters to call that number?

If you said it to a telephone soliciter, of course it would.

4. How is an "unrestricted email account" an invitation to spammers while an unrestricted cell phone number or unrestricted toll-free number is not an invitation to telephone soliciters?

It's not an invitation. What I'm saying is that no invitation is required.

As to your comment about a government-mandated "no trespassing" sign for e-mail, how would it work?

The easiest way would be a DNE (do not email) list, similar to the do not call lists that some states have.

Suppose I posted one. Would that mean that no one could e-mail me? Or would it apply only to commercial solicitations?

Due to the commerce clause, it could only apply to commercial emails. Presumably congress would make that only unsolicited commercial emails. And of course it would have to be only for willful infringement, at least for the first few years to give businesses time to adjust.

I honestly think that the public "no trespassing" signs for e-mail would solve the problem as long as there was a stiff criminal penalty for ignoring said signs.

Criminal penalties would definately have to be restricted to willful infringement. And even then, I'm not sure I'd want that. Maybe for a second or more offense.

But anything that relies on the general public having to identify, track down, and sue the spammers is destined for failure -- unless there is a guaranteed minimum judgement that makes such lawsuit profitable.

Even then it would still discourage most people, since John Doe suits generally can not be entered into in small claims court. That's why I feel that technical solutions are the most likely to succeed. And it seems that legislation is likely to discourage technical solutions. So if I had my choice I'd want a strong statement from the government that email is completely unrestricted, and that states must not get involved.

Re:illegal

[fmaxwell]

I see that, yet again, we find ourselves in disagreement over basic principles, rather than facts, and thus it is unlikely that we will ever see eye-to-eye on this issue. I believe that commercial speech that shifts costs to unwilling recipients should be illegal. You believe that the onus should be upon the intended recipients to use extreme technical measures to prevent the reception of the speech. So we are at an impasse. I will address a few points:

No, but it'll cost google money.

Only if Google chooses to crawl the page. That's the difference: The page does not automatically get fed into Google by the creator. Google goes out and requests it. Google opts-in.

Likewise if you send someone an email.

How do you know if the recipient will be picking up his e-mail via long-distance dial-up, receiving it on a cell phone, or by some other means that has a direct-to-recipient cost?

Only those people that choose to download the email will pay to download it.

And how do they decide whether to download it? They download part of it and then check the sender, subject, etc.? Sounds like downloading to me.

Because the car is my property, and you're not allowed to damage my property without my permission.

My mail server is my property, and you are not allowed to use it's bandwidth and storage without my permission.

The key is that you have no permission.

Spammers have no permission to send me spam.

Email is sent with permission. If you don't want the email, don't accept the email. You are free to do that.

My mail server does not have AI or enforce my views and I do not sit at a monitor 24/7 hitting "accept" and "reject" buttons as SMTP connections are established. My mail server cannot distinguish between an ad for a penis enlarger and a stranger replying to a car-for-sale web page. If you are going to say that the mail server should not accept messages from unknown senders, I'll say that your car should start itself and move out of the way if you don't want me to stencil an ad on it.

Rejecting e-mail from unknown senders is unacceptable to me, just as it is to 99.999+% of e-mail users. The law should protect us so that we don't have to decide between crippling our e-mail capabilities or receiving spam.

What whitelisting suggestion? I think you're confusing me with someone else.

I am apparently confusing you, but not with someone else. You wrote:

If you don't want unknown people putting emails in your mailbox, don't accept connections from unknown people.

That's whitelisting: a list of senders from whom you will accept connections.

Even then it would still discourage most people, since John Doe suits generally can not be entered into in small claims court.

We have a law on the books in Virginia that makes forged headers illegal (SB881) and lawsuits can be filed under that. But the discovery cost of such a lawsuit is extremely high so lawsuits are exceedingly rare. First, you have to find the sender. To do this, you need one or more subpeonas to identify who was using a particular IP address at a particular time, who owned a spamvertised web site, phone number, etc. Any of these subpeonas may fail to turn up the actual identity of the spammer. Even if you do get the identity, the chance that you will ever collect on a judgement against the spammer is extremely small. Thus, you have a high cost monetarily and in time for a relatively small potential judgement -- which you may not be able to collect.

Driving SUVs supports terrorism

Finally, something upon which we can agree.

Re:illegal

[anthony_dipierro]

Only if Google chooses to crawl the page. That's the difference: The page does not automatically get fed into Google by the creator. Google goes out and requests it. Google opts-in.

But you likewise opt-in by accepting the TCP connection request. I think google is an appropriate example, because while there is no one actually opting-in, there is an automated process in place which will transfer and store the data. By putting crap on the internet, you cost google money.

If I put up a web page criticizing government officials, it does not force anyone to incur a cost.

Likewise if you send someone an email.

How do you know if the recipient will be picking up his e-mail via long-distance dial-up, receiving it on a cell phone, or by some other means that has a direct-to-recipient cost?

No one is forced to pick up his e-mail via long-distance, etc. In fact, no one is forced to pick up his e-mail at all.

And how do they decide whether to download it? They download part of it and then check the sender, subject, etc.? Sounds like downloading to me.

How they decide is irrelevant. Again go back to the google example. How does google decide whether to download someone's shitty website? They have to download part of it and then check, blah blah blah.

Because the car is my property, and you're not allowed to damage my property without my permission.

My mail server is my property, and you are not allowed to use [its] bandwidth and storage without my permission.

Well, using is different from damaging, and I have your permission, you specifically set up a server to allow people to use your bandwidth and storage! The question then becomes who are you allowing, and for what purpose. This is where I draw analogy to trespassing laws, and suggest a Do Not Email list for those who wish to clarify what permissions they are allowing. Of course the de facto standard is that anything is allowed, so we need to take a few years easing into this.

My mail server does not have AI or enforce my views and I do not sit at a monitor 24/7 hitting "accept" and "reject" buttons as SMTP connections are established.

Nor does google's webcrawler.

If you are going to say that the mail server should not accept messages from unknown senders, I'll say that your car should start itself and move out of the way if you don't want me to stencil an ad on it.

But there's a huge difference. Your computer accepts messages because you specifically set it up to do so. I didn't set up my car so that people could stencil it.

I said: If you don't want unknown people putting emails in your mailbox, don't accept connections from unknown people.

That's whitelisting: a list of senders from whom you will accept connections.

I see. Well it wasn't meant to be a good solution or anything. Email is powerful because it allows anonymous communications. I don't have a whitelist in place, but I see spam as just one of the necessary evils of allowing anonymous communications.

My current sig: Driving SUVs supports terrorism

Finally, something upon which we can agree.

Actually, it's kind of tongue-in-cheek. I mean, yeah, driving SUVs contributes slightly to terrorism, but so does riding the bus. For that matter, so does writing this message.

Re:illegal

[fmaxwell]

But you likewise opt-in by accepting the TCP connection request. I think google is an appropriate example, because while there is no one actually opting-in, there is an automated process in place which will transfer and store the data. By putting crap on the internet, you cost google money.

My mail server is passive and Google is active. Google requests a file from a web page and gets it. My mail server requests nothing. It sits there waiting for incoming mail. It has no way to know if a TCP connection will result in spam or will be a "normal" message.

No one is forced to pick up his e-mail via long-distance, etc. In fact, no one is forced to pick up his e-mail at all.

No one is forced to turn on their fax machine, but the law recognizes that it is an unreasonable burden to tell fax owners to turn off their fax machines if they don't want fax spam. Therefore, they made fax spam illegal.

Well, using is different from damaging, and I have your permission, you specifically set up a server to allow people to use your bandwidth and storage!

You do not have my permission to send spam to me. I set up my server specifically to receive personal communications and not mass mailings. I'm sure that you will ask how a spammer could know that. It should be assumed given that the vast majority of Internet users do not wish to receive spam. This has been borne out in many surveys and studies. Even barring that, my domain name makes it clear that I do not wish to receive spam -- as does my web page.

The question then becomes who are you allowing, and for what purpose. This is where I draw analogy to trespassing laws, and suggest a Do Not Email list for those who wish to clarify what permissions they are allowing. Of course the de facto standard is that anything is allowed, so we need to take a few years easing into this.

Given that ISPs almost universally have policies against sending of spam to or from their domains, I don't see how you can say the de facto standard is that anything is allowed.

My mail server does not have AI or enforce my views and I do not sit at a monitor 24/7 hitting "accept" and "reject" buttons as SMTP connections are established.

Nor does google's webcrawler.

That's fine, since I'm not attempting to put anything onto Google's servers. There's a big difference between Google crawling my web site and downloading file after file and my mail server just sitting there waiting for an incoming message.

But there's a huge difference. Your computer accepts messages because you specifically set it up to do so. I didn't set up my car so that people could stencil it.

How do I know why your car is sitting there. Until there is a Do Not Deface list for cars, I think that we should assume that the de facto standard is that anything is allowed.

Well it wasn't meant to be a good solution or anything.

I am relieved to learn that. I believed that you were proposing such whitelists as a practical, reasonable solution.

Email is powerful because it allows anonymous communications. I don't have a whitelist in place, but I see spam as just one of the necessary evils of allowing anonymous communications.

My telephone allows anonymous communications, but I don't consider 2AM telemarketing calls to be a necessary evil. My fax allows anonymous communications, and I don't believe that reams of ads sent via fax are a necessary evil. The government has regulated commercial speech before when it is overly burdensome to the recipient. Spam seems to be a good place for such regulation.

As an aside, I don't think that e-mail is powerful because it allows anonymous communications. I think that it is powerful because it allows you to be easily contacted. I don't feel that it is a particular benefit to me to receive e-mails when the sender is anonymous (forged).

Actually, it's kind of tongue-in-cheek. I mean, yeah, driving SUVs contributes slightly to terrorism, but so does riding the bus.

I think that the Detroit Project makes a much better case for that than the government does with their claims that buying drugs (unless supplied by the CIA) supports terrorism.

For that matter, so does writing this message.

That's why I have a wood-burning PC.

Illegal?

[waytoomuchcoffee]

The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited

Why does everyone in the USA assume that everyone else in the world will somehow obey US law when it is made "illegal"?

Re:Illegal?

I've just started receiving spam in Chinese! Some jerk in Taiwan is sending out all this spam on the off chance (1 in 6?) that person reads Chinese. Spam truly is a global problem now.

Re:Illegal?

[jforr]

Why does everyone in the USA assume that everyone else in the world will somehow obey US law when it is made "illegal"?

Since when does everyone in France think that an American company, yahoo, will obey French laws and not sell nazi memorabilia?

Re:Illegal?

[meringuoid]

Why does everyone in the USA assume that everyone else in the world will somehow obey US law when it is made "illegal"?

Because the vast majority of spam is sent by Americans, advertising products sold by other Americans and hoping to sell them to still more Americans. The fact that the spam is sent via open relays in Korea or bulletproof accounts in China, and received in Europe or Australia, is neither here nor there. Ralsky, for instance, lives in America, regardless of where the spam is routed; indeed, _his_ location is very well known nowadays ;-)

Re:Illegal?

[JaredOfEuropa]

The law aims to force spammers to make their spam easily identifyable, allowing simple filtering, and it makes circumventing those filters (like those random letters that appear in most spam subject lines) illegal. Is that a good thing? I think so, for two reasons:

First of all, it's a start. If the USA adopts this law, it may well be that many other nations follow suit, making life harder for spammers.

Second, it will help against spam originating from the USA. That guy Ralsky seems to be responsible for a sizable portion of all Internet spam. He is based in the USA, and taking orders from sites and companies in the USA. Even if his actual spam originates from an ISP in China, you'd still be able to take him to court for this.

Re:Illegal?

[jjo]

People don't assume this. What they do assume is that, by and large, people who try to get money from US residents are actually situated in the USA, regardless of where the e-email might have originated. Even those who are not in the USA will mostly use a US agency to get their money. That is their Achilles heel: Follow The Money.

Stop the flow of money from US residents, and you will be effectively making everyone in the world obey US law, with respect to spamming within and into the USA.

Re:Illegal?

[jdreed1024]

Why does everyone in the USA assume that everyone else in the world will somehow obey US law when it is made "illegal"?

Um, that wasn't a troll. It's a valid point. If sending spam becomes illegal in the U.S., big fucking deal. Plenty of spammers are not in this country, and those that are will move offshore (c.f. KaZaA). Good luck prosecuting a bunch of spammers in some pacific island country...

Re:Illegal?

[MacAndrew]

Why assume that anyone anywhere will obey a US law?

It's about enforcement, and yes US law is enforceable, especially with the many countries that have or want beneficial relationships with the U.S.

Sure, lots of people will break the law, but without we wouldn't even have grounds to act against them.

Re:Illegal?

Because if you don't, we'll send our military over to your country and ass-fuck you until you're dead, or wish you were. Now shut the fuck up you fuck-tard.

Re:Illegal?

[waytoomuchcoffee]

That is their Achilles heel: Follow The Money

Playing devil's advocate here, you still have to prove they sent the spam out, which would be that system's Achilles heel. Else what would stop people from hiring an offshore spammer to send out fake spam from a competitor?

Re:Illegal?

[WCMI92]

"The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited
Why does everyone in the USA assume that everyone else in the world will somehow obey US law when it is made "illegal"? "

From inside the USA this makes sense.

Why? Because the only way for a spammer to make money by spamming US computers is to sell products to Americans. To do that one must put themself under US law.

I'd add another provision... Make the company that is being advertised as liable as the spammer.

Re:Illegal?

[osgeek]

A lot of countries follow the US's lead in making things illegal that they do, so it's worth it to set the precedent.

It also wouldn't hurt the US much at all to shut off non-complying countries' network access to the US. When they're ready to play nicely, they can play in our sandbox too.

Re:Illegal?

[waytoomuchcoffee]

I'd add another provision... Make the company that is being advertised as liable as the spammer.

As I stated above, that would just lead to people framing their competitors. The USA isn't going to abandon the rules of evidence in legal procedings, unless of course the spammer is a terrorist ;-)

Re:Illegal?

[waytoomuchcoffee]

Since when does everyone in France think that an American company, yahoo, will obey French laws and not sell nazi memorabilia?

Since Yahoo had a subsidiary operating in France, and was therefore a legal French company.

Re:Illegal?

[jforr]

Exactly the point I, and others are making. If you want to sell a product in the US, france, or some tiny island off the coast of australia, you need to follow the rules of that particular country.

Re:Illegal?

[waytoomuchcoffee]

Umm, good point. Well, too late to edit my original post lol. While there are still problems with this, I have to concede this would be a good first step.

Re:Illegal?

[Gleef]

meringuoid wrote:

Because the vast majority of spam is sent by Americans, advertising products sold by other Americans and hoping to sell them to still more Americans.

Actually, I'm an American and at least one third of the spam I get is sent from Korea, advertising in Korean, presumably for Korean products. This spam is completely unreadable by me (I have friends who can read Chinese and Japanese, but none who read Korean).

I don't see Korea caring what laws the US passes regarding forged headers. Might help with the rest of my spam tho.

Re:Illegal?

[daffmeister]

Why does everyone in the USA assume that everyone else in the world will somehow obey US law when it is made "illegal"?

I don't care if everyone in the world obeys US law. Everyone in the US would be a great start. Almost all my spam ultimately comes from US sources.

Even some in the US would be okay. Plenty of people will do things that are morally questionable as long as it's "legal". If you make it illegal then you'll stop 50% in it's tracks right there.

Re:Illegal?

[vandan]

Why does everyone in the USA assume that everyone else in the world will somehow obey US law when it is made "illegal"?

'cause you guys have the largest stockpile of "WEAPONS OF MASS DESTRUCTION" in the world.

Re:Illegal?

[BTWR]

Holy crap! A /.er admitting when (s)he was wrong! Kudos to you waytoomuchcoffee for being, or at least lacting like, an adult.

Re:Illegal?

[1u3hr]

Because the vast majority of spam is sent by Americans, advertising products sold by other Americans and hoping to sell them to still more Americans.

Several times a week I get a spam for credit cards, directing you to a site that says "only valid within the US". Yet these stupid assholes are sending this to my account, in Hong Kong, in the .hk TLD.

Re:Illegal?

[1u3hr]

The USA isn't going to abandon the rules of evidence in legal procedings,

Fine, so the prosecution would have to prove it. They couild fairly easily do that, putting Carnivore to some use. Or bring a much worse penalty on the forger.

Re:Illegal?

[winnetou]

Else what would stop people from hiring an offshore spammer to send out fake spam from a competitor?

The same laws that stop them from ordering stuff in their competitor's name: if caught their competitor will own their company, and they will be Bubba's new toyboy.

Re:Illegal?

It's easy to detect Korean spam. Spam assassin has a rule for it, too: "KOREAN_UCE_SUBJECT". They prefix the subject with "UCE" in their language.

Re:Illegal?

>'cause you guys have the largest stockpile of "WEAPONS OF MASS DESTRUCTION" in the world

Which ones? AOL cds, Hotmail Accounts or Microsoft Licensing Agreements?

Re:Illegal?

[Reziac]

I used to get a lot of for-really Korean spam (in non-English charsets, which kinda nixed the idea of it originating in America) but it went away for a long time... but just lately, it's back.

Used to get a lot from China, but that all went away too...

Except I do get one (in English) that I think is rather funny, from a Chinese furniture company. Comes maybe once a month and is very polite, with valid links to their business site. They even sent out Xmas greetings. Now that sort, I don't mind -- an honest business doing the equivalent of sending out the occasional flyer.

It's receiving the *same* "enlarge your penis" spam 50 times a day that gets old. My DEL key has developed big muscles.

Talking of spam...

[SnAzBaZ]

So how much spam am I likely to get if I give in and register with NYTimes so I can read the article?

Re:Talking of spam...

[allism]

The only spam I got after registering was from NYT, but it took SEVERAL e-mails and threatening to post a story on /. about not getting removed from their mailing list to get them to stop sending me stuff.

Re:Talking of spam...

[jesco]

... or you could have looked at the bottom of the mail where the unsubscribe links and privacy policy are printed. Considering that NYTis a fairly respectable company, these can be considered safe.

At worst, you may have caught NYT on a bad day.

Re:Talking of spam...

[The+Mgt]

Don't give them your real email address, then you definitely won't get any. I reregister with a different load of random gibberish every time and use an email address out of my spam folder.

Re:Talking of spam...

[Reziac]

I've had my NYT registration about 6 years now. I've not received ONE piece of spam from them or anyone I could attribute to them.

And they certainly do know where to find me -- when their login lost my cookie a while back, I complained to the webmaster. A human answered and told me where on their site to go to reset it.

I really don't know why NYT gets the brunt of everyone's annoyance re logins -- their system is one of the least-intrusive I've seen.

I also sometimes wonder how some people get so bloody much spam. I don't filter spam, yet I get less now than I did 5 years ago. This despite that my email addresses have been plastered all over my website (for business reasons) since 1998, and have occasionally been dragged thru newsgroups (mostly by sporgers) since 1993.

Re:Talking of spam...

[allism]

I unsubscribed at least three times using the instructions provided. They chose to ignore it.

Experiment

[Guillaume+Ross]

Two weeks ago, on my old email that I don't use anymore, I decided to "unsubscribe" from all these lists, thinking it would "confirm" the existence of my email address. However, the number of spams I get has reduced from 15-20 to 3-5 a day ! I'll have to see if it goes up again in a few weeks though...

Re:Experiment

I tried the same thing recently (mostly out of boredom, but some out of frustration) and had similar results. I posted a little article on my web site (which will not be posted here as my account is one of those bandwidth limited accouts and I would like to be able to access my site at the end of the month). It should be said, however, that YMMV.

Re:Experiment

I have done this for a 'daily service'. They had 'daily' even in the subject, but the mails was of no service for me. So I decided to unsubscribe. Well, the mailings have stopped, but after a week or so I got spam that was just a little bit different.

Re:Experiment

[Dave2+Wickham]

Same results for me when I tried it on forum@aagames.co.uk (don't use the account any more).

MIT's Post Servers...

[g_arumilli]

now use SpamAssassin. Basically, a set of new headers is attached to the e-mail of the form X-Spam-foo, and if X-Spam-Score is 7.5 or greater (on a scale of 10 I believe), then X-Spam-Flag is yes. It's really useful for sorting out spam quickly, and I haven't gotten a false positive yet...It doesn't get all of the spam, but it gets the vast majority of it...

Re:MIT's Post Servers...

[sqlrob]

Nope, not a scale.

The largest scored spam I've gotten is somewhere around 32

Re:MIT's Post Servers...

[jdreed1024]

now use SpamAssassin. Basically, a set of new headers is attached to the e-mail of the form X-Spam-foo, and if X-Spam-Score is 7.5 or greater (on a scale of 10 I believe), then X-Spam-Flag is yes. It's really useful for sorting out spam quickly, and I haven't gotten a false positive yet...It doesn't get all of the spam, but it gets the vast majority of it...

Some more clarification:
-it's not on a scale of 10 - the SA score can go as high as necessary. I got 27 the other day. Your threshold will be configurable (sometime next week) to "high" (3.0), "normal" (7.5), or "low" (12.0), or a custom number. You'll also have custom whitelists and blacklists.

Re:MIT's Post Servers...

[Alan]

IIRC I once got one in the 40s or 50s, some asian teen sex toner catridge html penis enlarging money saving viagra enabled weight lose and interest rate mail of some sort I guess....

Re:MIT's Post Servers...

[mobets]

I can't remember what it was, but I'm pretty sure I got at least one 300. The list of rules that applid was a page and a half long.

