Slashdot Mirror
Ask ISP Owner Barry Shein About the Spam Wars
Spam sucks. But it's worse for ISPs than for the rest of us, because they get bounces and complaints and other behind-the-scenes spam-caused messes the rest of us don't see. AOL talks of spam as "public enemy number one." Barry Shein, who started (and still runs) the world's first full-service dialup ISP, likens spammers to organized criminals, and calls spam "an organized, vicious, sociopathic thing" in this article, which spurred an interesting Slashdot discussion. So what should we do about spam? Ask Barry. One question per post, please. We'll post his answers to 10 of the highest-moderated questions sometime in the next week or so.
One of the greatest problems with spam-prevention techniques has to do with collateral damage. Can you see any solution to spam that either prevents or minimizes the damage to innocent bystanders, such as other users of a spammer's ISP?
I can't say that I don't give a fuck. I've just run out of fuck to give.
Tried it? Like it? Have problems with it?
I use Popfile at home. It seems like the perfect answer to spam. What's your take on Popfile and other Bayesian filtering methods?
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
What is the best way to discourage spammers from spamming? (Aside from Dave Barry's idea of a hunting season and selling tags)
I would just have a blanket, three strikes you are out policy. If someone complains about the content of your email three times, no matter the circumstances, you are outta there.
As an ISP, you shouldn't have to be the front line of defense for some of the people who want to use your networks to deluge the email boxes of the world with their emails about penis growth, diets and discount shoes.
Craenor
Obviously the best step towards eliminating spam would be to make it a crime or easily punishable, but the nature of SMTP makes accurately tracking down the responsible spammer difficult at best and often time impossible.
What kind of changes would you make to the way email is handled to facilitate the elimination of spam?
Do you think that we can fight spam efficiently by still relying on the outdated STMP for mail delivery?
What do you think should enhance/replace it?
have you been defaced today?
Do you have any thoughts on these laws? I know that, as a non-lawyer, you probably can't do much for the actual wording, but what content would you have if it were totally up to you?
I can't say that I don't give a fuck. I've just run out of fuck to give.
What would be your actual dollar cost of spam, if you didn't spend much time and effort fighting it?
Let me explain...
I sometimes hear that spam has significant costs in bandwidth and storage but I don't believe it. As far as I can tell, SMTP traffic is at most 2-5% of net traffic. And a quick calculation shows that an ISP's costs for storing its users' spam are fractions of pennies on the dollar. (*)
You've likened spam to a DDoS attack on your mail servers. Stories about being flooded with traffic sound impressive but computers are so fast now, it's hard to put anecdotes into context. So I'm looking for dollar amounts. For a customers paying b dollars per unit time, an ISP like yours has to spend c dollars per unit time on servers that can handle those customers' incoming SMTP traffic. If this is significant, I'm looking for c over a times b :)
Obviously admins to run the servers are an important cost. But for purposes of this question, suppose you wanted to do the bare minimum. Say you set up the SMTP servers to use just a few of the less-intrusive DNSBL lists, like sbl.spamhaus, relays.ordb, or list.dsbl, and then ignored them as much as possible.
The next most common argument I hear is that customers will abandon ISPs that don't fight spam. But every ISP has the same problem, so this is really a competitive advantage issue except for the small percentage of users who are actually driven off the internet by spam.
Then there's outgoing spam but I don't imagine that's too hard to recognize and stop quickly.
Let me know what I'm missing...
(*) Thumbnail calculations of spam storage follow. Let's say J. Average ISP Customer gets 20 spams a day at 10K each, and deletes them only every 30 days. That's an average of 20*10K*15 = 3 MB of storage. If the ISP replaces hard drives every two years on average and its total storage costs are ten times the actual medium costs (for labor, backup, redundancy, downtime), then at today's hard drive prices, that spam storage will cost the ISP 0.003 * 10 / 2 dollars, or about a penny and a half. Over that same year, J. Customer pays the ISP $100+.
Thank you for participating
One of the few measures that can be taken against spam is the use of blacklists (for instance via DNS). There are a lot of pro's and con's for the use of DNSBL's. How do you feel about these? Should DNSBL's be governmentally regulated? Do you use any DNSBL? Should an ISP enforce certain RBL's (let say, of open relay's) on its customers?
