Ask ISP Owner Barry Shein About the Spam Wars
Spam sucks. But it's worse for ISPs than for the rest of us, because they get bounces and complaints and other behind-the-scenes spam-caused messes the rest of us don't see. AOL talks of spam as "public enemy number one." Barry Shein, who started (and still runs) the world's first full-service dialup ISP, likens spammers to organized criminals, and calls spam "an organized, vicious, sociopathic thing" in this article, which spurred an interesting Slashdot discussion. So what should we do about spam? Ask Barry. One question per post, please. We'll post his answers to 10 of the highest-moderated questions sometime in the next week or so.
What is your e-mail address? I promise I will not sell it to third parties.
One of the greatest problems with spam-prevention techniques has to do with collateral damage. Can you see any solution to spam that either prevents or minimizes the damage to innocent bystanders, such as other users of a spammer's ISP?
I can't say that I don't give a fuck. I've just run out of fuck to give.
Tried it? Like it? Have problems with it?
I use Popfile at home. It seems like the perfect answer to spam. What's your take on Popfile and other Bayesian filtering methods?
What is the best way to discourage spammers from spamming? (Aside from Dave Barry's idea of a hunting season and selling tags)
If you could meet a spammer, what would you say? What would you do? What caliber would you use? Would you want someone to do it for you? Is $10,000 a head too much?
I would just have a blanket, three strikes you are out policy. If someone complains about the content of your email three times, no matter the circumstances, you are outta there.
As an ISP, you shouldn't have to be the front line of defense for some of the people who want to use your networks to deluge the email boxes of the world with their emails about penis growth, diets and discount shoes.
Craenor
Would you like to consolidate your student loans while watching my 18 year old roommate take a shower, and then purchase some long distance phone cards?
I think spam will be part of our lives, just like pollution, and nuclear waste. How can we learn to effectively ignore spam?
Consensus is good, but informed dictatorship is better
I bet they would think twice about selling me that toner for my printer then
Obviously the best step towards eliminating spam would be to make it a crime or easily punishable, but the nature of SMTP makes accurately tracking down the responsible spammer difficult at best and oftentimes impossible.
What kind of changes would you make to the way email is handled to facilitate the elimination of spam?
Do you think that we can fight spam efficiently by still relying on the outdated SMTP for mail delivery?
What do you think should enhance/replace it?
have you been defaced today?
I found the bit in the article about the distributed attacks interesting. I wonder how widespread the tactic is among spammers? - The cracking of machines to use for sending spam mail...
Who would I contact in the event my penis has not grown 9 inches after using these pills for 3 weeks?
Do you have any thoughts on these laws? I know that, as a non-lawyer, you probably can't do much for the actual wording, but what content would you have if it were totally up to you?
I can't say that I don't give a fuck. I've just run out of fuck to give.
What would be your actual dollar cost of spam, if you didn't spend much time and effort fighting it?
Let me explain...
I sometimes hear that spam has significant costs in bandwidth and storage but I don't believe it. As far as I can tell, SMTP traffic is at most 2-5% of net traffic. And a quick calculation shows that an ISP's costs for storing its users' spam are fractions of pennies on the dollar. (*)
You've likened spam to a DDoS attack on your mail servers. Stories about being flooded with traffic sound impressive but computers are so fast now, it's hard to put anecdotes into context. So I'm looking for dollar amounts. For a customers paying b dollars per unit time, an ISP like yours has to spend c dollars per unit time on servers that can handle those customers' incoming SMTP traffic. If this is significant, I'm looking for c over a times b :)
Obviously admins to run the servers are an important cost. But for purposes of this question, suppose you wanted to do the bare minimum. Say you set up the SMTP servers to use just a few of the less-intrusive DNSBL lists, like sbl.spamhaus, relays.ordb, or list.dsbl, and then ignored them as much as possible.
The next most common argument I hear is that customers will abandon ISPs that don't fight spam. But every ISP has the same problem, so this is really a competitive advantage issue except for the small percentage of users who are actually driven off the internet by spam.
Then there's outgoing spam but I don't imagine that's too hard to recognize and stop quickly.
Let me know what I'm missing...
(*) Thumbnail calculations of spam storage follow. Let's say J. Average ISP Customer gets 20 spams a day at 10K each, and deletes them only every 30 days. That's an average of 20*10K*15 = 3 MB of storage. If the ISP replaces hard drives every two years on average and its total storage costs are ten times the actual medium costs (for labor, backup, redundancy, downtime), then at today's hard drive prices, that spam storage will cost the ISP 0.003 * 10 / 2 dollars, or about a penny and a half. Over that same year, J. Customer pays the ISP $100+.
Thank you for participating
One of the few measures that can be taken against spam is the use of blacklists (for instance via DNS). There are a lot of pros and cons for the use of DNSBLs. How do you feel about these? Should DNSBLs be governmentally regulated? Do you use any DNSBL? Should an ISP enforce certain RBLs (let's say, of open relays) on its customers?
I'm not a complete idiot... Some parts are missing.
Do you think that a technological solution, whilst imposing to everyone else the, well, the technological solution, is better than a law, against the spammers, like, putting them into jail, or like?
From the article:
"The spammers are calling the shots, the spammers are in charge of my time, and they are in charge of the Internet."
In charge of the internet? Give me a break... Spam is definitely a problem, but spammers are _not_ running the show.
My guess is that the guy hasn't properly upgraded his mail servers (with more CPU power, memory, disk space, etc.) over the past few years and is currently suffering from e-mail overload (and blaming it on the spammers)...
If I was the president of the company that makes Viagra I'd be nervous.
What steps have you taken to prevent spam from entering your ISP's email system? Do you recommend any kind of spam filtering software to your customers that implements Bayesian filtering? If not, why?
Is it time to apply the computer-cracking laws to circumvention of anti-spam filters? After all, the two are identical in effect (break into somebody else's system without permission, and indeed against an express prohibition).
/. If the government wants us to respect the law, it should set a better example.
Do ISPs have the tools they need to prevent outgoing SPAM from their own customers? I look at Sendmail and don't see anything that would allow you to throttle mail volume, check outbound messages for SPAM, restrict new customers etc. There isn't even anything built in that would warn you about a customer sending a million messages. It would seem that a few tools like that would be a big help to an ISP too small to develop its own.
It brings up a screen saying "user has 1 program running. Did you know that running too many programs can slow down your computer?"
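The outbound-volume check the comment above asks for, sketched as an added example (not part of the original thread and not a Sendmail feature): a per-customer sliding-window counter that warns at one threshold, defers at a higher one, and applies tighter limits to new accounts. The log format, account names and all thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # sliding window length (assumed)
WARN_RCPTS = 200              # alert the abuse desk above this (assumed)
DEFER_RCPTS = 500             # temp-fail further mail above this (assumed)
NEW_ACCOUNT_FACTOR = 0.25     # new customers get a quarter of each limit (assumed)


class OutboundMonitor:
    """Tracks recipients per customer account over a sliding window."""

    def __init__(self, new_accounts=()):
        self.new_accounts = set(new_accounts)
        self.events = defaultdict(deque)   # account -> deque of (time, nrcpt)
        self.totals = defaultdict(int)     # account -> recipients inside window

    def _limits(self, account):
        factor = NEW_ACCOUNT_FACTOR if account in self.new_accounts else 1.0
        return WARN_RCPTS * factor, DEFER_RCPTS * factor

    def observe(self, when, account, nrcpt):
        """Return 'accept', 'warn' or 'defer' for one submitted message."""
        q = self.events[account]
        # Expire entries that have slid out of the window.
        while q and when - q[0][0] >= WINDOW:
            _, old = q.popleft()
            self.totals[account] -= old
        warn, defer = self._limits(account)
        projected = self.totals[account] + nrcpt
        if projected > defer:
            # Deferred mail is not counted, so the sender recovers
            # once the window drains.
            return "defer"
        q.append((when, nrcpt))
        self.totals[account] = projected
        return "warn" if projected > warn else "accept"


def parse_line(line):
    """Parse '<ISO time> acct=<name> nrcpt=<n>' (constructed format)."""
    stamp, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(stamp), kv["acct"], int(kv["nrcpt"])


def run(log_text, new_accounts=()):
    """Feed a log through the monitor; return [(account, nrcpt, decision)]."""
    mon = OutboundMonitor(new_accounts)
    out = []
    for line in log_text.strip().splitlines():
        when, acct, n = parse_line(line)
        out.append((acct, n, mon.observe(when, acct, n)))
    return out


# Constructed sample records, not real traffic.
SAMPLE_LOG = """
2003-02-20T09:00:00 acct=alice nrcpt=3
2003-02-20T09:01:00 acct=bulk7 nrcpt=150
2003-02-20T09:02:00 acct=bulk7 nrcpt=150
2003-02-20T09:03:00 acct=bulk7 nrcpt=150
2003-02-20T09:04:00 acct=bulk7 nrcpt=150
2003-02-20T09:05:00 acct=newbie nrcpt=40
2003-02-20T09:06:00 acct=newbie nrcpt=40
2003-02-20T09:07:00 acct=newbie nrcpt=60
2003-02-20T10:05:00 acct=bulk7 nrcpt=150
"""

if __name__ == "__main__":
    for acct, n, decision in run(SAMPLE_LOG, new_accounts={"newbie"}):
        print(f"{acct:8} nrcpt={n:<4} {decision}")
```

Counting recipients rather than messages matters here: one message with hundreds of recipients costs the sender a single submission.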
I certainly am tired of deleting the penis enlargement and Nigerian bank deposit e-mails, but where is the balance and how do we attain it, if ever?
Even if it's three strikes and you're out, I could find 3 addresses to complain about someone that I don't like for other reasons.
Then it becomes the ISP's responsibility to investigate, otherwise they could face legal liability for cutting off someone's account wrongly.
ISPs are in the best position to pursue spammers and demonstrate to courts the financial burden of dealing with spam.
With very few exceptions, we don't hear about ISPs taking spammers to court. What's up with that?
I am currently using a permission based solution to block spam, called Choicemail. It works great since I know that there are no filters trying to guess what is spam and what is not. People on my white list get in, people who aren't get sent a message asking them to identify themselves.
The only drawback is that some people may possibly feel slighted that they are forced to go through such a process. But so far no one has complained. In fact, most people seem to be intrigued by the concept. If this type of spam blocking catches on, people will begin to expect it. Sort of like having to knock on someone's door before entering their house. It is a custom so pervasive, we feel strange just walking into someone's home, even a friend's, without first knocking.
Sorry for the length of this post, and now to the question: How do you feel about this type of spam blocking?
(Disclaimer: of course, this is said firmly tongue in cheek, I don't approve or condone physical violence against spammers, etc. etc. yadda yadda yadda)... =)
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
"Shein estimates that about 30 percent of staff expenses at his 20-person company is now spent either putting in spam filters, or talking to customers on the phone about spam, or about false positives -- legitimate e-mail that gets erroneously tagged as spam and blocked."
If this were true and a third of staff expenses were due to spam, either all ISPs would be going out of business or basic dialup would cost $50 a month. That or in all the years he's run his ISP he hasn't hired a decent sysadmin who has a clue about setting up spam filters.
really, i think we'll see an end to spam when it is no longer an effective means of marketing. as long as it is working, we can expect to see spam. so, isn't the responsibility on us users?
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
Why hasn't any large ISP or enterprise seriously considered whitelisting mail? The traditional blacklist idea -- when I see spammers I'll no longer accept their mail -- is so easily overcome that many spammers don't even wait one generation to change addresses. Instead, bounce all mail you don't recognize, with a note to the sender on how to inform the system that you are a real user. Nearly all spammers lose their incoming account immediately, so this seems the natural choice. There's some more detail on this method at the TMDA project.
who will be up against the wall first?
A) Spammers
B) the IRS
C) Lawyers
D) Microsoft Lawyers
Nobody ever said Government was perfect (and I defy you to find an institution that is), but dammit, it's the only thing we have to bring order and law to a world of chaos. The anti-government, anti-regulation libertarian rhetoric that has captured the popular mind in the last couple of decades has got to come to an end before the spam problem will be solved.
Work is dumb and so is Jobless Jimmy. (http://www.joblessjimmy.com)
As far as I know, most spam originates from a relatively small number of smtp servers which are open for posting without identification. Were there ever efforts of blacklisting these servers and denying to accept mail from them, and if yes, with which results?
Or alternatively blocking whole ip-ranges of ISPs which deny to cooperate on this issue?
Unless either government regulations occur or ISPs enter a strong mutual agreement over spam restriction, I forecast that in a few years nobody will have open mailboxes. If you want to exchange email with someone, you exchange addresses then configure your mail program to accept them.
That the efforts of spammers are secretly funded by a covert group known only as the "USPS" in an effort to render the e-mail a useless form of communication and force people to resort to slower, antiquated pay models for sending information. Have you heard this rumor?
Sigs are bad for your health.
You're not funny.
Do you think that there will ever be a long-lasting technological solution (e.g. Bayesian filtering systems) to spam or do you feel that any technological counter measure will be circumvented fairly rapidly?
FREE 30 day supply of HGH 1000: Look Younger and Lose Weight in 3 Weeks!!!!
Visit Our Site
As seen on NBC, CBS, CNN, and Oprah! The health discovery
that actually reverses aging while burning fat, without
dieting or exercise! This proven discovery has been reported
on by the New England Journal of Medicine. Forget aging and
dieting forever! And it's Guaranteed!
Change your life forever!
100% GUARANTEED
Piss On Our Site
That was classic intercourse!
I was just thinking about this... what if there was a national "do no email" list? I'm just wondering if something like that would be effective.
All spammers would have to (by law) query the "national do-no-email" database before sending out their crap.
I'm just wondering if something like that would be an effective way to cut down on the noise out there?
sad robot making broken music
Sorry, if someone emails me, asks a question, and I reply, there's no reason in the world I should have to jump through any hoops (get on their "whitelist") so they can get my reply. I refuse to do it.
Whitelists are not just a way to get rid of spam; they're a hell of a great way to annoy people who are already busy enough.
My 2.
Do you think new laws that allow ISPs and end-users to collect damages from spammers on a per-message basis can be effective tools to reduce spam?
WARNING: there is a trojan on your
Ah, here is the reference. Diplomat shot dead in Prague
Much has been made of the problems of blacklisting. Do you see whitelisting as a viable alternative, and (if so) what form do you think that it will take?
For one, I would like to see more people actively making the distinction between unsolicited "spam", and legal (albeit questionable) "direct email marketing". I say this because I work for a marketing company that does some email advertising, and I've also worked in the abuse department at a local ISP so I've seen both sides. The difference being that the spam mentioned in the article comes largely from unsecure, hijacked mail servers. Not to say that spam is the fault of some system administrator who didn't properly configure their SMTP server, but a lot could be done right there to slow down the constant barrage of penis enlargement offers. Oh, and the company I work for DOES in fact honor the opt-out links in all our ads. If you don't want to receive email from us, you won't. Unfortunately, if one of us has you on our list, 100 others do already.... Again, I just want to see people differentiate between illegal, unethical mail server hijacking, and more legal methods. A solution to stopping one type won't necessarily work to stop the other.
So what should we do about spam? Ask Barry.
Kill them. Seriously, knee cap them and let them die from the blood loss, and maybe arrange for enough telemarketers to flood their house with calls that they can't possibly get an open line to 911.
It sounds like he's let his life get consumed by spam. Spam is a huge problem but it's also pretty obvious he's gone into obsession mode and isn't sounding rational anymore.
He may also just really not know what he's doing with regard to spam filtering. I know other ISPs have had spam problems in the past but with the new spam filters that are out there it's gotten a lot more manageable.
Either way I pity someone who does nothing day after day but fight spam. That's no way to live.
If you wanna get rich, you know that payback is a bitch
...are being developed and/or deployed by ISPs to combat spam?
I always thought that a good way to combat this plague would be to allow a user to review a message, mark it as spam, then send a "user does not exist" message back to the originating account through the user's mail server. (Sort of like a "telezapper" for email.)
While this would not work to stop all spam, it would significantly cull the spammers' ability to maintain a quality list of active email addresses. Selling known active email addresses is a big part of unsolicited emailers' revenue, so this tactic could well hurt them in the wallet, where it counts.
In hindsight, if you could start afresh and redesign the protocols and software on which email is based, and influence any relevant ISP policies & user education, how would you do things differently to deal with the problem of SPAM?? And, of these areas, which is the weakest link in the spam-war?! Not part of the question: Why don't all webmasters add SpamBot traps to their websites....?
Vacancy for signature. Apply within.
FREE 30 day supply of HGH 1000: Look Younger and Lose Weight in 3 Weeks!!!!
Visit Our Site
As seen on NBC, CBS, CNN, and Oprah! The health discovery
that actually reverses aging while burning fat, without
dieting or exercise! This proven discovery has been reported
on by the New England Journal of Medicine. Forget aging and
dieting forever! And it's Guaranteed!
Change your life forever!
100% GUARANTEED
Marmite Our Site
That was classic intercourse!
Neither is Steeve Coogan.
Many posts talk about proposed changes to society, government, and technology to lessen the spam problem. However, an ISP has more insight into the problem than many others, and I thought I'd ask a question to tap that insight:
Given today's society, technology and infrastructure, what can an individual do that would be effective in reducing not only the personal strain of spam, but also lessen an ISP's burden?
What kind of strategies have you seen work? For instance, in particularly bad instances I'm prone to send an e-mail to spam@isp.net, abuse@isp.net, or admin@isp.net, but usually never even get a response. Is there a better thing to do? Are there things that are absolutely the wrong thing to do (such as replying to a spam)?
In short, what would you like to see users do in response to spam today?
I am disrespectful to dirt! Can you see that I am serious?!
With bayesian filters strongly suggesting per-user preferences and smtp having a less-than-optimal way of dealing with such, do you see a future protocol emerging to replace smtp that would be less spam-friendly?
I know qmtp was proposed some time back, but that one's actually more spam-friendly (as it LOWERS smtp's latency).
Such a SUMTP (Spam-Unfriendly-Mail-Transfer Protocol) would probably clarify some headers like how to encode pgp/s/mime keys and such ideas as the habeas swe headers in a less easy to prge manner...
Perhaps even supplying key-signed headers? So forged headers could be trivial to trace? What do you think of such an idea, or any ideas to use technology, on a server-wide base, to reduce spam or otherwise make it harder to send spam, without limiting the individual user's freedom ?
"Want a BIG Penis?"
Experience the results you've always wanted
with a MASSIVE scientific breakthrough:
Our Doctor-Approved Pill Will Actually Expand, Lengthen
And Enlarge Your Penis. 100% GUARANTEED!
Best of all...
There Are NO Agonizing Hanging Weights, NO Tough Exercises,
NO Painful And Hard-To-Use Pumps, And There Is NO Dangerous Surgery Involved.
WE GUARANTEE GENUINE LASTING RESULTS! VIG-RX PILLS WILL
WORK FOR YOU 100%, OR YOU GET 100% OF YOUR MONEY BACK!
BIG PENIS HERE
NO MORE EMAIL HERE
What legal pursuits do you feel would be appropriate to deal with spammers? What penalties? Prison time? Just fines? Given that some spammers make large sums of money from their spamming activities, what scale of fines would be appropriate?
Carpe Diem
Sure it'd be a short term hit on the number of hosts you could exchange mail from, but eventually I think anyone who wanted to talk to anyone would have to get on.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
ISPs have tried to rely on 'common carrier' defenses in the past. However, if they start blocking SOME email, can they be held liable for mail that they DON'T block?
And can you selectively give up common carrier status? If you block some email but host anyone's web page, for instance, can you be sued successfully for objectionable content on those web pages?
Standard Disclaimer: I disclaim everything, even this disclaimer.
SPAM solution made easy: 1 spammer, 5 cords of rope, 5 horses, and fireworks. Be creative.
My company is small and we do not do any international business, or very little... I want to block anything that comes from outside the US, as all my spam seems to come from asia, nigeria, and eastern europe.
Is there any way to do this?
What is the most evil thing you have seen, so far?
Reply-to impersonation?
Embedded hypertext identifiers?
I'm sure it's much worse than that.
What would you do to stop that evilest of evil practises?
In the fight against spam, do the commercially available products & services provide real value, or do you find that freely available solutions do as good (or almost as good) a job? As a followup, it would be interesting to hear about a particular product or technique that worked well for your situation, and one that flopped.
Stop by my site where I write about ERP systems & more
What is the best part of being The President of The World?
In the past many heavy spammers that were uncovered have been subscribed to everything possible via snail mail, loading their mailbox. Do you promote "getting back at" spammers in any way possible?
The simplest way is to charge to send email, 10p (or cents) per email. No great hardship if you can afford to run a computer. Payable in advance and your account is decremented as it is sent.
One million emails, of course you can send them sir - once you have paid the $10,000 fee upfront.
That would knock it dead!
How do you protect those companies who are using legal means of targeted email marketing? I see many people who believe that they are receiving spam when they have either knowingly or unknowingly opted into these lists, which makes it perfectly legal. However, these people report them to their ISP and these companies get blacklisted unfairly. For many companies this is their bread and butter, and although what they are doing is completely legal and legit they suffer because of spammers. My idea was to have an Internet Direct Marketing Agency. With this agency direct email marketers must register and have an "Internet Advertiser's ID". This ID would be paid for on a yearly basis and based upon the advertiser's volume. The fees would be split among the ISPs who had mail sent through their network, to pay for this excess bandwidth usage (a per transaction tax, essentially). Additionally, an email proxy would check incoming "spam" for that ID and if it did not check and match to the email server's IP it would be tossed as spam.... make sense?
I used to be a MS fan but then I was brainwashed. Now I see the Light. Mac OS X pwns u.
There have been several stories on Slashdot regarding ``hashcash''. Would adding some kind of 'cost' (e.g., computational) to email be a possible solution? Would you be willing to try it out?
More references on the idea:
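What a computational "cost" on email looks like in practice, as an added example that is not part of the original post: a hashcash-style stamp the sender must search for and the receiver checks with a single hash. The field layout is simplified and is not the exact hashcash stamp format; the address, date and 12-bit difficulty are constructed values.

```python
import hashlib
from itertools import count


def leading_zero_bits(digest):
    """Number of zero bits at the front of a digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits


def stamp_bits(stamp):
    """Work actually present in a stamp: leading zero bits of its SHA-1."""
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest())


def mint(recipient, date, bits):
    """Sender side: search for a counter (about 2**bits hashes on average).

    Returns (stamp, number of hashes tried).
    """
    for counter in count():
        stamp = f"{bits}:{date}:{recipient}:{counter:x}"
        if stamp_bits(stamp) >= bits:
            return stamp, counter + 1


def verify(stamp, recipient, valid_dates, min_bits, seen):
    """Receiver side: one hash plus bookkeeping. Returns (ok, reason)."""
    try:
        claimed, date, resource, _counter = stamp.split(":")
        claimed = int(claimed)
    except ValueError:
        return False, "malformed"
    if claimed < min_bits:
        return False, "too cheap"          # sender chose too little work
    if resource != recipient:
        return False, "wrong recipient"    # stamp minted for someone else
    if date not in valid_dates:
        return False, "stale"              # outside the acceptance window
    if stamp_bits(stamp) < claimed:
        return False, "work missing"       # claimed bits not in the hash
    if stamp in seen:
        return False, "replayed"           # one stamp pays for one delivery
    seen.add(stamp)
    return True, "ok"


if __name__ == "__main__":
    rcpt = "postmaster@example.com"        # constructed address
    stamp, tries = mint(rcpt, "030220", 12)
    spent = set()
    print(stamp, "cost", tries, "hashes")
    print(verify(stamp, rcpt, {"030220"}, 12, spent))
    print(verify(stamp, rcpt, {"030220"}, 12, spent))
```

Because the recipient and date are inside the hashed string, a stamp cannot be reused across a mailing list: each additional recipient costs the sender a fresh search, while verification stays constant.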
I believe that a bigger hammer is all that's needed to win the spam wars.
Who's with me?
Got a product/service for me to try? Send me a message.
SD
"Who knew something as harmless as willful ignorance could end up having real consequences?"
Every time a story about p2p piracy is posted the highest rated comments claim the ISP should just carry data and be legally forbidden from doing anything with it. When spam stories are posted, people claim it should be the ISP responsibility to remove those of their customers who send it.
What in your opinion should the policy be here?
Greetings Barry,
You do not know me but I am a a stockholder of Nigerian Plumbing, Inc. The government is about to shutdown our company to steal our funds in the continuing war with the rebels. We need someone such as your self to hold our money for us in your bank account. Of course, we will reward you for your help. We would like to transfer $1 billion nigerian kronars to your account. We will let you keep 20% in return for you help. Think! You will recieve $100,000 us dollars for your help. Please contact me at your earliest convience.
Sincerely,
Dr. Untoo Abotoo.
/sarcasm off
Seriously, though... Are you surprised by the lack of government involvement in shutting down spammers? Sure, some of them are selling a product, but most are illegal scams. Should they be doing more or are they doing something that we don't know about? Or do we need to come up with more money for Congress than the DMA does?
How similar do you think spam and telemarketing are?
In terms of theft, spam seems more serious (stealing bandwidth) than telemarketing (stealing time). Do you think that with the recent no-call list proposals in the house of reps, anti-spam legislation will be given more credence?
It's all going according to
There's plenty of talk about passing laws against SPAM, replacing SMTP, and all sorts of other things that other people can do to reduce the amount of SPAM we receive. My question is what can we the users do to reduce SPAM? More specifically, what that most people don't do now would make the most difference if we all started doing it? Even better, what that most people are capable of doing (email users with little or no technical expertise), would make the most difference? Perhaps the best strategy is not to evangelize the most effective methods, but the reasonably effective methods most likely to be widely implemented.
Convert RSS to HTML - integrate webfeeds into your website
I'd argue this collateral damage has destroyed the usefulness of email even more than spam has. It's simply an unreliable medium these days -- you never know if your mail got there or not, because it could have been silently dropped with no bounce message sent. Thus whenever I send reasonably-important emails now, I use either the phone or AIM to confirm it was received.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
It's not like spam is a new problem, so why has it taken so long for ISPs to start making serious noises about getting it under control? Why isn't there a technical solution in place between at least the major ISPs to interdict the flow of spam?
Seriously, I got 56 messages yesterday, of which all but 2 were spam.
One of the penalties for refusing to participate in politics is that you end up being governed by your inferiors - Plato
would it be easier to make a new 'spam free' protocol rather than put out filters that nobody will use?
a new protocol would have newer programs be able to read it, isp's can switch over one at a time, and the system can be backward compatible.
current administrators could put filters in place, put security measures on smtp servers, but they don't... a new protocol would enforce these things manually.
Runnin' On Empty
AOL Bill
$20--Total
breakdown
$15 Providing AOL Services
$5 Anti-Spam measures.
So, uh, what's the site?
Ok, here's the plan, set up an open relay (on purpose), but instead of actually sending out email, just log the IP address and act like you sent message (forge the log files, etc). You could set up scripts to monitor this so you know when someone uses your server as a spam relay. You have the evidence in your logs and can go after the spammers that way. Although not all connections to the open relay will be directly from the spammer, most should be. Could be an interesting project.
SPAM solution made easy: 1 spammer, 5 cords of rope, 5 horses, and fireworks. Be creative.
I wrote a software application called suprasphere, which is currently in beta. It seems to solve the problem of SPAM and is open source, but is not backwards compatible with email and other Internet standards. Do I have a chance? It seems everyone wants to have their cake and eat it too. They want the benefits of a widespread ubiquitous network, but then complain about its current composition.
I broke with SMTP, POP, NNTP, IRC, FTP, etc. specifically because of the security concerns. In trying to encrypt all Internet traffic, I figured that I would have to confront the network effect regardless, so then why support all those standards when it wouldn't lead to compatibility anyway?
Suprasphere allows you to create your own authenticated "spheres", where you can decide exactly who can do what inside your own sphere. It's designed to allow independent ISP's to build their own AOL-like services, which will interoperate with all other ISP's that run the software (whereas AOL/Yahoo/MSN are single network instances, not an "internetwork"). The difference, of course, is that suprasphere is all authenticated and secure. You can still create a sphere where unauthenticated people can leave messages, or you can require that everyone must authenticate against one of your known contacts first. Then, you create a "suprasphere" that pulls from many of your subscribed spheres, which can be filtered based on keywords, date/time, or other meta information, such as the current voting tally/score of an asset. In this model, you can check your email by building a suprasphere comprising all of your individual contacts. When you post a message to that "email" suprasphere, it will ask you to which of the currently built spheres you want to send the message.
It's most like Usenet in its interface and architecture, but supports multimedia message types and is authenticated to support moderation and workflow. You can post an audio file, a poll, an IM session, a contact, binary file, weblink, etc. You can create your own custom asset types (maybe "bugreport", or "gene sequence"), and then describe the customized interface for that asset type using XUL. Incidentally, this gives you field level database access control, where one class of user may only be able to see certain fields of one of your asset types. It will find out what fields are required to display based on the XUL definition, and only return those fields to the client.
What chance is there for something that is not backwards compatible with the current Internet standards, which still solves some of the current problems in some cases by specifically breaking compatibility?
The problem with Spam is that there is minimal retaliation. You can send the prepaid envelopes back to the junk mailers and they get charged for that. You can slam the phone on telemarketers or play a catchy tune with the buttons while they try their pitch. The problem with spam is you can't get them back. Even if you filter, you still have to do something that does no damage to them.
There currently seems no real effort from governments to cure the disease of spam. In my opinion the only way to solve the problem is to make it too expensive for these scumbags to operate - as soon as they start losing money they will crawl off to start a new scam. Bandwidth costs money, so why not organise large numbers of people to "visit" the sites advertised in this way? If a site spends money to spam, then has to pay for a few hundred gigs of bandwidth a day with virtually no sales, I'm thinking they might* get the message their racket won't work out. What say you?
*spammers are stupid.
Code, Hardware, stuff like that.
spam works... that's the root of the problem.
do you think there is anything that can combat this?
simply telling people that nothing will add three inches may not work as well as we hope for... stupid people are gullible.
Runnin' On Empty
I promise that the spammers will have suffered. :-)
In related news: spamassassin 2.5 with bayesian filtering has reached BETA and works fine on my system.
See http://www.spamassassin.org
Moritz
If you had known back in the early 90s that spam was going to be the problem it is now, what steps would you have taken then to protect yourself and others from it?
For instance, what changes would you have advocated in the mail protocols and what standard procedures would you have told other ISPs to use to prevent spammers from getting a foothold in the first place?
My ISP gives me the usual drill on don't give out your email address, request opt-out of lists, and so on. None of it helpful, as I recently found an unused mailbox filled with 3+ years of spam. Personally, I had visions of these people being gutted by Jack the Ripper.
I've wondered if the ISP could build a decent filter, without encumbering themselves or valid email. What can an ISP realistically offer to help customers block spam?
A feeling of having made the same mistake before: Deja Foobar
My simple answer to spam is control of information. The more your address is out there, the more spam you get. Two years ago I created a second email address. This address (in hotmail, no less) is specifically for mailing lists and opt-in lists. The other address (ISP address) is only given to human correspondence. It's amazing how I'm not bothered by spam anymore...
My simple question is... why doesn't everyone else do this? Ignorance is bliss.
Most spammers forge the return addresses. At best, your bounces would go to /dev/null, but at worst, they might bomb some poor sap whose email was forged in the from line.
Michael Loves Me!
What is the lobbying force that is keeping Congress from legislating a national no-spam database?? I can't imagine a few spammers could generate enough pressure to override action on such a universal, not to mention expensive problem.
As for the overseas spam... The major US ISPs limit all overseas sources that have been detected as sending high volumes of emails (say 100,000 per min) to 500 emails per hour. Then if that source wanted to get unblocked they would have to solve the problem on their end. Spammers make money from huge volumes of mail... slow them down=put them out of business
Do you have any statistics on how much of your ISP's bandwidth is consumed by spam? (And for comparison's sake, other stuff like p-2-p and Quake servers.)
"Draco dormiens nunquam titillandus."
i will also tell spammers which addresses do exist, thus saving them time and money.
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
Should end users set up their SPAM filters to bounce the offending messages, or should they just get quietly filed into the SPAM folder?
I used Mailwasher for a while, which gives users the option of generating bounce messages while filtering. There is some personal gratification in making it look like my email address doesn't exist. But does it actually help, or does it just add to the ISP's bandwidth requirements?
purchase a "replacement" diploma while securing my international drivers license? All while making $15,000 a month at home with no effort?
I don't give out my email address to anyone I don't know well, and I change it every year. I tell people who need to get in touch with me to call.
All this is because I started getting 50 spams a day. Right now, it's impossible to post to a newsgroup, put an email address on a web page, or have an email address that's listed in any sort of a directory without getting tons of spam each day.
I agree with that article that email is a failure. Important/busy people just don't have time for it.
A friend of mine finished looking for a new full-time job. He sent out some resumes by email to the listed addresses, and some by Fed-EX. Only the Fed-EX ones got answers. Companies get so much spam that they miss good resumes coming to them!
Best Buy can have you arrested
DJB claims that with this system bounce messages will be eliminated (if I read correctly).
Would you like to see horny nigerian dads add 13 inches?
In the interview from InternetWeek, you seemed to not care about false positives. At what point do you care about false positives?
I.e., are you attempting to stop all spam, with the possibility of false positives an acceptable risk, or is there some sort of calculation that your organization uses to balance the false positives (mail rejected as spam that wasn't) against the false negatives (mail that was accepted, but was spam)?
Build it, and they will come^Hplain.
Secure dildonics, not to be confused with the OS named Dildonix, is a new security system based on anus authentication. Secure authentication to enter buildings and purchase food at vending machines and so forth is just as easy as dropping your pants, turning around, and spreading your cheeks toward the special anus camera. If you don't hear a beep, it may be necessary to really rip your anus wide open to give the camera a good look, but it's all for security.
My other question (I know two are not allowed, but....) why can't ISPs stop unresolved email or domains from even reaching the mail server? I get mails from expertsales@werwerwetgfhgvlkfvl.com or similar all the time.
Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
I've recently begun using a service offered by my ISP, using my personal domain's 'catch-all' mail account to track who is selling my name, and to be able to filter based on that. Is there a place for individual efforts like 'throw-away' email accounts to combat spam, or does this really need to be a community effort? Could there be a role for a DNS-like registry, where in order to send mail, you need to be a person or entity who can be gotten in touch with (and thus, smacked around appropriately)?
I understand that spam is a problem. But if not for spam, what are we to do about our penises?
j p
Thx,
- amalgamatedhomeloansandcollegedegrees@aol.uk.com.
Hey, moron, yes you. Having fun? Bored? Take a trip to Hell, it's only $1.99 and you get a FREE meal on the plane!!!
Fight for your digital freedom, join the EFF *now*: http://www.eff.org/support/
So if you write algorithms that can keep up with and try to surpass human intelligence (or lack thereof, since these are spammers we're dealing with), could self-improving spam detection algorithms lead to better artificial intelligence? And would this be good or bad?
Schnapple
...because spammers use *BSD, and *BSD is dying.
Why doesn't Kibo post to alt.religion.kibology as much anymore?
Why don't you make a spammer's information public?
When a spammer has been found to be a spammer, you make available, without a subpoena, the information on the spammer so that people can file lawsuits against them.
Spamming can be profitable. Take the spammers to court and take away their money.
Fight Spammers!
Given the success of CompuServe in CompuServe vs. Cyber Promotions and Intel in Intel Corporation vs. Kourosh Hamidi, both cases in which corporations sued a third party for sending their users unsolicited email, why hasn't litigation been more effective in slowing the tide of spam?
--aiee
The World's Index of Customers' Home Pages
IP blacklisting, intelligent content filters etc. are at best patches on an inadequate system which permits messages from unauthenticated senders.
I (naively) believe the only real solution would require that email senders can be easily authenticated and anonymous/spoofed/aliased messages simply ignored. Authenticated traffic could get prioritised handling at every stage over anonymous (eg 1st class mail vs 4th). In this climate, about everybody would reject anonymous email, and spammers using authenticated addresses could be located and dealt with.
Do you agree at all? How does the current email protocol, system, whatever have to change to ultimately provide an effective foil to spammers?
What, in your experience, has been the most *cost-effective* spam-reduction software solution? Is it server-based, or is it some kind of client software?
cleetus
While in the short term I concur, in the long term I must cry au contraire.
If Bayesian filtering makes its way to the general public -- or is introduced at an ISP level, then it will reduce the amount of spam that gets through to potential customers, and hence make each spamming less profitable.
The least profitable of the spam messages will disappear, thereby reducing the loads on our mailboxes and on the ISP as a whole. Therefore, perhaps a better question is:
Support a few technologists in Washington.
I would like an email account where senders not on my whitelist need to pay something (e.g. thirty-seven cents), or at least risk paying something, to put a message in my inbox. Two businesses that have been mentioned on slashdot before are Vanquish.com (has a bonding system) and internetstamps.net (sells stamps).
Are you thinking of providing a pay-for-attention email service through your business?
It seems to me that the existing email protocol has some fundamental problems that contribute to spam. It is basically impossible to authenticate who an email came from. Do you think that adding a new email protocol could solve these problems?
Specifically, if we created a second protocol that required that all email be digitally signed by the person listed in the "from:" clause and that the originating ISP guarantees this identity, wouldn't that solve most of the problems? The true identity of people who use the bandwidth I pay for to communicate with me seems like a fair thing for me to be able to insist on. I might even be willing to pay a little more to have such a system, although I would think such a system would be cheaper for my ISP, since the cost of carrying 33% garbage isn't there.
I should be able to say I want to filter email from Alan M. Ralsky of West Bloomfield, Mich or from any that passed through any ISP that cannot guarantee me that I can determine this. The problem is that Mr. Ralsky can send me email and I have no hope of identifying that it came from him. All that is required, it seems to me is for the leading ISPs to get together and create and enforce a standard that says your new-style email will be digitally signed with your legal name and that only ISPs that comply with enforcement practices will be allowed to use the new email protocol.
Aren't dial-up ISPs so 1990s that they are effectively the ghetto of the internet today?
If the average genuine mail to spam ratio on your system is 1/10 (ie: for each genuine message, you get 9 spam messages) this will have the inevitable effect that your infrastructure has to be capable of processing a load which is 10 times higher than would be required if there was no such thing as spam.
Given that 1/10 is probably a very conservative estimate (especially for big ISPs with a lot of J. Average Customers), you can imagine that this can have a huge impact on the systems required to handle this.
Also when a spammer is using a fake (or real) address at the ISP as a return address, a lot of bounces get directed there in a very short period of time (which in fact is very much like a DDoS).
While silicon speed is still increasing at a mind-numbing speed, disk platters haven't. It's not costly to get a lot of storage (73GB disks are 'affordable'), but it can cost a lot to build a storage subsystem that can cope with the load and is relatively solid (raid / backup).
On top of that there are the hidden costs, eg: customer support for dealing with customer issues related to spam, system administrator time spent extra on dealing with spam-related problems.
I don't think it's as simple as stating that "bandwidth is cheap" (which simply isn't true for a very big part of the world) and "storage is cheap" so spam can not cost much.
Okay... I'll do the stupid things first, then you shy people follow.
[Zappa]
What's the lamest (stupidest, impossible to believe by anybody with two functioning neurons) spam that you've ever received?
For example, I once got a piece that claimed that after their "extensive market research", it had been determined that I would like to increase my breast size (I'm a male) which would provide the added benefit of increasing the passion my partner (if I had one, he'd be a male also) felt for me.
If I didn't want to receive any more offers, all I had to do was .
Karma: Food Fight (Mostly affected by Date Plate).
This is exactly what SPEWS does, and it's remarkably effective.
This is preached on email abuse newsgroups as gospel but I have yet to see anything other than anecdotal proof. What I do see are a lot of innocent ISP customers whose business is being interrupted, not by spammers, but by SPEWS' vigilante blocking policies.
The analogy is much the same as having a crack house open in your neighbourhood. You either take action on the crack dealers or move out...
My $Deity, where to begin...
To correct your analogy the spammer is the crack house operator. What SPEWS does is start blowing up all the houses in the neighbourhood that surround the crack house in the hopes that the neighbours will complain to the authorities (the ISP) to take action.
What this farcical pretext misses is that spammers can move from ISP to ISP daily and as soon as you shut down one account they have opened a new one either on the same or a different ISP. The number of spammers and their mobility precludes an ISP permanently blocking a spammer and thus the chances of getting off SPEWS once an ISP is on are minimal.
SPEWS has no posted policies as to what the timeframe is between an ISP complying with their blackmail blocking and the removal from the SPEWS list. 24 hours?, 2 weeks? who knows, SPEWS doesn't tell you. How often do they check? What criteria is applied during a check? Why don't they block the large ISPs like AT&T? Why don't they announce listings/delistings anymore? Why is there no direct method for applying for delisting? Why are postings from innocent ISP customers asking for reasons for listing met with scorn and accusations that make the customer sound like a Nazi sympathizer?
There are far too many questions about SPEWS' practices.
If you don't want to repeat the past, stop living in it.
I am a Systems Administrator for a statewide ISP. We have found that blocking such domains as azoogle.com, topica.com, etracks.com, and other claimed Opt-In spammers has really cut down on spam complaints. We had to go as far as firewalling these 3 spammers since they were chewing our bandwidth to pieces. EverBlur which was recently kicked off their provider, has stopped altogether.
My question is, do you see this as an effective method? Do spammers really quit after seeing their packets are being dropped? Why do they not?
While email cannot legally be sent unsolicited, there are millions of such messages each day. So why isn't the government doing much about this growing problem? The bandwidth gained back would be well worth the effort, so why hasn't Congress passed laws against email spammers, who for the most part are based in the US?
Quid festinatio swallonis est aetherfuga inonusti?
Africus aut Europaeus?
Let's pretend that Congress takes up the issue of spam and passes a very restrictive law essentially outright banning it. COULD that be an effective way to prevent it, or would the international nature of the internet make it useless?
People who think they know everything really piss off those of us that actually do.
Can you tell me how come spam ads for p*nis enlargement are so much worse than snail mail ads for credit card applications?
And why is spam so much worse - to the point of calling it "a sociopathic thing" - why is it so much worse than the ads that appear on TV shows?
Want to get rid of spam? Attack the problem, not the symptom: Curb your seemingly incessant need to spend money you don't have, on things you don't need. i.e. STOP CONSUMING.
I've wondered why more ISPs don't adopt this strategy to make themselves unattractive to spammers - so maybe you can tell me why it wouldn't work:
ISP has in their contract the following items:
1) a definition of spam, spamming, and spamming services.
2) A clause similar to the following: "The customer agrees not to spam, not to advertise any services hosted by the ISP via spam, not to provide services to promote spam. In the event of a violation, the customer will forfeit US$10,000 clean up fees."
You require the customer to either a) put up the money in a bond, or b) put up a credit card.
Should the customer spam, and then try to back out on the credit card (dispute the charges), then you nail them with felony fraud charges, as they obviously never intended upon paying the bill in the first place.
www.eFax.com are spammers
I worked a couple of years ago for a company that makes 'emarketing' software, and I managed the company's ASP for that software.
Most of the emails we sent out were from internal, registered customers of the company. I would call these 'opt-in' emarketing messages that ranged from pitches to buy new or upgrade products, customer satisfaction surveys and automated replies for visiting a website and signing up.
There were, on the other hand, spammers. That is the only way to describe the quality of the emails they sent out. When I could query their databases and find email addresses of 'abuse@someisp.com' and other, similar non-customer addresses, there is no other way to classify it.
In either case, we never tried to hide or run away. We always used real email addresses and kept the same domain names. So, my challenges were, "How do I keep the 'good' customers from impacting the 'bad' customers?" I dealt a lot with CAUSE, the MAPS RBL and other organizations to keep the emails flowing.
So, here is my question: How do you, at the ISP level, differentiate between legitimate email marketing and Spam?
For those of us who are trying to set up incoming SMTP servers (or who are just curious):
What are the current "best practices" and state-of-the-art for the little guy (enterprise, small office/home office, little ISP, etc.) who:
- has some need or desire to directly serve inbound and outbound SMTP and
- has SOME time to sysadmin, but
- does not have the resources to throw several full-time-plus-pager sysadmins into the spam wars?
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
actually it's good to get all this different information on all the various products, because then you can decide which is good, and which is bad. knowledge is power. if the spammers didn't try and educate you where would you be then?
In some regions the police are very corrupt. The spammers pay them to look the other way and not do a bust that would send them to jail in some other country. How do we deal with this?
I suggest you read Slashdot
Have a competition and gather the best players of games like Splinter Cell. Create a black-ops government organization to track down and kill the spammers. Simple solution. None of this namby pamby UN resolution legal maneuvering bullshit.
My friends and I are often responsible for small sites - our own colocated servers, small businesses, and the like.
What are your technical recommendations for us, to make your life easier?
For instance, I usually argue to require valid FQDNs in the HELO and MAIL FROM command, and reject anything claiming to come from myself or one of the RFC1918 reserved IP addresses. This is entirely content-neutral - I just see no point in accepting any message from somebody who can't be contacted in turn if there's a problem delivering the message.
But I generally don't bother with RBLs, and am philosophically opposed to IP redlining since it could easily lead to a world where a few corporations act as gatekeepers.
I know what impact this has on my sites, but does this cause problems for the large sites? Or does it help you as well?
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
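The content-neutral envelope checks described in the post above (valid FQDNs in HELO and MAIL FROM, no HELO claiming to be the receiving server or an RFC1918 address), as an added example that is not part of the original thread. `OWN_NAMES`, `TRUSTED_NETS` and the sample values are hypothetical; the FQDN test is syntactic only, and the null sender `<>` is exempted because bounces legitimately use it.

```python
import ipaddress
import re

# Hypothetical local configuration (assumptions, not from the thread).
OWN_NAMES = {"mail.example.org", "example.org"}
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.0.2.0/24")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """Syntactic check: two or more valid labels and a non-numeric last label."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(LABEL.match(label) for label in labels)


def helo_as_ip(helo):
    """Return an ip_address if HELO is a bare IP or an address literal, else None."""
    text = helo.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
        if text.lower().startswith("ipv6:"):
            text = text[5:]
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def sender_domain(mail_from_arg):
    """Domain of the reverse-path, '' for the null sender <>, None if unparsable."""
    match = re.match(r"^\s*<([^<>]*)>", mail_from_arg)
    if not match:
        return None
    path = match.group(1)
    if path == "":
        return ""
    if "@" not in path:
        return None
    return path.rsplit("@", 1)[1]


def check_envelope(client_ip, helo, mail_from_arg):
    """Return (accept, reason) for one SMTP envelope."""
    client = ipaddress.ip_address(client_ip)
    local = any(client in net for net in TRUSTED_NETS)

    ip = helo_as_ip(helo)
    if ip is not None:
        if any(ip in net for net in RFC1918):
            return (False, "HELO is an RFC1918 address")
        return (False, "HELO is an address, not an FQDN")

    name = helo.strip().rstrip(".").lower()
    if not is_fqdn(name):
        return (False, "HELO is not an FQDN")
    # Our own hosts may use our name; an outside client doing so is forging it.
    if name in OWN_NAMES and not local:
        return (False, "HELO claims to be this server")

    domain = sender_domain(mail_from_arg)
    if domain is None:
        return (False, "MAIL FROM is unparsable")
    if domain == "":
        return (True, "ok (null sender)")  # bounces must stay deliverable
    if not is_fqdn(domain):
        return (False, "MAIL FROM domain is not an FQDN")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample envelopes: (client IP, HELO, MAIL FROM argument).
    samples = [
        ("203.0.113.9", "mx1.sender.example", "<alice@sender.example>"),
        ("203.0.113.9", "[192.168.1.20]", "<alice@sender.example>"),
        ("203.0.113.9", "mail.example.org", "<alice@sender.example>"),
        ("203.0.113.9", "mx1.sender.example", "<>"),
        ("203.0.113.9", "mx1.sender.example", "<bob@desktop>"),
    ]
    for sample in samples:
        print(sample, "->", check_envelope(*sample))
```
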
For starters, since when was Government created to prevent Spam? If you're from the US, then we have an interesting document which describes very clearly what the purpose of Government is: to uphold and defend the rights of citizens. Government has enough trouble getting that right. When you look at some of the other little projects that Government has seen fit to adopt (War on Drugs / War on Poverty / Social Security / Empire Building / Etc.), you can't help but come to the conclusion that its track record reads like a case study in ineptitude and failure.
That said, how would Government be the answer to a problem like spam?
If, for example, we got a bunch of groovy new anti-spam laws, all that would result would be still more backlog in the courts. Given the number of spammers in the world, and their diverse locations, how would such a thing be logistically possible? Aside from the jurisdictional issues that would surely arise, how many courts would be needed to hear these cases?
The Short Answer: It's not possible.
The solution to the problem must therefore fall into the realm of the technological.
The tools are being developed, or in some cases, they've already been developed. No doubt they will mature and improve. In the end, they will be far more effective than any solution that the government will be able to come up with, and that's just the way it is.
It's going to take some getting used to. Email is the Internet's killer app. People have become dependent upon it. People fear change.
It's getting to the point, however, that people will be willing to change the way they interact with email because they now spend so much of their time sifting through noise to get at the signal.
Whitelisting is going to happen... We can no longer afford to accept email from untrusted sources. The sooner we embrace it on a wider scale, the sooner we can all get back to work, and the less time we'll have to waste on these other half-measures.
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
Mailwasher has both FRIENDS and BLACKLISTS. It allows you to see all mail on the server and process it before downloading. You can pre-view/read any message on the server by double-clicking on it.
Friends get coloured green, Blacklists get coloured red. "Possible Spam" is identified in orange. You can change anything if you want after a quick scan. Not only that but you can easily have all blacklisted emails send a BOUNCE message back to the sender so it looks like your email address is dead.
Best of all, it's free.
Stopping spam on your ISP is a noble goal. (*Applause*).
But how about fixing the news server so it talks to the shell server at better than a few kbps?
(Hi, Barry!)
What the government should do is expand departments and cooperation to track down the people who attempt to sell these things and shut them down. Most of these people are crooks and charlatans, so that shouldn't be very hard. The govt. should, also, crack down on people like Alan Ralsky, requiring him to verify that each recipient of his product has personally requested to be on his lists.
All these goofballs have to make themselves available to their victims (those foolish enough to open or respond to spam.) There's a phone number or web address. Credit card usage can be tracked, with the assistance of credit card companies (and much of this is fraud anyway so you could expect them to warm to such investigations.)
Visualize:
0600: Spam sent out, promising teen webcam shots
0601: First spams arrive in honeypot email accounts
0605: Website has been identified.
0607: Run tracing credit card number to see extra material
0620: Template of potential violations has been reviewed and yields potential charges on: Adv sent to email account of unverified user (potentially a minor), in-state spamming, potential age violation if various claims on site are true (underage).
0630: Contact local law enforcement
0800: Local law enforcement pays a visit/takes people for questioning/obtains search warrant/impounds equipment, etc.
Not perfect, at first glance, because it could still be abused (i.e. I hate someone and set them up, but a good template test could reduce this), still, we're ready to spend billions on Iraq, yet I've heard nothing about going after these scoundrels.
PR is also a useful thing. Public service messages for radio and TV. ("Don't respond to spam, send for free guide how not to be fooled, or visit FTC website.")
A feeling of having made the same mistake before: Deja Foobar
- Bouncing messages with Mailwasher
- Having munged addresses where the "NOSPAM" is in the user part rather than in the domain part (that is, "bozoNOSPAM@isp.net" instead of "bozo@NOSPAMisp.net"), so your servers get hammered with invalid harvested addresses.
- Using often broken tools such as SPAMCOP to LART other ISPs?
- Does a significant number of problems from your user always come from the same users, or is the problem widespread?
are having a negative effect towards your own efforts at fighting spam, either by diverting resources or simply being a nuisance? How many of the SPAM complaints you receive are properly done (that is, with headers and sent to the proper ISPs)?
By fighting spam you are diverting your resources to an endless task, plus, you are creating a false sense of the situation.
Wouldn't it be easier to just allow your customers to receive the hundreds of emails you filter and by doing so creating an awareness on the severity of the situation?
I mean, once Joe User gets really tired of receiving spam, won't he be more aware of the need to regulate the whole thing?
As it is now, with the heavy filters in place, the end user only gets a tiny fraction of what is indeed sent to them, so why should the general population worry?
Has anyone thought about using a message about usage on the sendmail banners? That is placing a message on the mail system that makes some comment about a price of usage for non-subscribers. From that point, SPAM will probably be the largest non-subscriber and the sender would thus be liable for the processing costs.
One way to fight spam is to contact the Federal Trade Commission and report it. This Site talks about how to "opt-out" of getting pre-approved credit offers and direct market offers. It should reduce spam a little bit. Or this site gives more advice on how to reduce the amount of spam (and even better) how to report it to the Federal Trade Commission. Also, you can look here for more stuff about consumer protection on the internet.
My technical proposal: people/companies purchase SMTP message-sends the way they purchase cell-phone-minutes:
- spammers who use open relays would saturate that relay's quota, and most of the spam thus relayed would fail to go out, thus the owner of the relay would have incentive to fix it, so they can send their own mail.
- spammers who send directly from ISP accounts would have to purchase large numbers of them in order to send a given volume of mail.
To enforce such a system, you would need to build a smart firewall that knew just enough SMTP protocol to read the RCPT To: lines, and count recipients. When a given sending host exceeds its counter for the week, poof! the firewall blocks further SMTP activity (or even all activity) from that host until someone clears it. Backbones could limit individual ISPs with such a system, and ISPs could in turn limit individual customers; indeed they would basically have to, so that one customer can't ruin their SMTP quota. If the ISP doesn't enforce such a rule, their backbone tap enforces it for them.
If such infrastructure became widespread, the only way a spammer could send large numbers of messages would be to get large numbers of ISP accounts, which would hopefully cost them enough money to make it not worth their while anymore.
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
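A sketch of the recipient-counting firewall proposed in the post above, added here as an example and not part of the original thread. It covers one enforcement point only (a single weekly quota per sending host), assumes the firewall sees client-to-server lines and that the server accepts every DATA command, and uses hypothetical class and method names and a constructed session. It tracks the DATA phase so that message text that merely looks like `RCPT TO:` is not counted.

```python
import re

WEEK = 7 * 24 * 3600  # quota window in seconds
RCPT_RE = re.compile(r"^RCPT\s+TO\s*:", re.IGNORECASE)


class RcptQuotaFirewall:
    """Counts RCPT TO commands per sending host; blocks a host on overrun."""

    def __init__(self, weekly_quota):
        self.weekly_quota = weekly_quota
        self.hosts = {}       # host -> {"start", "count", "blocked"}
        self.in_data = set()  # (host, conn_id) pairs inside a DATA phase

    def _host(self, host, now):
        state = self.hosts.setdefault(
            host, {"start": now, "count": 0, "blocked": False})
        if now - state["start"] >= WEEK:
            # New week: the counter restarts, but a block stays until cleared.
            state["start"], state["count"] = now, 0
        return state

    def client_line(self, host, conn_id, line, now):
        """Feed one client-to-server line; return 'pass' or 'drop'."""
        state = self._host(host, now)
        if state["blocked"]:
            return "drop"
        text = line.rstrip("\r\n")
        key = (host, conn_id)
        if key in self.in_data:
            # Message content: only a lone "." ends it ("..": dot-stuffed text).
            if text == ".":
                self.in_data.discard(key)
            return "pass"
        if text.strip().upper() == "DATA":
            self.in_data.add(key)
            return "pass"
        if RCPT_RE.match(text):
            if state["count"] >= self.weekly_quota:
                state["blocked"] = True
                return "drop"
            state["count"] += 1
        return "pass"

    def count(self, host):
        return self.hosts.get(host, {}).get("count", 0)

    def is_blocked(self, host):
        return self.hosts.get(host, {}).get("blocked", False)

    def clear(self, host, now):
        """Operator action: lift the block and start a fresh window."""
        self.hosts[host] = {"start": now, "count": 0, "blocked": False}
        self.in_data = {key for key in self.in_data if key[0] != host}


def replay(firewall, host, conn_id, lines, now):
    """Run a list of client lines through the firewall; return the verdicts."""
    return [firewall.client_line(host, conn_id, line, now) for line in lines]


# Constructed session: two recipients, a message whose body contains a
# look-alike RCPT line, then a second transaction that overruns a quota of 3.
SAMPLE_SESSION = [
    "HELO client.sender.example",
    "MAIL FROM:<a@sender.example>",
    "RCPT TO:<one@rcpt.example>",
    "rcpt to:<two@rcpt.example>",
    "DATA",
    "RCPT TO:<not-a-command@body.example>",
    ".",
    "MAIL FROM:<a@sender.example>",
    "RCPT TO:<three@rcpt.example>",
    "RCPT TO:<four@rcpt.example>",
    "RCPT TO:<five@rcpt.example>",
]

if __name__ == "__main__":
    fw = RcptQuotaFirewall(weekly_quota=3)
    for line, verdict in zip(SAMPLE_SESSION,
                             replay(fw, "198.51.100.7", 1, SAMPLE_SESSION, 0)):
        print(f"{verdict:5} {line}")
```
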
Everyone is trying to filter spam. The simplest solution is community regulated attacks on spammers. Shut them down with their own shit. A little program that lets you submit offenders and carries out attacks on targeted offenders. I write this as my mailbox fills with spam for anti-spam programs. A real anti-spam program attacks and disables spammers.. Filtering shit just makes things worse. It masks the problem instead of eliminating it.
So far, the main result of filters seems to have been to force spammers to send more spam.
Think about it. Per message, it costs practically nothing for the spammer to send email. He needs to get a certain number of responses. If 90% of all e-mails he sends are filtered, he just sends 10 times more.
Result: ISPs are hurt more.
We use Bayes at the ISP level, and it's effective, but nowhere near as effective as when it gets per-user training. Consider that a particular group of people at your ISP may get emails that look like your spam (stock reports, HTML newsletters, Asian emails, etc) and you'll see what the problem is.
There are some potential solutions to this (such as ours which is to use Bayes merely as part of an overall solution), but most ISPs don't want to be storing 30M of Bayes database per user - it's just not sensible.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
I have found that once I get a physical mail address to a domain and indicate that I am 30 minutes away and will visit with my pfist that the spam stops..
How effective is this type of Physical threat towards spammers?
Caution: This doesn't work on Nigerian spammers..
Don't Tread on OpenSource
Barry, How do you feel about SPEWS? As a blacklist it filters many spammers, but it's also known to list many innocent people (although it is explained why this happens).
Spamming can be profitable. Take the spammers to court and take away their money.
I AM DR. ABBIS OBUTU FROM THE FIRST BANK OF NIGERIA. I AM FROM FOREIGN COUNTRY, SO THIS "COURT SUMMONS" OF WHICH YOU SPEAK HAS NO MEANING TO ME. NOW ON TO BUSINESS. I HAVE $30 MILLION I NEED TO GET OUT OF THE COUNTRY AS QUICKLY AS POSSIBLE. IF YOU WOULD BE SO KIND AS TO LET ME PUT THE $30 MILLION INTO YOUR BANK ACCOUNT, I WILL ALLOW YOU TO KEEP TWENTY PERCENT (30%) OF THE REVENUE. KINDLY GET BACK TO ME AS SOON AS POSSIBLE. THANK YOU FOR YOUR PROMPT ATTENTION TO THIS MATTER.
It wouldn't always work because you'd get a lot of reactions like this...(yes, Slashcode, I know. Now go away please.)
There are laws against sending unsolicited junk faxes, and for good reason. So what's preventing the same type of restrictions on spam? It consumes resources (bandwidth, storage space, man hours to clean and block) and is a nuisance to all. Other than paper vs. bytes, what is so different about spam that makes it immune to the same legal issues?
Before my layoff last August, I managed the email systems at my undisclosed company. We were hit pretty hard by a virus that stole one of our email addresses from customers (to clarify, no one in our company was infected, but some of our customers were). Within hours, I had threats and complaints up the wazoo from companies because we were 'spamming' them. My reply to this was to send a link from Symantec about the virus, along with an example of what the headers should look like if the email came from my office. My favorite response was from a 'Manager of Information Systems' who told me that he knew how the Internet worked, and that there were no viruses that would steal email addresses, and no way headers could be faked in an email. So, I suppose one good thing about being unemployed for the last eight months is not having to deal with managers that don't know anything. -wg
Most spam contains a 1800 number or some other contact number. Even if they change the email address from where the spam is sent, can you not target the phone number contained in the email as a source of spam? Instead of the complex formula to recognise email from spam a whopping black list of phone numbers would do the trick. Or am I being a gobshite here?
It seems that law enforcement has no reason to get aggressive on this problem as long as companies such as yours bandaid it with technological measures. What do you think about a "no filter day", in which all of the ISPs remove their spam filters for 24 hours and let the world get first hand the full brunt of the traffic you're filtering? The outrage alone, if correctly managed, could get the appropriate authorities off their asses and go after these guys.
I am a security technician and sysadmin for a research institution. My clients, who are scientists, are not interested in being paid to watch advertisements, or in having our institution funded by advertisements shown to them in email. We don't want to be paid to receive spam; we just want not to receive it. We just want the spam attack, the theft of our resources and our people's time, to stop. Do you see any way this can be reconciled?
How would you keep your web site from being slashdotted, and your inbox from being filled with useless suggestions the same /. helpful users are making?
Then if not stolen, cancel the account/domain and make the information available to the public.
Fight Spammers!
Q: If ISPs are really all that upset about spam, why haven't they done anything about it?
It's patently obvious that ISPs could eliminate spam simply by blacklisting individuals who engage in the practice (and other ISPs who don't follow it). This is how credit ratings work, an area in which there is both a greater monetary incentive for misbehaviour and much lower (technical) barrier to entry.
Properly implemented, such an individual blacklist would eliminate most worldwide spam - since only a couple dozen individuals are responsible for more than 90% of the phenomenon.
It seems to me that the real reason ISPs don't stop spam is due to base economics: spam houses pay money. So spam elimination has become a classic game theory problem - money you spend to search for spammers on your own network is wasted; you just have to respond enough to keep off the RTBL.
And because detection is always someone else's problem, spammers will continue to thrive in the time it takes to process the request.
Right, but any solution that starts with something like "If only everyone would..." is immediately doomed to failure. So, assuming the world is a bunch of retarded chimps (reasonable, I think), now what do we do? Like g'parent said, by the time it hits your filter, you (the ISP) have lost the battle.
The least profitable of the spam messages will disappear, thereby reducing the loads on our mailboxes and on the ISP as a whole.
That assumes we're near the threshold of spam profitability - but I don't know that that's the case. As someone else responded, all it means is they'll send out more messages to make the same amount of money.
Also, there are ways of tricking Bayes filters. I've never seen exactly how they're implemented, but Bayesian statistics is VERY population-size dependent.
The way they work is basically: P(spam, given X) ~ P(X,given spam)*P(spam). Here, X is some piece of email, and P(spam) is the fraction of email, globally, that is spam. So, to trick it, there would be a few ways. First, if there is an ISP you want to hit, send a bunch of innocuous emails that ARE NOT SPAM. Then, send a bunch of spam that share something in common with the innocuous ones you sent. This will have the filter saying "I sometimes see this from non-spam," essentially, which is what you want it saying. The question is how fast the filter learns - could you set it up, then spam for a while before it learns?
I'm sure there are other ways as well.
-Looking for a job as a materials chemist or multivariat
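The comment above asks how fast a Bayesian filter learns once innocuous mail has been used to make a vocabulary look legitimate. The following is an added example, not code from the thread or from any real filter: a toy naive Bayes scorer over a constructed corpus that measures how many user spam reports it takes to recover, and shows that a filter which trains ham only on explicit user labels is not affected. The class name, the corpus strings and the 0.9 threshold are assumptions.

```python
import math
from collections import Counter


class NaiveBayesFilter:
    """Token-presence naive Bayes: P(spam|X) ~ P(X|spam) * P(spam)."""

    def __init__(self):
        self.counts = {True: Counter(), False: Counter()}  # is_spam -> token counts
        self.n = {True: 0, False: 0}                       # is_spam -> messages seen

    def train(self, text, is_spam):
        self.counts[is_spam].update(set(text.lower().split()))
        self.n[is_spam] += 1

    def score(self, text):
        """Return the estimated probability that text is spam."""
        # Prior odds from the class sizes (add-one smoothed).
        log_odds = math.log((self.n[True] + 1) / (self.n[False] + 1))
        for tok in set(text.lower().split()):
            s, h = self.counts[True][tok], self.counts[False][tok]
            if s + h == 0:
                continue  # never-seen tokens carry no evidence
            p_tok_spam = (s + 1) / (self.n[True] + 2)
            p_tok_ham = (h + 1) / (self.n[False] + 2)
            log_odds += math.log(p_tok_spam / p_tok_ham)
        return 1 / (1 + math.exp(-log_odds))


# Constructed corpus (not real mail).
HAM = "lunch at noon tomorrow"
SPAM = "cheap pills buy now"
PRIMER = "quarterly report draft attached review"   # innocuous-looking mail
PROBE = PRIMER + " pills"                           # later spam sharing its words


def baseline():
    f = NaiveBayesFilter()
    for _ in range(20):
        f.train(HAM, False)
        f.train(SPAM, True)
    return f


def simulate(autolearn_ham, primers=40, threshold=0.9):
    """Return (score before priming, score after priming, spam reports
    needed before the probe is scored above threshold again)."""
    f = baseline()
    before = f.score(PROBE)
    for _ in range(primers):
        # A filter that auto-learns unflagged mail as ham absorbs the primers;
        # one that trains only on explicit user labels ignores them.
        if autolearn_ham:
            f.train(PRIMER, False)
    after = f.score(PROBE)
    reports = 0
    while f.score(PROBE) < threshold and reports < 1000:
        f.train(PROBE, True)   # user flags one copy as spam
        reports += 1
    return before, after, reports


if __name__ == "__main__":
    for mode in (True, False):
        b, a, r = simulate(mode)
        print(f"autolearn_ham={mode}: before={b:.3f} after={a:.5f} reports={r}")
```

In this toy setup the number of spam reports needed to recover is of the same order as the number of messages that were wrongly learned as ham, which is why what a filter is allowed to learn from matters more than how fast it learns.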
A few questions:
How would you grade the effectiveness of current filter techniques, and blacklists etc.?
What filters/blacklists do you use, and how could they evolve so that you would feel comfortable using them? When choosing blacklists or filters, how do you measure the gains of blocking x% of spam against not-blocking y% of legitimate emails?
How do you regard the threat of spam in opposition to some of the major viruses? That is, viruses like "sapphire" that generate huge disabling traffic netwide, or like "code red" that - to this day - is still making attempts to access "cmd.exe" on my own linux box.
And lastly, as we all want to know, what do you think can be done to spammers to strongly discourage them from continuing their immoral practices?
I've always thought that a small charge for sending emails, even a small fraction of a cent, would be transparent to normal users but would put spammers out of business. The problem with spam is that spammers do not bear any cost for sending millions of emails. Make them bear a cost and they will disappear. Bubbling along . . .
Feel free to disagree with the above -- I often disagree with what I say!
I have clients who have mail tools built for them. These mail tools have small opt-in lists of about 10k - 50k email addresses.
All of these addresses are gathered in legitimate ways (otherwise the lists would be in the millions).
Every recipient typed their email in and subscribed to the mailing lists directly. I do not get involved in other efforts (involuntary mailings).
How can we (as developers) take steps to stop our mailings from being blocked inadvertently by the spam filters?
With smaller mailing lists I know that this really isn't an issue, but we are just starting to see larger blocks from yahoo and hotmail since we probably are sending 2k - 5k emails within those domains.
Thanks,
Sean
2) After the first 50 email addresses are checked that day, any additional pings automatically reply with the word "bulk" instead of email.
This can be done by the ISP as part of their sendmail protocol. The only reason this has not been is:
1) Political power of the more respectable bulk emailers who try and pretend they are not spammers (Usually by using the inane ploys as join our "service" and I hope you do not check the box)
2) It would require some organization to create the protocols and upgrade sendmail.
excitingthingstodo.blogspot.com
Do you think that IPv6 could improve the fight over SPAM?
NEOCA - Custom LED Flashlights
If people just stop responding to spam, wouldn't it stop? Or do the spammers enjoy throwing away money and time?
Who are the losers responding to spam? Aren't they the demand that drives the supply? Let's make them stop.
-... ---
you know, i keep a pair of cyan/red glasses around. have been for years. so chuffed to have a random opportunity to use them - usual use is as an odd lens filter.
Hello, Barry--
As a World customer, I found last year that I was getting removed from several mailing lists I was subscribed to because so much of their traffic was being bounced by World spam filters.
When I contacted customer support, they said that the messages must have contained strings that triggered the filters, and that the solution was for the lists to avoid using those strings in the future.
What strings would these be? Customer Support couldn't say.
So, if I wanted to use my World account to receive my list mail, I would have to persuade all other list members to not use the filter-triggering words. And I would have to do this without telling them what those words were.
It seems to me that strong filtering of customer inboxes is one thing, but doing so with no provision for opt-out or whitelists interferes with the individual's right to get the internet service he's paying for. Do you disagree?
Most spam originates from a small group of die-hard spammers that move between ISPs. It's not the same thing. And then there's 'direct-to-MX' spam from dialup and cable/broadband accounts. So, while folks like ROKSO and Spamhaus.org do provide blacklists, they're not 100% effective and there's always the risk of false-positives.
A point I noticed in the article was that spam has flourished because the sender does not pay anything to the carrier (the ISP). Do you think that spam could be reduced if (a big if, granted) some form of payment scheme could be implemented?
Why not let users see the entire header before deciding to open email? Why not provide hooks for third party filter developers?
I read an article in the Wall Street Journal that was a summary of the latest Demo conference. A service called SenderBase was introduced there. This service keeps a public database of email volume for various IPs and their domains. Admins could use this to set up their white/gray/black lists. I see this as a viable option to allow ISPs to avoid filtering mail after they have received it. Related to this service is Bonded Sender, which is similar to another post's suggestion--registered MTAs. It requires email senders to post a bond that they are not sending post. Senders with a bond posted could be considered safe to put on your whitelist. These types of shared databases could possibly help ISPs and system admins at least to stop some spammers from taking up bandwidth by refusing connections from them.
First execute them, publicly of course, then grind them up, spice them, then stuff them into sausages, dog biscuits, then sell them as live stock feed or pet food.
Color me confused. Granted, Salon is in trouble, and they own the WELL, but they aren't gone yet -- and I've had my dialup account there since April of '88. Methinks someone's confused.
djb first started talking up "IM2000" in, if memory serves, late 1999.
It's now early-mid 2003, and there are exactly zero IM2000 clients, servers, libraries or other working software available to the general public.
IM2000 appears to be yet another one of Dr. Bernstein's interesting 4am ideas that he found amusing enough to start a mailing list about, but not interesting enough to devote any real effort to implementing or promoting. (See also: "slashpackage")
Mail administrators are facing a real problem in the here and now. Handwaving about unimplemented pie-in-the-sky ideas is not helpful to anyone. When there's a working IM2000 server that I can install, call me. Until then, let's stop flogging this horse every time someone brings up the spam subject.
News for Nerds. Stuff that Matters? Like hell.
N/T
Through my own travails with SPAM to my personal account, I've come to the basic conclusion that filtering out SPAM is a Sisyphean task. No matter how good we make our filters, determined SPAMers will find a way through those filters. Blacklisting of open relays helps, but really only punishes careless sysadmins, not the SPAMers who victimize them.
I see much more promise in technologies like HashCash which force sending machines to burn CPU cycles in order to send their message. My question to you is, are you aware of this type of technology? Do you think it would be effective? And what do you think it would take to get such a technology deployed (standardization, ISP acceptance, MTA/MUA integration, etc)?
Why do people like you always want to create laws against spam? Spam may be a problem, but it's a technical problem. The SMTP protocol is insecure and outdated - it was never meant to be used on such a large network.
We don't need laws against spam - we need better technical solutions. For example, a communication network based on the Jabber protocol would be a cool solution, because it allows you to check the identity of the sender.
If you are against spam - why don't you support better protocols?
can i interest you in some human growth hormone? guaranteed organic!
Lawsuits. Why don't we see more lawsuits?
* Are spammers too hard to track?
* Is it too expensive right now?
* Have the courts not been favorable?
I'd happily participate in a class action suit. My email account gets hit with 100-200 spams a day, never mind the rest of my family, including my kids who get porn spam right along with the rest of us (see Britney with a guy, a gal, a bullsnake and a tractor!). It takes time to maintain the anti-spam filters, and even then I have to wade through the crap they miss. Then there's the time dealing with complaints from people who think I spammed them because the scumball spammers use *my* email as a return email address. And so on.
The people who think spam isn't a problem are simply clueless.
I have absolutely no idea! I wouldn't click it in a million years!
That was classic intercourse!
What should one do when their favorite web site continually spams their visitors with duplicate articles on a regular basis?
If we can identify the spammers, how about a clearing house of *their* addresses, phone numbers, etc? Then we can mount giant DOS attacks on them. Tie up their phones. Return all our junk mail to them. Caravans of cars nose to nose in front of their homes and businesses so they can't get in or out.
...
anyone would think that you didn't like spam
That was classic intercourse!
As far as I'm concerned, spammers hijacking servers / connections to deliver their spam should be open to criminal hacking charges. Is there any reason to not support criminal investigation of these activities?
OS Software is like love: The best way to make it grow is to give it away.
Could an escrow email system be a helpful service improvement over current SMTP email, assuming that participation is a voluntary addition to normal SMTP traffic?
By "escrow", I mean that licensed businesses would be responsible for storing and delivering email under specially defined rules (which are open for debate on ways that would improve security and reduce unsolicited items). Servers could refuse to accept or deliver email that did not meet the established rules. Subscribers could refuse to accept email from non-escrow servers (or hopefully more specific arrangements could be made depending on the "rules" of escrow service). Email service would be a legal contract, so the identity of subscribers when they submit emails would always be known.
The standard unregulated email system should still be available to all internet users to provide for free (beer) and free (speech) usage, but the escrow method would be a voluntary subscription service.
My idea is to build a challenge response system into the mail server.
The goals of the system would be as follows:
To maintain a one-way hash of authenticated From: addresses for
each user on the mail system. Incoming mail source addresses would
be compared against the hash table. If the source of the email does
not have an entry in the hash table, then the system automatically
sends a challenge to the email author. The challenge would contain
a combination of textual and visual tests designed to be impossible
for a computer program to answer automatically. The challenge would
also contain an agreement which would place the recipient in the
position of violating wire-fraud laws if they answer the challenge
fraudulently.
Once a human has responded to the challenge email correctly, then
his email gets through the mail system to the recipient.
The person who passed the challenge gets added to the hash table
and is not challenged again. Users would never see mail from
senders who failed to answer the challenge. Perhaps only mail
from external sources would be challenged. Internal corporate
mail could bypass the system. Or not.
The email source address could be spoofed, but that would require
the spammer to know a valid source address for each user on the
planet. And that user could have the hash entry cleared to force
the user to re-authenticate if the source address is compromised.
Or the source could be blacklisted.
Since most spam does not come from valid email addresses, the
user will never see the spam because the challenge would never
get answered. Loop counters can be used to prevent endless
challenge bounces.
A spammer who answers the challenge fraudulently commits
wire fraud.
Companies who send out mass mailings to their customers must
have staff necessary to maintain enough personal contact with
their customers to answer the challenge emails and get
authenticated.
If these emails annoy the user, then instead of "opting-out", he
can reply with a codeword and the mail server will add the
sender to a blacklist and the user need never see mail
from that sender again.
For individual users who want to send mail to a friend or co-worker,
the burden of answering the challenge once is a small burden. For
spammers, the burden would be overwhelming.
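A sketch of the state machine the comment above describes, as an added example rather than code from the poster or from any mail server: per-recipient hashed sender table, held mail, challenge tokens, a loop counter, the codeword blacklist and the "clear the hash entry" reset. All names are hypothetical; the human test itself is reduced to a boolean, and using HMAC-SHA256 with a server-side key as the "one-way hash" is this example's choice, since a bare hash of an e-mail address is easy to reverse by guessing.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

DELIVER, CHALLENGE, HOLD, DROP = "deliver", "challenge", "hold", "drop"


class ChallengeGate:
    """Challenge/response gate in front of user mailboxes (hypothetical design)."""

    def __init__(self, max_challenges=2):
        self.max_challenges = max_challenges   # loop counter limit per sender
        self._key = secrets.token_bytes(32)    # keys the one-way hash
        self.approved = defaultdict(set)       # recipient -> approved sender digests
        self.blocked = defaultdict(set)        # recipient -> blacklisted digests
        self.held = defaultdict(list)          # (recipient, digest) -> held bodies
        self.sent = defaultdict(int)           # (recipient, digest) -> challenges sent
        self.pending = {}                      # token -> (recipient, digest)

    def _digest(self, sender):
        addr = sender.strip().lower().encode()
        return hmac.new(self._key, addr, hashlib.sha256).hexdigest()

    def receive(self, recipient, sender, body, internal=False, is_challenge=False):
        """Return (action, token); token is set only when a challenge goes out.

        internal     -- mail submitted by an authenticated local user
        is_challenge -- the incoming message is itself another site's challenge
        """
        rcpt, d = recipient.lower(), self._digest(sender)
        if d in self.blocked[rcpt]:
            return DROP, None
        if internal or d in self.approved[rcpt]:
            return DELIVER, None
        self.held[(rcpt, d)].append(body)
        # Never answer a challenge with a challenge, and stop after a few
        # attempts, so two gates cannot bounce challenges forever.
        if is_challenge or self.sent[(rcpt, d)] >= self.max_challenges:
            return HOLD, None
        self.sent[(rcpt, d)] += 1
        token = secrets.token_urlsafe(16)
        self.pending[token] = (rcpt, d)
        return CHALLENGE, token

    def answer(self, token, passed_human_test):
        """Process a challenge reply; return the held messages now released."""
        entry = self.pending.pop(token, None)  # tokens are single-use
        if entry is None or not passed_human_test:
            return []
        rcpt, d = entry
        self.approved[rcpt].add(d)
        return self.held.pop((rcpt, d), [])

    def block(self, recipient, sender):
        """The user's codeword reply: never show mail from this sender again."""
        rcpt, d = recipient.lower(), self._digest(sender)
        self.blocked[rcpt].add(d)
        self.approved[rcpt].discard(d)
        self.held.pop((rcpt, d), None)

    def revoke(self, recipient, sender):
        """Clear the hash entry so the sender must re-authenticate."""
        rcpt, d = recipient.lower(), self._digest(sender)
        self.approved[rcpt].discard(d)
        self.sent[(rcpt, d)] = 0


if __name__ == "__main__":
    gate = ChallengeGate()
    # Constructed addresses for illustration.
    action, token = gate.receive("bob@isp.example", "alice@example.org", "hello")
    print(action, gate.answer(token, passed_human_test=True))
    print(gate.receive("bob@isp.example", "alice@example.org", "second mail"))
```

The approval is keyed on the From: address alone, so anyone who forges an approved address is delivered until the entry is revoked. Challenges sent in response to forged addresses go to people who never wrote, which the loop counter limits but does not prevent.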
Now, let's say that the ISP has a T-1, and that they are excellent negotiators and pay only $100 per month for connectivity and bandwidth. Over the course of a year, that user's 73GB of spam will take 73*1024^3/1536000 ~= 51030 seconds to transfer, or about 14 hours. Assuming a 30-day month, that alone costs 51030/(86400*30)*100 ~= $1.97.
You used "$100+" for the ISP's per-customer collections per year. Rounding up to $240 ($20*12 months), and assuming a truly excellent price for bandwidth, spam adds about 1% overhead to an ISP's costs in connectivity alone.
1% doesn't sound like much, until you realize that it comes directly out of profits. If an ISP would otherwise be making a 10% return on their investment, that 1% takes it down to 9% (a 10% drop on net profits!). That number goes up radically if you figure in additional administrative, storage, and filtering charges, and the cost of bandwidth in the real world.
Dewey, what part of this looks like authorities should be involved?
It seems to me that the only way to stop the supply is go after the demand. Somewhere out there, there are the one in 1 million people who are purchasing the Swedish-made Penis Enlarger. How can we make it so that guy (or gal!) will need to find some other way of buying goods and services? Institute a Spam-use tax? Pass laws against buying something from spam? Send goons to his/her house?
Yeah, right.
If 90% of all e-mails he sends are filtered, he just sends 10 times more.
And if 0% of his messages get through?
(hint: 0 x anything = 0)
Quite some time ago, lawyers attempted stopping spam by making the old 'junk fax' laws apply to email, but the courts and legislators have treated email and the internet as a completely separate body. Could/should this have been handled differently?
Manipulate the moderator system! Mod someone as "overrated" today.
Clearly, if spam were no longer an effective means of marketing, it would largely stop. But that doesn't imply anything about what should be done to remove that incentive. It's like saying, "for our business to succeed, we need to increase our revenue/costs ratio".
We can make it excessively costly to use spam marketing techniques -- e.g., kill all the spammers, or really crack down on them legally (though assuming that spammers will accurately estimate their risk is questionable). Or we can reduce their returns, by trying to educate users, blocking spam (at the ISP level and/or at the user level).
I would like to get Barry Shein's insights as to what he would identify as the best leverage point in a complex system.
Personally, I think it would be a huge effort to educate the users. There's a sucker discovering the internet every minute, many of whom have sadly stunted genitalia and/or would really like to help that Nigerian fellow out of his bind.
There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
The problem is: catching spammers is tricky. They use tons of tricks - most notably nailing other people's servers to transmit spam - in order to make it appear as if spam comes from another source.
If we could catch some of the spammers now, I think more actions would already be in place against them (whether legal or vigilante).
Whenever I get a spam message I just look for the remove me link. I then look to which URL that takes me to. Do a whois and find out their support email. Then I sign them up for every spam service/newsletter possible including their own.
Also anytime I go to a website that asks for an email address I like to use support@[theirwebsite].com that always makes me feel a little better.
I had an internship for an ISP while in college where we dealt with a lot of spam. It seemed that most of the spam came from unsecured mail servers in China that allowed anyone access to port 25. My question in light of this is: What can we do as a world community to help ensure responsible ownership of private systems in a public, global community such as the Internet?
"My ship came in, but was bombed by terrorists in port and sank." - Me
If the US passed a law outlawing spam, or provided a do-not-email list, with harsh penalties for breaking it, do you think it would help? I'm in WA state, we have an anti-spam law, it doesn't help.
Are spammers too hard and too numerous to track down to be worth it (and too poor to pay the fine even if caught)? Would spammers just move offshore and continue to spam?
I'm quite skeptical about this. Someone can correct me but as far as I'm aware, the majority of spam profit doesn't come from reaching customers or selling products. It comes from the illusion that that's happening.
Professional spammers don't make money from selling products via email. They make money from selling the spamming service to naive businesses who don't realise that spamming people doesn't work.
Absent a technological solution as well as an always imperfect legislative solution, and despite the sour taste we get in the backs of our throats at charging and having to pay for e-mail origination, AND assuming that rogue Internet states such as China put a "postage stamp" system into effect, what are your thoughts about the viability of origination charges and its effectiveness in stopping e-mail abuse?
Towards the Singularity.
I think most people are entirely unaware of the technical issues surrounding spam, and many are unaware of its uncouthness as a marketing tool. I am thinking primarily of small businesses, especially of one-person operations such as people who sell nutritional supplements, cosmetics, real estate, etc. Do you think that it is inevitable that there will always be a segment of the small business community that considers massive, blind emailing of publicity to be a perfectly legitimate and cost-effective marketing tool?
The real target audience of spam is NOT the developer who has downloaded special filtering software so that he won't be troubled by spam. It's not even the casual Outlook Express user who carefully flags each spam message so that his built-in high-tech filter can learn what he wants to see (yes I'm looking ahead to ward off the obvious counter-arguments).
All of these people ALREADY KNOW that these messages are spam. They aren't the ones targeted. Filters are doomed to failure unless the underlying technology of email changes. And no, you can't just distribute a "base" filter for everyone - how does that help the guy who's auditioning for a bit part in a porno and that's all he talks about? How does it help the 2 women who like emailing each other jokes about penis size? Or the Nigerian who's trying to arrange sending $10,000 to his son in college in the US?
There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
Wrong term. Collateral damage is unintentional (and probably undesired) damage that occurs near your *intended target*. In this case, it's very unlikely the diplomat who was killed had anything to do with the "Nigerian Money Scam" e-mail. For the killing of the diplomat to really be "collateral damage", the killer would have to have been shooting at the actual scammer and accidentally also hit the diplomat. In this case the killer lashed out at someone who had some vague connection to the people who scammed him.
BTW, even with smart weapons it's possible to get collateral damage since even if you precisely hit your intended target, the explosion may cause damage outside of the specific target you wanted to hit. That's collateral damage. If you bomb the wrong target (e.g., the Chinese embassy in Belgrade), it's not "collateral damage"; you screwed up and hit the wrong target. That's what this guy did.
They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
Ben
If you look at this "problem" from the other side, spam exists because it is effective. If 100,000 email boxes can be spammed for almost free, only a VERY small percentage of them need to respond to make a profit for the spammer. Remove the financial incentive and spam will die.
As much as I personally dislike the idea, a workable solution is to charge a small fee for every email sent. (I realize this opens a huge can of worms... who collects the fee, who receives it, potential for abuse, etc.) Can you comment on how effective this method could be?
What DNSBLs or filtering techniques do you currently use?
==
Cauce.org seems to have good intentions but if you search their site, you won't find any suggested solutions.
In fact, I have yet to see any good solutions to spam. I personally don't like the pay per email scheme or filtering solution.
What solution would you recommend to cauce.org?
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Using the spammer's last SMTP protocol leg, before your mail server closes it, why not do the following:
By not letting go of the (would-be spammer's) SMTP connection, one can consult the mail recipient white list. From an unknown sender, instead, save the entire email in a holding queue and send back the following SMTP error message:
With a marriage of sendmail MILTER and Tagged Message Delivery Agent, one can shift the burden of automating the mail recipient white list back to the sender (like ICQ does).
With a tweak of the last leg of SMTP protocol, we, the email users, will have control over what is 200 and what is 5-f@cking-50.
What say you?
- Shamelessly ripped from the Seinfeld TV episode "Soup Nazi."
What about creating a new DNS RR that would tell your MTA to only accept emails from a domain if the sender's IP address is in the MX list for the domain? This can avoid domain spoofing.
Also, force that the email you pass in the MAIL FROM: to match the one in the To: header.
Another one: force the server name passed with HELO to be a valid FQDN that maps to the ip address of the sender.
I know these measures can blow some mail lists but I think mail-list maintainers will be willing to modify their software if that helps getting rid of some spam. I have been working on blocking spammers lately and in 99% of the cases they spoof the server name at HELO and the email addresses.
HTML is obsolete. It's time for a new, simpler and richer markup language.
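Two of the checks proposed in the comment above (connecting IP must be one of the MAIL FROM domain's MX hosts; HELO must be an FQDN that resolves to the connecting IP), written out as an added example that is not the poster's code. DNS is replaced by a small constructed table so the block runs offline; every hostname, address and function name here is an assumption made for illustration. One sample session shows the breakage the poster anticipates: a domain that sends from a host other than its MX.

```python
import ipaddress
import re

# Constructed zone data standing in for live DNS lookups.
MX = {
    "example.org": ["mx1.example.org"],
    "bigcorp.example": ["inbound.bigcorp.example"],   # inbound only
}
A = {
    "mx1.example.org": ["192.0.2.10"],
    "inbound.bigcorp.example": ["198.51.100.5"],
    "out.bigcorp.example": ["198.51.100.77"],         # separate outbound relay
}

# At least two labels, each 1-63 chars, letters/digits/hyphens, alphabetic TLD.
FQDN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def _addrs(host):
    """Addresses the (constructed) DNS returns for host."""
    return {ipaddress.ip_address(a) for a in A.get(host.lower().rstrip("."), [])}


def helo_matches_peer(helo, peer_ip):
    """HELO must be a syntactically valid FQDN that resolves to the peer."""
    if not FQDN.match(helo.rstrip(".")):
        return False          # bare names and address literals are rejected
    return ipaddress.ip_address(peer_ip) in _addrs(helo)


def peer_in_mx(mail_from, peer_ip):
    """True/False, or None when the check does not apply (null reverse-path)."""
    if mail_from in ("", "<>"):
        return None           # bounces carry an empty MAIL FROM
    domain = mail_from.strip("<>").rsplit("@", 1)[-1].lower()
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in _addrs(mx) for mx in MX.get(domain, []))


def failed_checks(peer_ip, helo, mail_from):
    """Return the names of the checks this SMTP session fails."""
    failed = []
    if not helo_matches_peer(helo, peer_ip):
        failed.append("helo")
    if peer_in_mx(mail_from, peer_ip) is False:
        failed.append("mx")
    return failed


# Constructed sessions: (peer IP, HELO argument, MAIL FROM).
SESSIONS = [
    ("192.0.2.10", "mx1.example.org", "alice@example.org"),       # consistent
    ("203.0.113.50", "mx1.example.org", "alice@example.org"),     # borrowed names
    ("203.0.113.50", "friend", "offers@unknown.example"),         # bare HELO
    ("198.51.100.77", "out.bigcorp.example", "news@bigcorp.example"),  # split MX
    ("192.0.2.10", "mx1.example.org", "<>"),                      # bounce
]

if __name__ == "__main__":
    for peer, helo, sender in SESSIONS:
        print(peer, helo, sender, "->", failed_checks(peer, helo, sender) or "pass")
```

The fourth session is legitimate mail that fails the MX rule, because an MX record says where a domain receives mail, not where it sends from.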
About what percent of the messages that go through your ISP per day are spam? Can you guess what that spam costs you per day in the increased bandwidth and better computers you need to be able to handle it? Do many customers quit giving spam as the reason?
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Running a personal email server I fully agree and sympathize with Mr. Shein. Since I run a personal email server, I have the luxury of blocking all IP addresses from Asia and South America from my sendmail port. This has reduced my spam by 70%. A significant portion of that is from China. But the large ISPs don't have this luxury.
How does Mr. Shein feel and address this portion of the Spam problem? Also he calls spam cyberterrorism, does he feel China, and other countries should be labeled terrorist?
"You're having a bad day when the voices in your head put you on hold"
How about this?
ISP's who host an email server provide multiple unique email addresses for each user. Something like foo-xxxxxxxxxx@theworld.com. If spam comes in on the unique address, you tell the smtp server to block it forever.
People who would like to send an email to a user, but don't have a unique address, can apply for one by visiting a web page like the ones that ISP's use for setting up accounts. It would have some sort of human readable code to break. You could also send a request for an email address to the user (maybe not).
The only problem I see with this is that it ties email into the world wide web. And it doesn't have a good solution for blind people. Other than that - it's usable immediately.
Software Tool and Die rocks!
I've been an active anti-spammer for quite a while now and am quite proud of the knowledge I've acquired in the fight against spam. I even make good money off of filtering spam for others. As an anti-spammer I'm sure you've encountered folks that simply don't understand the purpose for a DNS blacklist. They claim it's prone to false-positives, dated information, legality issues, informally administrated, submission information isn't verified, hard to get removed from a DNSBL, or just plain silly (I actually had a person tell me this once). Most of these people make such claims due to a bad experience they personally had with a DNS blacklist at some point. It might be that they didn't get a newsletter they'd signed up for, when in reality the sender might actually use spam as a marketing tool. It could also be that they no longer get yahoogroups.com mail, when in reality they harbor spammers and take no action on abuse complaints. It could also be that they themselves had an MTA listed, when in reality they were incompetent mail admins and their MTA was an open relay. The last one is the worst of all. Unfortunately a large number of the people that have said these things somehow manage to call themselves mail administrators.
As a mail admin, I'm sure you have a better understanding than most about how much spam can hurt a business and can see the usefulness in DNS blacklists. How do you make the case for DNS blacklists when faced with the misguided bias from those that simply don't understand?
I've read most of the posts at this point in time, and I can't help thinking that the OpenSource methodology is the best way to bring about an intelligent solution at the user and ISP level.
Why screw around with the cost and time of laws that can be hard to write, hard to pass and harder to enforce?
I haven't checked for any opensource projects at the moment, but let's get cracking! Email, ISPs and whatnot are not my forte so I'm going to pay lip service to this idea. But I would think that Slashdot and the other OSDN sites have to deal with this problem, so how about sponsoring the place where we can work together to solve it?
Or what about Barry Shein? What have you done to organize a place/project for what seems to me a "very cooperative and willing community" to work on this problem?
"The difference between stupidity and genius is that genius has its limits." -- Albert Einstein
My question for Barry: How can we reconcile our belief in a personal right to privacy and anonymity online with the natural desire to tag and bag the scum-sucking weasel spammers who use that same anonymity to hide from the righteous beatings they so richly deserve?
TLR
A man no more knows his destiny than a tea leaf knows the history of the East India Company
It's all well & good to complain that spam is the organized crime of the internet, but it's another matter to actually use that rhetoric to get the gangsters thrown in jail or at least into a different line of work (as an aside, here's a scary thought: Dave Ralsky as a character in "The Sopranos" or "Godfather IV". yow!) How do we get there? At last month's Spam Conference, the impression I got was that no one strategy is by itself going to be enough to handle the spam problem:
- Legislation won't be enough, because some people will just move their operations to different jurisdictions, while others will ignore the law (by analogy, bank robberies still happen even though they're not illegal, since that's where the money is)
- Filtering won't be enough to save us, because spammers can keep evolving to avoid filters faster than filter writers can adapt
- Blacklists are even worse than spam, since they always lead to false positives & deletion of legitimate mail
- Network changes are unlikely to help, because many of the proposed ideas are more disruptive than the spam problem itself
Etc. (Subjectively, the spam I've received since the conference has gotten *much* more difficult to filter. In spite of the great tools I learned about that day, the tactics of the spammers have gotten more crafty. This is turning into an arms race, and one I'm not sure we can win. Are you concerned that things may have changed for the worse since the Conference, or on the whole did the "good guys" come out ahead?)
Given that, to steal Fred Brooks' line, "there is no silver bullet" to solve the spam problem, how do you propose that we handle it? It seems like there are grassroots efforts to prevent spam delivery (things like SpamAssassin, Paul Graham's statistical work, realtime blacklists), topdown efforts to control spam on a network (Brightmail, MessageLabs, etc) and lateral attacks on the legal & economic side of things (Jon Praed's lawsuits on AOL's behalf, Microsoft pledging to sue Hotmail spammers). These are all chipping away at the problem, but none of these people seemed to feel that their efforts alone would be enough to make spam go away.
The general consensus at the conference seemed to be that the only truly effective tactic would be to fundamentally disrupt the business model of spam: if you can make spam less profitable than say traditional junk mail, or stealing hubcaps, then you remove the incentive to take it up as a living. Do you agree with this? If so, then where are the thresholds at which spam becomes less profitable than hubcaps, and what tactics will bring us to that level most effectively?
In short, we all know what the problem is, and a lot of smart people have started to identify aspects of the problem. But are we making enough progress? If not, how can progress most effectively be made? Where are we falling behind? Has the Spam Conference been a turning point for the better, or do the spammers just have the rest of us on the run now? Can you please enumerate, in your opinion what seems to be working (if anything) and what seems to be falling short, and put this in context by describing which strategies (technology, legislation, etc) that you think will be most effective in the long run.
Thank you, and thanks for the Conference talk. It was very entertaining :-)
DO NOT LEAVE IT IS NOT REAL
There seems to be a lot of disagreement between spammers and their victims on what exactly is "spam". Lots of spammers claim that it's not spam as long as [it's not commercial | it's not porn | I bought an opt-in list | etc]. Some users don't mind diet pill ads but hate herbal viagra.
What do you consider spam? Is it unsolicited commercial email? Unsolicited bulk email? What about chain letters forwarded to you by your Aunt Ethel? Any successful legal solution will depend on a good definition.
Your main goals are to cost the spammer lots of money. Make it cost them more to spam. Or to make their spam less effective... Here are MY ideas...
1) Mail list poisoning. Poisoning their mail list with honeypot mail addresses means their mailing list is less effective. Things like multiple forms submission tools are really good for doing this.
2) Sue them... More and more people are doing it. Main problem... finding them (spammers).
3) Take down their site... (NO - I don't mean hacking it). I mean doing it legally. By complaining to their domain name reseller. Most use bogus "whois" data (grounds for AUP violations). Most ISPs hosting these sites are in China. Others have been known to shut down their sites.
More laws? Hah! Spamming problem is international - laws don't work.
Barring a totally new email protocol, we'll always have to deal with SMTP attacks. I'm afraid there's nothing you can do about dictionary attacks, except maybe detect them and refuse the connection from this IP address for the next X hours.
Bayesian filtering is interesting because it reduces the efficiency of spam, hence the profitability of spam. But there is another way: Force people to think twice before they sell your address or, worse, post it on an open web site.
As a deterrent against address selling, I am now using exclusively disposable, traceable addresses, from www.sneakemail.com and www.spamgourmet.com.
Addresses generated from these sites can be given to just one entity or person. If that person sells or posts your address, you inhibit the address and put that person/firm in your "stinker" list. And you make sure people know.
If the use of traceable addresses was prevalent, the number of spamming outfits would quickly drop, since you can pinpoint the source of each address. At least that's my experience.
My question is, do you think this would work on a large scale?
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
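The detect-and-refuse idea from the comment above (count failed recipient lookups per connecting IP, then refuse that IP for the next X hours), as an added example that is not part of the original post. The class name, thresholds, reply texts and the event list are assumptions; the events are constructed and use documentation addresses.

```python
from collections import defaultdict, deque


class DictionaryAttackThrottle:
    """Refuse SMTP clients that probe for many nonexistent mailboxes."""

    def __init__(self, valid_users, max_unknown=5, window_s=600, block_s=4 * 3600):
        self.valid_users = {u.lower() for u in valid_users}
        self.max_unknown = max_unknown  # misses tolerated per window (assumed value)
        self.window_s = window_s        # sliding window in seconds (assumed value)
        self.block_s = block_s          # the "X hours" of the comment (assumed value)
        self._misses = defaultdict(deque)  # ip -> times of unknown-user RCPTs
        self._blocked_until = {}           # ip -> time the block expires

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]  # block has expired
            return False
        return True

    def on_rcpt(self, ip, rcpt, now):
        """Return the SMTP reply for one RCPT TO command."""
        if self.is_blocked(ip, now):
            # A blocked client gets the same answer for valid and invalid
            # mailboxes, so it cannot keep confirming addresses.
            return "554 5.7.1 refused: too many unknown recipients"
        if rcpt.lower() in self.valid_users:
            return "250 2.1.5 OK"
        misses = self._misses[ip]
        misses.append(now)
        while misses[0] <= now - self.window_s:
            misses.popleft()  # forget misses that fell out of the window
        if len(misses) > self.max_unknown:
            self._blocked_until[ip] = now + self.block_s
            del self._misses[ip]
            return "554 5.7.1 refused: too many unknown recipients"
        return "550 5.1.1 user unknown"


# Constructed sample data: (seconds, client IP, RCPT TO address).
VALID_USERS = {"alice@example.com", "bob@example.com"}
EVENTS = [
    (0, "198.51.100.20", "alcie@example.com"),   # honest typo
    (5, "198.51.100.20", "alice@example.com"),
    (10, "203.0.113.7", "aaron@example.com"),    # name-list probing starts
    (11, "203.0.113.7", "abby@example.com"),
    (12, "203.0.113.7", "adam@example.com"),
    (13, "203.0.113.7", "adrian@example.com"),
    (14, "203.0.113.7", "al@example.com"),
    (15, "203.0.113.7", "alan@example.com"),     # sixth miss: block starts
    (16, "203.0.113.7", "alice@example.com"),    # valid, but no longer answered
]


def replay(events, throttle):
    """Feed events to the throttle; return (ip, reply code) pairs in order."""
    return [(ip, throttle.on_rcpt(ip, rcpt, t)[:3]) for t, ip, rcpt in events]


if __name__ == "__main__":
    for ip, code in replay(EVENTS, DictionaryAttackThrottle(VALID_USERS)):
        print(ip, code)
```

A single mistyped recipient stays far below the threshold, which keeps ordinary senders out of the block list.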
I think we should syn flood any system sending spam. ISP or not. This will force the host or the Spammers to come to a complete halt. Better yet, we can send them so much spam in return that their servers will be forced down. Just like returning those AOL CDs or that guy that got signed up for snail mail lists and he was upset that he was getting the junk. You must fight back using the same tactics they are using!
Do you need a bigger penis?
How can we implement a plan that charges for email? How do we make said plan fair? This would make spam economically unviable but I don't see how it can be implemented without altering the soul of the Internet or at least causing a virtual war.
I was the senior architect at a hosting company previously that had a lot of issues with spammers - It was always up to me to deal with SPEWS, ORBS, etc. so I came up with a solution that really pissed off some customers but after explaining the situation and helping them get around things - spamming from our servers (45 of them) went down to nil... The solution was a hack to QMail that checked the "From" address and made sure that it was a valid account under the given user's domain - if the system detected that the "From" address was not a real address, then it redirected the mail with an explanation of why, to the email address that the user signed up with... A couple of times the user did spam, and ended up filling his own earthlink mailbox with thousands of emails before they realized what was going on...
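The outbound check described in the comment above, sketched as an added example; it is not the poster's QMail patch and is not part of the original post. The account table, the postmaster address, the function names and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed account table: which mailboxes exist under each hosted domain,
# and the address the customer signed up with.
ACCOUNTS = {
    "cust-1001": {
        "signup_address": "owner@isp.example",
        "mailboxes": {"shop.example": {"sales", "info"}},
    },
}
POSTMASTER = "postmaster@hosting.example"  # assumed notice sender


def from_problem(account, msg):
    """Return None if the From header names a real mailbox, else the reason."""
    senders = getaddresses(msg.get_all("From", []))
    if len(senders) != 1:
        return "the message must carry exactly one From address"
    local, _, domain = senders[0][1].rpartition("@")
    mailboxes = account["mailboxes"].get(domain.lower())
    if mailboxes is None:
        return f"the domain '{domain}' is not hosted on this account"
    if local.lower() not in mailboxes:
        return f"'{local}@{domain}' is not an existing mailbox"
    return None


def handle_outbound(customer_id, raw_message):
    """Decide what the hosting server does with one submitted message.

    Returns ("relay", original message) or ("redirect", notice), where the
    notice goes to the customer's signup address instead of the recipients.
    """
    account = ACCOUNTS[customer_id]
    msg = message_from_string(raw_message)
    problem = from_problem(account, msg)
    if problem is None:
        return "relay", msg
    notice = EmailMessage()
    notice["From"] = POSTMASTER
    notice["To"] = account["signup_address"]
    notice["Subject"] = "Outbound message not relayed"
    notice.set_content(
        "A message submitted from your hosting account was not relayed "
        f"because {problem}.\n\n"
        f"Original From: {msg.get('From', '(missing)')}\n"
        f"Original To: {msg.get('To', '(missing)')}\n"
        f"Original Subject: {msg.get('Subject', '(missing)')}\n"
    )
    return "redirect", notice


# Constructed sample messages.
GOOD = (
    "From: Sales <sales@shop.example>\n"
    "To: buyer@customer.example\n"
    "Subject: Your order\n\nShipped today.\n"
)
FORGED = (
    'From: "Account Team" <security@bigbank.example>\n'
    "To: victim@elsewhere.example\n"
    "Subject: Verify your account\n\nClick here.\n"
)
NO_SUCH_MAILBOX = (
    "From: promo@shop.example\n"
    "To: list@elsewhere.example\n"
    "Subject: Deals\n\nBuy now.\n"
)

if __name__ == "__main__":
    for raw in (GOOD, FORGED, NO_SUCH_MAILBOX):
        action, result = handle_outbound("cust-1001", raw)
        print(action, "->", result["To"])
```

Because every rejected message turns into one notice in the customer's own mailbox, a bulk run with forged senders lands on the account owner, which is the effect the comment reports.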
Recently the ISP I use went to SMTP by authorization only for the user end. Do you think requiring this would cut down on spam if it were done from the back end as well (IE, recognized SMTP servers)?
This sig no verb.
What can I do now about a spammer spoofing with my email address?
I'm currently getting hundreds of bounced, undeliverable messages from various organizations because a spammer is using my email address to spam others. The web site he's advertising is located in China, and I seem to have no way of finding the individual much less taking action against him.
What are my options?
_ The bureaucracy is expanding to meet
the needs of an expanding bureaucracy.
What is the best way to discourage spammers from spamming?
I prefer postfix with Tagged Message Delivery Agent myself.
I could imagine that dictionary-based spam "attacks" might incur a higher per-user cost if they're aimed at theworld.com than if they're aimed at aol.com--same absolute cost, but the difference in number of actual users changes the per-user cost. Is spam-fighting actually more expensive for smaller ISPs than large ones?
Back when I was a user of The World, the wstd.* Usenet groups saw frequent complaints (my own among them) about false positives in World's spam blocking. How do you evaluate the tradeoff between blocking spam and accidentally blocking legitimate email?
That would be the customers.
I don't know if anyone has realized it yet, the biggest distributor of spam is computer-illiterate or unknowing customers.
One of the biggest reasons spam takes up a massive amount of our SMTP bandwidth is because of the fact users will forward what they don't know as spam to their friends. Their friends will then do the same, the receivers of forwarded messages the same as well (another big waste of our bandwidth is the headers in messages that have been forwarded >=100 times, most originating from spammers). I would go so far as to say these cases account for at least 50% of the problem.
My question to you:
What do we do about these cases? Try to educate the user who in and of him/herself accounts for 80% of the real problem (the gross congestion of unsolicited ads/spam)? Or the criminals that will almost certainly keep adding fuel to the flame, in shackles or not?
Of all the Universal Constants, here's one I know: Nice guys finish last
Pay those corrupt police a little more to kill the spammers.
In the law there is no overlap between theft and copyright infringement whatsoever.
Which to smash first ?
What would Lemmy do?
Hoop. Not hoops. Singular tense. You only have to do it once. And only if you email first. Why are you emailing first anyway? Because you are motivated (i.e. you want something from me). The only ppl who object to this are spammers and salesmen. Which are you?
What do you think of this proposal from www.walterbright.com/spam.html?
Solution To Spam
The fundamental problem with spam is that the recipient pays to receive the messages, while the sender can put out millions of messages at essentially zero cost. Even if the tiniest percentage of spam recipients ever respond, that still makes it worthwhile for the bulk spammers. Spam is more than just a nuisance, it consumes a growing percentage of bandwidth and costs a lot of money to try and block it. Spam is so pervasive it threatens to make email simply useless.
Current solutions amount to an arms race between the spammers and the spam filters; each time the filters get better the spammers figure a way around them. Even worse is the fact that spam filters can also filter out wanted messages. If you're running a business, you can't afford to miss any of those. A 1% false positive from the spam filter makes it useless.
Various legislative proposals have been put forward to try and deal with spam, but all of them are fundamentally flawed either in being impossible to implement (since the internet is a global system) or impossible to enforce.
The only real solution is to find a way to switch the costs of sending spam from the recipient to the sender. Even a tiny cost per email will rapidly render most spam uneconomic. What follows is my proposal for implementing this.
A Penny An Email
If sending an email cost $.01, the vast majority of spam will become uneconomic for the sender. For email users, the additional cost will be trivial, and likely far less than what they spend in time and money on spam filters.
To make the cost even more irrelevant to users, users can have whitelists. If an email sender is on the whitelist, they are not charged the penny. Furthermore, the penny cost of sending emails can be credited to the user's ISP bill. So, receiving email can actually result in lower bills for users.
Users can individually decide if they want to accept or not emails from users who won't pay the penny, and they can individually decide if they want to pay the penny or not when they send email.
How To Implement
To make this work, a system of micropayments needs to be established. The obvious way to do this is for the ISP to do it. All the email to a user flows through that user's ISP, so it is the natural candidate for doing the accounting. The ISP is already set up to bill the user monthly, so it's just another line item on that bill.
Of course, not all email originates and is delivered to email accounts entirely within their ISP. ISPs will therefore need to have reciprocal agreements with each other on the penny charges, and can 'settle up' with each other monthly.
What's in it for the ISPs to do this? The penny charges can be split with the ISP. Given the volume of email, that should be an attractive profit center for the ISP, enough to justify implementing the system.
Stages
This is worthwhile to implement even for one ISP. An ISP can implement it within its own email system. Other ISPs will have an incentive to join in the system, both for the revenue from the emails and as a service in demand from their customers.
Eventually, ISPs that refuse to cooperate will become isolated, and few will accept email originating from them anymore.
Bugs
The biggest problem I can see with this is the problem of forged email return addresses. I am not an expert on internet email routing, but isn't it possible for routers at each step of the transmission of email to be programmed to reject email that doesn't come from where it says it did? This should be a solvable technical problem.
Comment #5371823 sez:
You can make up a 'custom' address (e.g. zathrus-amazon@example.com) for autoresponders from each such company you do business with, and put mail to these addresses on an automatic whitelist. If one of these addresses gets sold to a spammer (it's never happened to me yet), you just kill it and end your relationship with that vendor.
With sendmail, this is cake. I've been doing this for over a year now, and not a single spam has arrived from any of the customized email aliases I've given out (domain.com@mydomain.com). If I ever do see one, I just bitch out the company, drop the alias, and stop doing business with them.
On the job hunt note, I did this with boeing.com and saic.com. Some of their HR folks were impressed with the scheme; none were put off by it.
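The per-vendor alias scheme from the comment above, and the disposable traceable addresses described earlier in the thread, as one added example that is not part of either post. The keyed tag on each alias is an addition made here so that aliases cannot be guessed by a dictionary run; the class, the secret and the sender domains are constructed assumptions.

```python
import hashlib
import hmac


class TraceableAddresses:
    """Issue one alias per vendor and attribute incoming mail to it."""

    def __init__(self, user, domain, secret):
        self.user = user.lower()
        self.domain = domain.lower()
        self.secret = secret
        self.issued_to = {}   # vendor -> sender domains the alias was given to
        self.revoked = set()  # vendors whose alias has been killed

    def _tag(self, vendor):
        # Short keyed tag (assumption of this example, not in the posts).
        mac = hmac.new(self.secret, vendor.encode(), hashlib.sha256)
        return mac.hexdigest()[:8]

    def issue(self, vendor, sender_domains):
        vendor = vendor.lower()
        if not vendor.isalnum():
            raise ValueError("vendor label must be alphanumeric")
        self.issued_to[vendor] = {d.lower() for d in sender_domains}
        return f"{self.user}-{vendor}-{self._tag(vendor)}@{self.domain}"

    def revoke(self, vendor):
        self.revoked.add(vendor.lower())

    def classify(self, rcpt, mail_from):
        """Return (verdict, vendor) for one delivery attempt.

        accept: alias is live and the sender is the vendor it was given to
        leaked: alias is live but the sender is someone else
        reject: alias is unknown, has a bad tag, or was revoked
        """
        local, _, domain = rcpt.lower().rpartition("@")
        parts = local.split("-")
        if domain != self.domain or len(parts) != 3 or parts[0] != self.user:
            return ("reject", None)
        vendor, tag = parts[1], parts[2]
        expected = self._tag(vendor).encode()
        if vendor not in self.issued_to or not hmac.compare_digest(
            tag.encode(), expected
        ):
            return ("reject", None)  # guessed or mistyped alias
        if vendor in self.revoked:
            return ("reject", vendor)
        sender_domain = mail_from.lower().rpartition("@")[2]
        for allowed in self.issued_to[vendor]:
            if sender_domain == allowed or sender_domain.endswith("." + allowed):
                return ("accept", vendor)
        # The envelope sender can be forged, so "accept" is only a whitelist
        # hint; "leaked" is the signal this scheme exists to produce.
        return ("leaked", vendor)


def demo():
    """Walk one alias through issue, normal use, leak and revocation."""
    book = TraceableAddresses("zathrus", "example.com", b"constructed-secret")
    alias = book.issue("amazon", ["amazon.example"])
    steps = [
        book.classify(alias, "orders@mail.amazon.example"),
        book.classify(alias, "deals@pills.example"),
        book.classify("zathrus-ebay-deadbeef@example.com", "x@ebay.example"),
    ]
    book.revoke("amazon")
    steps.append(book.classify(alias, "orders@mail.amazon.example"))
    return alias, steps


if __name__ == "__main__":
    alias, steps = demo()
    print(alias)
    for verdict in steps:
        print(verdict)
```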
What can we, the users, do to make your job easier and more effective?
One of the easiest solutions I can see would be introducing laws to expressly criminalize relay rape, and give law enforcement enough teeth and incentive to prosecute regularly.
Upwards of 90% of the spam hitting our servers is relay raped off innocent 3rd parties. When you report the criminal trespass to law enforcement, they shrug their shoulders and say "there's no law against it" or "there's not enough fines to make it worth our time to prosecute".
Well, there should be.
How do you feel about the increasing usage of utilities like SpamAssassin or DNS-based blockers using very liberal blanket blocklists such as SPEWS (which has had a tendency to block entire subnets even if some hosts are not spammers at all)? Do you think this is a good tactic in combatting spam or is it a bad method and is harmful to the Internet as a whole? SPEWS rarely unblocks innocent bystanders caught in the middle of a blocked subnet, with the excuse of "the ISP supports spam." Many mailservers use SPEWS to completely block incoming mail from blocked hosts outright, instead of using it as it was designed, as an early warning system.
In your opinion, is it morally correct to regulate commercial solicitious email, or would that be a violation of their rights to free speech in the U.S.?
ellbee
You can't fight in here - this is the war room!
... for many reasons.
One, as other people have pointed out, spammers run dictionary-based attacks on ISP's domains. Sometimes, ISPs with multiple domains have them all connected so username@ one domain works for all of them. Due to this and other factors, chances are good that more than one email address can be delivered to any given "public" or "real" address.
So, my email I give out is username@pacifier.com. Pacifier also runs other domains. I frequently get spams for username@pacifier.rain.com, username@paclink.com, etc., addresses which until I got those spams I didn't even know existed.
* And remember, it's spelled N-e-t-s-c-a-p-e, but it's pronounced "Mozilla."
It seems that the clueful are 100% anti-spam, and 99.9% against anti-spam legislation. It seems inevitable that legislation will be passed eventually, be that next year or 20 years from now. Would the clueful community be better served by putting its creative energies toward designing effective legislation instead of participating in technological one-upmanship with the spammers? What might that legislation look like?
I work for an MSP (managed service provider) and one of the issues we have faced of late is that some of our less scrupulous clients are apparently spamming, although they deny this. We have found that some of our sub-nets have now been blocked by Real-Time block lists and this has affected far more than just these people who are spamming. In effect they are hurting the company (who is addressing the situation however it has been only a week since the complaint was filed with us and we DO have contracts with these people. It takes time to solve this issue. Not to mention we received only 1 AUP complaint from one source), other completely innocent clients and our staff who will lose their jobs if we start losing clients.
My question is: Do you think that SPAM vigilantes are hurting their cause more than helping in these instances? And furthermore does this kind of IP hostage taking make them as bad as the spammers, when they effectively shut down other organizations' networks like this without any solid proof? Even if they do prove it how can they simply shut down another organization's email like that?
"Laugh, and the whole world laughs with you. Cry, and they still think it's funny." - Mr. Boffo
How about all of the below and above this post? Why cannot we rewrite the protocol and replace the old ones to include self validating headers? Then, when some ISP screws up and allows Spammers to use their service, they get banned for a time. I know this SOUNDS harsh, but verifying your user base should be a big part of an ISP's duties. Monitor volume, Joe and Mart Everybody are not normally going to send out thousands of emails. Set a limit on the number and frequency of emails people send. If they have a huge mailing list, then they should be prepared to take a little flak. If they are innocent, then they should be determined to be innocent and the ISP should take steps to thwart the use of compromised accounts. Also it would be nice to block whole areas of the world where SPAMMERS function from, then the country, like China, Korea; et al, would be denied access until they cleaned up their acts. Internet access is not a right. Just a technological tool.
Peer pressure can be a wonderful thing. I am all for banning Columbia right now, they send drugs out and ban some people...hehe. Access can be a great motivator. Let's try it and see, filters and all.
AOL is one of the biggest polluters in the world with all of their spam (email, junk mail, CDs in the mail, tv spam).
My ISP, Internet Nebraska uses Postini, a service which intercepts all incoming email and uses content-based filters to block out nearly all spam e-mail. There are other programs that do the same thing, such as MailAgent. Postini even scans for viruses. For this service, Internet Nebraska charges me a fee of $1 per month which I am more than happy to pay. I now receive one to three spam e-mails per day as opposed to about 50 before I signed up for Postini. My question is this: Why don't more ISPs use services that are available, like Postini? It's a no-brainer to me, and I can't think of many good reasons not to use it.
http://www.walkingtaco.com
Well, there were never delivery guarantees per se, but there was a lot of work put into the SMTP protocol design so that there was a reasonable expectation that either your email would be delivered, or you'd get notification that it wasn't delivered. And except for spam filtering, this is still usually true -- if your email is not delivered for any reason other than spam filtering, you'll almost always get a bounce message (either from the mailserver on the other end, in the case of invalid accounts/etc., or from your mailserver, in the case of unreachable hosts/etc.).
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
OK, so 99% of that is Pr0n, but for most of those sites, they really exist, and they'll really take your money and give you pr0n, and if you like the quality of what they're selling compared to free pr0n, well, you've kept the spammers in business selling spamming services to the pr0n industry, and you may end up with your computer getting viruses from it just as *you* would have gotten strange diseases had you dealt with most of their "artists" in person. It's not like Tiffany and her girlfriends really wanted to talk to you in person, except for $3.99/minute, but she'll be happy to sell you pictures as well as showing you banner ads for other sites that will pay _them_ if you click through.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
What I'd like is for a lawyer to answer me about the ramifications of doing this.
If you put up a page on your website, offering to do a full "automated security analysis" of a remote computer, simply by "sending an e-mail to the following e-mail address".
Parse the headers, find the originating IP address, ping it, and then as part of the security analysis, run scripts which attack every single known Windows vulnerability. Afterwards, ping it, and display the results on the webpage.
Of course, you indicate in *human readable form* on that page that no human being will read e-mail going to that address, and that sending an e-mail to that address constitutes an agreement to an automated security test of your computer.
Spammers will harvest these addresses, and will pollute their address lists with addresses which will cause "random" crashes and so disrupt mass-mailings. Determining which e-mail addresses are causing the problem will be difficult for them, I would imagine, since they'll probably send a couple more e-mails in the time it takes for the script on the server to execute.
Evidently, getting permission from one's ISP (and mine is great *and* they hate spammers) and legal counsel is a prerequisite.
Of course, this is simply a security test.
Fire and Meat. Yummy.
- Some systems reject connection attempts from suspected Bad Guys wholesale without even a reject message; this is especially bad when the mail is from an innocent user who's been caught by collateral damage from an enthusiastic blacklist.
- Some systems reject messages from blacklisted systems but include an explanation in their 550/etc messages. This means that if you're a real user caught by collateral damage (or if you're a real user of an ISP that also sells to spammers), you'll know, and can complain to your ISP, which is supposed to be the point of collateral-damage blocking.
- Few if any systems give an alternate reply method, other than "try again with a different ISP.", e.g. use a Hotmail account to resend with. Annoying, but at least it's some way for a human to reply to a human.
Unix email reliability went WAY up when the HoneyDanBer UUCP system made a serious attempt to always send bouncegrams; previous UUCP systems sometimes tried and sometimes didn't, and for business use, you really need decent reliability.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The denominator of the equation (variable cost per spam) is essentially zero, so unless the numerator (expected revenue per spam message) also approaches zero, the rate of return exceeds unity and the spammer can expect a profit. To beat spam by market means, it must become utterly unprofitable--not just for the spammers, but for the spam-pimps who sell them the SpamWare programs and lists of stolen email addresses.
Where I live in Europe, we have very little spam in my native language. I receive very little spam in other European languages also, with some notable exceptions. Most (95% +) of the spam I get is American, most of the rest is Korean.
I believe the reason for this is that Norway and most other European countries have laws against unsolicited email and fax marketing.
Thus, I believe the problem of spam can only be solved by laws. American laws. The bulk of the problem would be solved by a federal US law. It should be illegal for any US individual or company to send spam or use spam in their marketing, whether or not the spam is actually sent via US based servers, whether or not the spam is sent to someone based in the US or not.
To make the law effective, it should be possible to file complaints electronically and automatically. Let an organization like EFF organize it, or some sleazy class action lawyer, or both. Lawyers will go after the worst offenders, and make them pay for each recipient, whether they are located in the US or not. Claims won can be paid to those who complained about the spam via paypal, or simply be donated to the spam fighting organizations, EFF, open source projects, amnesty, the red cross, UNHCR, etc.
This will be preventive. Spam will have a cost for the spammers. They'll risk getting huge legal fees. Volume of spam _will_ go down.
Whether a particular message is illegal according to the legal definition of spam is left to courts to decide.
Point is: If it's easy in this day and age to spam a million people, it should be equally easy for those hit by this problem to demand justice and get a compensation. If the risk of getting caught and having to pay for spamming increases dramatically, the practice of spamming will decrease even more dramatically.
In Europe a company is not allowed to send you commercial e-mail (uce, spam, call it as you like) without your prior written consent (basically they have to demonstrate you opted in). It works:
Of the 300 spam-mails I get a week, only 1 or 2 are originating from Europe. And if I will, I can forward it to the "Garante", which will ask them to pay me 250 Euro for damages. It works even if I am in Italy and the spammer is from Germany! Hundreds of people have already collected, and spammers are usually put out of business quite fast.
Unfortunately 50% of spam is coming through open relays in Korea and China (in English from US companies as well as in unreadable Korean). The other half is mostly from US-companies selling me products meant for US-people (US-people are usually overweight, have a short penis and are in financial trouble).
If we could close those open relays in Asia and get a decent anti-spam law in USA, we will get rid of 90% of spam - assured!
Whoever tells you laws are not a solution ignores the European reality.
My 2c
ms
Barry proposes in "ISP Head Floats Plan To Legalize Spam" that spam is impossible to block, and so instead should be legitimized and regulated, with a central, not-for-profit company charged with collecting fees from spammers and distributing those fees to ISPs that receive the spam. Of course, there have been many other plans for charging spammers to send spam, but those plans mostly have the fees going to the ISP that sends the e-mail, rather than the ISP that receives it and has to deliver it to the end-users. I'm the author of this piece, also the author of the InternetWeek piece linked to at the top of this thread. I must say, I've never had the same article /.ed TWICE before.
I'd like to know if there's something tangible I can do about spam. I've seen lots of suggestions... don't reply to "to remove" links, just throw it away, etc. Basically "ignore it". A few antispam efforts have popped up from time to time, some of them legislation, some net efforts, etc, but they all seemed hopeless or completely without effect. I have spent some time in my own efforts, tracking headers and finding the spam portals, and writing nastygrams to the portals who are always claiming "all our sponsors are opt-in and have removal links". Now I never did get a reply and I doubt it really did any good, but even with that, it felt like it had an impact, even if only a speck of sand on a beach. Is there anything we can do that will REALLY MATTER? Something we can see is having some sort of impact somewhere?
I work for the Department of Redundancy Department.
Do you think that if a few of the "career spammers" were tracked down and killed that we would see a reduction in the volume of spam? Seriously.
A majority of the SPAM that I receive comes from sites hosted by china-netcom (according to SPAM-Cop, http://www.spamcop.net). As far as I can tell, I have no options that I can use. I am sure that I am just receiving a trickle of SPAM that my ISP is letting through. I personally know the owner of my isp, and am very happy with it. My questions are: What can I do against foreign spammers? and What can I do to help my ISP fight SPAM?
I'm a happy pessimist. I expect and prepare for the worst, when it doesn't happen I am pleasantly surprised.
What do you think of port 25 blocking?
no big sig
Would it be possible, at a reasonable cost, to attach a tracer to all email? A filter could check the trace to verify the reply and original sending address are valid. This would eliminate half the crap in my inbox. If the address or reply is not valid it could go straight into the trash. Or to the FTC for action. Just some way to prove that it came from a real and usable address would be nice.
Professional Politicians are not the solution, they ARE the problem.
Barry,
As someone who has worked for large ISPs in England, Japan and Australia, I've seen the dramatic increase in spam over the last five or six years or so.
It seems to me that the current internet mail infrastructure is simply not designed to provide for any form of accountability and it is this that enables the spammers to so easily ride freely on our infrastructure.
What do you feel will be the future for the internet mail system? Will it be replaced (or gradually improved) with something that has more controls, or will the community band together strongly enough to deal with the problem with technological 'band-aids' on the problem?
Ok, this is probably the easiest and most straightforward way to deal with spam today. Make SMTP require a "username/password" before sending out the email, just like pop3 asks for it before giving it to you. Also, the server for whatever domain name is in the "From" field should be the ONLY server allowed to send/relay outgoing email for that domain.
Example:
I get an email account from "somedomain.com".
It is "me@somedomain.com".
When I send email from this account, it should connect to somedomain.com instead of my ISP, and send my username and password for authorization. (same name/pass used to check it)
Then, if authorized, the server can relay it.
Does this sound too simple of an idea?? I mean, if all SMTP servers required authorization before sending, then that would cut back on spam quite a bit, I think.. Plus it would be easier to track where it came from.
I don't know, I may be setting myself up to get burned here, but please tell me if I am wrong in my assumptions.
Why has some congresscritter not publicized something like the following:
- the "Internet" sucks up 10% of the total US energy budget (true factoid I recently read)
- X % of all internet traffic is EMAIL
(I've read this stat but forget it)
- X % of EMAIL is really SPAM
(60%? More? I've read this too...)
-therefore SPAM equals wasted XXX millions (the US energy budget is big).
Business people crushed junk faxes pretty quickly, why on earth has anti-spam legislation taken so long?
Do you favour a regulatory solution to rogue ISPs who support spammers?
I believe that regulation of the providers is the only viable solution to spam.
Something similar to the Usenet Death Sentence strategy could work.
However I do realise that there is a significant barrier to this. No controlling body.
I recently pestered Vinton Cerf, Chairman of ICANN regarding the recent spate of spam mail originating from China advertising sites on the Chinese network.
His response follows...
You need to look more carefully at ICANN's scope of responsibility and mandate before you conclude that it has jurisdiction over spam. None of ICANN's mandate covers email. Only domain names and IP address space, and protocol parameter assignment.
It does not have statutory authority - and can only either use contract law to enforce its agreements or moral suasion. I would also note that ccTLDs are largely resisting forming any contractual relations with ICANN including your own ccTLD. In fact I am sorry to report that NZ has been among the major critics of any agreements with ICANN.
I conclude from this statement that we do not have a controlling body at all... Just an automaton that consumes money.
Perhaps I am in lala land with my cut and thrust, maybe I am not... If ICANN is not going to take the responsibility of ensuring that the Internet becomes usable again for email then who is?
Spam has now affected my ability to use the internet. My hosting service is resisting allowing me to run mail servers on the machines I administer, instead asking that I use their mail servers.
This affects my ability to provide services to my clients such as tls esmtp connections from company Intranets on dynamic IPs to my mail server. My hosting service does not provide the certificates and tls services on their mail servers, therefore I must do it myself.
Barry,
I'm currently using one of the newer crop of mail client tools commonly (mostly incorrectly) called Bayesian filters. Spamsieve is the tool in my particular case--and it absolutely rocks. Extremely effective.
For me, the [end user|anti-spam zealot|good citizen], the linguistic analysis filter has the following advantages:
--Extremely high accuracy
--No discernible performance hit
--Non-destructive, does not delete any mail
--No ethical worries over collateral damage
--No additional network traffic, lookups, waits, outages
--Completely passive, i.e. no bouncing or complaining or local blocklisting to do
--Makes NANAE and spam-l virtually obsolete so I don't have to read them anymore (the glory of this should not be underestimated by laypersons)
--No campaigning for legislation, political solutions. Impervious to the wiles of the DMA.
For you, the responsible ISP, I imagine the main disadvantage would be that you still have to deal with the spam load whether or not my MUA intercepts the spam and hides it from me.
Question: Do you see linguistic filters having a prophylactic effect in the long run? If widely adopted I think they could make spamming so pointless that it mostly withers away.
Hrm, it just occurred to me that maybe a Bayesian tool could be constructed for use in marriages...interesting...
Barry,
Many countries are quickly jumping on the "computer break-in" = "cyberterrorism" bandwagon and making laws with worse penalties than brutal rape/murder. At least here in Australia it's gotten that way and I hear the US is no better off. Do you think we should campaign that spam using forged headers is a form of computer break-in (i.e. bypassing a spam filter) and thus a form of "cyberterrorism"? There is clearly a significant loss of productivity and the occasional important email.
Also, what do you think of the huge number of wide-open SMTP servers accepting these forged headers from anyone? Would you think they should be treated as aiding and abetting these evil "cyberterrorists" and forced to improve "cybersecurity"?
I don't know about AOL's spam being "enemy number one"...
:) It could have been from a name scanner or something, but that would require AOL to have craptacular spam blocking.
I signed up for 1000 free hours with AOL (was between pay accounts) and was surprised (well not really) at what happened.
I was using the AOL service for a net connection only, so I never used their browser (just minimized it) to look at any sites, just Mozilla. After a day or so, I found a couple spam messages in my AOL mailbox. I didn't think anything of it... Then after a couple days, I had many spams coming in every couple of hours. I didn't understand because I NEVER EVEN USED THEIR BROWSER! I thought it might be from some HTTP header that AOL sends out, containing the AOL account name or something. I don't think this is the case because they all had similar unsubscribe links and page layouts (seemed too professional for normal low class spam).
After I realised this was happening, I got pissed off (also got my other pay account activated). I called the unsubscribe number the next day. The tech support guy was very confused about why I wanted to cancel so soon. I told him that it was because of the spam. He said it was probably sites I went to and signed up for things with. I told him, in a fairly loud voice, "No, because I didn't use your browser once." He was further confused, and I told him that I just used AOL for the net connection and used mozilla. "What's mozilla?" he asked..hehe When I mentioned the word Netscape, he proclaimed "Oh, well, we own netscape."...a bubbling box-o-knowledge.
He, of course, offered me some free months of service (no wonder it costs so much...you're paying for the free service they always give out!), but I refused. After I told him I never used the browser and got all the spam anyways, he didn't have as much spunk. In a sad and confused voice, he just said he didn't understand why I would give it up so soon (hate to kill a salesman's spunk).
So, maybe if they either stop selling the users names to spammers, or stop transmitting the http headers (not confirmed), they would reduce their spam count.
IIRC, there was some issue involving a pump&dump stock scam and Russian mafiosi, but I don't remember if the Russians were the spammers, the suspected killers, the potential scamees who decided to put a contract on the spammers, or some/all of the above.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
A _receiving_ SMTP server can tag incoming messages with the IP address that's sending them to it, and that often has some semblance of correctness (except when NAT and firewalls and abused relays or proxies obscure the real address), but that doesn't often tell you the real user, especially if anti-spam blocking policies set by ISPs force mail to go through their servers instead of coming directly from the recipient. Those policies also mean that aggressive anti-spammers who want to DOS or DDOS spammers can't attack the individual miscreant, only the spammers' ISPs, who are much more likely to get the anti-spammers kicked off _their_ accounts as well as more likely to have enough resources that they're harder to DOS or root.
Anyway, they're no help for several of the classic spammer cases - Disposable $20/month dialup accounts, freemail accounts set up by bots, badly administered open proxies or mail relays, mail servers behind firewalls, fake freemail servers run by spamhauses who are obsequiously willing to delete the accounts of their naughty users, etc. If everybody who handles a message does a good enough job of marking it, there's some chance of tracking down users a bit, but badly administered relays/proxies are inherently not good at this (that's why we call them "badly administered") and relay-abusing spammers can just respond by forging "From:" addresses with correct domain names for the relay machines they're abusing, e.g. random-user@someschool.edu.kr or QuakeMonster@homepc456.network23.dsl-provider.seoul.net.kr.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I define spam as any email that:
(1) Is trying to sell me something, and
(2) I did not request or explicitly opt-in to receive.
It annoys me that just because my address has been harvested from who knows where, that my only options are to change it periodically or wade through my SpamAssassin folder every now and then looking for the false-positives. It also annoys me that my ISP-allotted throughput and server capacity is being taken without my permission -- which in my book equals theft.
-Technowitch
Here's what I do: every time I get spam, I forward it to a fake e-mail account I have just for spam. I spend an hour or two each week responding to it, requesting more information, or asking them to send literature, etc. to fake, but realistic, addresses. I believe that if several million people did the same it would absolutely cripple the spam industry. They would not be able to tell genuine buyers from fake ones and become instantly unprofitable. The only reason they are profitable at this time is because uninterested buyers simply delete or filter their messages. If you kill the profit, you kill the spam. What do you think of this low-tech assault on spam?
IAAL
I am a consultant for a cable ISP in India. My primary task is to help them fight against spam. When I was called for consultancy we used to get about 30 - 40 complaints per day, which would mean about 30k to 40k spam being sent from our network. Most of our customers are home users and the policy does not allow them to run mail servers (we block incoming port 25). On a simple analysis I found that 99% of the spam was being sent from our network via open proxies that are set up by various users. So I hunted down the ports one by one and installed a blanket ban on all the proxy ports from outside. Then we took care of 2 spammers who were in our network. We told them that if they continue spamming we will disconnect them. Now we have nearly zero complaints from our network.
raj
Sarovar.org Hosting for open source projects in Indi
First idea: Use a 'pass code.' When exchanging e-mail addresses with someone new, exchange pass codes too. Then, configure your e-mail client application to accept/send pass codes with your new contact. Pass codes could be specific to an e-mail address, a domain or non-specific. Pass codes could also be set up to expire so that a user could solicit anonymous e-mail messages for a period of time and for a specific purpose.
Second idea: When an e-mail client downloads a message from an unknown e-mail address w/o a pass code, it replies automatically with an e-mail demanding a reason. When the sender's reply is received, it is placed in a special folder for the user's review. The user can then decide to accept or reject further messages. (IOW, it would work like ICQ does.) The sender's reply could be limited to a short, plain text message. Now, when the recipient receives the first e-mail, it would reply with a long, random key that would be required in the sender's reply. That way the sender could not spoof a reply.
Both ideas require no changes to POP3 or SMTP (just the creation of new MIME types and a more intelligent e-mail client). Also, both mechanisms preserve the necessary level of anonymity. This would never work, of course, without a broad consensus on the new protocols and, of course, an agreement on when to cut over to them.
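The two ideas in the comment above, sketched as recipient-side logic in Python. This is an added example, not code from the poster. The class name, the three-day challenge lifetime, the 200-character reason limit and the "hold" state (one outstanding challenge per sender, so a forged sender address is not mailed repeatedly) are assumptions.

```python
import secrets
import time

CHALLENGE_TTL = 3 * 24 * 3600  # assumption: unanswered challenges expire after 3 days
MAX_REASON_LEN = 200           # assumption: limit for the "short, plain text" reply


class Gatekeeper:
    """Recipient-side state for the pass-code and challenge ideas."""

    def __init__(self, now=time.time):
        self.now = now
        self.pass_codes = {}  # code -> (scope, expiry); scope: address, "@domain" or "*"
        self.pending = {}     # sender -> (challenge key, time issued)
        self.review = []      # (sender, reason) waiting for the user's decision

    def add_pass_code(self, code, scope="*", ttl=None):
        expiry = None if ttl is None else self.now() + ttl
        self.pass_codes[code] = (scope.lower(), expiry)

    def code_ok(self, sender, code):
        entry = self.pass_codes.get(code)
        if entry is None:
            return False
        scope, expiry = entry
        if expiry is not None and self.now() > expiry:
            del self.pass_codes[code]      # expired codes stop working
            return False
        if scope == "*" or scope == sender:
            return True
        return scope.startswith("@") and sender.endswith(scope)

    def receive(self, sender, pass_code=None):
        """Return ("accept", None), ("challenge", key) or ("hold", None)."""
        sender = sender.lower()
        if pass_code is not None and self.code_ok(sender, pass_code):
            return ("accept", None)
        entry = self.pending.get(sender)
        if entry is not None and self.now() - entry[1] <= CHALLENGE_TTL:
            return ("hold", None)          # already challenged, send nothing more
        key = secrets.token_urlsafe(32)    # the long, random key
        self.pending[sender] = (key, self.now())
        return ("challenge", key)

    def receive_reply(self, sender, key, reason):
        """Accept a reply only if it carries the key issued to this sender."""
        sender = sender.lower()
        entry = self.pending.get(sender)
        if entry is None:
            return False
        expected, issued = entry
        if self.now() - issued > CHALLENGE_TTL:
            del self.pending[sender]
            return False
        if not secrets.compare_digest(expected.encode(), key.encode()):
            return False
        del self.pending[sender]           # keys are single use
        self.review.append((sender, reason[:MAX_REASON_LEN]))
        return True
```

A reply that passes `receive_reply` only reaches the review folder; whether further mail is accepted stays the user's decision, as in the comment.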
Asymmetric mail routing.
Two MX records (both on the inside and the outside). One MX record is Blacklistable (any and all blacklists... but you could have a degrading matrix of blacklisted MXs) and the other MX record is not. As soon as the ISP receives a complaint about a user causing SPAM (intentionally, paid or otherwise), that user's mail gets routed through the blacklisted MTA.
With this method, the offender gets punished and not the ISP... and if the ISP *is* the problem, well, inbound asymmetric MTA routing would work, but you'd have to keep your own score card rather than depend on an external blacklist.
Our ISP got a solution a couple of weeks ago. It's a company called Postini which filters spam. It turned my email from a worthless trough of spam (60 to 80 junk mail daily) to the 10 or 12 messages I want to see every day.
The question:
Currently, a company that follows all of the "guidelines" and does everything right, still stands a good chance of getting listed on SPAMCOP and other RBL lists based on a handful of complaints from clueless customers.
BCDE.COM maintains a nation-wide network of high-volume web sites. Access to the most basic site features is free, but all value-added features require that the user register -- The registration page includes very clear notice that the "cost" of registration, of access to advanced features, is that the user will receive marketing email from BCDE.COM.
If you choose to "unregister", BCDE.COM will stop sending you email, and you will no longer be able to access the advanced site features.
Filling out the form on the site is just step one -- based on the form, an email is sent to the email address supplied, re-iterating the terms on the form, and providing a URL to "confirm" opt-in. The URL includes a secure hash to prevent spoofed confirmations. Once an address has been sent a registration request, it cannot be sent another request for a week (to prevent using the form as a flood attack).
Daily, BCDE.COM and their ISP(s) receive complaints from users and from SPAMCOP about the confirmation email, about the marketing email, about the "spamvertised" sites hosted at A.BCDE.COM which are promoted in the marketing email.
99.999% of the user base has no problem with this business model, and would prefer this approach to actually paying a subscription fee for access to the "value add" site features.
How can an ISP know that a sending site that their customers complain about, or a customer that other ISPs complain about, is a legitimate business that is following all the "rules"?
I do not deploy Linux. Ever.
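The confirmation step described in the comment above (a URL carrying a secure hash, and at most one request per address per week) can be sketched as follows. This is an added Python example, not BCDE.COM's code. The endpoint URL, the parameter names, the use of HMAC-SHA256 as the "secure hash" and the one-week link lifetime are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

WEEK = 7 * 24 * 3600
CONFIRM_URL = "https://a.example.invalid/confirm"  # placeholder endpoint


class OptInRegistry:
    """Confirmed opt-in: signed confirmation links plus a weekly rate limit."""

    def __init__(self, key, now=time.time):
        self.key = key            # server-side secret, never sent to the user
        self.now = now
        self.last_request = {}    # address -> time of last confirmation mail
        self.confirmed = set()

    def sign(self, address, issued):
        # Bind the signature to both the address and the issue time, so a
        # link cannot be reused for another address or kept alive forever.
        msg = f"{address}\n{issued}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def request(self, address):
        """Return the URL to mail to `address`, or None if rate limited."""
        addr = address.strip().lower()
        now = int(self.now())
        last = self.last_request.get(addr)
        if last is not None and now - last < WEEK:
            return None           # the form cannot be used to flood a victim
        self.last_request[addr] = now
        query = urlencode({"addr": addr, "ts": now, "sig": self.sign(addr, now)})
        return f"{CONFIRM_URL}?{query}"

    def confirm_url(self, url):
        """Validate a clicked link; record the opt-in only if it verifies."""
        params = parse_qs(urlsplit(url).query)
        try:
            addr = params["addr"][0].strip().lower()
            issued = int(params["ts"][0])
            sig = params["sig"][0]
        except (KeyError, ValueError):
            return False
        expected = self.sign(addr, issued)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False          # forged or altered link
        age = int(self.now()) - issued
        if age < 0 or age > WEEK:
            return False          # stale link (assumed one-week lifetime)
        self.confirmed.add(addr)
        return True
```

Keeping the signed request time is also what lets the sender later show an ISP when and how an address opted in.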
From your perspective at the ISP, what's the most problematic type of spam, and how do you deal with it? How would you like it dealt with?
Ceci n'est pas une signature.
Also, unlike Barry, who has an ISP's concerns about mail volume and customer complaints, the real problem that spam causes end-users is that it wastes their time. Having to spend _your_ time deciding whether a name and address are worth your time before they can tell you what they want isn't very useful; if it included a Subject: line, you'd have an easier time guessing, though lots of spam tries to look like Subject: lines the recipient might be interested in. And if you're going to accept Subject: lines, most POP and IMAP mail readers have a download-headers option, though they don't all have a quick killfile command.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Some obvious approaches, like most of the postage-required-for-delivery or pay-me-to-read-your-mail-with-optional-refund things will discourage and annoy many of the people you might want actually to receive email from from bothering to contact you, so you'd probably end up with some backdoor anyway, because otherwise you're killing off conversations with interesting people and potential business opportunities.
Some of the other systems, like hashcash or turing-gif widgets, may be more acceptable to senders, but not easy to adapt to the mail clients that many people use, so you've either got to find a way to make a technical transition easy (e.g. mail servers that send cookies you need to reply with), or else convince lots of people to "upgrade" their mail clients (e.g. get Microsoft to put it in Outlook.) Any ideas on getting those adopted?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
In some sense that's already happened - spammers using HTML mail often set it to download images from their sites in ways that let them know you've opened their messages. Some email clients make it easy to turn this on and off or make it clickable per message, but many aren't that flexible. So they're sending you 5KB of message, and letting your mail system download the dancing animated image if they succeeded in getting you to look past the Subject: line.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Some examples are the usual DDOSs, using cracker tools and rootkits on their email or web servers, poisoning their DNS caches so all their future email goes to 127.0.0.1, etc. A calmer example is to modify your DNS so any email you receive from an open-relay site (or for one of your trap addresses) gets the address of another open-relay site, so they can spend the time sending spam to each other instead of to you, but that's not quite vigilantism.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
A lot of shops have anti-shoplifting equipment. In a perfect world nobody would steal, but in this one some people do. This anti-shoplifting equipment and detectives are costing a lot of money, money that is pre-financed by the stockholders/owner of the business. If the amount of this investment would represent a relevant capital then the actual cost would be included in the business's products and/or services. In the end, the honest customer is paying a little more.
So he has several options.
Firstly, he can quit business. If you can't stand the heat, stay away from the kitchen.
Secondly, he can ignore the problem. If he's a cheap ISP, the customers will not complain (well some will do...), you can't expect the presidential suite if you ordered the cheapest room.
Thirdly, he could include the cost of the anti-spam services in the ISP account (or whatever services he's selling). Customers who are out for quality don't moan about paying more for getting more.
Why is it a crime?
I'm confronted, every day, with tons of shit on TV. I didn't want to hear/see that shit.
Where can I sue CNN, CBS or ABC?
They are criminals just because they send so much unsolicited garbage to me.
Traditional spamming costs the sender. Sending a paper ad, or calling the recipient's telephone through interstate lines costs the caller much more than it costs the sender to "pick up" and receive the [generally] unwanted message.
Sending unsolicited adverts via email, however, puts the cost burden on: (a) the delivery businesses (ISPs, employers), whose networks transmit extra unwanted data, and on (b) the recipients, who spend time filtering/deleting unwanted messages, possibly paying their ISPs for the privilege of doing so.
I am the most reticent person to propose a legal solution -- but -- why can't we / how do we -- make legislators understand that the not-insignificant costs of electronic (email) Spam are essentially paid for by the deliverers and recipients of these unwanted billions of messages, and not by the senders?
We should push the costs back to the senders, or make it much less palatable for them to send.
Pinpointing the address is actually pretty easy for a spammer. Suppose their machine crashes and all they know is that it was caused by an address somewhere in the last 100 000 they sent. Well, they have millions of addresses. They can just reorder their list so that the suspect addresses are distributed evenly. Then the next time it crashes, they can narrow it down to a few hundred suspects. The third run will probably nail it.
In other words, your customers want to know why they aren't getting their mail.
While people complain about the collateral damage caused by most spam prevention techniques, and others advocate Paul Graham's idea of Bayesian filtering, the one question remains: Why are we still going after the symptoms of the problem, rather than the cause? This brings me to my barrage of questions.
What are your policies (as an ISP) on configuration of clients' mail servers? This stems from a recent debate on the exim-users mailing list (archived at the Exim homepage) about interfering with customers' set-ups. Some of the participants believed that it was not their duty, or their business, to tell people how to configure their servers. Some even go so far as saying that it's not good for business. What these posters seem not to understand is that the whole Internet concept relies on all participants helping with the upkeep of the network. As an ISP, what measures are you taking to ensure your network is clean? Are blocking access from DSL and dial-up subscribers to port 25 on servers other than yours, and checking the configuration of customers' mail servers for proper relaying restrictions, measures that would be acceptable to yourself and to customers?
On a second point: What are your policies as to the records of new customers that you contract? Does your contract include a clause allowing you to investigate customers before granting them access, and is this at all legal? Would you check for records such as those found on ROKSO (operated by the Spamhaus Project) before allowing a customer direct IP traffic to port 25, anywhere in the world, for instance?
Do you have any experience with Exim SMTP callouts or Sendmail BMilter SMTP callbacks? I think they look promising for several reasons.
doc/html/spec_37.html#SECT37.10
They put some of the burden on the source of the mail. They raise the bar on spoofed sender addresses. I don't think they expose the carrier to content scanning issues as the session is blocked at the headers (I could be very wrong).
SMTP callbacks can be used to verify the following:
* RFC 821, MAIL FROM:
You are required to support a NULL return path according to RFC 821. Some people disable this either because they think it's cute or because they're trying to disable spam sent with a NULL return path. Irregardless, it's broken.
* RFC 822, RCPT TO:
Sites without Postmaster accounts are simply due to admin laziness or misconfiguration. According to RFC 822, you are required to accept mail for a few specific accounts, this is one of them.
* RCPT TO:
If the sender is unknown on the machine that answers for the domain used by the sender, then either a) the site is mis-configured or b) in all probability this is a spoofed email address and the email content is spam.
Exim Address verification
http://www.exim.org/exim-html-4.00/
BMilter
http://blue-labs.org/software/Bmilter/
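The three callback checks listed in the comment above, as an added Python example (not Exim's or BMilter's code). It assumes `session` is an `smtplib.SMTP`-style connection to the MX for the sender's domain, and reads the three list items as: null return path accepted, postmaster accepted, sender address accepted. The HELO name and the `FakeMX` stand-in are constructed for the example.

```python
import smtplib


def classify(code):
    """Map an SMTP reply code to ok / defer / reject."""
    if 200 <= code < 300:
        return "ok"
    if 400 <= code < 500:
        return "defer"   # temporary failure: retry later, do not call it forged
    return "reject"


def sender_callout(session, sender, helo_name="callout.example.invalid"):
    """Run the three checks; return (verdict, {check: reply_code}).

    `session` is a connected smtplib.SMTP or any object with the same
    helo/mail/rcpt/rset/quit methods. DATA is never sent, so nothing is
    delivered to the probed addresses.
    """
    domain = sender.rpartition("@")[2]
    checks = [
        ("null_return_path", lambda: session.mail("")),   # MAIL FROM:<>
        ("postmaster", lambda: session.rcpt("postmaster@" + domain)),
        ("sender", lambda: session.rcpt(sender)),
    ]
    results = {}
    verdict = "accept"
    try:
        code, _ = session.helo(helo_name)
        if classify(code) != "ok":
            return "defer", {"helo": code}
        for name, step in checks:
            code, _ = step()
            results[name] = code
            outcome = classify(code)
            if outcome != "ok":
                verdict = outcome   # stop at the first failed check
                break
    except (smtplib.SMTPException, OSError):
        verdict = "defer"           # network trouble is not evidence of forgery
    finally:
        try:
            session.rset()
            session.quit()
        except (smtplib.SMTPException, OSError):
            pass
    return verdict, results


class FakeMX:
    """Constructed stand-in for a remote MX so the example runs offline."""

    def __init__(self, mailboxes, null_sender_code=250, unknown_code=550):
        self.mailboxes = set(mailboxes)
        self.null_sender_code = null_sender_code
        self.unknown_code = unknown_code
        self.closed = False

    def helo(self, name=""):
        return 250, b"hello"

    def mail(self, sender):
        return (self.null_sender_code if sender == "" else 250), b""

    def rcpt(self, recip):
        return (250 if recip in self.mailboxes else self.unknown_code), b""

    def rset(self):
        return 250, b"ok"

    def quit(self):
        self.closed = True
        return 221, b"bye"
```

Treating 4xx replies and connection errors as "defer" keeps a greylisting or briefly unreachable MX from causing legitimate mail to be refused.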
What do you see as the proper relationship between an ISP and its customers? Is there one right answer, or should there be a range of options as to how customers can deal with spam? How important is it to keep customers informed and to give them tools they can use to deal with spam?
(It looks like three questions, but they're all elaborations of the question posed in the subject.)
How can I successfully spam the public and still be respectful to the readers of my spam?
While we're dreaming about ways to make spam less profitable, don't forget about somehow educating new users not to fall for stupid scams just because they saw it on the computer.
ISPs are actually in a pretty good position to distribute that sort of educational message to all new users.
PJRC: Electronic Projects, 8051 Microcontroller Tools
Barry --
Have you sued the spammers? I've written a database for myself that keeps track of the spam I receive. Since May 2002, I've gotten 20,000+ spams.
I filed a suit against PrintPal in VA (great spam laws for ISPs and consumers alike) and won. However, getting my judgment registered in Oregon is a bit more of a pain, and PrintPal is being difficult.
Do you think a grass-roots onslaught of hundreds or thousands of these smaller lawsuits ($300-800) against the companies who are advertising (not the spam sender) will help to reduce spam enough to make the effort worthwhile?
The $7M lawsuits against spammers by Verizon don't seem to make a real impact.
TossableDigits.com: Temporary Phone Numb
If we created a private right of action, similar
to the TCPA (USC 47) that enabled small-claims
lawsuits against BOTH the sender (probably
useless) AND the seller of the goods or services
then every US seller of these goods/services would
be forced out of business.
A quick scan of my junk box shows about 70% of
the sellers have a US presence. The remainder
of non-US merchants could be put out of business
using credit card chargebacks.
Finally, extending the private right of action
to permit suits against ISPs who host products
advertised by SPAM would further discourage
spammers.
Why not a technical solution that is global and authoritative?
Why not have ICANN (or should it be IANA) create an abuse group? If someone spams then that IP address(es) get disabled temporarily on the root servers. If they do it so many times, like say three times, then they permanently lose the IP address(es) and ICANN is then free to allocate the IP(s) to another organization.
If this was designed right, then it sounds like an awesome tool to nail spammers no matter where on the globe they're sending from. What do you think?
(I read this idea in an article somewhere a few months ago. I don't remember its source.)
Of course. Not just filters but everything, even JHD (just hit delete.) Everything that reduces the incidence of a victim reading spam has the effect of inducing the spammer to send more. Even sending more spam has this effect: the enormously gullible eventually run out either of funds or of patience and quit reading spam, quit responding.
Do you have some suggestion as to how to avoid this? Practical, I mean.
One idea I have had for some time that I think would go a long way towards fixing the spam problem is to change the mail protocol so that only the header is sent to the recipient. The recipient's computer then downloads the message body from a URL (or similar) that is contained in the message header.
This means that:
a) There is an identifiable IP address that a message comes from that is accountable to somebody.
b) A user may simply "unsubscribe" from the mailing lists on their own computer. Once you are "unsubscribed" your mail program will simply not download any additional messages from that source. The user will never even know that they ever received the message. They could be spammed all day every day from that individual and they would never know.
c) If an ISP sees that they have 100,000 messages in their message queue that are waiting to be picked up, they can easily spot them as spam (if they are) and cancel them before the recipients ever see them.
d) It would be easy for the ISP to identify the spammers on their system due to the messages taking up space in the queue.
e) Because it is tied to an IP address, it would be easy to create black hole lists. In fact, you could even create user groups so if one person received a spam they could "cancel" the spam for the rest of their group and no mail from that IP address would be downloaded for N days. (IP addresses would automatically remove themselves from the black hole list over time just to ensure that legitimate mail does come through and given this, only one spam would be received before the IP is blackholed for say a day and the spam barrage is over.)
-Art