Always with the legislation...

[Sheetrock]

Spam is a technical problem, so why can't we come up with a technical solution? For example, it should be impossible to forge headers, not illegal. Why rely on a legal solution from many of the people who have brought us such brilliant solutions as the DMCA and the CDA in the past when all that's required is what our community has always been good at: sitting down and thinking things out?

Re:Always with the legislation...

Spam is not a technical problem. Return to your secondary school teacher for a refresher on critical thinking. Anyone with a trivial amount of technical knowledge knows how easy it is to forge and address on the internet. Would you outlaw a free OS and cheap hardware? Would you mandate that all email systems worldwide be upgraded to your "secure email standard"? I bet you'd even get a legal fight from MS on that (unless they were the only software vendor allowed to make this new system).

SMTP is working exactly as designed. IP is working exactly as designed. The power comes from the open nature of the protocols.

Spam is advertising with an extremely low cost of entry. Even a 14.4k internet connection and a $19.95 email list can spam thousands and thousands of addresses. If sending each email cost $0.001 for everyone worldwide, spam would disappear.

I don't have the answer, but with just a tiny bit of thought, I can easily see problems with this suggestion. That isn't to say that it wasn't a starting point. Together, we *can* find a viable answer, but I suspect the problem is bigger than anything that a trivial solution can handle. Perhaps a random password system for anyone not on your approved email list?

Here's a link to a working solution: http://www.uwasa.fi/~ts/info/spamfoil.html

Re:Always with the legislation...

[TGK]

I'd say the best technical solution I've seen to breaking the SPAM system is the use of the internets distributed nature against the spammer.

Consider the following. We all access the internet from a fixed and typicaly small number of physical and virtual locations. Were we to map the internet as a whole, starting from any given location the map would look like an expanding cone.

In short, almost all of the traffic from a given point flows through a very small number of servers and routers at some point close to the source.

Since spam messages are sent by the millions and it is fairly easy to determine what messages are likely to BE spam why not set up a filtering system on the routers that determines the rough content of a message based on both its Spam Precentage and the number of identical messages sent.

I.E. If the router sees 500,000 messages of nearly identical content with a 89% spam rating it blocks all of them. If it sees 44 messages with a 23% spam content it lets them through.

Thoughts anyone? I'm sure this idea has gaping flaws in it... what would have to be chnaged for it to work? What are the critical flaws? Is this a viable model or am I missing something major?

Re:Always with the legislation...

[fmaxwell]

Spam is a technical problem, so why can't we come up with a technical solution?

Because of the infrastructure costs associated with the existing protocols. How many mail servers are running on the Internet? How many clients are there that speak the existing SMTP protocol?

Redesigning SMTP to add encryption, identification, and authentication, is not a big problem. Deploying the new protocol is.

We should not have to undertake an effort that will disrupt business nationwide for months, if not years, just to avoid passing a law.

Why rely on a legal solution from many of the people who have brought us such brilliant solutions as the DMCA and the CDA

And let's not forget other laws, like the ones that make child pornography illegal and make it illegal to sell plutonium. Why is it that there is always some belief that laws are inherently bad? That some bad laws have been passed is no reason to abandon our entire legislative process and our form of government.

Re:Always with the legislation...

[KjetilK]

Spam is a technical problem,

No, it is not. It is a social and economic problem.

1. Spammers do not have the social intelligence to see that what they are doing is destructive.
2. Spammers, at least some of them, are making money.

That's why you can't come up with a technical solution, because it isn't a technical problem.

Making it impossible to forge headers is not going to solve any of the problems above. It will only make it easier to report spam to ISPs, but it will not pressure them more to whack the spammers.

You can take technical measures to shift the cost onto the spammer, but if you do that, you must consider the side-effects.

Frankly, I think laws are the solution. But given clueless legislators, we have to write the law.

Re:Always with the legislation...

Yes, deploying a more trusted protocol will take several years to reach every corner of the Internet. Sounds like a good reason to start immedately.

The reason this could work is that the Internet is not as decentralized as you make it out to be. Between MSN/Hotmail, AOL/Netscape, Yahoo, Earthlink and the telcos/cablecos, you've got about 90% of personal mail accounts.

Your company will upgrade when they find that your salesdroids get less favored status at Hotmail, etc. Any larger company has the staff to go upgrade sendmail.

Most smaller companies have upstream ISPs that could relay from legacy SMTP to the secure version, or they just use the ISP relay directly.

It will take a while for the Chinese and the Koreans, etc but many sites block those domains entirely.

After a year or two, the big sites just shut off normal SMTP entirely. All the stragglers will get the right idea quickly.

Re:Always with the legislation...

[lseltzer]

>>Spam is a technical problem, so why can't we come up with a technical solution?

Because fraud is fraud, and forging headers is fraud. I'm not so sanguine about the other suggestion, but forging headers has no legitimate application and widespread illegitimate application. It should be illegal.

Re:Always with the legislation...

[bobintetley]

Err... I think the routers have quite enough to do shunting mind boggling numbers of packets around without trying to analyse packets containing SMTP protocol email messages - the amount of processing power required (on top of what the backbone already suffers) would be absolutely phenomenal.

It is theoretically possible (aside from the fact that most routers are dumb hardware devices dedicated to shuffling packets around and unable to analyse content which means hardware changes), but given how many data packets flow through these bottlenecks, the net would be a much slower experience.

Oh, and who do you contact when legitimate mail gets dropped as spam?

Re:Always with the legislation...

[fmaxwell]

Yes, deploying a more trusted protocol will take several years to reach every corner of the Internet.

And cost billions of dollars and lead to massive disruptions.

Sounds like a good reason to start immedately.

It would take a long time to saw your arm off with a steak knife, too, but that does not mean that you should start doing so immediately.

The reason this could work is that the Internet is not as decentralized as you make it out to be.

Yes, it is. I'm a perfect example. I have a SOHO business cable connection and run a small mail server that serves three domains.

Between MSN/Hotmail, AOL/Netscape, Yahoo, Earthlink and the telcos/cablecos, you've got about 90% of personal mail accounts.

So what? You don't have mine. You also have tunnel vision. How many users in Australia are served by those ISPs? How many in the U.K. are? The Internet actually extends to countries other than the U.S. You may have stumbled on web pages with letters that you don't recognize. Those pages are often from other countries.

Any larger company has the staff to go upgrade sendmail.

Many larger companies don't even run "sendmail". They run expensive, proprietary mail servers that better meet their needs. And an "upgrade" could mean a horrible cost in time and dollars, not to mention the disruption that is likely to occur.

Most smaller companies have upstream ISPs that could relay from legacy SMTP to the secure version, or they just use the ISP relay directly.

I thought that the idea was to get rid of relaying, not require it. How does this hypothetical protocol help anyone if I leave an open relay on my "old-style" SMTP server and some spammer exploits it? In your scenario, my legacy SMTP server would relay through my ISP's "trusted" server and the spam would all go through.

In summary, the problem is a behavioral one. Blaming the protocol for spam is like blaming knives for the death of Nicole Simpson. Spam is theft and it should be illegal.

Re:Always with the legislation...

[Spoing]

I like your idea of indexing the common paths back to typical senders and using that cone of paths as one way to validate. If that could be pulled off, I'll be very happy. It might work well as an extra bit of logic for the Bayesian filters that are being tweaked right now.

I'm less psyched about filtering at the router (mail server). Two words: arms race.

Having each mail server filter on content along the chain would work in the short run, as soon as it became too effective, the spamers would think of ways to eeek by the ratio. Lower the ratio, so would the spammers till you end up filtering out mail that is legitimate.

(That, and I'd hate to have to spec a system that would do that filtering without adding substantial delays!)

Beyond adding a cone of paths like you first described, and figuring out other technical ways to deal with this, I see a couple things that will probably be required in the future;

1. Change or replace our existing email systems so that when the headers (the past routing information) is forged, it is obvious. Then, discard the forgeries.

   (Ob comment: Yes this is a big deal, involves pain, is likely not backward compatable, and should be thought out very carefully.)

2. Search, locate, and find companies who buy spamming services and sue the hell out of them. Optionally: Have Guido/Jimmy/... 'ave ah talk wit im'.

Re:Always with the legislation...

[osgeek]

Spam is a technical and a behavioral problem.

If you've got *real* technical solutions to the problem that won't seriously curtail the ease of use of email as it exists today, then go for it. I really doubt that a reasonable one exists.

The behavioral problem is that there's a definite misdirection of financial and labor burdens upon the recipient of spam that should be illegal no matter what technical solutions are achieved.

Re:Always with the legislation...

[Jordy]

Consider the following. We all access the internet from a fixed and typicaly small number of physical and virtual locations. Were we to map the internet as a whole, starting from any given location the map would look like an expanding cone.

Actually, it wouldn't due to the multihomed nature of most networks.

Since spam messages are sent by the millions and it is fairly easy to determine what messages are likely to BE spam why not set up a filtering system on the routers that determines the rough content of a message based on both its Spam Precentage and the number of identical messages sent.

I.E. If the router sees 500,000 messages of nearly identical content with a 89% spam rating it blocks all of them. If it sees 44 messages with a 23% spam content it lets them through.

First, routers are meant to do one thing, route traffic. They do not have the memory or CPU power to do much more than that.

Second, "identical" and "near-identical" messages are very different things. It is fairly cheap (processor/memory wise) to determine if two messages are identical. It is quite another task to determine if they are nearly identical.

Third, there are many instances where identical or nearly identical messages sent out in bulk are not spam. Mailing lists like bugtraq or linux-kernel have very large subscriber lists, but are are not spam. If the head of IBM sends a message to all his employees, it is not spam. If my car insurance company sends out a bunch of messages warning people once a month that their policy will expire if payment isn't received, it is most definitely, not spam.

Re:Always with the legislation...

[fermion]

Your statement is not incorrect. Spam, like most things, is a technical problem. A technical solution might be possible. However, the issue would still boil down to coding, implementing, and enforcing standards. In either case we will still have to define what spam is and enforce rules that insure spam is not sent or delivered.

In the technical realm this might take the form of statements defining the characteristics of software allowed to connect to the network. There would have to be some authentication to insure the software was compliant, and some mechanism to revoke the authentication of software that was not compliant. If the software was modified, it would automatically lose it's privileges and have to go through a new round of authentication. When the standards changed, all software would be invalidated and people would not be able to connect until they had an undated copy of the software. To simplify this process, we might have automatic updating of the software. This entire process would, of course, be overseen by some worldwide body of regulators.

OTOH, a legal solution might look like a law stating that commercial email headers must be valid and truthful, contain a valid physical address and phone number of all companies associated with the product, and only contain statements consistent with generally accepted advertising standards. There would be some monetary damages associated with each email sent, and payable to the owner of each server that the mail transgressed.

You are correct in assuming that the US congress would never pass something so simple and effective. They would be much more likely to try to pass a law specifying the legal technological means by which spam may be sent. This is of course what the DMCA and the like try to do. Rather than allowing the free market to reconfigure the business landscape to be consistent with current technology, they create socialist limitations on technology to protect vested business interests.

Re:Always with the legislation...

[TekPolitik]

Spam is manifestly a social problem, not a technical one. I can't even begin (in a forum such as this) to go into why the entire concept of it being impossible to forge headers is impossible on the modern Internet.

Re:Always with the legislation...

[Jordy]

Redesigning SMTP to add encryption, identification, and authentication, is not a big problem. Deploying the new protocol is.

We should not have to undertake an effort that will disrupt business nationwide for months, if not years, just to avoid passing a law.

The SMTP protocol has been updated over the years many times in a backwards compatible way. Not only that, but encryption and authentication have been in SMTP for years via TLS.

Identification has been available in many forms for a while via S/MIME or PGP. Of course, you could go the easy route and simply move messages from people that aren't in your address book to a folder where you can authorize them or not. For the "average" person who only gets mail from their friends, this works fine.

Look, if we wanted to modify SMTP in a method that created a trust hierarchy whereby each server would add to their received line a simple signature that could be authenticated, we could without breaking the protocol.

The problem has nothing to do with SMTP. The problem is the rest of the infrastructure simply doesn't exist and it is not trivial to build one.

Are you going to build a white-list with public keys from mail servers you trust explicitly? Who is going to maintain this list? How does someone get added to it? How much is it going to cost to get added? Etcetera, etcetera, etcetera.

If you go the individual identify route then the same questions apply. Who is going to maintain a list of individual identities? What happens when a user loses his key? What about the privacy issues? Cost? Complexity?

Re:Always with the legislation...

[martyros]

No, spam is a moral and social problem, not a technical one; that's exactly why we need legislation on it.

Saying spam is a technical problem is like saying a gun is a technical problem. Sure, gun is technology; and one solution to protect yourself from random people with guns would be to wear body armor. That's now how we deal with guns though; we deal with the murderer or thief who uses the gun inappropriately.

Similarly, there's nothing wrong with e-mail technically. The problem is with people who are willing to piss off 9,999 people to make one sale. They *know* for a fact that most of the people who receive their mail don't want it -- otherwise, why would they forge headers, and keep their spam a moving target, difficult to filter?

Re:Always with the legislation...

[Phroggy]

Legitimate opt-in mailing lists are not spam, but may look very much like it. I know which mailing lists I've signed up for, and which ones I haven't; they both have opt-out links, although I'd be surprised if the one on the spam worked. How will a router tell the difference?

Re:Always with the legislation...

[puppetluva]

Wrong. . .SPAM is a social problem, not a technical one. If the technology changed, there would still be parts of society that would try to circumvent it.

If you have thieves next door who hop the fence and steal your stuff, raising the height of your fences won't stop crime.

In other words, technology can't solve social problems. . .although it may reduce their symptoms.

Re:Always with the legislation...

[anon+mouse-cow-aard]

SPAM is NOT a technical problem. I guess one could consider missles a technical problem for commercial airliners, or burglars to be a technical problem for homeowners. I am sure enterprising technical solutions could address these technical promblems, but:

• How much is an anti-missile system on every airliner going to cost ? (or an anti-spam engine on every mail server.)
• Should not activity which is actively destructive to (electronic) society at least be illegal?
• If someone came up to your children and walked along beside them on the way home from school, showing them dirty pictures, and inviting them to come play, they would be arrested in a heartbeat. Why is the same behaviour not illegal on the internet?

  That they do not know who they are mailing to only makes the problem worse.

The measures Mr. Gleick proposes are rational ones. All they do is make it easier to figure out who is sending the mail. Legitimate businesses will not mind being found. For those companies that insist on this business model, a simple filter on a single header will solve the problem for the 99.9999% of the population who do not answer in any event. Once the response rates start to drop because of those two measures, SPAM itself is very likely to decline.

Re:Always with the legislation...

[repetty]

"Spam is a technical problem..."

You think spam is a technical problem?

Re:Always with the legislation...

[Fwonkas]

Why is it that there is always some belief that laws are inherently bad?

Also the belief that laws have no teeth. I remember a few months ago on the Daily Show during the sniper shootings, they showed a clip of Ari Fleisher (however that's spelled) or someone saying that laws limiting the ability of psychos to aquire firearms won't work, because they'll always find a way around it (sounds like some arguments about spam, eh?). It cut back to John Sterwart - "THAT'S RIGHT! LAWS ARE USELESS AND INEFFECTIVE!" Freakin hilarious.

Re:Always with the legislation...

[Jeremi]

Spam is a social exploit (people wasting other people's time and resources in an attempt to gain profit) made practical by a technical problem (lack of authentication in email protocols).

Everybody happy now?

Re:Always with the legislation...

[edstromp]

This is almost exactally what spamcop.net does.

You give spamcop a copy of your spam. Spamcop then hunts down the offending server(s). If enough people compain about those particular servers, they (the servers) become black-listed, so that if you filter your email w/ spamcop, email from those machines won't get through.

Re:Always with the legislation...

No, it is not. It is a social and economic problem.

Malicious hacking (cracking) is not a technical problem, it is a social and economical problem.

1. Crackers do not have the social intelligence to see that what they are doing is destructive.
2. Crackers, at least some of them, are making money.

That's why you can't come up with a technical solution, because it isn't a technical problem.

Making it impossible to exploit security holes will not solve the problem, It will only make it harder for legitimate users of the system.

You can take technical measures to shift the cost onto the cracker, but if you do that, you must consider the side-effects.

Frankly, I think laws are the solution. But given clueless legislators, we have to write the law.

Ummmm.... I don't think so. make it really hard for spammers to operate, and, since they are trying for economic gain, most will stop, and go find some other way to make money.

Re:Always with the legislation...

"Similarly, there's nothing wrong with e-mail technically."

Wrong, it is very easy to abuse without penalty that is what is wrong with it.

It is very hard to abuse a gun without penalty. People are likely to see you doing it, identify you, and sue, call police or 'abuse' their guns right back at you.

This analogy is not perfect because most ways of abusing guns are also illegal (murder arson etc) where spam itself is not illegal. But to say that there is nothing wrong technically with email is like saying that there is nothing wrong with microsoft's security, if all the hackers/virus writers would just stop abusing a vulnerable system there would be no problem.

Sorry. but you can't have it both ways.

Re:Always with the legislation...

Mail fraud is a technical problem,

No, it is not. It is a social and economic problem.

1. Con artists do not have the social intelligence to see that what they are doing is destructive.
2. Scammers at least some of them, are making money.

That's why you can't come up with a technical solution, because it isn't a technical problem.

etc.

what's the point of having an overbearing government if they're not even going to keep me from overflowing my quotas when i leave for a week?

SPAM = TERRORISM! and sometimes pedophilia

Re:Always with the legislation...

[anthony_dipierro]

Because fraud is fraud, and forging headers is fraud.

Fraud is already illegal, so why do we need a new law, then?

Forging headers may be fraud. But it may not be.

Re:Always with the legislation...

[Paul+Jakma]

An excellent idea, and such a system already exists, see the Distributed Checksum Clearing house:

http://www.rhyolite.com/anti-spam/dcc/

There's also Vipul's Razor:

http://razor.sourceforge.net/

Which works on a similar principle, but by checksum of reported spam mails rather than by volume. The more times a checksum is reported (and who by) the more likely it is to be spam - beyond a certain level checksums will be considered spam. Razor catches a good amount of spam for me.

The best way to fight spam imo is to employ a mix of anti-UCE tools, ie DNSBls to block connections + rbl-milter to 'tag' mail based on a very wide range of DNSBls + Spam checksum clearing house (eg Razor) + a content filter to rate mails according to content and whether they have headers inserted by aforementioned anti-uce tools.

Re:Always with the legislation...

Because fraud is fraud, and forging headers is fraud. I'm not so sanguine about the other suggestion, but forging headers has no legitimate application and widespread illegitimate application. It should be illegal.

Wrong! Forging headers can be perfectly acceptable. If I own domain EXAMPLE.COM, and I want to send out mail through my ISP who forces me to use their outgoing SMTP mail server, I simply forge the headers so it looks like it is from ME@EXAMPLE.COM. Unfortunately, "forging" is the term used to describe changing headers, even in a legitimate situation.

Re:Always with the legislation...

I agree with most of that....
However Making it impossible to forge headers would solve most of the problem.

Re:Always with the legislation...

Why look at the email? Why not just look at the IP address pattern of the traffic? Spammers routinely send through numbers of open relays or open proxies: look for that kind of pattern for email. Once you know the sources you can then figure out if it is a legitimate mailer or a spammer - block the spammer.

I'm sure this is not a 100% solution. Wouldn't 95% be good enough to try it?

Re:Always with the legislation...

[jafac]

What I don't get, is why don't the stupid ISP's block all spam, and then allow some spam to pass through as long as the sender has given them a cash kickback, and as long as the header is valid (to verify the origin and measure payment).

Not really a great solution on the USER end, but it enforces economics onto the spammer, and gives the ISP an additional revenue stream.

The same ought to be done for banner ads as well.

Then the ISP could pay bulk viewer rates to pay-per-view sites, and insert their own banner ads onto such sites - so content sites can get paid, ISP users see ads, and ISPs can generate revenue on the markup, and they could also sell premium accounts that are adless and spamless.

Sounds like a win-win situation to me, for everyone but the poor people who can't afford the premium accounts - who will likely just block ads and filter spam on their own.

Garunteed Way to Block Most Spam

[Cyno01]

Filter any e-mails containign the phrase, "this is not an unsolicited message".

Re:Garunteed Way to Block Most Spam

[neur0maniak]

Heh, I did that one, I blocked "do not reply", and I missed a few online receipts, because their e-mails were sent with "do not reply to this message" on the last line of each notification email...

Re:Garunteed Way to Block Most Spam

[Jucius+Maximus]

Another good way is to block mail that has a @hotmail.com reply-to address, but isn't actually from hotmail.

Re:Garunteed Way to Block Most Spam

[Cyno01]

or @yahoo.com or @aol.com that aren't from either... I frequently get spam to my hotmail account from Cyno01@yahoo.com and vice versa, its weird to see that your spamming youself.

Re:Garunteed Way to Block Most Spam

For a while 50% of the spam in my yahoo spamhole was from [bogusaddress]@yahoo.com.

You'd think this sort of spam would be trivial to blackhole, but often it didn't even make it into the spam folder.

Spammage

[Big+Mark]

Spam Spam Spam Spam
Where does it come from, Uncle Sam?
"Monty Python, don't you know,
When the madness was in full flow"

But what when the accursed stuff
Leads one to declare, "I've had enough!"?
"My son, spam's easy to fail,
When you stop using hotmail!"