I'm not a complete idiot... Some parts are missing.
Do you think that a technological solution, whilst imposing to everyone else the, well, the thechnological solution, is better than a law, against the spammers, like, putting them into jail, or like?
What steps have you taken to prevent spam from entering your ISP's email system? Do you recommend any kind of spam filtering software to your customers that implements Bayesian filtering? If not, why?
Is it time to apply the computer-cracking laws to circumvention of anti-spam filters? After all, the two are identical in effect (break into somebody else's system without permission, and indeed against an express prohibition).
/. If the government wants us to respect the law, it should set a better example.
Do ISPs have the tools they need to prevent outgoing SPAM from their own customers? I look
at Sendmail and don't see anything that would allow you to throttle mail volume, check outbound messages for SPAM, restrict new customers etc. There isn't even anything built in that would warn you about a customer sending a million messages. It would seem that a few tools like that would be a big help to an ISP too small to develope its own.
I certainly am tired of deleting the penis elargement and Nigerian bank deposit e-mails, but where is the balance and how do we attain it, if ever?
I am currently using a permission based solution to block spam, called Choicemail. It works great since I know that there are no filters trying to guess what is spam and what is not. People on my white list get in, people who aren't get sent a message asking them to identify themselves.
The only drawback is that some people may possibly feel slighted that they are forced to go through such a process. But so far no one has complained. In fact, most people seem to be intrigued by the concept. If this type of spam blocking catches on, people will begin to expect it. Sort of like having to knock on someone's door before entering their house. It is a custom so pervasive, we feel strange just walking into someone's home, even a friends, without first knocking.
Sorry for the length of this post, and now to the question: How do you feel about this type of spam blocking?
Why hasn't any large ISP or enterprise seriously considered whitelisting mail? The traditional blacklist idea -- when I see spammers I'll no longer accept their mail -- is so easily overcome that many spammers don't even wait one generation to change addresses. Instead, bounce all mail you don't recognize, with a note to the sender on how to inform the system that you are a real user. Nearly all spammers loose their incoming account immedately, so this seems the natural choice. There's some more detail on this method at the TMDA project.
As far as I know, most spam originates from a relatively small number of smtp servers which are open for posting without identifikation. Where there ever efforts of blacklisting these servers and denying to accept mail from them, and if yes, with which results?
Or alternatively blocking whole ip-ranges of ISPs which deny to cooperate on this issue?
Do you think that there will ever be a long-lasting technological solution (e.g. Bayesian filtering systems) to spam or do you feel that any technological counter measure will be circumvented fairly rapidly?
I was just thinking about this... what if there was a national "do no email" list? I'm just wondering if something like that would be effective.
All spammers would have to (by law) query the "national do-no-email" database before sending out their crap.
I'm just wondering if something like that would be an effective way to cut down on the noise out there?
sad robot making broken music
Do you think new laws that allow ISPs and end-users to collect damages from spammers on a per-message basis can be effective tools to reduce spam?
WARNING: there is a trojan on your
Much has been made of the problems of blacklisting. Do you see whitelisting as a viable alternative, and (if so) what form do you think that it will take?
For one, I would like to see more people actively making the distinction between unsolicited "spam", and legal (albeit questionable) "direct email marketing". I say this because I work for a marketing company that does some email advertising, and I've also worked in the abuse department at a local ISP so I've seen both sides. The difference being that the spam mentioned in the article comes largely from unsecure, hijacked mail servers. Not so say that spam is the fault of some system administrator who didn't properly configure their SMTP server, but a lot could be done right there to slow down the constant barrage of penis enlargement offers. Oh, and the company I work for DOES in fact honor the opt-out links in all our ads. If you don't want to receive email from us, you won't. Unfortunately, if one of us has you on our list, 100 others do already.... Again, I just want to see people differentiate between illegal, unethical mail server hijacking, and more legal methods. A solution to stopping one type won't necessarily work to stop the other.
In hindsight, if you could start afresh and redesign the protocols and software on which email is based, and influence any relevant ISP policies & user education, how would you do things differently to deal with the problem of SPAM?? And, of these areas, which is the weakest link in the spam-war?! Not part of the question: Why don't all webmasters add SpamBot traps to their websites....?
