Slashdot Mirror


Ask ISP Owner Barry Shein About the Spam Wars

Spam sucks. But it's worse for ISPs than for the rest of us, because they get bounces and complaints and other behind-the-scenes spam-caused messes the rest of us don't see. AOL talks of spam as "public enemy number one." Barry Shein, who started (and still runs) the world's first full-service dialup ISP, likens spammers to organized criminals, and calls spam "an organized, vicious, sociopathic thing" in this article, which spurred an interesting Slashdot discussion. So what should we do about spam? Ask Barry. One question per post, please. We'll post his answers to 10 of the highest-moderated questions sometime in the next week or so.

28 of 594 comments

  1. But that can be abused too by grahamsz · · Score: 2, Insightful

    Even if it's three strikes and you're out, I could find 3 addresses to complain about someone that I don't like for other reasons.

    Then it becomes the ISP's responsibility to investigate, otherwise they could face legal liability for cutting off someone's account wrongly.

  2. Re:Collateral Damage by Anonymous Coward · · Score: 3, Insightful

    Collateral damage to an ISP's other customers is probably the only way to pressure wayward ISP's into enforcing their AUP's.

    If an ISP is willing to sell bandwidth to a known spammer and ignore complaints for months on end, then a network owner such as myself is perfectly free to regard that ISP as rogue and block all traffic from that ISP's network.

    If that inconveniences other customers of that ISP, then either (a) they convince their ISP to change their ways or (b) they find another ISP.

    This is exactly what SPEWS does, and it's remarkably effective. The analogy is much the same as having a crack house open in your neighbourhood. You either take action on the crack dealers or move out...

  3. Re:If I ran an ISP... by jd142 · · Score: 4, Insightful

    I would just have a blanket, three strikes you are out policy. If someone complains about the content of your email three times, no matter the circumstances, you are outta there.

    So if your best friend is infected with klez (or the latest variant) and sending messages that appear to be from you, if three people call to complain that you are sending them junk, you are outta there? Those are three complaints about the content of your email, and your policy says no matter the circumstances.

    What if I don't like your political views that you've espoused on a political discussions mailing list and I call up your isp and tell them that your opinions about certain PICKWHATEVERPARTYYOUHATE Senators constitute a terrorist threat. After 3 of those complaints, you get dropped.

    I wouldn't use an isp that didn't have some intelligence behind its decisions or didn't have an appeals process if I feel I was mistreated.

  4. Re:Bayesian Filtering by jaoswald · · Score: 5, Insightful

    You completely miss the point of Shein's tirade.

    By the time it gets to your inbox, it has already cost your ISP money (time/effort/bandwidth) to deliver it. You just see what leaks through your ISP's filters, despite their best efforts.

  5. Re:Whitelists - just say no by SuiteSisterMary · · Score: 2, Insightful

    And a good whitelist will pay attention to outgoing mail, as well, and authorize replies.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  6. "Legitimate Spam" by CFusion · · Score: 2, Insightful

    How do you protect those companies who are using legal means of targeted email marketing? I see many people who believe that they are receiving spam when they have either knowingly or unknowingly opted into these lists, which makes it perfectly legal. However, these people report them to their ISP and these companies get blacklisted unfairly. For many companies this is their bread and butter, and although what they are doing is completely legal and legit they suffer because of spammers. My idea was to have an Internet Direct Marketing Agency. With this agency direct email marketers must register and have an "Internet Advertiser's ID". This ID would be paid for on a yearly basis and based upon the advertiser's volume. The fees would be split among the ISPs who had mail sent through their network, to pay for this excess bandwidth usage (a per transaction tax, essentially). Additionally, an email proxy would check incoming "spam" for that ID and if it did not check and match to the email server's IP it would be tossed as spam.... make sense?

    --
    I used to be a MS fan but then I was brainwashed. Now I see the Light. Mac OS X pwns u.
  7. Adding 'cost' to email? by Anonymous Coward · · Score: 1, Insightful

    There have been several stories on Slashdot regarding ``hashcash''. Would adding some kind of 'cost' (e.g., computational) to email be a possible solution? Would you be willing to try it out?

    More references on the idea:

    • http://www.cypherspace.org/hashcash/
    • http://www.cypherspace.org/~adam/hashcash/
    • http://research.microsoft.com/research/sv/PennyBlack/cpu.html
    • http://fare.tunes.org/articles/stamps_vs_spam.html
    • http://lorrie.cranor.org/pubs/spam/spam.html
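The computational "cost" asked about in the comment above, shown as an added example (not part of the original comment and not the hashcash project's code). It is modelled on the hashcash version 1 stamp layout `ver:bits:date:resource:ext:rand:counter` with SHA-1; the function names, the address and the low bit count are assumptions chosen so it runs in well under a second.

```python
import base64
import hashlib
import os
import time


def leading_zero_bits(digest):
    """Count the zero bits at the front of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint(resource, bits=16, date=None):
    """Sender side: brute-force a counter until the SHA-1 of the stamp has
    `bits` leading zero bits. Expected work is about 2**bits hashes."""
    date = date or time.strftime("%y%m%d", time.gmtime())
    rand = base64.b64encode(os.urandom(9)).decode()  # makes each stamp unique
    prefix = "1:%d:%s:%s::%s:" % (bits, date, resource, rand)
    counter = 0
    while True:
        stamp = prefix + format(counter, "x")
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1  # the stamp and how many hashes it took
        counter += 1


def verify(stamp, my_address, min_bits, seen):
    """Recipient side: a single hash plus bookkeeping. Returns (ok, reason).
    `seen` is the recipient's set of already-spent stamps. Date expiry,
    which a deployed verifier also needs, is left out of this sketch."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1" or not fields[1].isdigit():
        return False, "malformed"
    claimed = int(fields[1])
    if claimed < min_bits:
        return False, "too cheap"
    if fields[3] != my_address:
        return False, "wrong recipient"  # a stamp is bound to one address
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed:
        return False, "work not done"
    if stamp in seen:
        return False, "replayed"         # one stamp pays for one message
    seen.add(stamp)
    return True, "ok"


if __name__ == "__main__":
    spent = set()
    # Constructed recipient address, not a real mailbox.
    stamp, tries = mint("postmaster@example.org", bits=16)
    print(stamp, "cost the sender", tries, "hashes")
    print("first delivery :", verify(stamp, "postmaster@example.org", 16, spent))
    print("second delivery:", verify(stamp, "postmaster@example.org", 16, spent))
```

The asymmetry is the point: the sender pays roughly 2^bits hashes per recipient, the receiver pays one hash and a set lookup.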
  8. Re:What would be the minimum actual cost? by Zathrus · · Score: 4, Insightful

    I don't know where you saw 2-5% spam content

    The 2-5% he guesstimated was total usage of bandwidth by SMTP. I say guesstimate because I've searched for bandwidth usages by protocol and haven't been able to find (recent) data. Unless we can have reasonably accurate numbers from backbone segments it's going to be difficult to estimate just how much Spam really does cost.

    I mean, if the OP is correct and SMTP only chews up 2-5% of the backbone, then it's not nearly as big of a problem as if it's chewing up 20% or more.

    Even so, if SMTP only takes up 5% of the bandwidth and 80% of that usage is Spam, consider just how much cost savings could be realized from dropping SMTP from 5% to 1%.

  9. has destroyed the usefulness of email though by Trepidity · · Score: 4, Insightful

    I'd argue this collateral damage has destroyed the usefulness of email even more than spam has. It's simply an unreliable medium these days -- you never know if your mail got there or not, because it could have been silently dropped with no bounce message sent. Thus whenever I send reasonably-important emails now, I use either the phone or AIM to confirm it was received.

    1. Re:has destroyed the usefulness of email though by TKinias · · Score: 4, Insightful

      scripsit Trepidity:

      I'd argue this collateral damage has destroyed the usefulness of email even more than spam has. It's simply an unreliable medium these days -- you never know if your mail got there or not, because it could have been silently dropped with no bounce message sent.

      There's another, more insidious effect. I have caught myself almost deleting important, legitimate e-mails because subject lines looked ``spammy'' on first glance. Something like 80% of the e-mail in my inbox is spam, so I delete more than I read. Eventually, something important is going to get deleted instead of read; heck, it may have happened already and I just don't know it yet.

      Consequently, I never assume e-mail to be totally reliable.

      --
      In principio creauit Linus Linucem.
    2. Re:has destroyed the usefulness of email though by patter · · Score: 2, Insightful

      I'd argue you don't get it at all though. You're right, if all ISP's played fair and played by the rules, then you'd have a point.

      Sprint knowingly null routes spam complaints, and the various services that re-sell bandwidth from them don't even give you a bot reply. If we broadened the black list to every single sprint network subscriber (including subsidiaries) immediately it may solve the problem domestically. Fact of the matter is sprint's poor management and greed -- spammers pay lots of money for their connections and typically in the past some isp's have played the 'we don't like spammers' lip service game, while raking in the cash.

      Destroys the usefulness of email? That's a little melodramatic. Means as consumers we have to choose wisely perhaps, but caveat emptor is no different with computers than it is with any consumer good. Worse than spam? Never not in a million years. Wasting wads of your bandwidth getting joe jobbed is far far worse than losing one message from a contact on said network.

      If it's that important, then it's foolish to trust it to anything but a courier, with a delivery receipt. There's never been any guarantees with email delivery, nor should there be. Blacklisting hasn't affected that basic design decision made long ago when email was first envisioned.

      I'd say you're being paranoid, email works just fine null routing or not. If someone I need to correspond with is on a spam infested network, there are alternatives.

      In fact, I lose no important traffic, just maybe the odd useless email from spam infested domains. Or a mass forwarded joke, but who cares? I'm better off without that.

      --
      -- If at first you do succeed, try to hide your astonishment. -- Harry F. Banks
  10. No retaliation for Spam by OH-58aKiowa · · Score: 2, Insightful

    The problem with Spam is that there is minimal retaliation. You can send the prepaid envelopes back to the junk mailers and they get charged for that. You can slam the phone on telemarketers or play a catchy tune with the buttons while they try their pitch. The problem with spam is you can't get them back. Even if you filter, you still have to do something that does no damage to them.

  11. Re:Permission Based Solutions by Zathrus · · Score: 2, Insightful

    The biggest problem with whitelisting is that you don't always know the email address of automatons that are trying to email you.

    For instance, when you buy something online most companies will send you a confirmation email. If I haven't bought from that store before I have absolutely no idea what address that's going to come from, and thus have no way to whitelist it. And it's impossible for the automailer to respond and whitelist itself, since any method that's auto-parseable will simply be co-opted by spammers.

    Sure, you can have an alternate mailbox for this kind of mail that isn't behind a whitelist, but it doesn't really solve the problem then.

  12. Re:Can tech solve this? by skeedlelee · · Score: 2, Insightful

    Replying to my own with the follow-up questions I'd like to ask (but am limiting myself to one per post, and one actual submission total). Given that it seems unlikely that all these questions will get sent on, what's everyone else think?

    Tech solution followup: Do you think that recasting the email system would help? A micro-payment tariff per-email sent is suggested every now and then here. Could that work given that if it isn't uniformly adopted around the world it may not help that much?

    How about law based solutions? Are the efforts of (West coast state - CA I think) to combat spam as unsolicited email destined to failure, or might that be the right approach? Can local (eg statewide) efforts work when dealing with the international operation which is mass-emailing?

    Finally, how about the community based approaches? By this I mean efforts that emphasize the stigma of spamming or facilitating spamming, for example the black-listing groups who publish ISP's that allow mailing relays or direct spamming through them. It sounds like your ISP uses blacklists, is blacklisting an effective solution, or does it entail too high a false-positive rate?

    More interestingly perhaps, does it knock out enough spam to be considered effective? Does simple blacklisting stop more than 50% of incoming spam? Are there really a small hand full of channels through which most of the spam is routed? I find the approach appealing because it allows a relatively fast punishment to those who propagate the problem. In a sense it's a bit like focusing on the drug-dealer not the drug-user. On the other hand it is a fast response system, which is highly open to abuse, in a sense it's a form of vigilante-ism. It also raises the question of what a service would have to do to get themselves removed from the black-lists. Speaking as someone who runs an ISP, what do you think of the black-list approach?

  13. I ask for mod-love for the first time ever here. by stomv · · Score: 5, Insightful
    Regarding the Bayesian Filtering question...

    By the time (spam) gets to your inbox, it has already cost your ISP money (time/effort/bandwidth) to deliver it. You just see what leaks through your ISP's filters, despite their best efforts.

    While in the short term I concur, in the long term I must cry au contraire.

    If Bayesian filtering makes its way to the general public -- or is introduced at an ISP level, then it will reduce the amount of spam that gets through to potential customers, and hence make each spamming less profitable.

    The least profitable of the spam messages will disappear, thereby reducing the loads on our mailboxes and on the ISP as a whole. Therefore, perhaps a better question is:

    Is there a way to use Bayesian Filtering to reduce the costs an ISP faces due to spam?
  14. Look at it in another way by morzel · · Score: 2, Insightful
    Look at it in another way:

    If the average genuine mail to spam ratio on your system is 1/10 (ie: for each genuine message, you get 9 spam messages) this will have the inevitable effect that your infrastructure has to be capable of processing a load which is 10 times higher than would be required if there was no such thing as spam.

    Given that 1/10 is probably a very conservative estimate (especially for big ISPs with a lot of J. Average Customers), you can imagine that this can have a huge impact on the systems required to handle this.

    Also when a spammer is using a fake (or real) address at the ISP as a return address, a lot of bounces get directed there in very short period of time (which in fact is very much like a DDoS).

    While silicon speed is still increasing at a mind-numbing speed, disk platters haven't. It's not costly to get a lot of storage (73GB disks are 'affordable'), but it can cost a lot to build a storage subsystem that can cope with the load and is relatively solid (raid / backup).

    On top of that there are the hidden costs, eg: customer support for dealing with customer issues related to spam, system administrator time spent extra on dealing with spam-related problems.

    I don't think it's as simple as stating that "bandwidth is cheap" (which simply isn't true for a very big part of the world) and "storage is cheap" so spam can not cost much.

    --
    Okay... I'll do the stupid things first, then you shy people follow.
    [Zappa]
  15. Re:Spamming as a crime by jon+doh! · · Score: 2, Insightful

    I think it was Wired that actually tracked some of the spam sent to a Hotmail account they set up for that reason. A good percentage of the email from addresses had either been closed or never responded to requests for more information. Attempts to visit most websites listed in the emails resulted in websites that had been shut down or pushed you to use the phone to contact them.

  16. SPEWS is a BAD operation. by ashitaka · · Score: 2, Insightful

    This is exactly what SPEWS does, and it's remarkably effective.

    This is preached on email abuse newsgroups as gospel but I have yet to see anything other than anecdotal proof. What I do see are a lot of innocent ISP customers whose business is being interrupted, not by spammers, but by SPEWS' vigilante blocking policies.

    The analogy is much the same as having a crack house open in your neighbourhood. You either take action on the crack dealers or move out...

    My $Deity, where to begin...

    To correct your analogy the spammer is the crack house operator. What SPEWS does is start blowing up all the houses in the neighbourhood that surround the crack house in the hopes that the neighbours will complain to the authorities (the ISP) to take action.

    What this farcical pretext misses is that spammers can move from ISP to ISP daily and as soon as you shut down one account they have opened a new one either on the same or a different ISP. The number of spammers and their mobility precludes an ISP permanently blocking a spammer and thus the chances of getting off SPEWS once an ISP is on are minimal.

    SPEWS has no posted policies as to what the timeframe is between an ISP complying with their blackmail blocking and the removal from the SPEWS list. 24 hours?, 2 weeks? who knows, SPEWS doesn't tell you. How often do they check? What criteria is applied during a check? Why don't they block the large ISPs like AT&T? Why don't they announce listings/delistings anymore? Why is there no direct method for applying for delisting? Why are postings from innocent ISP customers asking for reasons for listing met with scorn and accusations that make it sound like the customer is a nazi sympathizer?

    There are far too many questions about SPEWS' practices.

    --
    If you don't want to repeat the past, stop living in it.
    1. Re:SPEWS is a BAD operation. by Anonymous Coward · · Score: 2, Insightful

      I disagree entirely. SPEWS has always worked very well for me.

      In many cases, the ISP's listed by SPEWS for long periods are deliberately ignoring spam complaints because they are being paid by spammers to do so. In that case, I am well within my rights to use SPEWS to block all traffic from the ISP and those who financially support them (i.e. their customers).

      My network - my rules.

      Spammers don't jump from ISP to ISP every day, when there are ISP's out there who will happily host spammers for months and months as they spew billions of their messages.

  17. Spam vs. Junk mail by Anonymous Coward · · Score: 1, Insightful

    Can you tell me how come spam ads for p*nis enlargement is so much worse than snail mail ads for credit card applications?

    And why is spam so much worse - to the point of calling it "a sociopathic thing" - why is it so much worse than the ads that appear on TV shows?

    Want to get rid of spam? Attack the problem, not the symptom: Curb your seemingly incessant need to spend money you don't have, on things you don't need. i.e. STOP CONSUMING.

  18. Recommendations for the small guys? by coyote-san · · Score: 3, Insightful

    My friends and I are often responsible for small sites - our own colocated servers, small businesses, and the like.

    What are your technical recommendations for us, to make your life easier?

    For instance, I usually argue to require valid FQDNs in the HELO and MAIL FROM command, and reject anything claiming to come from myself or one of the RFC1918 reserved IP addresses. This is entirely content-neutral - I just see no point in accepting any message from somebody who can't be contacted in turn if there's a problem delivering the message.

    But I generally don't bother with RBLs, and am philosophically opposed to IP redlining since it could easily lead to a world where a few corporations act as gatekeepers.

    I know what impact this has on my sites, but does this cause problems for the large sites? Or does it help you as well?

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
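One way to express the content-neutral HELO / MAIL FROM checks described in the comment above, as an added example (not the commenter's configuration or any mail server's own code). It reads "claiming to come from myself" as a HELO argument that names this server; `LOCAL_NAMES`, the function names and the sample sessions are assumptions, and the FQDN test is syntactic only, with no DNS lookup.

```python
import ipaddress
import re

# Assumption: the names this server answers to (hypothetical).
LOCAL_NAMES = {"mail.example.org", "example.org"}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """Syntactic check: at least two letter-digit-hyphen labels and a
    top-level label that is not purely numeric."""
    name = name.rstrip(".").lower()
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return False
    return all(LABEL.match(l) for l in labels) and not labels[-1].isdigit()


def as_ip(text):
    """Return an IPv4Address for a bare or [bracketed] literal, else None."""
    try:
        return ipaddress.IPv4Address(text.strip("[]"))
    except ValueError:
        return None


def check_helo(arg):
    """Judge the HELO/EHLO argument offered by a remote client."""
    ip = as_ip(arg)
    if ip is not None:
        if any(ip in net for net in RFC1918):
            return "reject: HELO is an RFC1918 address"
        return "reject: HELO is an address literal, not an FQDN"
    if not is_fqdn(arg):
        return "reject: HELO is not an FQDN"
    if arg.rstrip(".").lower() in LOCAL_NAMES:
        return "reject: HELO claims to be this server"
    return "ok"


def check_mail_from(reverse_path):
    """Judge the MAIL FROM reverse-path, e.g. '<user@host.example>'."""
    path = reverse_path.strip().strip("<>")
    if path == "":
        return "ok"  # null sender: bounces use MAIL FROM:<> and must pass
    local, sep, domain = path.rpartition("@")
    if not sep or not local or not is_fqdn(domain):
        return "reject: MAIL FROM domain is not an FQDN"
    return "ok"


def check_session(helo, mail_from):
    """Apply both checks in SMTP order; the first failure decides."""
    for verdict in (check_helo(helo), check_mail_from(mail_from)):
        if verdict != "ok":
            return verdict
    return "ok"


# Constructed sample sessions (HELO argument, MAIL FROM), not real traffic.
SAMPLES = [("mail.example.net", "<alice@lists.example.net>"),
           ("[192.168.1.10]", "<bob@example.com>"),
           ("mail.example.org", "<carol@example.com>"),
           ("relay.example.net", "<dave@workstation>"),
           ("relay.example.net", "<>")]

if __name__ == "__main__":
    for helo, sender in SAMPLES:
        print("%-20s %-28s %s" % (helo, sender, check_session(helo, sender)))
```

Note the null reverse-path case: rejecting `MAIL FROM:<>` along with the malformed senders would also drop legitimate delivery-failure notices.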
  19. Re:He's severely over-reacting by bcrowell · · Score: 2, Insightful
    He's not over-reacting, he's under-reacting. He's probably right about the burden spam puts on ISPs, but he under-represents the problem it is for end-users. I remember when e-mail was a reliable way to send a message. Now, when I send an e-mail to one of my students, there's a significant probability (5-10%) that it won't get through, because the e-mail infrastructure is so totally broken.

    He's right, though -- it's not his job as an ISP to fix it on an individual basis. We need a change in the whole infrastructure.

  20. Re:Should a new email protocol be created? by Phroggy · · Score: 2, Insightful

    All that is required, it seems to me is for the leading ISP's to get together and create and enforce a standard that says your new-style email will be digitally signed with your legal name and that only ISP's that comply with enforcement practices will be allowed to use the new email protocol.

    Does that mean I can't send e-mail without my real name attached? What if I prefer to maintain some level of anonymity in my online communications? Sure, my ISP can know who I am, but I should be able to send someone mail that doesn't have my real name on it, to someone whose real name I don't know.

    I think it's also important for children - someday I'll probably have kids, and I certainly plan to teach them about basic safety rules, which includes not giving out your last name or address to anyone online, including by sending them e-mail with your name on it. Goes along with not taking candy from strangers.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  21. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  22. How do you define spam? by selan · · Score: 3, Insightful

    There seems to be a lot of disagreement between spammers and their victims on what exactly is "spam". Lots of spammers claim that it's not spam as long as [it's not commercial | it's not porn | I bought an opt-in list | etc]. Some users don't mind diet pill ads but hate herbal viagra.

    What do you consider spam? Is it unsolicited commercial email? Unsolicited bulk email? What about chain letters forwarded to you by your Aunt Ethel? Any successful legal solution will depend on a good definition.

  23. criminalize relay rape by bani · · Score: 2, Insightful

    One of the easiest solutions I can see would be introducing laws to expressly criminalize relay rape, and give law enforcement enough teeth and incentive to prosecute regularly.

    Upwards of 90% of the spam hitting our servers is relay raped off innocent 3rd parties. When you report the criminal trespass to law enforcement, they shrug their shoulders and say "there's no law against it" or "there's not enough fines to make it worth our time to prosecute".

    Well, there should be.

  24. block lists by compwiz · · Score: 2, Insightful

    How do you feel about the increasing usage of utilities like SpamAssassin or DNS-based blockers using very liberal blanket blocklists such as SPEWS (which has had a tendency to block entire subnets even if some hosts are not spammers at all)? Do you think this is a good tactic in combatting spam or is it a bad method and is harmful to the Internet as a whole? SPEWS rarely unblocks innocent bystanders caught in the middle of a blocked subnet, with the excuse of "the ISP supports spam." Many mailservers use SPEWS to completely block incoming mail from blocked hosts outright, instead of using it as it was designed, as an early warning system.

  25. Spam Law by old_skul · · Score: 2, Insightful

    In your opinion, is it morally correct to regulate commercial solicitious email, or would that be a violation of their rights to free speech in the U.S.?