-Mark

Re:Spammage

Stop using Hotmail? Hell, NO! It is the single greatest invention since sliced bread! What other address would I use for all of those "registration required" sites? :-)

Yoda says, "mmmm. Spam find you not, if sign your real address up you do not!"

Interesting free speech point

[jenkin+sear]

Towards the end of the article, Gleick makes a really interesting point- he says that as commercial speech, spam isn't entitled to any particular first amendment protection:

The Supreme Court has made clear that individuals may preserve a threshold of privacy. ''Nothing in the Constitution compels us to listen to or view any unwanted communication, whatever its merit,'' wrote Chief Justice Warren Burger in a 1970 decision. ''We therefore categorically reject the argument that a vendor has a right under the Constitution or otherwise to send unwanted material into the home of another.''

Looks like we have the supremes on our side; if we could just congress to issue some letters of marque and reprisal on the spamhausen, we'd be getting somewhere...

Re:Interesting free speech point

[TheOldFart]

If they are on "our" side and none of "us" want this [spam], who are "they"? It feels an awful small minority if you ask me. Why those who represent us don't take this into account? That is, of course a rhetorical question. I just had to ask...

Re:Interesting free speech point

[Sir+John+Nipples]

Looks like we have the supremes on our side

Diana Ross will be a formidable ally indeed.

Re:Interesting free speech point

[matuscak]

Maybe they were on our side in 1970. Given the current makeup of the court, I wouldnt be surprised if a contemporary ruling was quite different.

Re:Interesting free speech point

[anthony_dipierro]

The Supreme Court has made clear that individuals may preserve a threshold of privacy. ''Nothing in the Constitution compels us to listen to or view any unwanted communication, whatever its merit,'' wrote Chief Justice Warren Burger in a 1970 decision. ''We therefore categorically reject the argument that a vendor has a right under the Constitution or otherwise to send unwanted material into the home of another.''

Hmm. NBC does this to me all the time (sends unwanted commercials into my home).

Re:Interesting free speech point

Well... Except for TV ads, since not looking at those is equivalent to stealing.

Techical Solutions Are Required

[esme]

As much as I'd like to see spammers prosecuted for fraud (and think making various deceptive tactics illegal is a good short-term approach), legal and social approaches are doomed to failure. The number of people you can spam is so vast, that even if only one in a million takes the bait, it's still profitable -- that's a powerful economic imbalance that you don't find anywhere else. And it's going to make people forge headers, spam from overseas, etc. to get around any legal and social roadblocks.

I think that breaking that economic model -- ending the reciever-pays system for email -- is the only way to fix spam. If you had to pay some amount of money -- event 1 cent -- for each message that is delivered, spam would stop being economical. And that's the only thing that's going to make it stop.

-Esme

Re:Techical Solutions Are Required

[yakko+nef]

This is a horrible idea. I use email on a daily basis just to send myself notes. If I think of something at work I need to do at home, or vice versa, I send an email to myself instead of writing it down. Implementing a system which would require me to pay to talk to myself is bad. I already pay for my internet connection to be active telling me I have to pay an additional fee to use it is stupid.

Re:Techical Solutions Are Required

[esme]

I don't think ISPs need to charge their users per email. Since most users receive more email than they send anyway, they would generate a net income for the ISPs. They could set a quota -- even a fairly high one like 100 emails per day -- that users get included with their access.

That said, if you don't want to pay to talk to yourself, you might try a different system like a PDA or something web-based. Just because it inconveniences you, doesn't mean it wouldn't be worth it -- after all, I don't know anyone who uses email who isn't inconvenienced by spam. So even if 10% of people were inconvenienced by the new system, it would still be a drastic improvement.

-Esme

Re:Techical Solutions Are Required

[RetroGeek]

I think that breaking that economic model -- ending the reciever-pays system for email -- is the only way to fix spam.

Well, somewhere someone has to pay for the bandwidth. All of spam emails want you to go somewhere, and that somewhere is a server. If we ALL clicked on the links, then that server would be effectively DoS, plus the company would have to pay for the bandwidth.

So instead of ignoring spam, hit the company's web server. Several times...

Re:Techical Solutions Are Required

[esme]

The only problem with this is that they are probably doing *something* at that website to make money. Especially if it's just ads, you'll be shoveling cash their way by doing this.

Probably the worst is that their site gets nuked, and they have to switch to a new hosting company. But these are spammers we're talking about -- they're used to moving around. So it might not make much difference.

-Esme

Re:Techical Solutions Are Required

[Random+Feature]

You'd have to be much more granular than this.

A charge per email sent VIA THE ISP'S MAIL SERVER, perhaps.

I don't agree with the concept in general, but if you're going to propose it, be specific. I send a lot more than 100 emails a day through my ISP but they sent via my employer's mail server, not theirs.

Re:Techical Solutions Are Required

[rthille]

There's no reason to involve money (dollars) to stop spam, make them spend CPU cycles instead. Take a look on google for 'hashcash'. Basically, it involves the sender computing a function that takes a long time to figure out, but is very easy for the receiver to verify. So, if i want to send you mail, I spend ~10 cpu seconds, and you verify that I spent the time, and you accept the mail. If I don't compute the function, you sideline/reject the mail. Whitelists can be used to prevent always needing to compute the function. That way I can accept mail from anyone who might be willing to send me mail, if they are willing to spend the CPU cycles. However, since spammers would need to spend 10 seconds per message, they could only send about 1000 messages per day. That wouldn't be economically viable for them...

Re:Techical Solutions Are Required

[Curt+Cox]

I've advocated didgital postage for several years on precisely the same grounds. Like here:
http://slashdot.org/comments.pl?sid=26155&c id=2833 606

People reject it out of hand because:
1) they think it would have to be centralized
2) they think they would have to pay more

Both notions are dead wrong. Imagine the following:

1) Every email client mints their own postage
2) An email client always rejects email without postage
3) It includes plenty of postage in the rejection email

At minimum, this would force spammers to provide valid return addresses. Of course it would be cumbersome until well integrated into the popular email clients.

Once spammers start needing to read rejection emails, they have lost the war. Digital postage can be made almost arbitrarily expensive to obtain in CPU cycles without significantly hampering actual users. Actual users can usually spend an hour of CPU time generating a stamp to contact someone for the first time. Spammers can't.

I may have gotten the deatils wrong, but I'm firmly convinced that digital postage is the only way to end spam.

Re:Techical Solutions Are Required

[Jedi+Alec]

* Insert remark about Beowulf Cluster of Spanservers making useless calculations here *

Re:Techical Solutions Are Required

[bluelan]

I don't believe this will work. Any calculation that can be done on a general purpose PC in a reasonable amount of time can be done in a fraction of the time on specialized hardware. If there is sufficient demand, then some company will make a postage crunching chip and sell it to spammers for $400.00. Well, maybe $423.00. You get the idea.

Anyhow, the net result will be useless overhead for sending e-mail, and the creation of a new industry in postage minting hardware.

The only solution to this problem is legal. Spammers must make money to support their spam. Track the money, and you find the perpetrator. If what he has done is illegal, fine him into bankruptcy, confiscate the homestead under the RICO act, and send the guy who sent the mail to jail for a couple years. If it's a corporation covering for someone living overseas, fine the company into bankruptcy. That will remove the profit motive.

Spam isn't like drug dealing. The victim isn't complicit with the crime. It won't be a hard crime to prosecute. According to this FAQ about the ROKSO, it's likely that fewer than 150 people and organizations account for 90% of the spam we get, and we know who they are. Let's get some laws in place so we can do something about them.

Re:Techical Solutions Are Required

[chialea]

>Any calculation that can be done on a general purpose PC in a reasonable amount of time can be done in a fraction of the time on specialized hardware.

While this is true, unless you have a large vector-rpocessing machine, the proposal for memory-limited functions as "postage" should foil you. It's actually quite interesting, as it has only a factor of 4 (I believe) difference in time between the fastest PCs and other machines and PDAs, which is quite impressive.

The idea is to make spamming less economically viable, not impossible.

Lea

Re:Techical Solutions Are Required

Not really a geek so forgive if obvious, but why is there not a utility that allows you to generate 10,000 no thank you responses? Can't we spam the spammers?

Re:Techical Solutions Are Required

[Reziac]

And if it were a per-email-sent fee, pity the larger mailing lists -- some have over 200,000 subscribers. Even at a penny apiece, all of a sudden that's a damned expensive mailing list. It would certainly spell the end of free mailing lists everywhere.

Re:Techical Solutions Are Required

[rthille]

Hey, if someone wants to spend lots of money to send me spam I'm just going to round-file, that's fine. I hope they send lots! :-)

Re:Techical Solutions Are Required

[rthille]

But then I can up the length of the hash collision so that it _still_ takes the spammers 10 seconds to compute. The computation is scalable. Sure, it might take someone with an old 486 a long time to send me a message, but it's not like the dedicated hardware is likely to be more than 1000 times faster than a modern cpu. 10000 cpu seconds is a long time (~3 hours), but I don't think it's likely that the hardware co-processor is really going to be 1000 times faster...

You don't have to.

[Erpo]

Copy and paste this into a bookmarklet:

javascript:letters="abcdefghijklmnopqrstuvwxyz"; nu mbers="0123456789";document.forms[1].login.value=" ";document.forms[1].passwd1.value="";document.form s[1].passwd2.value="";document.forms[1].email.valu e="";document.forms[1].birth_year.value="";documen t.forms[1].zip.value="";while(document.forms[1].lo gin.value.length1)document.forms[1].gender_check[1 ].checked=true;document.forms[1].birth_year.value+ =numbers.substring(strindex=Math.round(Math.random ()*9),strindex+1);document.forms[1].birth_year.val ue+=numbers.substring(strindex=Math.round(Math.ran dom()*9),strindex+1);document.forms[1].zip.value+= numbers.substring(strindex=Math.round(Math.random( )*9),strindex+1);document.forms[1].zip.value+=numb ers.substring(strindex=Math.round(Math.random()*9) ,strindex+1);document.forms[1].zip.value+=numbers. substring(strindex=Math.round(Math.random()*9),str index+1);document.forms[1].zip.value+=numbers.subs tring(strindex=Math.round(Math.random()*9),strinde x+1);document.forms[1].zip.value+=numbers.substrin g(strindex=Math.round(Math.random()*9),strindex+1) ;document.forms[1].country.selectedIndex=Math.roun d(Math.random()*236);document.forms[1].income_sele ct.value=Math.round(Math.random()*10)+1;document.f orms[1].industry_select.value=Math.round(Math.rand om()*36)+1;document.forms[1].title_select.value=Ma th.round(Math.random()*36)+1;document.forms[1].fun ction_select.value=Math.round(Math.random()*16)+1; document.forms[1].paper_select.value=Math.round(Ma th.random()*3)+1;document.forms[1].submit();

There shouldn't be any spaces in there, so cut them out if slashdot inserts them. When you get to the NYTimes "you must register" page, click the bookmarklet. It's not the most beautiful solution, but it does the job.

Re:You don't have to.

lol, that looks exactly like something exploiting a well-known but still unpatched Windows vulnerability. :-)

Re:You don't have to.

Or you can register normally and help the NYT pay James Gleick's salary as well as their bandwidth bill, by allowing the NYT to get a better grasp of who their readers are.

But this Slashdot, where information wants to be free unless it's your own.

Re:You don't have to.

[csnydermvpsoft]

Or, just register for an account, using a throwaway address - then you don't have to mess with any crap anymore.

Re:You don't have to.

[Erpo]

Or, just register for an account, using a throwaway address - then you don't have to mess with any crap anymore.

That's exactly what the script does, but I assume you mean check the 'remember me' option to prevent future login hassles. That's certainly one way to avoid future work, and people who want to take that route are free to do so. On the other hand, if you don't want NYTimes setting unique ID cookies on your machine, or you don't want to spend 15 seconds filling in bogus data every time you visit the site after clearing out your cookies, then this script is for you.

Re:You don't have to.

[1u3hr]

I used a Sneakemail.com address to register with the NYT a year ago. Not one single message came through since the confirmation. The cookies I don't mind, I see nothing sinister in keeping a record of which stories I read, especially as there is no way for them to link it with any identifying information. If it makes their marketing people happy, lets them charge more for ads (which I don't see anyway, having blocked most ad domains), that's fine.

Better than our local paper which went to a subscription mode. Annoyingly, being in a rural area, I can't get daily delivery either, which would include the web subscription free.

The real way to get rid of spam

[KevinIsOwn]

Sure all these programs help, but think about what creates spam in the first place.

There are clearly people out there willing to buy the things offered in spam. Obviously not that many, but enough to make a profit. I think that there should be more of an effort to target these people and tell them not to buy stuff from spam!

There is only so much a program can do to stop spam. As we've seen numerous programs have been made, Spam Assasin being one of the best (I use it), but the spam just keeps coming

Until there is no incentive to send spam in the first place people will do it despite any laws against it.

Re:The real way to get rid of spam

[An+Onerous+Coward]

Wonderful idea. Rather than fighting spam through legislative or technological means, we'll simply convince all the stupid, desperate people in the world not to fall for silly cons.

Except, wait. We can't do that because they're too stupid and desperate to get the hint!
</rant>

Seriously, though. I wish everyone were capable of being able to spot shady deals. But to do so requires an uncommon amount of common sense. I don't think you could train most people quickly enough. Come to think of it, I don't think you could train some people at all.

Re:The real way to get rid of spam

[Sir+John+Nipples]

I think that there should be more of an effort to target these people and tell them not to buy stuff from spam!

And how would you propose to do that? Perhaps a mass-email campaign?

Re:The real way to get rid of spam

[KevinIsOwn]

Think of what I said like communism. It's a great idea, but it just never seems to work when implemented ;)

evolution users

[asv108]

The one big feature missing for me in evolution is a spam filter. Fortunately, spamassassin works great even if you have to run it locally. Here are some instructions for evolution users who need to run it locally or are lucky enough to have spamassassin installed on their mail server.

Re:evolution users

[bobintetley]

You can use the keyword filters to fairly effectively reduce spam on evolution. By looking for subjects starting with "FREE" I managed to get rid of about 80% - further checks for "viagra", "penis" and "teens" pretty much got rid of the rest. Occasionally I get an odd one, like "chicks and donkeys" or something but I just add new rules as they come. Generally one gets through about once a month.

Careful what you outlaw

[crow]

Be careful what you outlaw. If the law is too broad, it could easily be used to prohibit not only headers in email messages, but in connecting to a web server. How would you like to have it be illegal to lie about what browser you're using? Or refuse to send a referer?

Re:Careful what you outlaw

How would you like to have it be illegal to lie about what browser you're using? Or refuse to send a referer?

It took me a second, but I finally realized that you weren't talking about reefer.

F-U-C-K---Y-O-U-!

Fuck jewes,fuck socialists,fuck niggers,fuck jeltsin, fuck gays,fuck
russia, fuck equal rights,fuck old people,fuck hippies,fuck police,fuck
ugly girls,FUCK YOU!!!

Who gets this job?

[fobside]

Who gets to ensure that mail headers are not forged and that mail is unsolicited/solicited? First, e-mail has no phsyical boundaries so should it be by local governments? There have been times when I signed up for something I forgot about, and I received e-mail many months later, thinking it was spam. If the users can't tell what is unsolicited or not, how will we know what is solicited mail?

Re:Who gets this job?

[feenberg]

It isn't that hard to determine if the header are forged or misconfigured, the problem is distinguishing the two cases. Lots of legitimate mail comes from misconfigured hosts. If there were a law forbidding forged headers, probably most of the legitimate ISPs would manage to fix their headers, and the rest of us could use mechanical filters to reject the rest.

I get four a week.

[actor_au]

The trick is to have 2 email addresses(I used to have 3 but the company hosting the third one went belly up). Private and Public, on the public one put everything, password confirmation, slashdot details, EVERYTHING, give this to all your friends, never check it, you don't have the time to wade through them all.

The other one(private) don't give it to anyone, never reply to anything sent to it and if asked deny ever having regestered it.

The first will get about 400 SPAMs a day, the second, only about 4 a week.

And thats how you beat the internet.

Re:I get four a week.

[enos]

What's the use of having an email address if you don't give it out to any of your friends? It's like asking a hot date to call you, but you won't give her your unlisted telephone number.

Re:I get four a week.

Why not just say you don't have an email account instead of distributing and never using? And the only mail you get on the private account is 4 emails a week.

Very odd solution indeed.

Re:I get four a week.

[allism]

This sounds a little like what one of my co-workers does. Any time he signs up for something, he uses 'dave@yahoo.com' as his e-mail address. I feel really sorry for Dave...

Re:I get four a week.

[TheRaven64]

And thats how you beat the internet.
Ah I did wonder, I was having reall problems with the Boss at the end...

Re:I get four a week.

[Sarcazmo]

If you just want a fake email address that is "valid", use whatever@example.com

example.com is an official internet blackhole, sanctioned by RFC. It is what everyone is supposed to use in books, demonstrations, etc, similar to 555-XXXX phone numbers on TV.

Re:I get four a week.

[Junta]

Better strategy.... But requires having control of your own mail server...

I run my own mail server. I have Postfix configured to forward username-@the.server to username@the.server by default. So, for example, I registered with amazon username-amazon, and it gets to me. If this email is ever put on a list, I'll complain to amazon, and then create a .forward-amazon and have it put mail in /dev/null. Alternatively you could use procmail or maildrop in the dot-forward file to perform per-extension filtering or bounce messages to explain why the mail will never be read, in case legitimate mail tries to come into that box, perhaps with a random, unique extension provided for them to try a legitimate box. Not only do you have an effective mechanism for filtering out unwanted mail by source and outdated email, you also have a way to track how your email gets out. It has worked quite well. Last week I got three spams, and blocked that address. Aside from that and a couple of other incidents in the past year (about 8 or 9 spam mails total), the signal to noise ratio in that mailbox is excellent.

Re:I get four a week.

[wbm6k]

Sounds great... but don't you think the spammers might catch on eventually and just send to:

username-amazo@the.server
username-amaz@the.server
username-ama@the.server
...
u@the.server

figuring that somewhere in there they'll hit the real address? (And they'll figure it out even quicker once they notice they have both username-amazon@the.server and username-yahooGroups@the.server in their mail-lists)

Any technological solution (widely employed) will eventually be caught up to by the spammers, perpetuating the SPAM arms race, and bringing us down to their level (as the article alludes to).

NYtimes has unbiased news unlike CNN

All about NY Times - Spam, Registration and unbiased news unlike CNN

Also on /.:

Programmers who wrote Kazaa.....
Three Estonians programmers wrote Kazaa code

Kazaa looks for salvation

Broadcast, not unsolicited

[werdna]

The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited.

I don't know what is meant by unsolicited -- and I doubt that there are good definitions that are practical. Nor do I want any single e-mail ever to be treated as spam because some unsophisticate forgot to (or didn't have the software) to make the e-mail unsolicited.

I *DO* want the anti-spam laws to have teeth and very few exceptions -- for that, the criteria for spam should be sufficient to permit adequate filtering (to be useful), not be content-based (to be constitutional), and should be relatively objective (to be practically enforeceable).

Thus, in lieu of forcing headers to identify whether an e-mail is solicited, i would punish falsely identifying an e-mail as non-broadcast. That is to say, an e-mail is not broadcast if it was sent to, say, fewer than 200 different addresses that had not specifically opted-in by affirmative request to receive it.*

Then, we simply get most e-mails clients to flag routine e-mails as non-broadcast, and you have a decent result.

*the only tricks here are (1) subtle and non-substantive changes in each e-mail making them different and (2) sending e-mails on behalf of many different sources (from 1000's of different e-mail accounts). The solutions can be readily addressed by (1) referring to the e-mail and "substantially similar" e-mails (the copyright standard); and (2) referring to e-mails sent by or on behalf of a particular individual. Thus, the person commissioning the spam is always liable for the crime -- regardless how many different persons send the spam on her behalf.

Re:Broadcast, not unsolicited

[wbm6k]

*the only tricks here are (1) subtle and non-substantive changes in each e-mail making them different and (2) sending e-mails on behalf of many different sources (from 1000's of different e-mail accounts). The solutions can be readily addressed by (1) referring to the e-mail and "substantially similar" e-mails (the copyright standard); and (2) referring to e-mails sent by or on behalf of a particular individual. Thus, the person commissioning the spam is always liable for the crime -- regardless how many different persons send the spam on her behalf.

Thus making it impossible for any individual to prosecute, since you only see one recipient for a given email in your mailbox, and trying to sort all your received spam by source would be an absolute nightmare.

If you make forging headers illegal, then a single email with an invalid "from" is an obvious, enforcable violation.

Re:Broadcast, not unsolicited

[werdna]

you are mistaken... most litigation to date involving spammers involves ISPs who have been able to prove broadcast of mail, and seizure of records demonstrating that the e-mail had been broadcast. Proving broadcast is essential to damages anyway -- even with statutory damages, you need to show a degree of harm to get the judge to throw the book at a defendant.

moreover, i didn't criticize punishing false headers, just making "unsolicited" the punishable element, which makes spammers out of all of us, and makes a complicated litigable issue out of every spam case -- almost all of my incoming and outgoing e-mail is "unsolicited" in some sense.

esp SA 2.5

[AssFace]

when people say SpamAssassin is good - they should really be talking about 2.5

that is the version with the Bayes fully in it and it is head and shoulders above the previous versions IMO

Re:esp SA 2.5

[TheRaven64]

I'm not convinced. At the Swansea University Computer Society we're still running an old version (2.41, newer versions need a new version of perl, which breaks other things...) an I regularly get 10 or so spams being filed in my spam folder. About 1 a month gets let through and I've had no false possitives.