Vacancy for signature. Apply within.
Many posts talk about proposed changes to society, government, and technology to lessen the spam problem. However, an ISP has more insight into the problem than many others, and I thought I'd ask a question to tap that insight:
Given today's society, technology and infrastructure, what can an individual do that would be effective in reducing not only the personal strain of spam, but also lessen an ISP's burden.
What kind of strategies have you seen work. For instance, in particularly bad instances I'm prone to send an e-mail to spam@isp.net, abuse@isp.net, or admin@isp.net, but usually never even get a response. Is there a better thing to do? Are there things that are absolutely the wrong thing to do (such as replying to a spam)?
In short, what would you like to see users do in response to spam today?
I am disrespectful to dirt! Can you see that I am serious?!
What legal pursuits do you feel would be appropriate to deal with spammers? What penalties? Prison time? Just fines? Given that some spammers make large sums of money from their spamming activities, what scale of fines would be appropriate?
Carpe Diem
Sure it'd be a short term hit on the number of hosts you could exchange mail from, but eventually I think anyone who wanted to talk to anyone would have to get on.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
ISPs have tried to rely on 'common carrier' defenses in the past. However, if they start blocking SOME email, can they be held liable for mail that they DON'T block?
And can you selectively give up common carrier status? If you block some email but host anyone's web page, for instance, can you be sued successfully for objectionable content on those web pages?
What is the most evil thing you have seen, so far?
Reply-to impersonation?
Embedded hypertext identifiers?
I'm sure it's much worse than that.
What would you do to stop that evilest of evil practises?
Yes, I agree. Except the software I am using automatically adds anyone I email first to my whitelist. No hoops. The only people who have to jump through the hoop are people who have never emailed me before.
The simplest way is to charge to send email, 10p (or cents) per email. No great hardship if you can afford to run a computer. Payable in advance and your account is decremented as it is sent.
One million emails, of course you can send them sir - once you have paid the $10,000 fee upfront.
That would knock it dead!
Every time a story about p2p piracy is posted the highest rated comments claim the ISP should just carry data and be legaly forbiden from doing anything with it. When spam stories are posted, people claim it should be the ISP responsibility to remove those of their customers who send it.
What in Your opinion should the policy be here?
There's plenty of talk about passing laws against SPAM, replacing SMTP, and all sorts of other things that other people can do to reduce the amount of SPAM we recieve. My question is what can we the users do to reduce SPAM? More specifically, what that most people don't do now would make the most difference if we all started doing it? Even better, what that most people are capable of doing (email users with little or no technical expertise), would make the most difference? Perhaps the best strategy is not to evangelize the most effective methods, but the reasonably effective methods most likely to be widely implemented.
Convert RSS to HTML - integrate webfeeds into your website
If you had known back in the early 90s that spam was going to be the problem it is now, what steps would you have taken then to protect yourself and others from it?
For instance, what changes would you have advocated in the mail protocols and what standard procedures would you have told other ISPs to use to prevent spammers from getting a foothold in the first place?
Do you have any statistics on how much of your ISP's bandwidth is consumed by spam? (And for comparison's sake, other stuff like p-2-p and Quake servers.)
"Draco dormiens nunquam titillandus."
Should end users set up their SPAM filters to bounce the offending messages, or should they just get quitely filed into the SPAM folder?
I used Mailwasher for a while, which gives users the options of generating bounce messages while filtering. There is some personal gratification in making it look like my email address doesn't exist. But does it actually help, or does it just add to the ISP's bandwidth requirements?
I don't give out my email address to anyone I don't know well, and I change it every year. I tell people who need to get in touch with me to call.
All this is because I started getting 50 spams a day. Right now, it's impossible to post to a newsgroup, put an email address on a web page, or have an email address that's listed in any sort of a directory without getting tons of spam each day.
I agree with that article that email is a failure. Important/busy people just don't have time for it.
A friend of mine finished looking for a new full-time job. He sent out some resumes by email to the listed addresses, and some by Fed-EX. Only the Fed-EX ones got answers. Companies get so much spam that they miss good resumes coming to them!