Re:esp SA 2.5

[AssFace]

sounds like you probably don't scan enough spam for it to matter one way or the other.

if you get spam at the level of hundreds a day, from what I have seen after using multiple different versions, 2.5 kicks ass far more than the others.

Re:esp SA 2.5

[TheRaven64]

How stable is 2.5 at the moment? I'm not that keen on rolling out something on a server that's going to break (people always complain when that happens, most unreasonable).

Re:esp SA 2.5

[AssFace]

I'm currently only using it for myself, but I've not had problems with it.

That said, I do see a mail slip through on occasion with an error in the procmail log that says:
procmail: Program failure (-9) spamassassin

or something to that effect.

when that happens, it always recovers the data (the incoming mail) and just puts it in the inbox.

I'm not entirely sure what causes that - but I think it is less a problem of spamassassin and more of it timing out and my host (pair.com) killing.
I am just running the sa perl, from what I hear the spamd that in c is much faster and more effecient, but I can't use it since I'm currently on a shared machine and not root on it.

When I started I was filtering out 500 e-mails a day and had about 10 getting through daily (that was with version 2.4).
Then I watched the logs and made some changes (basically saw that some of my addresses that I have were getting all spam and no content, so I just always dev null some of them), and I upgraded to 2.5.
Now I regularly get 150 e-mails a day, and I'd say on average 130 of those are spam.
Out of all of that, the only stuff that slips through is the -9 err, and I've never had a false positive.

I have it set to yank anything that is of a score 4.0 or more, and I have important people in the whitelist.
I filter mail out into spam and nonspam (the nonspam folder is all mail that I read that is good and the spam folder is anything that sneaks through and shouldn't be there - again, due to that -9 err). Then every week I run a cron script that runs the bayes learning scripts against the spam and nonspam folders.

I really am impressed with spamassassin and personally have yet to experience anything negative.
I get a lot of spam, but it is all to me and I have the advantage of scripts to scan through it and also the advatage of time to occasionally look over manually (my spam gets filtered out into a "caughtspam" file that I can then run "frm caughtspam" on if I want to quickly look it over in an easy to read mailbox format).

I would gladly donate money to the spamassassin group if they had something setup to accept that, but for now, I just use it and look every now and then at the Changelog and see if anything is in there that looks vital to me - or if I'm bored I upgrade :)

Chaos Theory anyone?

[bstadil]

James Gleick, is more technically educated

The uneducated guy that send this story in, need to know that was instrumental in taking Chaos theory from an obscure science in Santa Fe into something that almost every scientific discipline benefits from. Incl CS. .

Re:Chaos Theory anyone?

[orangesquid]

I should know, I'm in the middle of his book right now :) :)

Re:Chaos Theory anyone?

[Sir+John+Nipples]

Chaos notwithstanding, when Gleick says something like:

Although headers will be forged, inspecting the HTML source of junk mail usually reveals a genuine domain name

it makes you wonder how much he knows about computers, rather than theoretical physics.

Re:Chaos Theory anyone?

[nomadic]

Yep, Gleick is one of the premier science writers alive, kind of funny how the submitter just threw out the name without realizing who it was.

Reminded me of that Conan O'Brien skit where Andy is reminiscing about that GREAT little local breakfast place he found, pancake house or was it house of pancakes?

Re:Chaos Theory anyone?

Mail headers are usually forged or spoofed in spam.
Most spam is HTML.
HTML has links in it, which will have a URL of a real machine. He's not the one who's confused or doesn't know his stuff.
I'd say Gleick knows his stuff real well - I remember reading something about him being involved in one of the first community computing projects in New York in the early 90's. (I may be wrong about the details, but it was something really progressive in it's day)

Forged Headers should be illegal

I don't know about the other things the author mentioned, but forged headers should be illegal.

READ the article

[Pharmboy]

I know /.ers have a habit of commenting without reading the article (ya think?) but this article is worth reading.

I am not sure if you have to register with NYTimes (I registered years ago) but its worth registering for free if needed. Its a well thought out article.

open 5ource r0x0rz.

bc 1.06
Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
scale=25000
sqrt(sqrt(2))
1.1892071 15002721066717499970560475915292972092463817413019 002224719\
46666822691715987078134453813767371603 739477476921318606372636178984\
77567853608625380 17775070151511403557092273162342868889924175446071 9\
0871050384997255910500983710449201548457356745 8090483994093090003497\
7959080384896588430050411 9871700937907982098462523537398128174081811\
3780 82855201484221006095893241244593103505751919630294 13832634742802\
798244080228008217292720586153666 39370400238207308545653067447714859\
888733457627 18678381165470458727612711126998867843493017586142 497017\
00541314551438919987437667621785161783177 987307048236318734734842180\
53715698684263648276 105622847799586289633293928168787475865603473791\
9964594007561544437157418903039869712943062486253 5173412915359753112\
1544674615908647760651744595 7055930979119465756398917686972170262497\
4753336 29918606531157083493680769804948170607437684746785 58652825501\
418464979248909951563378299859508764 35323966214778965479104541869346\
618613961452185 63917026341604354229856108549326870868151717454045 545\
48531544526636504944019710337617953456424766 552816295172649366879479\
51036518107744982125138 761661340148199686747394077600288553371849754\
68 54815019229716721173113248608110210121258893903751 4478889744791331\
5291594143959713794842180258725 4018156357895522961871250053798259915\
6122046918 54605420376995311733285509656036372119940623227260 44020003\
149221432149857297973092169612299568949 19646712822010257214109160409\
901168420400365699 52873769554560279984457347340632778582449773361833 \
10886695128334515215165129210241135773187170786 644848964141894347893\
74805476956128739575859748 450703629203132825255297223387618655295760\
03553 92079618178724557632468820998367177998089417491686 1191540469301\
9126587060246857751337673373820854 8169001292545468245289432144487702\
1294928551511 63237766773559402659230087980647343973738527232446 92826\
108136775534771912438573641024245256095269 21952629935015973523847830\
542406960658682401465 67453451124591288886991684357767642560409114990\
10917048563417167420507433528383707989434164318725 884739130529850712\
60348119595464785522285093257 735590346500026916493632949115086477464\
44590774 18095868473311198122989269564183230349586377140301 7366660778\
3768686607582714836077979812781701344 8375291822737480958496977561043\
6106959772566160 49514458221213527859270297608124363941459394041101 24\
292402434902991279182809554574321988247462627 45492656438230232155785\
346484316050808647237502 49801592029855566655958908654984763015387239\
274 84168037058128133333970537210068213915754595612352 916618248559570\
03958930934200198441180754640241 533506472493824769330065184875328270\
32961955084 28156370572397770557792141350903859146735371121611 5279620\
3472936395322266070046818694056482189233 9463853265642033099898123662\
8948646108717449896 2511536570624880501960785081268875545352169467212\
495866017692764469075590835051156325279851929332 08795535416004889789\
879375113096532005138617546 60195255600307730906692488664558219440047\
280359 41569123947347269776844239565780381392307120675846 604383033333\
92959632473537384507038961402633691 286689909487110757546132154147185\
80946221090531 90682306033088610766493414160198589650868570091681 7734\
7889614121625440158044081354249446004298101 4775688641465919333572863\
2718859096624284441197 7129230388799932396711358512609400882024121916\
6 16724610515814317667818515615351604097586757525690 42438798815881269\
479050773519401385543259646252 80724853932749628328378475515388241948\
706627385 07768359459708179608912108284820777351065349964416 938518464\
32012546959301545531684551320283789269 517900820700049329200857289827\
96504866009236463 74954168571922560670663944390216359206349025623685 9\
5746258239727539289440299063087735050683709593 6347117436592311659210\
6715272130071138849955298 1413928245728750872865708588702495381930919\
3874 88687164082458992115619664035358062981306476521319 19835140349031\
856531562581891486078598313729451 84526978102429749510799115578274404\
294904201951 61958413839389399221732173754583444188878373049845 658787\
15216844190356549971831187186748530837127 386922588872500718733848464\
55692251125504076431 524302252986679424877010000296131154908241005737\
4461217350920360555949201791349627768734464380522 0391077348871020186\
5294040511618882603395073206 3327384259744143529043448944035077539873\
1650254 68755159457055267513925347947701731127357889493866 84980073901\
898464799509877999097064035948758736 47836311243500990031439308622007\
975113121289378 00391206100830174081569732350299607726689280034329 578\
82888668934295292762884344946665008451210328 148112313543013664865230\
61499949930158741205017 208144292594861066528813416573196825791124411\
56 41997012060839814232045258535244684350825310791565 0290667765064906\
9700125134316712404227727124696 3166249067458766181197378402612691178\
1381207964 40786559308906002827030723531535734559244388764705 49124616\
788328676166448519265396413861835093656 90144972626295175726334631623\
840278651994354555 10837269439451956787903848985417629671585426630133 \
39502418155964447069601985547367201869739198789 953890707563669113726\
94727412385359026711550891 230604028652822285835656857948559527412527\
54316 77933393877006881914281286353559830832974216433580 9936894710485\
9381129706869537666825211007056168 8688988792468128821048618185821351\
5251113607210 98409222753068207169829157997615067799291373615226 67569\
256072261404583216003041576165495919972582 84413220675994900000760229\
715786476435247445889 63746287556191436553754758232529704395484082216\
99923515287114427218343226901322150867412931676753 484565329342947905\
33604864234236460431221411775 232083777417300397762932320233073318213\
65988394 93188026815026787675217460759335457846331267355125 5765575824\
9310113928562352194247993565224701048 7664079023404405917663982503332\
2835341650704764 42067138245094873396994864008244336391375723031760 82\
721731894008254778350965951945983694446476980 41933281226346282020753\
928939733907147947546216 65191607232659347102406866766046138830533773\
811 92181776181191339930722251810233840830895678838113 610807616267854\
57986425211948917718327965803133 979747405986114294894753868420155633\
70198351381 04285734975548398296710003160888945435573976937889 4940698\
3964381237254312355712281159386025475941 4208839138178798804502405288\
6013119443435728034 5958699983588623603582665715396185796757899220605\
289512877769472864197466975157052190907509997241 22012747193769946819\
331179303364146064413048619 30788106671610218084317475160866246224055\
692852 86653016416711892605253817776309930663717946545589 891424846667\
72456780119132116748171812086794530 173308221909748003136263335750768\
10032420553008 56095165397743348342146159845260641588481315559147 7711\
4132934912057704589193209235074370901683240 7427395776799622566579232\
7106996206262320809135 9388390163278574933581142569455119443070711081\
0 72152169856830759206302967138905570372429791674149 37760828346941137\
589384671088071313263462970645 72519001227975829763903650637089098831\
544804698 54556081981641667771023372533052780731744918394028 048086608\
22964355786854842604322792395373158444 909530735404939458850431760980\
84573258638763529 29914132465758514352113345202795389934328328236757 2\
7178314390503142250472943206096993061789427938 5318048850889760796712\
7476869709971105327183222 9124285384717371486376408625324901198105402\
4380 47069661968704584930039792476252619102710426052156 33356772295221\
868907943567979541753648674320606 72199700066051562836184396287523177\
865306197847 93094916396493152215749052044199199548353842438940 949408\
85299634998548947507506228648808014670040 012645373658973624984452397\
76063023968206673052 965619543688943426532007546549223459628892835934\
8708317051650141705471352516973036066892644752880 2773332642829840841\
3978746224487442538902230393 9559565409712917357380278372648881250746\
5444049 85190720017437824511188680767434519366967546743421 56348801131\
791038594431288022806252603424828178 56917366342730485530670305892457\
462950161480261 40899064521119064190660736266114146160924487930332 718\
43010506590189832452287831713834291449447592 065545934488390973778005\
25626009374417702916271 817276669435013670895184103740920009723954243\
00 66482875376506879193016239676764024193629764833397 3663903998405801\
2090231436179627256772200788340 7827879824893133872678641875730730049\
8454666447 47839943577642115752781344890272219373089837208504 37360053\
182028947135672408536602613385605853353 39622787713920974067058108447\
709488651696997352 48471624569168310875186460135160479142667459162811 \
48867293935940062920526357048866734784087287289 018277672970038107997\
66935994986540526567597623 081491892343298429676953657139605552941278\
16586 28481204659552798454040937948593095138199470546107 2765143569104\
2148746363199025691254361983027822 0931692200730546082690187785358135\
7998416863584 10606174655193530215600674212809923781613457318079 18041\
147280186274070120233242339318061289801466 58426087332829562120643461\
872538214768885499445 32715734008259091321154388931240867701571917509\
29382674121969833483590061391103110982170696065552 597102765531098215\
56513768253062735618942815878 486741996617294120964090554368759204552\
90077908 21993315431600691334596735071152610400195598083033 5598215856\
6549414470453434278973159890447309506 6225096008808251041639945368583\
2115897387411421 11213023081015691085144717119905219919183184657598 79\
133351757572968775306342792688316493676866084 93450943737974065154368\
605700908353353873473174 93966854997922700454309153444224805690339830\
060 73249561452573811783157384929530406182776100625594 815608394014392\
08041446596440409190249436732700 848713942768045621882921530094791386\
63065139512 97019969686395088897631044724080510469839804202397 9991958\
4268119274757805011523713106044904898251 7434736636634572961720528223\
1466619322215675828 0448473869313344553149051396252892709682869538264\
903255426009055732470625329850279486980451132640 04894094221630778110\
247977450241190038917464541 01862232408390425443825074578573537956601\
919550 69794485373579880760051565672821146463804895551462 384021874419\
44081609141596788583588818299971372 003077247314645274777450060316480\
15798487547076 32723383204249498123009231051678830169113751550422 1349\
1781303007990780305341351931458568086968980 0082345547356888041717861\
8681200549007114472152 5976523499411173769760875624470514877222147557\
0 00534459235637979155593692353200702631822730053741 14037513224360615\
867086466618743136580301842782 18358014044072002968904867221558909468\
145760092 18295445177641560347764846687693058167121763033176 268724569\
45886893874399923344406394839645056553 181410145801203399123469963828\
95589851598301239 38803203743575563692562192743561241575719104974293 3\
0312664353003767190550669009513028754715040071 2237358449156178728238\
3328307169320175671152574 1378631677892051807672986496844035559961502\
3204 34393063652832178775185194432087615964740107448476 84868199829342\
492358738817986941560753192593859 01551502936985442243650727711658996\
199389516966 30344265409886447541243745606168339070528776934447 462350\
04089393141992803724949830047915036650572 092515037866014802666753177\
42704104301676711476 763296313442115692407194499982591252024794714284\
5089070494566556725672241632055195666134133258497 4520609714431257697\
9856903486947075601264403415 7870153025829510052088368636349319630477\
4122661 78801136340649638457391724738823560547562289546677 38081945931\
172683891371372242598645291491719155 81656981818426879203420099581863\
309586425564305 57728120097808040284134091387292493753890809886403 394\
73711808479224573766607525673860366483735404 183493906823093986223030\
64598516693666282010100 052987951885797379548736587568786087247403765\
69 46378264029196673555240970641514367875693601141883 2314318417352791\
6291740709636799978319056976466 8347905673080323071352342734883009644\
2817311351 44158529072012219633669837807734374502146364879406 88126659\
367595282860143140605320468935499459811 45923139970802136789284323060\
102000820378904358 91640934542975080415121021160987222187442418385996 \
34133341318291180357407734435888105695080501790 142339237646919342813\
56813503690093291504958887 339770871514114435003454385605765219191495\
10076 41693797988331786582992402043603883798584358251715 6103445735113\
7378089281492521487429518315798023 3154314252730442213715617041624589\
2881491463608 61521615435040595459605021727122493113086764626564 98246\
099157600502561464180359655752909817526200 39876523996567619294153760\
425302909394278060365 07259812239845079085520778144498058104067746952\
34255154913912531089293050701410113527970355196308 242219480833517459\
08960638432857328463063839759 794446906871690557084144075439460438175\
01797273 54020886015774069838692557501529297843252048463096 9206668650\
2158883378346694473773005726946568332 3262251567567802291299832718334\
7998193460716829 44386450635264367727038887359210839385376550512676 97\
160553816880980442341388846561083819053586543 05110398488179732744444\
125539923541172065540155 14883105576487509803405594953799037114407487\
100 67235509781133547932286036303023775456845416410194 059592725045555\
36248712018454421939172934608510 807602126586882196509106278325155966\
05504147527 28106963295831250181039274820264249036096036936941 0389692\
1121433220158610356467955988576645487268 6905960708066212436570575987\
1129594035191422421 6576008269742425521569326703747777053782978374334\
003164903782677192266221771834481134439764761411 21601250999312873831\
056052542283480356717402801 19870718355717620953275467245453116395591\
668910 72296842692124673249714094718578388138174316300880 604579047687\
62688505236838743584900552087305381 403394912669933900350593847151451\
80371779554464 29182906809755045768309238169538761686669910267038 6522\
6037539619687655870319108078621338091885471 1348928748371305557085971\
5461466103954836762916 1022335343062984859328474127839717635343351452\
7 99525206073550788274388716530212655855625801111013 06029064583984069\
526816375398257149150999624174 46411974494209007906723699310263715178\
153543040 33884821682519604312065586570303995552088655776705 988252771\
22305008225285393434965217241046926158 051054068908786646460095049929\
83704734197764774 07799445610640747511667222207602820764121878112002 9\
5307928580454809799108142080445385813423094831 9399338533107737666062\
2551818104310744768670783 3588343577423293762351006466212604626553973\
7389 02662340416775906044456694180700269258854443926314 70918887738677\
387725467893573981474749074439617 30404040202520015236482607837236195\
832298716797 32084461036800862377415535362463712364747205024424 534718\
88675643027196885955606179150142999439127 197281727396271895135098815\
98038330345294367226 457455107276161637759413365571771711616457371187\
2764099581329188509959586138800668241222334130855 7373264049781906203\
5324271243869882072940323577 8080732181562412099870067274363513125312\
2980203 66458524628977279877159643098398332644533966622195 28386413838\
096860707550058412375214870396385508 35345527009937596615676899106768\
180040119758982 21512898387304938641827529678459656896106141122235 674\
58625078138843083717329308787538683232924934 826328884614097177615079\
18146711711547689727307 448673066965921891169260064429334341821774261\
20 29440343948307930222497969742588593425301762375937 9309309620080570\
4883111051954019482387440830449 1402749717128214524369657310025385103\
2985770488 47929019435356828769514493680305216134996336430312 55534786\
564833842619629792923395872651398237144 14837002248357751592371663251\
549960612372010008 80207358088274673694904073569544149133375263000172 \
83549370849586568615682429372291404027534104184 944115728192694524040\
87312004170191148810321060 174005978762715997317395453390364986996115\
35735 79526324703834382793478731830972509770843118674104 9988293820103\
4850018933223138964290101009721321 6969831872306569053419342930578114\
5239973367646 75557856102648230958694618393772775762536840090595 31353\
001193825674329794843695209957427477681783 43239113347044974001243249\
185055661168014458323 77489765429280737182489514361924757084725087318\
31282854292931657668598862587673813311093847020796 675901661321684558\
25697652100187636263456196346 988983706428301601956935339390001904475\
72443976 60395416661691688222201460946123733535005821001392 1896983251\
0746707125532685260609117387591796359 4075217016986995246738452320120\
9022575447764335 26770711564619169027228500979004643408614014769475 24\
441111817204785859214979787018550825029826786 49566422846224046333270\
044921526008493347782912 74336160662567235622878672594233809472297015\
685 88473737694604587853593952212886772583688944890111 013759635668535\
59067548158111612301778521582297 679731806190641353752281136230340909\
96781782379 56898192504011133235072025978701592175212943013295 7568282\
3035722114497622581860218212714892179571 3758534191190388020983579830\
2969125592406867288 3825971613224368445054392498341881930981997720800\
375575686274128160784743012987892569448681624222 58173642917071698822\
481440442290216668365558512 79612368756969454949729090295419262084926\
858089 51232689130023648099871367983730644859240785216597 612551778156\
63285008848899846908910376743424847 737761778516595830672578468844299\
36492165538871 27705872638995384002179747086563349209397581957729 7749\
9874731054424579383905158475463838952839530 8636427500595642019903095\
1325169745093739462537 9599467214712029401419925495644744922632929377\
7 08467267587262762583214179558698894891298085166707 70910728107772484\
723072456199250290130636541681 57535088090882966955592209154276253820\
001643393 89878577307262932296821225681139069482670620021470 350463474\
43527968147470996327381625294999671515 343695819391059302499915521010\
56665671625894635 51627127915917687092167406237650393515219559260324 2\
9933254320114422973639879200743190041813181412 5407105240521699226468\
2320673766419385830130692 0804407131236894459708057895581383748532688\
5189 57306177127663437989652061543375024588556754022655 67005204869531\
888515698130327010952842331127201 85534617515679000022370901717496890\
340866801107 10607068279682496659269206521586465266960354655802 678595\
22736757344691152078796808176223766620618 443040808713152759751727705\
59697946274747605421 127325855598636263273573581508742271836277078816\
5154683184296981930317827498691998550471293220241 7419120239936309491\
3579778233177341521288447051 7561193416036716068338050687896497262817\
0641673 48732853523562982894678902315041114717891364389153 40879104307\
308306666271165253460467493089929175 67178735028905420900132243187479\
441667323120170 79592381383492071110051130421024618450755967374685 544\
22804638717689644728746660101073392663655588 702307030996135069128441\
84844202692756082385369 182200854953992314688245441474613701996217546\
23 27472233807126070028595128644350019390827244796478 6082275784375443\
5042662157446598485568255457063 4436429039554160779162279216017013979\
3023275739 22398184203064597253041051350729744958331598358388 49810728\
030039050731702389142821351521711562531 85534847231992763058516460422\
889265384692202972 86015341581659352989195485499450093664295244850865 \
23437389001127278095563705904343722567308058253 900532227272489618189\
40357404916787651999480766 196275372732158965758508205361297895262683\
55613 55898285452582243255540080454629771926265414616937 4171333710442\
4379295092691574735801793231609436 7793549524780766981914688852642598\
9052404602137 35432611230972515961346897209626909943320763464868 31671\
404203508017768937870261874373382469375357 36264649176978751651725826\
785987328536546532356 74035724337920059542677068166580801305671078201\
02029564681709710667018880259316809022378240215308 795547018918038545\
64882289823994407137960051608 911986946447340641850404191496369062385\
74131188 27566191222967881917338629343523355459221919678344 0557750543\
0937035091416552612114787110078439923 0625721251024692947430980823358\
1849863686593759 45080575935016746312853929413572292771967511250010 50\
486069225571425122149286243089711881344316066 94540551359121655107039\
624912049036922610203923 29622140099102546407738247996394642581877728\
021 67283793163613123591568072661720163463920607593340 222250489950129\
24293880316278099585183021916120 840992463472856434470933957905564051\
89960874055 43218192455803214193068714650208345880479586438733 8831012\
5347428895705262274946417686369041465402 1526293284116452365835018119\
1475813396814006696 0066247707121872748590742816819636582392077995656\
110721731279721400031128419925367245855765073527 86385174135693531693\
837045744120793696177111202 05418114539950888177105763502704195616064\
574439 32635559768064705050854392901382288483044906358936 363123593283\
81762954344060455832455361970652105 299795610423202669728726541457385\
82526174404200 87771100050432709063884587952928887687236347976988 2784\
0248306705001267441726410192379967684918107 3093942912835417401716034\
2920608241166049608253 6755677479183987687525896864016157864427287829\
7 63820367842580394107142773031049464071963786359235 54989937940264791\
798528742758698334748265914422 14120847199443368103126438306917127504\
263867531 98687570291225533801983985392267146411109569259403 344581383\
84103171802749365074103131630079169916 274641741937758594269476884892\
75347934126680007 25425041886089524896543986753701312431586053634831 7\
2838031913483928843197841947873632519522899125 2072258010416417753538\
4667590052892729221111684 0579199876184299159028481985769645485459745\
8301 91320299174279770727457889779594067077535196596833 31745655526100\
406409598310780078991341588712300 89760864326848949667017593063598666\
839335905854 14076899857760549225913768331342576559165022521542 094692\
25875170676249632281553934714458523505331 838988533244468899085220111\
72554576431497405976 269840593065044992229435666410152220627204843008\
7083150429304701488627710631153872450345174910361 0500409516265557016\
1796122514434675465142986201 7783614902272782585283696789152490883370\
7591697 82824505101616030872270652259396107321970542690045 16902956655\
590070742450566566687040891423362167 84607029560233935600810863190890\
370778283220841 61696006598325344413764076795857835698796668161242 564\
82848743062835565449777344764837705215169647 657209833522612080517964\
47444737630143395025610 145136455214456268535389449303448277625360759\
83 65278929651241061577725862365146084048471984904643 5630642771858974\
6559313224918700814209262165539 5419506941267688204544462147244537396\
8155534579 95287987181973578662556481792582396034970401303575 83096420\
439720720160078820067551110119920143989 65962686991383113964186010535\
348843012173230377 13079500949263052765935023304596912872902911642697 \
22477122912509355685192694740904066585153899842 947242858305211598305\
98397746056156066962040039 813765680749405643169694250818153517301293\
52848 40816410701139029679802821513808078167590723778214 0377463055642\
1165196107135098163500034878209107 2211618618600409543685419678101442\
2803672005725 39963734469474261695074004549051028365369452497983 06396\
005898672973255504760150980693264061238069 62751436850660969300403601\
098544252654028665781 82615685220671594845121670589507947929740400021\
05872669435295969677510540196970880529808148519888 948516950483114474\
03864683427661087407481417245 269264064708007272364747767520484303826\
54891430 17063931629351990335881284515187350479093586243540 7780426010\
7343037271565948409112820534650047098 2239744286037176855814120378901\
9222010507048339 80969508903159918385310581529775852909381758476376 78\
925049433009280613739711925850286487676967862 31089106837099546598965\
110240670289349340431079 72815695898866291651263458076673943274640382\
161 61801006978259996643236989918722450738690545733062 808720202390837\
51071449326348756288526731913622 194498649111343705401578533103072896\
49408576116 02318367494306667039254994908130600362623455671084 6457438\
0028537103530638225461147934140109639850 5328882727952390012293701503\
3446101687158554530 7296485883254066274351218046158684815172679597438\
780804352633362553790665433301794379208612052009 44447902287535787250\
468904846336483760802414628 50776621282862593310968602235924287507820\
329648 49436224438481768905657870977321746136398741932608 450483371716\
54589399571103201218027492421004507 040121705850513959943009636337536\
78751200341952 91972609401446865876494590652270682706711105761960 4777\
6667591503097491220483134678673898025892734 6036944654299941802956216\
8291235173188116904023 8870068674559784136578573070159652559596939730\
6 86507327720797402259536672845996484293935365095571 11272775550933173\
612804019124026922478892886662 41702164072927257769112370301531756705\
635688437 60041674899279490593605352271256849996683523692754 716082046\
94052390831765009884746435554988817227 674716662977971456534017227824\
76561010129627424 01969240795672758386908207374832022885696910966079 2\
0293701297229060326414594425780892440578809990 3960470877804587264622\
8651260880425707457511417 3654893795114016566370541684111404523969308\
3439 01600587047680831356924319360578450298300189568596 09617517104431\
502647948425654218506641236157764 90714447739259220055650108945124098\
627086002172 69244468587162773129999441054675429358516218797655 598612\
27322483643436860439349483892721129860213 545435644061488298667107960\
90060964108204954248 704380316520524480194226460005140491883808412458\
4210091228541316390607397113586392276861032721946 3423807114131680987\
8437725993440198624241583062 2326168572677061610012675337898573974984\
2628484 31674036200859178971136158209705752910143797212097 46524363771\
126837029959691890629301378496211171 82349812280284862925432567764055\
532096149294411 02523321576473712066579816625563015856670411214523 317\
55847427110541600538119079667422361192120907 779331403228246292368252\
45960666989363137298154 403839271741245078677012665280694246266147662\
59 47636400253716974920737516111143946802045490

"big press"

[crashnbur]

The article is quite substantial and the author, James Gleick, is more technically educated than what we've come to expect from the big press.

I know what you mean. You'd think that this piece were copied from something Glenn Reynolds wrote or something.

Text Version of Article

Here is a link to a text-only version of the article.

Article

Re:Text Version of Article

Bah humbug.

Real Article

There is an excuse

[nurb432]

Its effective.. as stupid as that sounds, if it wasnt they would not be wasting $$ on it.

Id love to see the types that do fall for spam, but they must be out there.. somewhere..

Another cool anti-spam tool

[yiingineer]

I've been using Cloudmark's SpamNet for the past few months and it's been working quite well.

The smart thing that SpamNet does, is that it relies on its users to determine if something is spam or not. If some email lands in your inbox and a few hundred SpamNet members have proclaimed it spam, it most likely is, and it gets immediatly filtered out. This has the net effect of a few user's needing to filter out a few message ocassionally, while the vast majority of messages are filtered out for all users. Although SpamAssassin seems quite good, it's still based upon filtering rules and spammers are constantly tweaking their emails to try to get around them. Since people are still better at determining what's spam and what's not, I find that its accuracy is generally better.

SpamNet isn't perfect though, as far as I know, it only works with Outlook on Windows and doesn't have a Unix, Linux or Mac version. It also sometimes filters out valid bulk mailings, but overall, I would definitely recommend it.

Re:Another cool anti-spam tool

[Junta]

SpamNet is based on and shares a userbase with razor (razor.sf.net) which was designed with *nix in mind. SpamAssassin, in fact, incorporates razor (and, by extension spamnet) into the mechanisms it uses to detect spam. Though SpamAssassin does filtering, it also uses razor (SpamNet) and blacklists (mail-abuse.org and ordb.org) to supplement those filtering mechanisms.

Re:Another cool anti-spam tool

Personally, I have good experience with bogofilter --- once it is trained, that is!

Re:Another cool anti-spam tool

[AndroidCat]

Sounds like Slashdot. Mod that spammer down! :^)

Re:Another cool anti-spam tool

[Skapare]

One person's spam is another person's treasure. That, of course, relates to the content of the message, as opposed to the behaviour of the sender. You might get the same thing from the same sender as I do, and you might consider it spam (various reasons) while I might have actually signed up to get it. Many companies have been known to augment their mailing lists with extra addresses, so this can even happen even though I signed up and you never did. And so it goes that for you it would be spam, and for me it would not be (although if I found out the sender was doing that, I'd sure be quite a bit more than piss off at them).

I really don't like the idea of other people ... or programmed logic for that matter ... making the decision for me what is or is not spam based on its content. The real issue with spam is not what the content is (with a few exceptions for some recipients), but the behaviour of the sender. For example suppose you post a message on an online message board that you're looking around for a place to buy a new motherboard that was just announced by its manufacturer. Then shortly afterwards you get an email from The Motherboard Palace stating that they have just received a big shipment of that new motherboard you wanted, and are offering a 20% discount on orders placed within 24 hours of the mailing. Now is that spam? What if they mailed it also to 999,999 other people without you knowing that? Now is that spam?

Re:Another cool anti-spam tool

most people can look (tv ads, google, etc.) if they need to get things. the infinitesimal fraction that actually *wants* to learn more about xyz product inconveniences the vast majority who does not want to hear about it.

if someone wants to buy something, they can look it up.

Re:Another cool anti-spam tool

[cruachan]

I'll second that one. SpamNet's a really effective piece of software that works - I don't think I've seen a single false positive in th e6 months I've been using it and it filters 98%+ of all the spam I get.

As I understand it a neat trick about it's eyeballing mechanism is that to get generally flagged as spam an email has to be flagged by several individuals, the individual's contributions being weighted by how well their flagging of spam has agreed with the concencous of what is spam before.

Need MSSMTP

[bromoseltzer]

The technical solution is not to charge for sending email, but to make the protocol robust. SMTP is laughably insecure. A More Secure SMTP might let the email receiver get a known ISP to vouch for the email sender before accepting a message, for example.

I should be able to ask Hotmail (or whoever) "I have message #xyz from your domain. Does it originate from a user in good standing?" If the ISP gets too many queries for an individual account, it will stop vouching for it.

Likewise, you need a database of "ISP's in good standing". I.e., who is known to play by the rules with MSSMTP?

Verification would serious server resources, but better that than spam.

-mse

Who steals my .sig, steals trash.

Re:Need MSSMTP

[esme]

A new SMTP (I have a hard time equating "MS" with "More Secure", for some reason...) that had a mechanism to verify the sender's status would be good. In fact, it would be pretty much required to implement a pay-to-send system, because the SMTP would need to get the authorization to debit whatever account was going to pay for the message. The list of people who had valid accounts would defacto be the same as your "ISPs in good standing".

But I think adding the monetary element is crucial, because of the economics. In a trust system, I suspect there would be constant attacks of people hijacking trusted mail servers and using them to spam. It would, after all, still be profitable. There would also probably be people who had built up a level of trust who would then blow it all on one big spamfest. These would be corrected eventually, but the number of ISPs around the world is pretty large, so I suspect there would still be a lot of spam leaking throught the cracks.

-Esme

Re:Need MSSMTP

[Reziac]

I don't know any of the technical details, but there was once an ISP in the Los Angeles area which effectively did this: when you sent one of their users an email, their server queried the originating ISP for valid domain and username. If there was no match, the email was bit-bucketed.

I found out about this because I used to have a spamblock in my email address (thus: user_nospam@myisp.com), and as a result none of my mail to that domain got thru. Ooops!

Go with POPFile.

[TDScott]

SpamAssassin's a great idea, but for the non-technically minded user, POPFile's the best choice. Bayesian filters, learning, kickass UI, and a Windows installer (and Perl for other platforms.)

Re:Go with POPFile.

[Phantasmo]

POPFile's a great idea even for the technically minded user! It works very well on the user end, and can be used to categorize messages (i.e. I have personal, church, mailing list and spam categories with the messages being sent to my inbox, church, bulk and trash folders respectively).

I just wish that I could get Sylpheed to understand custom headers - I have to use ugly subject modification.

Re:Go with POPFile.

[mr.+methane]

Popfile is wonderful. It even runs very nicely on a windows machine, and after a few days, it makes essentially zero mistakes.

Re:Go with POPFile.

[Koozie]

I have been using popfile for a month now and it's doing a pretty good job of catching SPAM for me. I think it is currently running around 95% accuracy rate.

One nice feature I notice about popfile is that is decodes those SPAM messages that are mime encoded and looks for matches.

Pros:

Easy Setup for Windows Users

Web GUI for setup / configuration

Subject Modification - easy filtering for Outlook Express - also provides X-headers for filtering

Works with any pop3 email client

Cons:

pop3 downloading is slower

I also like to look to see which kind of words have a higher probablity of being SPAM than normal mail. You would be surprised.

http://popfile.sourceforge.net/

Re:NO NO NO - for a different reason

[JonTurner]

>>1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited

Don't we ever learn from the past? We've all seen the unintended consequences of poorly-crafted legislation (e.g. DMCA), so why run to the shelter of more restrictions which, in the end, will only cause us more problems? Like the criminals trying to scam your mom with the Nigerian-hold-my-money-for-a-day scam are going to suddenly begin obeying the law... yeah, right. Which begs another question: what law, in what jurisdiction? Even if the US were to pass this law and ruthlessly enforce it (domestically), all scammers would simple flood us from offshore servers.

The solution is not legislation, it is the creative use of technology. Build software that "learns" what is spam and what isn't, then evolves to keep up with the changing tactics of the spammers. Something like PopFile

* ZERO *

[MacAndrew]

I own a domain and so can give each site a different email address (foo@mydomain, bar@mydomain, fum@mydomain, etc.) so that I can tell if they squeal. I get the NYT's very nice daily headline summaries, so they certainly know how to reach me. In eight years I have not seen even one spam with the nytimes email. I wish I could say the same of others....

Granted there is always the risk that they could be hacked, as their main page was some time agi, but what's life without risk? :)

Outlaw "forged" headers?

[Crispy+Critters]

Whaddya mean outlaw "forged" headers? Most email I send had "forged" headers on it, because I am not sending it from a mail server. So, duh, I put in a "forged" From: line so replies go to the mail server, rather than to a machine that doesn't even listen on the SMTP port. What about masquarading in sendmail, will that be illegal too?

The only headers that should be preserved are perhaps the Received: lines which show that route that the message has taken. Still, I can think of a legitimate reason to muck with these - if a company network has a sufficiently complicated internal structure, these headers might reveal some information that they don't want widely available.

Don't be just passive recipient of spam

[Maimun]

Hi,
I said that here once (I think). Instead of
simply filtering out the spam -- which cannot
be a permanent solution from general conside-
rations, since spammers are adaptive too --
act against it. Send them a false credit card
number with some made-up name. People say that
thus one may cause trouble to someone innocent.
The chances are practically zero, methinks.
If many people do that, the spammers will be
flooded and drowned. It is a PITA to do it
manually, but surely there must be a way to
automate it mozilla ?
.
If they advertise web-pages, DOS them with
continuous downloads. Actually, I do this
once in a while with wget. Again, one person
doing it can contribute nothing, but many
ones CAN. If 1% of the "victims" download
each a 10 000 copies of the page, the spammer
will pay for bandwidth more than the eventual
profit from gullible fools will be. And the
spammer can do practically nothing against
a multitude doing this. This approach is
scriptable.
.
Finally, there are the spammers that do not
give any web forms or pages. I got such one
today, from the last dictator of Congo's son :)
The pro-active defense does not work then :(
.
It seems that the real final solution will be
not what I describe here, but creating subnets
of trust that reject email from the outside
unconditionally.

Re:Don't be just passive recipient of spam

You wrote: "Send them a false credit card
number with some made-up name. People say that
thus one may cause trouble to someone innocent.
The chances are practically zero, methinks.
If many people do that, the spammers will be
flooded and drowned"

DUDE - GET REAL - thats downright fraud... it's very clear that this is illegal and can get you in jail.

But SPAMMING the spammer, that's a different story, and it's easy to do that, and highly encouraged. But I wouldn't put false credit card numbers in these forms pages, unless you want the authorities to knock on your door.

A lot of spammers have forms pages... some just giving people an opportunity to request further information (and of course farm for more Email addresses). These are things I look for. There are lots of them out there..... and I take FULL advantage... so here is what you do... First, download the forms page and put on your own server. replace the ACTION line with a call to your own CGI. But save the original action line.

Add another SUBMIT button and a text field to the page. Put in like 10,000,000 in the text field, then write your CGI to use "pattern substitutions" in each of the field lines and put in REAL 'honeypot" mail addresses.... then submit it 10,000,000 times.

I would also put in a 1 sec delay, so you wont DDOS their server (that would be illegal), and you are doing them a favor by giving them zillions of valid Email addresses THAT WORK. But causing them a LOT of work weeding them out.. but heck, thats why they put it up there, right?

So spam your spammer today.

Re:Don't be just passive recipient of spam

Good troll. I see you've stuck to the definition, even has that single piece of misinformation!

but on the same page...

[DuctTape]

I find it ironic that on the same NYT page that talks about spam being ubiquitous, there's the paper's pop-up ads running amuck.

Go figure.

MOD PARENT DOWN!

what he is saying is like requiring gun manufacturers to come up technical solution to prevent guns being used to murder people instead of just making murder illegal. the author of that comment is just making broad, pandering statements about the power of technology and how smart we all are. he isn't proposing a solution. he is not saying how it would be phased in. it's just worthless anti-government grand standing.

spam

[sstory]

Gliek's is the best anti-spam article I've seen. I read this article yesterday and then emailed David Price, my Rep, and John Edwards, my Senator, urging them to support national prohibitions or regulations of spam. I urge you to do the same. Politicians bow to pressure. Apply enough citizen pressure and you can overcome even lobbyists.

Re:spam

There are TOO MANY laws already. here is an interesting site... deaa.org

It's a spammer site, but they advocate "playing by the rules" and call anti-spammers Cyber terrorists... (Whotta joke). It's good reading...

Me ditto

[A+nonymous+Coward]

I am not an expert on much, but I have written servers of various kinds and have some understand of SMTP and networks. Corrections to my naivite are welcome :-)

Seems to me that the problem could be self correcting if there were no forged headers. If spam could always be traced back to its originator, or to a bad relay who accepted forged headers, then only 1% of the recipients would have to reply to flood the miscreant's mailbox.

So why is it not possible to prevent forged headers? Why can't SMTP relays reject mail whose most recent Received-From: header does not match the the sender? As long as you can trace these backwards, at some point you will hit a forged header or the originator. If the header is forged, that means the the next relay did not verify headers, and is a worthy target of complaints about spam, as good as the originator, in fact.

If only 10% of SMTP relays and ISPs enforce this, that would seem to me enough to flood spammers with complaints.

Why would this not work? Worst I can see is it would take a few months to become widespread enough to have an effect, and early adopters would have a slight processing overhead increase, due to having to check for forged Received-From: headers.

what is unsolicited?

[lseltzer]

>>2) a specific header entry should identify the email as unsolicited

I can see some problems with this. If I send a message to my mother out of the blue is that unsolicited?

I haven't read the article (I don't like the NYT and avoid it when I can) but I'm sure the idea is that this applies to commercial email, but that's a dangerous distinction to make if you ask me.

I rarely ever get spam.

[cpaluc]

Heres how:
1. Spend 10 bucks, buy a domain name (eg xyz.com).
2. Set up a few email aliases to point to your real email. eg:

joe@xyz.com ---> you@hotmail.com

temp123@xyz.com ---> you@hotmail.com

spam123@xyz.com ---> you@hotmail.com 3. Never give out 'joe@xyz.com' to anyone except friends/family.
4. Use the other emails for signing up for things on the web or in usenet.
5. When you get your first spam addressed to 'temporary21@xyz.com', delete the email address (no more spam from that source!).

I find this method works extremely well. By using aliases in this way you effectively hide your real mailbox. Even if your hotmail account starts receiving spam you can just get a new one and point your aliases at it. Also, if you change ISP you don't need to change your email address.

If you use it to forward to a hotmail account it might be better if the hotmail account name isn't a dictionary word or name (ie. use a random string for an account name that the 'bots won't guess.

You're screwed if your 'trusted' address gets out there but if you're careful you'll at least get much more use out of it before needing to kill it.

Re:I rarely ever get spam.

[LocalH79]

Spamgourmet does exactly what you propose, and is much more effective.

Re:I rarely ever get spam.

[Phroggy]

Even better:

• joe@xyz.com ---> you@spamcop.net ---> you@hotmail.com
  
• temp123@xyz.com ---> you@hotmail.com
  
• spam123@xyz.com ---> you@hotmail.com

Or, since Hotmail sucks and Spamcop's webmail doesn't:

• joe@xyz.com ---> you@spamcop.net
  
• temp123@xyz.com ---> you@spamcop.net
  
• spam123@xyz.com ---> you@spamcop.net

Spamcop only costs $30/year, and makes it easy to report spam, in a clear and consistent way that makes it easy for ISPs to take action. Shouldn't you do your part to help prevent spam, instead of just blocking it?