Best Buy can have you arrested
DJB claims that with this system bounce messages will be eliminated (if I read correctly).
In the interview from InternetWeek, you seemed to not care about false positives. At what point do you care about false positives?
Ie. are you attempting to stop all spam, with the possibility of false positives an acceptable risk, or is there some sort of calculation that your organization uses to balance the false positives (mail rejected as spam that wasn't) against the false negatives (mail that was accepted, but was spam)
Build it, and they will come^Hplain.
I've used mod points for Mattcelt's posting, but just have to reply - I immensely dislike SPAM & spammers that much. Don't knock my karma off for this, CmdrTaco!
SPAMMERs disregard the rules of SMTP fair play (falsified headers, for one), so we should have the tools to deal with these miscreants.
1) Allow users to reply to SPAM with "User unknown" message as if the administrator issued the message.
2) ISPs should allow users to report SPAM and falsified headers, which are then compared to the spooled email messages. E-mail issued from offending domains are rejected with a "Please Resubmit" message. This could be an Opt-in service to allow community policing for SPAM. Imagine the flood of Resubmit Messages back to offending (or falsified) domains. Even if the headers where hacked, the SPAMMERs would not reach their audience, and the postmasters would shrug off the "Please Resubmit" requests. Shouldn't swamp any email server.
3) ISPs should allow users to delete, ignore, and read email messages without informing the entire mailing list of your current status. AOL does this, and I can just imagine SPAMMERs elisting people to parse through email status - Who reads them, who deletes them, and who ignores it.
What, in your experience, has been the most *cost-effective* spam-reduction software solution? Is it server-based, or is it some kind of client software?
cleetus
I would like an email account where senders not on my whitelist need to pay something (e.g. thirty-seven cents), or at least risk paying something, to put a message in my inbox. Two businesses that have been mentioned on slashdot before are Vanquish.com (has a bonding system) and internetstamps.net (sells stamps).
Are you thinking of providing a pay-for-attention email service through your business?
It seems to me that the existing email protocol has some fundamental problems that contribute to spam. It is basically impossible to authenticate who an email came from. Do you think that adding a new email protocol could solve these problems?
Specifically, if we created a second protocol that required that all email be digitally signed by the person listed in the "from:" clause and that the originating ISP guarantees this identity, wouldn't that solve most of the problems? The true identity of people who use the bandwidth I pay for to communicate with me seems like a fair thing for me to be able to insist on. I might even be willing to pay a little more to have such a system, although I would think such a system would be cheaper for my ISP, since the cost of carrying 33% garbage isn't there.
I should be able to say I want to filter email from Alan M. Ralsky of West Bloomfield, Mich or from any that passed through any ISP that cannot guarantee me that I can determine this. The problem is that Mr. Ralsky can send me email and I have no hope of identifying that it came from him. All that is required, it seems to me is for the leading ISP's to get together and create and enforce a standard that says your new-style email will be digitally signed with your legal name and that only ISP's that comply with enforcement practices will be allowed to use the new email protocol.
I am a Systems Administrator for a statewide ISP. We have found that blocking such domains as azoogle.com, topica.com, etracks.com, and other claimed Opt-In spammers has really cut down on spam complaints. We had to go as far as firewalling these 3 spammers since they were chewing our bandwidth to peices. EverBlur which was recently kicked off their provider, has stopped altogether.
My question is, do you see this as an effective method? Do spammers really quit after seeing their packets are being dropped? Why do they not?
Lets pretend that congress takes up the issue of spam and passes a very restrictive law essentially outright banning it. COULD that be an effective way to prevent it, or would the international nature of the internet make it useless?
People who think they know everything really piss off those of us that actually do.
I worked a couple of years ago for a company that makes 'emarketing' software, and I managed the company's ASP for that software.
Most of the emails we sent out we're from internal, registered customers of the company. I would call these 'opt-in' emarketing messages that ranged from pitches to buy new or upgrade products, customer satisfaction surveys and automated replies for visiting a website and signing up.
There were, on the other hand, spammers. That is the only way to describe the quality of the emails they sent out. When I could query their databases and find email addresses of 'abuse@someisp.com' and other, similar non-customer addresses, there is no other way to classify it.
In either case, we never tried to hide or run away. We always used real email addresses and kept the same domain names. So, my challenges were, "How to I keep the 'good' customers from impacting the 'bad' customers?" I dealt a lot with CAUSE, the MAPS RBL and other organizations to keep the emails flowing.
So, here is my question: How do you, at the ISP level, differentiate between legitimate email marketing and Spam?
For those of us who are trying to set up incoming SMTP servers (or who are just curious):
What are the current "best practices" and state-of-the-art for the little guy (enterprise, small office/home office, little ISP, etc.) who:
- has some need or desire to directly serve inbound and outbound SMTP and
- has SOME time to sysadmin, but
- does not have the resources to throw several full-time-plus-pager sysadmins into the spam wars?
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
What the government should do is expand departments and cooperation to track down the people who attempt to sell these things and shut them down. Most of these people are crooks and charletons, so that shouldn't be very hard. The govt. should, also, crack down one people like Alan Ralsky, requiring him to verify that each recipient of his product has personally requested to be on his lists.
All these goofballs have to make themselves available to their victims (those foolish enough to open or respond to spam.) There's a phone number or web address. Credit card usage can be tracked, with the assistance of credit card companies (and much of this is fraud anyway so you could expect them to warm to such investigations.)
Visualize:
0600: Spam sent out, promising teen webcam shots
0601: First spams arrive in honeypot email accounts
0605: Website has been identified.
0607: Run tracing credit card number to see extra material
0620: Template of potential violations has been reviewed and yields potential charges on: Adv sent to email account of unverified user (potentially a minor), in-state spamming, potential age violation if various claims on site are true (underage).
0630: Contact local law enforcement
0800: Local law enforcement pays a visit/takes people for questioning/obtains search warrant/impounds equipment, etc.
Not perfect, at first glance, becuase it could still be abused (i.e. I hate someone and set them up, but a good template test could reduce this), still, we're ready to spend billions on Iraq, yet I've heard nothing about going after these scoundrels.
PR is also a useful thing. Public service messages for radio and TV. ("Don't respond to spam, send for free guide how not to be fooled, or visit FTC website.)
A feeling of having made the same mistake before: Deja Foobar
- Boucing messages with Mailwasher
- Having munged addresses where the "NOSPAM" is in the user part rather than in the domain part (that is, "bozoNOSPAM@isp.net" instead of "bozo@NOSPAMisp.net"), so your servers get hammered with invalid harvested addresses.
- Using often broken tools such as SPAMCOP to LART other ISPs?
- Does a significant number of problems from your user always come from the same users, or is the problem widespread?
are having a negative effect towards your own efforts at fighting spam, either by diverting ressources or simply being a nuisance?How much of the SPAM complaints do you do receive are properly done (that is, with headers and sent to the proper ISPs)???
By fighting spam you are diverting your resources to an endless task, plus, you are creating a false sense of the situation.
Wouldn't it be easier to just allow your customers to receive the hundreds of emails you filter and by doing so creating an awareness on the severity of the situation?
I mean, once Joe User gets really tired of receiving spam, won't he be more aware of the need to regulate the whole thing?
As it is now, with the heavy filters in place, the end user only gets a tiny fraction of what is indeed sent to them, so why should the general population worry?
My technical proposal: people/companies purchase SMTP message-sends the way they purchase cell-phone-minutes:
- spammers who use open relays would saturate that relay's quota, and most of the spam thus
relayed would fail to go out, thus the owner of the
relay would have incentive to fix it, so they
can send their own mail.
- spammers who send directly from ISP accounts would have to purchase large numbers of them in order to send a given volume of mail.
To enforce such a system, you would need to build a smart firewall that knew just enough SMTP protocol to read the RCPT To: lines, and count recipients. When a given sending host exceeds its counter for the week, poof! the firewall blocks further SMTP activity (or even all activity) from that host until someone clears it.Backbones could limit individual ISP's with such a system, and ISP's could in turn limit individual customers; indeed they would basically have to, so that one customer can't ruin their SMTP quota. If the ISP doesn't enforce such a rule, their backbone tap enforces it for them.
If such infrastructure became widespread, the only way a spammer could send large numbers of messages would be to get large numbers of ISP accounts, which would hopefully cost them enough money to make it not worth their while anymore.