(I'm not affiliated with Spamcop, I just really like their service.)

Re:I rarely ever get spam.

Actually it's even easier. Here's how:
1. Spend 10 bucks, buy a domain name (eg xyz.com).
2. Set up the following e-mail address: abuse@xyz.com

You can give this out to anyone, family, friends, post to usenet, slashdot, etc and you'll never get spam. It's cheap, and it's 100 percent effective

Re:I rarely ever get spam.

[megabyte405]

As mentioned in another reply to this message, spamgourmet.com works. But I personally use a combination of spamgourmet (always free) and another service which is free, but you can pay to have limits and ads removed.
<br>
For services that I sign up for (and expect to get useful email from), I give them an address from Sneakemail.com <a href=http://sneakemail.com>here</a>. This provides those redirectors that parent comment uses. These are set up to always allow email through, unless you tell it otherwise. You can make a new address at sneakemail at any time, and should make a new one for every service you sign up for. They keep a list of the addresses you made with them and a string that you use to identify that email. Two plusses to this: you can disable any one that gets sold, and you can report the seller of the address because you only used that email one time to sign up for one thing.
<br>
For things that really shouldn't be sending me email at all, save for a confirmation, (like freebies, webhosts, etc) I use the abovementioned <a href=http://spamgourmet.com>SpamGourmet.com</a> . Addresses there are (in default configuration) are created more simply, and are more limited. You sign up for an account, then when signing up for something, give them the address (for example) trollweekly.1.slashdotuser@spamgourmet.com where trollweekly is an identifier for that email, 1 is how many emails to that address will get through unless you change it at spamgourmet, and slashdotuser is your username. A nice thing there, they add a little message to the end of the subject of all emails routed through there like (1 of 5 allowed) indicating how many more will get through. If you're worried that people will figure this out and just make up things.20.slashdotuser@spamgourmet.com you can use their advanced mode. But frankly, no automated process will do that, so it's very unlikely.<br>
<br>
no relation to the services except as customer. it's a pity I didn't find those services before my email got out there. Hope this helps someone who didn't let their email out. (who let the email out? ;-)

Re:I rarely ever get spam.

What happens when grandma sends you an online greeting card though?

Re:I rarely ever get spam.

[cpeterso]

I have my own domain name, but I use a different email address for every web site, such as amazon@xyz.com or slashdot@xyz.com. Anything sent to xyz.com ends up in my inbox, so creating new email addresses is easy. And when I do get spam to my slashdot@xyz.com, I know who sold their email list to a spammer and I can block just that email address.

Re:I rarely ever get spam.

I like the idea of using that sort of 'catchall' email forwarding but my DNS provider (zoneedit) doesn't also offer the blacklisting ability. I'd be interested to know who you use (or are you using your own mail server to achieve it)?

Re:I rarely ever get spam.

[japa]

Heres how:
1. Spend 10 bucks, buy a domain name (eg xyz.com).
2. Set up a few email aliases to point to your real email. eg:

It's easier to use sneakemail. it's a service that masks your real email, allows you to create new email addresses to give out. You can attach comments to those addresses so the minute you get mail, you know for example where the email address was used. Here's an example: From: "david_holkins-at-yahoo.com |news-10-2002/1.0-Allow|"
The original from is david_holkins@yahoo.com. The spam was sent to my news address, address I had created on Oct 2002. Using these addresses I have busted one website for giving my address out though they first claimed they had nothing to do with it. When the address starts to get enough spam you either add filters to it (at sneakemail) or just delete it.

Re:I rarely ever get spam.

Two problems with that approach:

First, the spam is still being generated: it's still being posted to the addresses that you've created, even if you're no longer accepting responsibility for them. You've just added to the volume of undeliverable mail batting around the 'net. I call it irresponsible to do that without accepting at least some of the burden of handling it.

Second - it's only temporary. Your trusted address will get out there. And even that's ignoring the philosophical 'obfuscating-your-address-is-bad' objection.

Re:I rarely ever get spam.

[cpeterso]

I don't run my own mail server. I just use the Rules Wizard in Outlook. :-)

Re:I rarely ever get spam.

To the mod that modded this troll, I have meta-moderated you unfair. This means you are less likely to moderate in the future. Next time, please learn to read either the post, the post context, or the moderator guidelines.

Anonymous MetaMod

----------
QWERTYUIOP
ASDFGHJKL
----------

James Gleick?

[Selfbain]

Is this the same James Gleick that wrote Chaos: Making a New Science?

Re:James Gleick?

[LogicFlow]

That was a great book. Got it several years ago at a thrift shop, havn't let go of it yet.
It's what got me into mathmatics, and by extention C.S.

Re:James Gleick?

[gleick]

Older and sadder, but pretty much the same.

Re:Who gets this job? FTC, states, citizens

[MacAndrew]

The most important Q, if gov't help is going to mean anything.

Enforcement is currently a state problem, for the dozen or so states that have antispam laws. Even if they can establish jurisdiction, they have to locate the offender. An asst. attorney general I chatted with in Washington state described an almost comic crusade to get ONE spammer who set up under a different corporate name every week. They used three private investigators to track him (successfully), suggesting to me their investigatory resources were limited. Anyway, they couldn't afford to do this with everyone, and this one example was located in-state!

I was surprised the author didn't really talk about state laws at all. They're kind of the laboratories for the eventual federal effort, and state law/enforcement will be complementary.

Once there is a law on the books the "cyber" aspect of it is only as issue for tracking. Postal mail and telephone calls have "no physical boundaries," too, and actually it is the crossing of state lines taht is an obvious source of federal jurisdiction. The rest is standard law enforcement. The FTC, which the author briefly visited, was busy enough with outright fraud, where it already has jurisdiction, just as it does over fraudulent TV ads and newspaper ads and product labeling and so on. I can say that I've seen some very good work by the FTC, even leading to jail terms for the guys who just won't give up. (The jail term I saw was for criminal contempt of court.)

I think they're going to need to provide a private enforcement action, as with the fax law. The gov't resources would still be needed to track down and prosecute the really tough ones, such as the WA case I described. We already have some relevant experience from the anti-junk fax law.

Recognizing spam -- good Q. I don't have any trouble recognizing 99% of it. For teh false positives, it should be possibly to allow the merchant to provide evidence of opt-in, and if enough complaints are tallied there would be further action.

No, no, no...

[fmaxwell]

Seems to me that the problem could be self correcting if there were no forged headers.

So the headers trace back to a fly-by-night ISP in Gangdong-gu, Korea. What are you going to do about it?

Why can't SMTP relays reject mail whose most recent Received-From: header does not match the the sender?

Because some people use services like pobox.com which forward incoming mail but must use their ISP's mail server to send mail. Your proposed solution would put that useful service, and many like it, out of business. (No, you can't trust reply-to headers to work. Many packages wrongly reply to the purported from: address rather than the reply-to.)

How They're Evading Filters Now

[Fringe]

The big problem I have now, new in the last two months or so, is that many of the spams are now uuencoded text bodies... so the filters don't work on them. They are reconstituted by the client (Eudora in my case), after passing through the filters.

Unfortunately the filters (e.g. Spam Weasel, Eudora,etc.) don't have an "automatically reject if no text components" option.

Re:How They're Evading Filters Now

[balamw]

Spamassassin has various tests for this type of behavior. e.g.

Message text disguised using base-64 encoding BASE64_ENC_TEXT

However with the current default scores that alone would not flag a message as spam.

Balam

Re:How They're Evading Filters Now

UUencode? Man, I haven't seen that in years! Hands up, everyone who tried to piece together a large file they received by FTP by mail, split into 20 uuencoded chunks...

Re:How They're Evading Filters Now

ooh, ooh!

Proof of opt-in

[fobside]

Can you provide evidence of opt-in really? Some company maybe have purchased a list, but where does that list come from originally? It goes beyond just who is sending the e-mail, right?

Re:Proof of opt-in

[MacAndrew]

I've noticed that the really good outfits seem to send a confirmation email that you have to reply to make it official. They could keep your reply with headers, and the authentication email could travel with a list if it is sold. I wish they wouldn't sell or share lists anyway, because it makes unsubscribing essentially impossible unless you can go after the publisher of the list -- I imagine those guys are especially slippery.

Anyway it's the merchant's decision whether to take the risk of bogus 3rd party opt-in. Perhaps they should be allowed one good-faith query email?

Then there's the approach I prefer -- universal opt-in or at least opt-out that would cover solicitations of any sort. (Maybe nonprofit newsletters that many of us subscribe to can be held to a laxer standard?)

Realistically, the crooks aren't even going to go to the trouble of defending themselves with anything more than a form response.

There are a lot of details to work out but PLEASE DO SOMETHING!

Re:Proof of opt-in

The idea of requiring people to "opt out" is totally flawed. The european system is far better. Requiring spammers to only use "opt in" is the ONLY way.

How many spam messages do you get that spout... "This is a one time mailing".... how can you opt out of that? It's a ONE TIME MAILING.... Duhhh!!! - COME ON WORLD... Wake the fuck up...

Internet mail architecture sucks

[cdegroot]

Change to something like IM2000 (http://cr.yp.to/im2000.html), spam vanishes in a poof. Keep around with the current broken system, and we'll have ever more draconian laws in ever more futile attempts to suppress it.

Re:Internet mail architecture sucks

[winnetou]

Change to something like IM2000, spam vanishes in a poof.

Could explain the difference between "There is a message for you at im2000://$URL1 " and "Visit http://$URL2 "?
What's worse, you can't read your email off-line unless you prefetch your im2000 email, thus verifying the im2000 mailbox is read.

SpamArrest is far, far cooler

[artemis67]

Check out an online service called SpamArrest.

For about $20, you route your incoming domain email through their whitelist email servers. Anyone who's not on the list is automatically sent an email with a link for people who want to be added to the whitelist. The link takes you to a page where you have to type in a word that you see on the page (the word is in a graphic and is partially obscurred to twart spammer countermeasures).

Of course, a spammer could just click on the link and add his name, but is he going to do that for all 60,000 emails he just sent out? Probably not.

Re:SpamArrest is far, far cooler

They guys are a joke. I took a look at them for a job a while back. The guy I was looking at replacing had been working for them for less than 90 days. What's that tell ya? They got a real expensive downtown Seattle high-rise and a whole lotta blank answer when it goes to discussing their business model or future. These guys are a flash in the pan. Poof and one day they will be listed as a new "Hall of fame inductee" on f'ckedcompany.com.

Re:SpamArrest is far, far cooler

[artemis67]

They guys are a joke. I took a look at them for a job a while back. The guy I was looking at replacing had been working for them for less than 90 days. What's that tell ya?

Absolutely nothing. Every company I've ever worked for has had someone leave in less than 90 days.

They got a real expensive downtown Seattle high-rise and a whole lotta blank answer when it goes to discussing their business model or future. These guys are a flash in the pan. Poof and one day they will be listed as a new "Hall of fame inductee" on f'ckedcompany.com.

Maybe, maybe not. Two things, though:

One, they aren't the only company doing this; I've heard of (but haven't seen) some other companies doing the exact same thing, and

Two, the idea is great and will survive, regardless of the particular company. I, myself, had been working on a very similar idea, but considered their approach to be more elegant.

Personally, I think that the one flaw in their business plan is that they are trying to route all of the email through their pipe and base their revenue stream on a subscription model. Big mistake. They should have set a compteitive price on their SMTP server, tossed it out there and let each company worry about maintaining their own whitelists. That's where competition is going to enter in and eat their lunch. Besides, they are going to have an enormous amount of spam traffic on their internet connection that they'll be paying for.

Re:SpamArrest is far, far cooler

Absolutely nothing. Every company I've ever worked for has had someone leave in less than 90 days.

True enough. It was difficult to convey the guy's giggle when asked why he was leaving. I took it as a bad sign. At the time they had only 4 employees total and I figured if 1 out of those 4 didn't want to be there why would I?


Personally, I think that the one flaw in their business plan is that they are trying to route all of the email through their pipe and base their revenue stream on a subscription model. Big mistake. They should have set a compteitive price on their SMTP server, tossed it out there and let each company worry about maintaining their own whitelists. That's where competition is going to enter in and eat their lunch. Besides, they are going to have an enormous amount of spam traffic on their internet connection that they'll be paying for.

Interesting you should say that. I asked about both the subscription route, (only my question was concerning consumer vs. corp. markets) and routing everything through their pipe. It was at this point that blank uneasy answers started coming forth. At that point it my BS meter started to peg and I wasn't buying the answers I was getting.

My gut tells me they won't make it, or are at a minimum, not the answer. Just my .02 opinion. YMMV.

Re:SpamArrest is far, far cooler

[winnetou]

but is [the spammer] going to do that for all 60,000 emails he just sent out?

Probably not, but not for the reason you are suggesting. The spammer won't do it because those 60,000 bounces have just overflown the mailbox of some poor shmuck whose email address was forged.

Re:SpamArrest is far, far cooler

[Netzkind]

And of course this is the most stupid idea I have ever seen!
Ever subscribed to an online-service, or had a membership _somewhere_?

I really hate those guys who use this kind of service, and try to subscribe to one of our bulletin-boards.
"Hey, i tried to register, but I don't receive mail from you!"

Hell yeah, and you never will, because I am not willing to click a link for every one of those people who think they are sooooo smart by using this kind of "anti spam feature".

The solution? Bouncing mails are now sent to /dev/null for some obvious reason

Re:SpamArrest is far, far cooler

[artemis67]

Well, they do allow you to manually enter the email addresses of emails you want to receive. Whether or not the user properly manages his own account is another issue.

Re:SpamArrest is far, far cooler

[Pete]

artemis67 says:

Check out an online service called SpamArrest.

It's probably a bit late for those who were reading the comments initially, but you would be advised to stay well away from SpamArrest. They're spammers. :)

(and no, that smiley is just to indicate irony - I'm absolutely serious about SpamArrest being spammers)

See

1. here,
2. here, and
3. here.

Pete.

The article please!

Can't one of the karma-whores post the full article?

Come on, I know we won't slashdot it but I am just

too lazy and paranoid to register

and switch on cookies in my browser.

FIRST LINUX LAPTOP POST

Yeah, bitches... Andre-3K here. Got the dual boot action going on. Ya'll can't harm me. Ya'll cain't HARM me. It's over.

Humble as a mumble in the jungle of shouts and screams... Guess I'll hafta reroute my dreams.

Peaskie-weeskie.

O
U
T
K
A
S
T

Bad idea

[Goonie]

This is near-impossible, technically. By the time the traffic flows through the "core routers", it's just a bunch of IP packets which the system doesn't even try to interpret at a higher level. Reconstructing the messages, running spamassassin on them, and selectively blocking them would put an insane CPU load on the routers. They would effectively be acting as mail relays, not routers.

There are also philosophical problems with such a scheme which others can explain...

Re:Bad idea

[kevinatilusa]

As an alternative, why not use the ISPs themselves to delete spam? For example, Someone sends out a spam message to 100 million addresses including 10 million AOL users. 100 people on AOL forward the message to a server complaining it is spam. AOL then deletes the message automatically from all the remaining mailboxes and sends a message to the sender explaining what happened.

Of course, it seems likely that spammers would use some sort of random process to make all the messages different, but it would seem to be much more time consuming and difficult.

By Jove, you're right!

[An+Onerous+Coward]

Okay, switch to plan B. We don't just call it illegal, we call spamming a "terrorist activity." If the spammers don't stop, we shall make war on their routers, launch cruise missiles against their ISPs, and freeze the financial assets of known spammer cells.

Just once, just ONCE I'd like to see the constant erosion of personal liberties work in MY favor!

the Author's version of the article

[gleick]

For what it's worth, an ever-so-slightly longer version, lacking a few bits of Times editing, is posted here, at my own site. And may I say how helpful and fascinating the many Slashdot discussions of this subject have been?

Re:the Author's version of the article

[Ignominious+Cow+Herd]

Yeah, Helpful and Fascinating are the middle names of Many Slashdotters. Seriously, awesome book Chaos.

Re:the Author's version of the article

[mjh]

For what it's worth, there's another antispam technique that might merit some of your consideration. The technique is effective because spammers want anonymity. They want to continue to use fake return addresses. And that can be exploited. I use one such system called TMDA. As a consequence, I'm not afraid to advertise my email address on slashdot (for example).

TMDA isn't really an antispam system, per se. It's an automated whitelist management system, with a bunch of really useful extra features thrown in for the heck of it. But at its heart, TMDA forces you to have a real working email address in order to get into my mailbox. Now of course, spammers might choose to respond by using real return email addresses. Personally, I think that would be a very positive development. In the mean time, it's a pretty effective technique.

TMDA has some competition, too. Active Spam Killer does similar things, although I haven't used it.

Re:the Author's version of the article

[Invalidator]

I read the article and was glad that you made it clear how expensive (time+money) spam is to society.

Further, I thought you might find it interesting/ironic that, just shortly before your article appeared online, I was spammed by .. the NY Times! And, they do not deny it:

"This e-mail was sent to you on behalf of the New York Times newspaper by a third party, which obtained your address through an opt-in list of addresses.

In any event, we have contacted our colleagues at the newspaper and they are placing your e-mail address
on their Do Not Send list."

(my italics)

The "third party" used by the Times is a subsidiary of Scott Hirsch's edata.com spam dynasty. For further reading about Hirsch & co.

Re:the Author's version of the article

[Reziac]

Two problems with the system:

If your business relies on "regular everyday users" emailing you, they will NOT do this two-step dance just to send email. They don't understand it and they'll simply go away.

Second -- when I've tried to email people who use such a system, about HALF the time, my reply to the confirm message gets bounced back to me. Now what??

Re:the Author's version of the article

[mjh]

They don't have to do the two step every time. Just the first time. And you can customize the response that you send so as to explain it to them in as clear of terms as you think necessary. From personal experience, the least technically saavy emailers I know (aunts, older cousins, and in-laws) have managed to navigate the system without having to call me. You can speculate as to what you're customers will/won't be able to understand, but experience suggests that even the least technically saavy people can handle it.

As far as what customers will and won't do? Have you ever used Voice Response Telephone Units (VRUs)? You know, those things that answer the phone and say "press 1 to speak to sales, 2 to speak to ..." etc. Customers will engage in LOTS of extra effort if it means lower costs, better reliability, etc. TMDA (et al) translates very effectively into those metrics, and isn't anywhere near the extra effort associated with VRU's. A huge number of businesses already use a two step process when a customer requests a password change, or when a customer subscribes to a mailing list, or ... Maybe it's just me, but I think customers can easily handle this process.

Still, even if you're 100% correct that these problems are insurmountable. That just means that TMDA (et al) have a non-zero false positive rate (certain customer's legitimate emails won't get delivered). But non-zero false positive rates haven't kept all kinds of other antispam techniques from being brought to the table for evaluation, comparison, etc.

And that's my point. TMDA (et al) merits some discussion w.r.t. its effectiveness in blocking spam. Especially, if we're going to say that having a real email address is an important tool in combating spam.

Re:the Author's version of the article

[Reziac]

Unfortunately, when you're dealing with instant-decision customers, a two-step process even just *once* is enough to discourage them.

I have an announcements mailing list that folk can sign themselves up for -- but cannot send mail to. Despite a honkin' loud page they get stopped by before they can sign up, some people STILL try to send mail to the list. The mailing list then automagically informs them that they done wrong, and where they should have sent mail if they expect me to actually see it. In four years, and perhaps 50 such attempts, only ONE person has followed through and used the correct email address to contact me. (I know about the others because the list goes thru a BBS where the sysop is a good friend, and he forwards the screwups to me.)

Anyway, my point being, I think this is indicative of what would happen if I were to use any sort of two-step process for initial contacts -- I'd lose ~98% of my potential cusomters immediately, since they would NOT follow through.

It's a matter of knowing your market. If you're only interested in hearing from a Select Few [g], and have no reason for your mailbox to be available to the general public, then a two-step spammer-trap makes sense. If you need to be instantly available to all comers, it can kill your business.

Actually, I don't get enough spam to worry about it. In the past 8 hours, I've received 28 emails at my ELN address, of which 8 were spam -- that's about typical. The BBS filters on valid usernames and valid header info, so shotgun and bad-header spam doesn't get thru there (I get maybe 1 or 2 a month).

Re:the Author's version of the article

[mjh]

Well you certainly know your market better than I do.

Out of curiosity, if when they posted something to that read only mailing list, do you think you'd get any better response if the reply came back and said, "Oops, you sent this to the wrong place. You can send it to the right place by just hitting reply, and telling me again what it was you wanted"? (Or perhaps something less costic.)

The TMDA process is really that simple: you need to confirm, to do it, just hit reply. But I don't presume to know your customers. All I can say is that I've yet to encounter someone who couldn't handle it.

And all of that being said, I still think that TMDA (and other similar systems) should be part of the antispam discussion. If only because it might be better for others who have a different market than you.

Re:the Author's version of the article

[Reziac]

Actually the mailing list error thingee is painfully polite... tho what I'd really like to do is whap those folk upside the head with a clue-by-four. The things we put up with for money. :)

But yes, for other markets that don't rely on instant gratification syndrome for contact, systems like TMDA can work just fine. That's the nice thing about having options... we don't have to like or use one another's systems :)

Never (yet) with the legislation

[Xtifr]

Spam is a technical problem, so why can't we come up with a technical solution?