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
Your analogy is quite flawed tho. You can't just call the police to arrest the spammer because spamming isn't illegal in a lot of places, whilst selling crack is.
This compares maybe something more to the tune of people going around door to door, asking for money. It's not illegal, but it can be annoying, but it's not that bad as I only see maybe 1 person a month. But if you apply this to spam, the cost for "going to door to door" is really cheap, so you can get hundreds of "visits" a day. So how do you stop them? You can't arrest them, it's not illegal (in most states). If you can think of a better way to convince "spam friendly" ISP to not allow spammers, I'm all ears.
This kind of blocking has been done in the past (but with warnings first), and has been met with similar outlash. usenet udp. I'm up in the air about the issue. I hate spam friendly ISP's with a passsion, but on the other hand, if there was only one high-speed ISP in town and they were spam friendly, then I'd be screwed.
SOMETHING needs to be done, no doubt about it. Spam Assassin works to an extent, but it's more of a hack, and doesn't actually directly address the problem at it's source, where it needs to be addressed.
It seems that law enforcement has no reason to get aggressive on this problem as long as companies such as yours bandaid it with technological measures. What do you think about a "no filter day", in which all of the ISPs remove their spam filters for 24 hours and let the world get first hand the full brunt of the traffic you're filtering? The outrage alone, if correctly managed, could get the appropriate authorities off their asses and go after these guys.
I am a security technician and sysadmin for a research institution. My clients, who are scientists, are not interested in being paid to watch advertisements, or in having our institution funded by advertisements shown to them in email. We don't want to be paid to receive spam; we just want not to receive it. We just want the spam attack, the theft of our resources and our people's time, to stop. Do you see any way this can be reconciled?
Q: If ISPs are really all that upset about spam, why haven't they done anything about it?
It's patently obvious that ISPs could eliminate spam simply by blacklisting individuals who engage in the practice (and other ISPs who don't follow it). This is how credit ratings work, an area in which there is both a greater monetary incentive for misbehaviour and much lower (technical) barrier to entry.
Properly implemented, such an individual blacklist would eliminate most worldwide spam - since only a couple dozen individuals are responsible for more than 90% of the phenonema.
It seems to me that the real reason ISPs don't stop spam is due to base economics: spam houses pay money. So spam elmination has become a classic games theory problem - money you spend to search for spammers on your own network is wasted; you just have to respond enough to keep off the RTBL.
And because detection is always someone else's problem, spammers will continue to thrive in the time it takes to process the request.
A few questions:
How would you grade the effectiveness of current filter techniques, and blacklists etc.
What filters/blacklists do you use, and how could they evolve so that you would feel comfortable using them? When choosing blacklists or filters, how do you measure the gains of blocking x% of spam against not-blocking y% of legitimate emails.
How do you regard the threat of spam in opposition to some of the major viruses. That is, viruses like "sapphire" that generate huge disabling traffic netwide, or like "code red" that - to this day - is still making attempts to access "cmd.exe" on my own linux box.
And lastly, as we all want to know, what do you think can be done to spammers to strongly discourage them from continueing their immoral practices.
Hello, Barry--
As a World customer, I found last year that I was getting removed from several mailing lists I was subscribed to beause so much of their traffic was being bounced by World spam filters.
When I contacted customer support, they said that the messages must have contained strings that triggered the filters, and that the solution was for the lists to avoid using those strings in the future.
What strings would these be? Customer Support couldn't say.
So, if I wanted to use my World account to recieve my list mail, I would have to persuade all other list members to not use the filter-triggering words. And I would have to do this without telling them what those words were.
It seems to me that strong filtering of customer inboxes is one thing, but doing so with no provision for opt-out or whitelists interferes with the individual's right to get the internet servide he's paying for. Do you disagree?
Through my own travails with SPAM to my personal account, I've come to the basic conclusion that filtering out SPAM is a sisyphean task. No matter how good we make our filters, determined SPAMers will find a way through those filters. Blacklisting of open relays helps, really only punishes careless sysadmins, not the SPAMers who victimize them.