I don't know, why can't "we"? "We"'ve been trying for nearly a decade, and haven't made the slightest dent in the onslaught.

Note that post-delivery filtering ignores the main problem of spam -- the cost to the ISPs and mailhosts, who need bigger pipes and bigger servers to deal with the massive loads of incoming spam. The cost of these pipes and servers is, of course, passed along to us, the customers.

For example, it should be impossible to forge headers

Sure, we'll just design new protocols, get everyone in the world to agree on them, create implementations, debug them, and then deploy them everywhere. That should only take, oh, say, a few more decades!

Why rely on a legal solution ...

Who said anything about relying on it? What's wrong with a multi-pronged attack? Technical solutions have (so far) got us nowhere. Surely it can't hurt (much) to try some other approaches.

Furthermore, spam is not entirely a technical problem. It's also a social problem. Many (possibly most) spammers refuse to admit that what they're doing is wrong. After all (they argue), if it were wrong, surely it would be illegal? So, making it illegal will completely undermine that argument.

the people who have brought us such brilliant solutions as the DMCA

And the people who brought us laws against dueling and slavery and junk faxes. Yeah, not all laws are perfect, and many lawmakers are stupid or corrupt. But to go from that to "we shouldn't have any laws" is just silly.

A new breed of email is on the horizon

[mcrbids]

If we can pull it off.

With Bind 9, we finally have a decent, working implementation of DNSSEC. This will allow for a new breed of secure, verified websites and email, and (Finally!) makes a RBL actually mean something.

How's that you ask?

Well, one of the biggest problems with SPAM is the forged header, open relay issue. It's a complicated issue, and one that doesn't have an obvious, "in your face" kind of answer.

DNS is designed to tell you where to go, and SSL/Certs make sure that you got there. Why aren't they joined together? The fact that you are the DNS server for a domain makes it clear and obvious that you are an authoritative designator for where you are supposed to go - why have this wholy separate and dis-jointed SSL/Cert that can't even be made to work consistently?

If an ISP can issue DNS-SEC certs with impunity, we might actually see a reason to have encrypted and ISP certified email.

And suddenly, the ISP is back in charge again, able to validate every email going out as coming from one of it's customers. Revoke the cert and their email becomes unreadable.

Now, we have an email system with a powerful mechanism built in that is:

1) Standards compliant
2) Easy to implement
3) Clearly laid out
4) Cheap
5) secure
6) private - using the ISP's cert to identify yourself doesn't mean that the ISP can read your email! (like they can now - the command is "mail -u _username_")

What's not to argue with? The issue of locking down an open relay becomes a non-issue - an ISP could simply identify an "s-mail" server (secure mail) that will only relay for those holding a valid cert at that ISP.

Roaming wouldn't be an issue, nor would open relays or forged headers.

A brave new world? Yep. One I'd like to live in? Yep. One that's coming? We can only hope...

Re:A new breed of email is on the horizon

[Panaflex]

So ISP's are now going to be CA's as well? Or will Verisign wrap up the market with authentication DNS servers as well?

Pan

Wha?

[cvanaver]

Why is this in the NYT magazine and not the front page of the NYT. Perhaps /. readers should be emailing (or snailmailing, or faxing) NYT to get this on the front-page. Something that costs ISPs billions(?) of dollars per year would be extremely relevant to the readership of the NYT.

Mod down - troll?

I'm a stereotypist.. if all the previous comments this guy made got a -1 modpoint, why should this one be any brighter?

Re:You don't have to.-Circular registration.

I have no problem with registering. It's when it expires in a short amount of time, and you have to reregister. Lather, rinse, repeat.

Yes, but ...

[A+nonymous+Coward]

That fly by night ISP must get its internet connection from somewhere. And it isn't as easy to set up a fly by night ISP as a fly by night account on an ISP.

I must need education on pobox.com. If they originate the first Received-From: header, isn't that good enough? It's either a valid connection from one of their customers or it isn't. Are you saying that because the Received-From: header is not a valid To: address, the scheme wouldn't work? I am not thinking of the SMTP relay replying to the email, never, only verifying the chain of Received-From: headers and rejecting a relay if the most recent is wrong. I know you can't rely on headers in general, they can all be forged, and you can send mail without any headers, or at least very few. But the Received-From: header check would still fail if the most recent was forged. And all you have to do is reject email if the latest one is forged. Nothing to do with replying. Now if a recipient doesn't like the email, he can always complain to the oldest (or oldest valid) Received-From: header, whether or not that is the riginator or the originator's ISP. And if 1% of the recipeinets do, ISPs will be much mre careful about signing up fly by night accounts.

Re:Yes, but ...

[fmaxwell]

That fly by night ISP must get its internet connection from somewhere.

So what if the fly-by-night ISP in Gangdong-gu, Korea gets their connection from some larger ISP in Gangdong-gu, Korea? It might be easier to tell that without forged headers, but what good would the knowledge do? The spam will keep coming and you'll complain to ISPs that may not read English and probably do not care.

Besides, forged headers have nothing to do with how the average person responds to spam. They would have no idea as to how to interpret headers, forged or not. Those of us who fight the spam problem every day are seldom fooled by forged headers. The only thing we don't have is the throwaway e-mail address of the sender, but that hardly matters. We have the IP address and the time the spam was sent, so that's good enough.

I must need education on pobox.com. If they originate the first Received-From: header, isn't that good enough?

pobox.com does not handle outgoing mail. They only handle incoming mail. If you sign up for their service, you continue to use your ISP's SMTP and POP server, but you list your From: address as the one supplied by pobox.com. When a message comes into pobox.com for you, it is forwarded by them to the address of your choice.

You initially asked:

Why can't SMTP relays reject mail whose most recent Received-From: header does not match the the sender?

Suppose you had a pobox.com account and your ISP was Earthlink. The most recent Received-From line in e-mails sent from you would be some mail server at Earthlink while the sender would be your pobox.com address. Thus the mismatch -- even though the e-mail is perfectly legit.

Another example: When I would send personal e-mail from one of my client sites, they had a firewall configuration that would not let me access outside SMTP servers (but I could access my POP3 server). So I would use their SMTP server for outgoing e-mail even though my return address would be my normal personal e-mail address.

Try Spammunition

[BlackjackGuy]

If you use MS Outlook (we are forced to at work), try out Spammunition. It's a free Bayesian spam filter that's integrated right into Outlook. Works really well. No spam problems any more. This bayesian approach really works.

license agreements

[Erpo]

Well, I just finished perusing the article, and I partially disagree with Gleick. His proposed two-part solution is:

1) Forging Internet headers should be made illegal. The system depends on accurate information about senders and servers and relays; no one needs a right to falsify this information.

2) Unsolicited bulk mail should carry a mandatory tag. That alone would put consumers back in control; all the complex technological challenge of identifying the spam would vanish.

First, I don't think part 1 will really help. Sure, it would be nice if all email contained accurate headers, but I think he's specifically referring to the headers that document the path the email took to reach a victim's inbox. The problem is that, as long as spammers continue to forge headers, they can evade prosecution. It's like saying that bank robbers should not be allowed to wear ski masks while committing the crime. Sure, tellers can still remember the approximate height/weight/build of the robber, and might even be able to get a peek at the getaway car, but such a law would only increase penalties for spammers that are identified and prosecuted, not make indentifying and prosecuting them easier. And that's what part 1 is really for -- identifying and prosecuting spammers who violate part 2.

I don't think that will work either. Of course, I would have supported part 2 at least before I read the article, but Gleick makes some interesting comments with regards to licensing agreements. What about all the people that go to web sites, fill out forms (a la NY Times), and click "I agree" to get access to the content they wanted in the first place? MS uses licensing agreements for critical updates to give them the legal right to access any windows user's machine and delete programs they don't like. There's no reason to believe that web sites (or other entities) wouldn't use "terms of service" agreements to get "permission" from web users to send commercial email.

If part 2 were implemented, all internet users would get (in addition to the forged headers we receive now) would be a bunch of emails without the UCE flag claiming that we signed up to get the email when we clicked "I Agree" at i-dont-remember-visiting-this-site-but-it-could-ha ve-been-a-long-time-ago.com.

Here's another idea:

1. Contact and educate sysadmins who run email servers that are spam-friendly. To qualify as "spam-unfriendly", an email server must add a header to every message passing through with the IP address of the machine from which it received the email. If every mail server were "spam-unfriendly", recipients would be able to positively identify the IP address of a given emal, and the ISP in turn would be able to identify the person who sent the email (if the need were there).

2. Create a double opt-in/opt-out system. That is, in order for one person to legally send a commercial email message to another person, the recipient must have _opted in_ to receive that message. In addition, anyone may _opt out_ of future messages at any time. This would protect those who accidentally opted in to receiving spam by clicking "I Agree" on a web site by letting them undo their mistakes.

Of course, this system would never work. At its core, every system for combating spam is based on making either the act of spamming or employing someone to spam less profitable. This scheme, along with many others, rely upon US law to do this by associating a legal, financial penalty to bothering people with spam. Spammers can evade the system by going off-shore and continuing their business.

One system that I think has a lot of promise is creating a mail client that sends 50KB (or more) of data to every web site mentioned in an email that the user marks as spam. If everyone were to use such a client, spammers would effectively end up DDoSing their own e-commerce site. Performing the act that bothers so many people (sending out batch emails when 99%+ of the target audience is not interested) would be directly and unbreakably bound to suffering a denial of service attack thus preventing the less than 1% of victims who end up responding from being able to make a purchase. In a system like this, spammers have two options:

1. Send "spam" only to those people who they have a good reason to believe would be interested.

2. Give up.

I'll deal with two possible objections right now:

Well, if everybody used a spam filter like spamassassin, spamming would become unprofitable and spammers would stop. Also, ISPs networks wouldn't be taxed by all that extra traffic being sent.

Nope. Spamassassin is good for now, but its fundamental effectiveness relies upon there being detectable differences between spams and legitimate emails. For example, the email:

Hey dude, what's up? How was the boating trip? Hey, I know you've been shopping around for DVD players lately, and I saw a sale on them over at amazon.com. You should check it out -- they have some awesome deals on multi-disc boxes.

could be from a legitimate source. It could also be a spam. If you can't categorize this email, how can you expect a computer to do it?

As for the end effect on ISPs networks, there's not much that could be done about that as far as I can see, since the whole system is based on using all of the bandwidth available to the spammer's (or the spammer's client's) web site, or at least using enough of it to cost them a bundle.

Could malicious users take advantage of this system to lauch DDoS attacks against innocent web sites? In other words, doesn't it provide black hats with 100:1 bandwidth multiplication (1/2KB email results in 50KB directed at the target web site)?

Yes, yes it does. This is the only reason why I think the system, as described, shouldn't be implemented. I've thought of various ways around that (e.g. combining the spam-unfriendly email server concept with this system so that spam-friendly email servers (if there are any in the message path) or the spammers themselves take the beating, or limiting the maximum 'punishment payload' size to the size of the spam to prevent bandwidth multiplication), but none of them have struck be as being The Best Solution yet.

That doesn't mean I'm going to stop chewing on the problem, though. ;)

Re:license agreements

[Nathaniel]

Gleick said:
"2) Unsolicited bulk mail should carry a mandatory tag"

Erpo replied with:
"If part 2 were implemented, all internet users would get (in addition to the forged headers we receive now) would be a bunch of emails without the UCE flag claiming that we signed up to get the email when we clicked "I Agree" at i-dont-remember-visiting-this-site-but-it-could-ha ve-been-a-long-time-ago.com."

The most obvious trait of spam is that it is sent to a great deal of people. This is the detail that we should require be included in the header, so we can filter on it. This is also true of mailing lists, but we'll know which mailing lists we've subscribed to and want to whitelist.

I think the header for part 2 should be "Precedence: bulk", which is already standard. This header should be required when sending out N messages that are substantially similar (to get around just adding a few random characters at the end). N should be set to something like 50. This would allow people to set up simple filters that whitelist the mailing lists they've subscribed to, and discard all other email with the "Precedence: bulk" header.

Someone could be demonstrated to have violated this requirement if N different people complain about a message which is substantially similar. This addresses concerns about a single person claiming that they've received an email which violates the requirement.

Suppose we pass a law that make forging Received or From headers illegal, and makes it illegal to send a message that is substantially similar to 50 or more people, but requires that at least 50 people receiving the message complain to the FCC in order for any prosecution to occur. With such a law in place, it would actually help to have people forward spam to the FCC. They could collect those messages and work to prosecute people who send spam.

People would still be able to forge Received and From headers for testing, as long as they weren't going to annoy so many people that 50 of them sent a complaint to the FCC.

When some ligitimate new mailing list operator forgets to add the "Precedence: bulk" header they can be reminded to configure their listserv correctly, and very few of their subscribers are likely to forward the message to the FCC because it won't be considered spam.

If spammers had to construct substantially different messages for every 49 people they want to reach, they wouldn't be sending nearly as many messages each day.

This is a remarkably simple law that is easy to understand and easy to comply with. It would help provide information that could optionally be used to improve existing filtering, and it provides for a mechanism to assist in prosecution of those who spam without exposing those who admin to liability.

Additionally, this doesn't suffer from some unrealistic precondition like changing the email client everyone uses, or replacing the email infrastructure worldwide.

If you see a downside (other than simply disagreeing about what N should be set to), let me know.

Re:license agreements

[Nathaniel]

Oops, Obviously I should have said 'FTC', not 'FCC'.

what's a bookmarklet?

No, really. It must be an IE thing.

I've been using Mozilla since forever. I also miss popups, and I put a long list of ad sites in the proxy box.

Besides, I'll just Google for the article. I'm not going to give the terrorist loving bastards at the NYT a hit.

Re:what's a bookmarklet?

[Erpo]

No, really. It must be an IE thing.

Actually it's a mozilla thing (IE might support it too). A bookmarklet is a little javascript doodad in bookmark form that sits in your button bar (along with Home in mozilla).

Where spam really comes from

[Cbs228]

Spam isn't a legal problem-- it's a social problem. It is the result uncontrolled avarice, of people wanting to make money at any ethical cost. There will always be these kinds of people who will steal our time (and our bandwidth) regardless of any laws against them. There are also people (Sysadmins of certain Far East networks come to mind) who are willing to look the other way for a few extra dollars.

But most importantly of all, we cannot forget that American consumers are responsible for spam. That's right, spam is OUR fault. It is our fault because no matter how many messages are filtered, and no matter how many websites are closed for spam complaints (or get DDoS'd by rampaging slashdotters), they still make money. They make money because of that infinitesimally small group of consumers who buy stuff from spammers. That small percent is what makes it all worth it to them.

The day that spammers' profit margins drop to nil because consumers refuse to buy from spammers is the day that spam vanishes from our inboxes forever. No laws, no filters, no problems.

Unfortunately, as P.T. Barnum would put it, "There's a sucker born every minute..."

Re:Where spam really comes from

[Fwonkas]

Unfortunately, as P.T. Barnum would put it, "There's a sucker born every minute..."

Exactly. Sure, it's a social problem, but we use laws to deal with social problems all the time, with varying degrees of sucess.

So I agree with pretty much everything you said, but the social problem is apparently unsolvable. And I'll be honest, I don't care how suckers are out there, or whether we're educating them all (we can't), I don't want to deal with spam. So let's get rid of it any way we can: legally, technically and socially. Sure, each solution on it's own will fail, but let's shotgun it. We'll never get rid of it all, but even a 75% reduction will make checking email less of a chore.

"forged" != "changed"

[Fastolfe]

There are many perfectly reasonable reasons why you would want to provide an alternative to the default value for many SMTP headers. It's when you lie and mislead by using values that *other* ISP's use in their own headers that you are said to have "forged" them. Bogus "Received" headers can be considered "forged headers" as well, as they are not added by the MTA per the SMTP specification, they are crafted by hand to make it *look* like they were added by an MTA.

These are forgeries. Providing alternative (but still "correct") values for some SMTP headers are not.

(Technically, instead of mucking with the From header, you might want to consider adding a Reply-To and/or Errors-To header instead.)

Re:NO NO NO - for a different reason

Well, you can already be sued in any place you have a "presance" in, which is interpreted pretty broadly. In other words, just fine the spammers if they're in the US. If they physically leave the country, well, good riddance...

My name's Sangria I have the hots for you!

[tjamme]

Hi John,

I got this from my friend who works at the mall - check this girl, she's hot! ...

Spam is not a technical problem.
It is generated by the most complex processing system known (The Human brain) and obeys to one of the simplest known principle (or absence thereof: greed).

That's a pretty potent combination.
Certainly not one for a machine to match.

No AI based solution will ever be able to reliably block spam, it's like handwriting recognition: I can't even read my own handwriting sometimes!

Spam is a human problem that has two sides:

- Some nutters will stop at nothing to sell you something (expecially if the numbers look good).

- Some idiots will genuinely think a girl called Sangria has the hots for them - type in your credit card here darling.
Don't worry: if you've read that far, then you're probably not that dumb.

Of course the solution is legal.
Here in the UK, I used to receive a fair amount of junk mail. There is however an opt-out list which I subscribed to and all I get is a few of them a year for the guy who used to live here before me.

So, yes, forged headers should be illegal.
And no, an 'Unsollicited mail' one is not a solution:
Why?
Because of this:

"Hi Tee, I am your long lost cousin in Australia - I found your e-mail on your web page, So good to be in touch again..."

A header that says whether or not the email is advertising is a better idea. If the values of this field follow an agreed classification, you could actually filter IN *voluntarily* things you are genuinely interested in.

The inforcement problem about spam will eventually be resolved. Europe is getting bigger and more integrated, the USA are a big chunk too. Now if these two and, say Japan or Taiwan agreed to block any other network that does not adhere to the guidelines, there will be a lot of pressure from inside those banned countries to make them adopt compatible legislation.

Of course it takes guts (something politicians rarely have), technical awareness (ditto) and time (Well fortunately we have plenty of that - it's only our patience that's running out.)

Check this site it's hot: http://www.aptilis.com/

(Sorry couldn't help...)
Teebo.

Will Congress wait until it's too late?

Odd forces have conspired to create paralysis in the government on the matter of spam.

All of the Congressmen now carry BlackBerries.

I hope they won't keep ignoring the problem until some Saddam conspires with major (North? :-/ ) Korean spamhouses, e.g. bulk-"un"subscribing the pagers of U.S. government by "opting out" on their behalf as a reprisal for Operation Desert Spam.

His more recent book

[devphil]

is called Faster, and it should be required reading for everybody on the planet.

Using a domain ...

Sounds like Sneakemail.com, which does have additional benefits.

Better than your own domain name

[antonrojo]

Spamgourmet lets you create disposable email which forward a specific number of emails before disintegrating. And if you get penis enlargement spam at your nytimes.20.yourname@spamgourmet address, you know where it came from.

A problem with random strings

[HWheel]

>> it might be better if the hotmail account
>> name isn't a dictionary word or name (ie.
>> use a random string for an account name that
>> the 'bots won't guess.

Alas, but such a name will be recognized as spam by the spam-spotting-statistical tools and so can only be used to send messages and never used to send a message. For example, buffy0412xxxmeb13mxy@hotmail.com (as Mr. Gleick himself suggests in the NY Times article) is obviously a spammer and is either doomed to be black-holed or deleted by an intended recipient.

Re:A problem with random strings

[cpaluc]

Can't hotmail be set up to use a custom "From" or "reply-to" address? I haven't actually used hotmail for years, i use the above scheme with my ISP's mailbox. The only way the above scheme works is if the _actual_ mailbox name always remains hidden.

Warren Burger

[SteveHeadroom]

Mmm.... Burger....

Technically educated? He founded Pipeline

[yelvington]

"the author, James Gleick, is more technically educated than what we've come to expect from the big press."

Maybe because after many years as a reporter, he founded Pipeline, one of the first big ISPs.

I agree with #1 but not #2

[tacocat]

I think it would be great if you could actually prosecute someone for forging headers. Unfortunately you don't know who that person is, now do you?

But how would you ever determine is something is unsolicited? After all, there are a lot of registration websites that have a tendency to quietly flag you as willing to accept spam from them. If I missed it, does that still make it UCE? If it does, how do I now remove myself from all the lists that I am now on...

Spam has a solution and it doesn't have to be so drastic as to put in this kind of legislation or use whitelist only maling lists. We just haven't figured it out yet.

No Registration Needed

[BCTECH]

No registration needed for this link

http://www.nytimes.com/2003/02/09/magazine/09SPA M. html?ex=1045704785&ei=1&en=2560fd607d65a46 1

Two refinements: sampling and QOS filtering

[hains]

Although a router does not have time to analyze every packet, it could periodically route copies of a few thousand packets to an analyzer machine. This machine could

1. reconstruct messages from the packets
2. look for e-mail messages
3. apply its spam rules to those messages
4. return a few bits of result information to the router.

I think that the router should not use this information to shut anybody off. Rather, it should use this information to reorder its routing priority tables. Thus the router will serve its most spam-free peers first, handling the heavy spam forwarders only when it has time. Eventually consumers will leave ISPs with poor throughput, so ISPs will have a much stronger incentive to track down and terminate their members who spam.

I looked at Spam Assassin.

I wasn't impressed. I can remain spam free by not giving out my e-mail address on websites or public forms. My main e-mail address is given only to those I trust. All others use a spam@... address. Ah, the joys of owning one's own domain.

I stay spam free with little effort.

Now, if Spam Assassin involved ninja and hence, ninja action being carried out on actual spammers, I'd be damned impressed.

Re:I looked at Spam Assassin.

so if you're spam-free, why did you even bother looking?

what software could possibly ever impress you? especially if you have absolutely no need for such software?

would you like to shop for lawn mower tires? NONE OF THOSE ARE VERY IMPRESSIVE EITHER!

What was the e-mail?

[shellac]

So what was the e-mail with a score of 27?

"Hello, I am a Nigerian prince who is selling XXX-brand diet pills that also have the side effect of enlarging your penis. Also if you forward this email to five other people and tell them to each send you a dollar you can make money fast."

*ducks*

Or

[Ace905]

Or you could just have an authentication system implemented systematically as part of the protocol, such as with Spam Interceptor.

IN SOVIET RUSSIA

Spam assassinates YOU

James Gleick? THE James Gleick?

[apropos]

Is that *THE* James Gleick??? We're not worthy, we're not worthy.

He's my freaking personal hero. Mod him up!! (or something).

Re:NO NO NO - for a different reason

Well, you should try SpamAssassin 2.50-cvs with the Bayesian filtering.

I have it configured to use AutoWhiteLists, and I had to tweak the scores assigned to the various bayesian filter rules a bit (they didn't have enough weight by default).

Since then, every single mail I've gotten has been correctly identified as either spam or not spam. It is *amazing* how accurate the bayesian filters are. When no other SA rules identify the mail as spam, you still see that the BAYES_90 rule was activated (90% chance the message is spam).

Just don't forget to use sa-learn-spam and sa-learn-nonspam so that the Bayesian filters are more accurate! Luckily, I haven't deleted a single mail (spam or not) since Nov 2001, so SA had a large base of spam to learn from ;)

My response: hammer the spammers

[NineNine]

Just make a local page on your box, load, and forget for a few days. Email might not cost 'em much, but I'm betting they pay for bandwidth for their web sites. And if the site itself isn't spamming, but somebody promoting it is, you can bet that the actual spammer is gonna hear from the web site operator pretty fast so long as you include the entire url.

For dialup connections:

[html]
[head]
[meta http-equiv="refresh" content="10"]
[/head]
[frameset cols="100%" rows="*" ]
[frame name="main" src="http://www.spampage.com"]
[/frameset]
[/htm l]

For broadband connections:

[html]
[head]
[meta http-equiv="refresh" content="1"]
[/head]
[frameset cols="100%" rows="*" ]
[frame name="main" src="http://www.spampage.com"]
[/frameset]
[/htm l]

Re:My response: hammer the spammers

[MillionthMonkey]

If you're going to do a DoS attack, at least do it right, with an army of infected machines taking orders from you over IRC. Even a script kiddie knows you don't hammer away at someone from your own IP using a browser and an HTML frameset. Being charged as a cyberterrorist for doing something like that would generally be considered extremely lame.

Also, the situation on the other end isn't necessarily what you think it is. The URL often doesn't point to the spammer's own server. Spammers have nothing of any worth to sell themselves, so they approach stupid small businesses like pornographers, credit services, etc. The sales pitch is that the spammer is selling web page hits, not emails, and they only have to pay for actual page loads to their site. So he makes a fraction of a penny off them every time a request hits the server with his URL parameter attached. You should at least remove all URL parameters so that nobody profits from your DOS attack.

Re:My response: hammer the spammers

[NineNine]

The point is not to DOS them. That's bad. Look, this is how it works... Most spammers are spamming a program where they get paid a percentage of whatever sales are of a dick enlarging cream, a credit card, etc. Some spam a website that pays per click. Either way, the sites doing the paying are always being cheated, so they're on the lookout for cheaters. By doing this, it looks like they're using a "hitbot". If affiliate X is suddenly getting 1000 hits a second from the same IP address, the affiliate assumes cheating, the spammer is banned from the program and not paid. Happens all the time. If you'd like to be sure you're hurting the spammer, add a "&MSG=This_is_a_spammer" to the end of the URL. It's not illegal in any way, and the spammer gets hurt where it counts... the pocketbook.

Also, Genius: The Life ... of Richard Feynman

[JordanH]

And, don't forget his excellent biography of Richard Feynman. Probably of interest to many typical /. readers... (hmmm... Check out what he has to say about The Microsoft Monopoly. Also, probably of interest to the typical /. reader.)

Check out where Gleick quotes Feynman on the inherent risk of Shuttle flights. Prescient, that Feynman.

WRONG ANSWER

We dont need rules on *how* to send uncolicited mail - anything that is codified like a header that lets all spam be ignored *will* be ignored by spammers who will continue to cloak their identity and do everything they do today.

Stopping spam at the receiving end doesnt prevent it from using storage space and bandwidth that your ISP has to pay for. The only way that does is by stopping it from being sent - with strictly enforced anti-spam policies which ISP's use to disconnect any services to anyone sending spam.

The ONLY rule we need is DONT SEND UNSOLICITED MAIL, and the only way to enforce it is for ISP's to disconnect all services (connectivity, hosting, dns) to anyone found sending spam. And since so far, many ISP's dont seem willing to take such a hardline, and actually enforce their AUP's (maybe they like the money spammers are willing to pay them, the only way to force them to do so is to force them to choose between their spammers and their non-spamming customers - one good way to do that is SPEWS

The only way to stop spam is to make it so no ISP anywhere is willing to sell service to spammers.

Re:Interesting free speech point - NOT

[schon]

as commercial speech, spam isn't entitled to any particular first amendment protection

It doesn't matter if it's entitled to protection or not - it's theft.

The first amendment guarantees the right to say whatever you want - it does not guarantee the right to an audience, or to force people to pay to hear you. (Both of which apply better to spam than "commercial speech.")

The whole "free speech" argument is a red herring.. spam is as deserving of "free speech" as any other type of harrassment - which is to say NONE.

BrightMail

[NetJunkie]

If you're a company and want a good spam solution check out BrightMail, or someone that resells their service. It's not the cheapest, but it REALLY works. No false positives and no overhead.

BrightMail monitors many, many, email addresses for customers and others that they seed. When an email hits a number of those addresses quickly it is forwarded to their NOC. A person looks at it and decides if it is spam. If it is the message is blocked from all other customers. It works very well.

Spam is not about content, it's about behaviour

[Skapare]

Spam is not about content. Not everyone even agrees what constitutes spam when they are evaluating it based on content, so how can a program or a recipient community do this? What makes mail spam is stuff like sending it unsolicited and in bulk. It won't matter what the content is.

I have signed up with some companies for announcements about their products. While that company may not be spamming, their content could have a lot of the same wording as another company selling similar products, but is sending it to harvested addresses. The latter is spam, but the former is not. How do you tell based on the content?

Tools that evaluate a message based on content are probably going to classify both messages the same way. If they are both classified as spam, then one of them will be "collateral damage". If they are both not classified as spam, then the other will be "leaky pinky". So I still prefer to block spam on the basis of the behaviour of the sender.

Re:NO NO NO - for a different reason

[bigsteve@dstc]

The solution is not legislation, it is the creative use of technology

IMO, the solution is use both legislation and technology. The legislation needs to target people that send spam, and people that cause it to be sent. It needs be broad enough to catch spammers who use off-shore agents to do their dirty work, and companies who get spammers to do their advertising.

The technology needs to be there because no legislation will stop all of the spam. Even if the legislation was universal across all jurisdictions (not plausible), and strictly enforced everywhere (not plausible), there will still be some people who think they can get away with spamming, or who don't think or care about the consequences.

The legislation needs to be part of the solution because technical solutions have an inherent risk of collateral damage; e.g. email being incorrectly labelled as spam. This is not acceptable for some email users. Furthermore, spammers will continue to be a step ahead of anti-spam technology for the forseeable future. IMO, the only hope is a "intelligent" email agent that does a better job than a good (human) personal assistant.

A Dithyramb for Spam

[jason_hutchens]

Paul Ford (http://www.ftrain.com/) suggests "[a]n imperfect alternative to fighting spam which no one will implement, but which would be more satisfying than existing proposals". Basically the idea is for the Spam Filter to reply to each and every spam with a randomly generated fake reply. The full article is at http://ftrain.com/spam_quick_idea.html.

Quick lesson in the OSI theory

[Theatetus]

What are the critical flaws?

One critical flaw is that routers are Layer 3 ("Network") devices while emails are Layer 7 ("Application") data.

The lowest level you could block an email at is Session (and that's being optimistic), which means it has to be done in software.

Routers have a simple job: encapsulate frames into packets, and forward those packets between networks (that's what the "Inter" in "Internet" refers to) to be assembled into segments. The router itself has no idea what the contents of a given message are; that is verified by Session-level software on the sending and receiving hosts.

Imagine it from the router's point of view: all it knows is that this packet is coming from 100.101.102.103 and going to 65.66.67.68, and that it has a few bytes of data -- the rest of the message may well be forwarded by completely different routers.

In summary, the Network layer is an inappropriate level to attempt to detect spam.

The government could help us...

If we had free healthcare in the US, and they paid for penis enlargments...NO MORE BIG PENISES BY MAIL!

also if they lowered the age of consent, no more overpriced pictures of IMPORTED LOLITAS!

and if some states got read of their adultery laws, NO MORE LONELY HORNY WIVES!

and if some other states legalized sodomy, NO MORE SLASHDOT!

MOD PARENT UP!!

this is "Offtopic"??

It's a link to the article without registration ... via the archives (very clever :)

Find out who is buying the garbage and shoot them.

[splorp!]

OK, don't shoot them, but maybe conduct a poll. Find out why they are stupid enough to purchase anything offered through an unsolicited commercial e-mail. Find out if they actually believe that anything purchased through an e-mail will increase their penis/breast size, allow them to lose a ridiculous amount of weight, make an impossible amount of money or get the best mortgage rate around.

And then shoot them. A lot.

A Penny an Email

Here's an essay on a proposal for eliminating spam.

Re:NO NO NO - for a different reason

[DaveAtFraud]

In some ways, making forged e-mail headers illegal is both a technical and legal approach to at least part of the problem. I currently use SpamCop and the Open Relay databse to filter my incoming mail. This combination does a reasonable job of fordcing all incoming e-mail to my server to have an unforged header. That is, the mail must actually be from who it says its from and can't have been sent through an open relay. SpamCop does a fairly good job of weeding out the spam that still meets these requirements. Making forged headers illegal would allow every U.S. ISP to do the same without someone saying that not being able to send spam with forged headers violates their right to spam. This setup traps and rejects a spam or two (on average) every day for me.

The only problem is, this is done at my expense (sendmail is so much fun and so intuitive to administer) and at the expense of the people who maintain the SpamCop and ORDB databases. Also, I still get the random loser who gets a list of e-mail addresses and fires off a Nigerian money scam e-mail to me from time to time. Nothing will stop idiots from believing that they can get rich quick from something like this including requiring unforged e-mail addresses. My solution to these is to just forward the e-mail to SpamCop and note in my "personal attachment" that the person sending the e-mail should be prosecuted for fraud and that the originating ISP should also be prosecuted if they don't do enough to stop the problem.

Re:You don't have to.-Circular registration.

Strange -- I've had the same NYT login since 1994.

CGI Scripts Forge Headers

[FireBreathingDog]

I've written several CGI scripts--most recently today--that would technically be in violation of a ban on forged headers.

In the script I was working on today, users are able to RSVP themselves and friends to an event. The friends then receive an e-mail that appears to be coming from the person who used the script.

This is necessary, because if the e-mail had come from the domain of the person whose site contained the script, either (1) the recipients might not recognize the address and they'd ignore the invitation without reading it, or (2) it would get flagged as spam by some program.

If there's some kind of draconian, DCMA-type law against headers, then simple CGI scripts will land all sorts of people like me in prison. So, if they're going to pass a law, they'd damn well better do it sensibly...or better yet, don't do it at all, because it could never be enforced anyway.

Re:CGI Scripts Forge Headers

[MrLint]

well yes it woudlhave to be actually draconian. i dont think that 'forging'headers for non UCE is going to be a problem.

I was not clear

[A+nonymous+Coward]

When I said

Why can't SMTP relays reject mail whose most recent Received-From: header does not match the the sender?

My bad ... I meant the Received: header, and my experience has been that the server which adds this header includes the IP addresses of both itself and who sent it. Thus an SMTP server could verify this header when receiving a message. If an SMTP server receives a connection from 1.2.3.4 with a message whose Received: header says 5.6.7.8, then the server would reject the message, possibly logging a non-compliant server.

Re:I was not clear

[fmaxwell]

If an SMTP server receives a connection from 1.2.3.4 with a message whose Received: header says 5.6.7.8, then the server would reject the message, possibly logging a non-compliant server.

Let's disect an example Received: header:

Received: from smtp-server.cox.rr.com ([24.163.111.127]) by Mail6.mgfairfax.rr.com with Microsoft SMTPSVC(5.5.1877.537.53);
Sun, 31 Dec 2000 09:13:39 -0500

The server name smtp-server.cox.rr.com is supplied by the server that sends the message. It does so in the HELO/EHLO portion of the SMTP protocol exchange:

HELO smtp-server.cox.rr.com

The IP address ([24.163.111.127]) is the actual IP address that delivered the message to the server that wrote the Received: header. In this case, the server that wrote the header was Mail6.mgfairfax.rr.com.

So, do we have a match? The only way to tell is to do a DNS lookup on the address and see if the name matches what the server said its name was.

But that's where things can get ugly. There may be no DNS entry for the server. So a lookup on the IP address results in no name found. There are simple configuration issues where the SMTP server is configured to use a different name than what is shown by DNS. For example, suppose that an ISP had 20 mail servers with names of smtp1.isp.com through smtp20.isp.com. The servers might all be configured to report their identity as smtp.isp.com. The ISP might do this to hide the number of servers that they run or just as a convenience so that all servers are configured the same.

So, was the message from a spammer? Nope. It was a listserver at CNET which sent it to my bigfoot.com address which forwarded it to an e-mail address at my ISP. You will note that the topmost Received: header says nothing about CNET or bigfoot. Why? Because it is showing a relay within my ISP where the mail is transferred from a national server to a local one.

Besides, most spam is sent with no forged Received: headers. So it does little good to look for forgeries there. Sorry. I wish you had a winner there, but I am afraid that you don't.

Is this a forged header?

I host a few web sites for friends on my servers residing on my dsl line. I'm learning how to properly run a mail server right now, and am going to be going live with it fairly soon. The mail server will receive email for the web sites, which are in the same ip block, adjacent ip addresses. Some of my friends know how to set up their mail clients to download the email from my server (imap), and some won't know the first thing about it, as they use aol for their internet connectivity.

In both situations, using www.PieceOfMetal.com as one example, and www.WindowBreakersAndInstallers.com as the second example, their customers will be sending them email, to sales@pieceofmetal.com and sales@windowbreakersandinstallers.com. My friends will be downloading to their a)mail clients, or b) their aol account.

Still with me?

Now taking the aol user (window guy) as the first example, he doesn't want anyone to know that he is obviously stunted in the brain for using aol. So when responding to his customer inquiries via email, he doesn't use his aol account as his return address, he uses his sales@windowbreakersandinstallers.com return email address in emails that he replies to.

Is the above action considered a forged email? Would this fall under the jurisdiction of and in violation of any laws already passed regarding "forged"?

If he takes it a step further, and takes out all references to aol in the header, and replaces it with his sales@windowbreakersandinstallers.com email address, an email address which works, and which identifies him, and with this procedure not being used to send anything unsolicited, is this considered "forged"?

I actually used to do the first example above myself some years ago (about 5 or 6 years ago) because I had a working web site that received a lot of traffic, but I couldn't figure out how to get the damn aol info out of the headers. I was able to use the web site email address as a return address though. The web site was hosted at a hosting provider, and with my limited experience at that time, it's what I knew how to do. I was also stuck with the aol account, and didn't have the bucks for a different isp. That was around the time when a pokey ass pentium 1 cost around $2500 (with what was it, 4 mb ram?), and you had to mortgage the house for a couple hundred hours of compuserve.

Overclocking? Back then, the hot shit was the chips that could double/triple a processor, taking a 486/25 to a 486/50, and a 486/33 to a 486/dx100
Now that was overclocking!

Re:NO NO NO - for a different reason

[nehril]

The solution is not legislation, it is the creative use of technology. Build software that "learns" what is spam and what isn't, then evolves to keep up with the changing tactics of the spammers.

sure. then the spammers evolve to beat your antispam. then you evolve more, and defeat their anti-anti-spam. after a few cycles, you need a Beowulf cluster to run all the rules and an AI to filter the remains and untag false positives. Then, since spammers are *making money*, they buy TWO beowulf clusters and THREE AIs to beat you...

then, while you are speccing out a new beowulf cluster of beowulf clusters, you realize that you will always lose, because the spammers are making money. In fact, you have already lost, because they are making you spend money too.

what can we do to end this anarchic "whoever has the biggest guns makes the rules" condition? If only we could organize our society, and make rules to improve our lives so we are not at the mercy of the unscrupulous....

sometimes government DOES need to step in and set limits on massively unwanted behavior.

Re:NO NO NO - for a different reason

[Jetson]

Build software that "learns" what is spam and what isn't

Better idea: ditch SMTP/POP protocols in favour of new systems which makes spam advertising less cost-effective. For example, instead of forwarding all email to recipient, how about a protocol that stores the message on the sender's box and forwards only a "you've got mail" header? Spammers would then have to store billions of messages on their own systems or use up CPU resources to create on-the-fly content. Best of all, the sender's address could never be forged or else the recipient wouldn't be able to receive the content.

Off-topic: Motley fool spamming

[edxwelch]

I have being using an e-mail address for months without recieving a single unsolicitated e-mail, until I signed up for the Motley fool and I get a advertisement for a printer which has no reply address. Any one have similar problems with dealing with Motley fool?

Re:Off-topic: Motley fool spamming

I'm getting about 10 Norton Systemworks emails a day in an aol account. Is Symantec going out of business? Or coming up with a new release and they need to unload old stock or faulty product? I must have deleted several hundred of the Norton systemcrap emails already.

Hey Symantec, it'll be a cold day in hell before I buy anything you sell. It's the resellers? Still your product shitheads.

Impractical, but there's another way

[Clovert+Agent]

The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited

Assuming that'll never happen ('illegal' never stopped a spammer, and they'd never comply with a suicide-tag), an easier way would surely be to provide header analysis in email clients, or mail servers, or both.

If I (as a user or mail server admin) could detect (a la Spamcop) forged or rewritten headers and discard/bounce those messages as fake, most of the immediate problem is addressed. Why don't mail clients/servers offer this out of the box?

That step achieved, those messages from non-forged addresses can be filtered and, if spam, automatically actioned with the source ISP - that should be the role of anti-spam software, IMHO.

Sneakemail

[tweakt]

See Also: SneakeMail

Why not try a keyword filter ?

[tomatobasil]

This ought to be something an individual user could set up without much work : just delete all email that does not contain a keyword from a list of keywords. So work related email must contain the name of the 'fizzy-pop' project, mail from friends contains some other keyword, perhaps their name. Everything else gets sent back to the sender with an explanation. This would make it just about impossible for a person unknown to you to send you any email at all.

Ugh... Too true, too true...

[Andy+Dodd]

At the college I graduated from (And a number of others, I know Columbia University uses a similar system), you are assigned a netID. Your netID consists of your initials and then a number. (For example, mine was atd7. If you have a common set of initials, the number can be in the 50s or higher.)

Needless to say, the address namespace at school has in the past year or two been the victim of brute-force dictionary-based attacks on our namespace.

The moment one of these emails doesn't bounce, BOOM. Your email is valid and the spam starts rolling in.

No one is prepared to do what it REALLY takes

[mnemotronic]

To stop spam will require doing things which are illegal in every country and repugnant to anyone with a conscience. The penalty for sending spam must become so horrifying (for the spammer, personally) that he or she just wouldn't dare. "Civilized" western societies are incapable of this kind of retribution, prefering to play with legislation or technical non-solutions, so we drown in spam, laws against it, and expensive solutions which claim to, but don't, eliminate it.

sting operations

[Erpo]

Suppose we pass a law that make forging Received or From headers illegal, and makes it illegal to send a message that is substantially similar to 50 or more people, but requires that at least 50 people receiving the message complain to the FCC in order for any prosecution to occur. With such a law in place, it would actually help to have people forward spam to the FCC. They could collect those messages and work to prosecute people who send spam.

I like the idea, but I don't think this method would work. Law enforcement would have to trust spammers to not munge the headers in order to give investigators the ability to track down and prosecute violators.

Your post gave me another idea, though. What if, in addition to legally mandating bulk mail tags and correct headers, the government were to set up 'spam sting' operations. The idea would be to advertise the presence of an unprotected open relay hosted at a (financially compensated) university or business. All spam sent through that server would be checked for compliance with spam laws, and offenders would be prosecuted.

The idea would be to make illegal spamming not impossible, but so risky as to not be worth trying (because spammers would not know which servers were sting traps and which were merely poorly-administrated). Of course, this would only curb annoying spam sent from within the jurisdiction of the government implementing the spam laws/stings, but it's a mostly harmless step in the right direction.

Re:sting operations

[Nathaniel]

"I like the idea, but I don't think this method would work. Law enforcement would have to trust spammers to not munge the headers in order to give investigators the ability to track down and prosecute violators."

It would help, in that the behaviour would now be clearly illegal, and there would now be a risk involved, so spammers would need to choose to either comply with the law or take special efforts to be sure they got all the forging details right and hid their tracks, which would be quite difficult if people wanted to set up traps.

Why has the author not been moded up to a

The original article is owed that.