I see much more promise in technologies like HashCash which force sending machines to burn CPU cycles in order to send their message. My question to you is, are you aware of this type of technology? Do you think it would be effective? And what do you think it would take to get such a technology deployed (standardization, ISP acceptance, MTA/MUA integration, etc)?
Lawsuits. Why don't we see more lawsuits?
* Are spammers too hard to track?
* Is it too expensive right now?
* Have the courts not been favorable?
I'd happily participate in a class action suit. My email account gets hit with 100-200 spams a day, nevermind the rest of my family, including my kids who get porn spam right along with the rest of us (see Britney with a guy, a gal, a bullsnake and a tractor!). It takes time to maintain the anti-spam filters, and even then I have to wade through the crap they miss. Then there's the time dealing with complaints from people who think I spammed them because the scumball spammers use *my* email as a return email address. And so on.
The people who think spam isn't a problem are simply clueless.
My idea is to build a challenge response system into the mail server.
The goals of the system would be as follows:
To maintain a one-way hash of authenticated From: addresses for
each user on the mail system. Incoming mail source addresses would
be compared against the hash table. If the source of the email does
not have an entry in the hash table, then the system automatically
sends a challenge to the email author. The challenge would contain
a combination of textural and visual tests designed to be impossible
for a computer program to answer automatically. The challenge would
also contain an agreement which would place the recipient in the
position of violating wire-fraud laws if they answer the challenge
fraudulently.
Once a human has responded to the challenge email correctly, then
his email gets through the mail system to the recipient.
The person who passed the challenge gets added to the hash table
and is not challenged again. Users would never see mail from
senders who failed to answer the challenge. Perhaps only mail
from external sources would be challenged. Internal corporate
mail could bypass the system. Or not.
The email source address could be spoofed, but that would require
the spammer to know a valid source address for each user on the
planet. And that user could have the hash entry cleared to force
the user to re-authenticate if the source address is compromised.
Or the source could be blacklisted.
Since most spam does not come from valid email addresses, the
user will never see the spam because the challenge would never
get answered. Loop counters can be used to prevent endless
challenge bounces.
A spammer who answers the challenge fraudulently commits
wire fraud.
Companies who send out mass mailings to their customers must
have staff necessary to maintain enough personal contact with
their customers to answer the challenge emails and get
authenticated.
If these emails annoy the user, then instead of "opting-out", he
can reply with a codeword and the mail server will add the
sender to a blacklist and the user need never see mail
from that sender again.
For individual users who want to send mail to a friend or co-worker,
the burden of answering the challenge once is a small burden. For
spammers, the burden would be overwhelming.
If the US passed a law outlawing spam, or provided a do-not-email list, with harsh penalties for breaking it, do you think it would help? I'm in WA state, we have an anti-spam law, it doesn't help.
Are spammers too hard and too numerous to track down to be worth it (and too poor to pay the fine even if caught)? Would spammers just move offshore and continue to spam?
Using the spammer's last SMTP protocol leg, before your mail server closes it, why not do the following:
By not letting go of the (would-be spammer's) SMTP connection, one can consult the mail recipient white list. From an unknown sender, instead, save the entire email in a holding queue and send back the following SMTP error message:
With a marriage of sendmail MILTER and Tagged Message Delivery Agent, one can shift the burden of automating the mail recipient white list back to the sender (like ICQ does).
With a tweak of the last leg of SMTP protocol, we, the email users, will have control over what is 200 and what is 5-f@cking-50.
What say you?
- Shamelessly ripped from the Seinfield TV episode "Soup Nazi."
What can I do now about a spammer spoofing with my email address?
I'm currently getting hundreds of bounced, undeliverable messages from various organizations because a spammer is using my email address to spam others. The web site he's advertising is located in China, and I seem to have no way of finding the individual much less taking action against him.
What are my options?
_ The bureaucracy is expanding to meet
the needs of an expanding bureaucracy.
What do you think of this proposal from www.walterbright.com/spam.html?
Solution To Spam
The fundamental problem with spam is that the recipient pays to receive the messages, while the sender can put out millions of messages at essentially zero cost. Even if the tiniest percentage of spam recipients ever respond, that still makes it worthwhile for the bulk spammers. Spam is more than just a nuisance, it consumes a growing percentage of bandwith and costs a lot of money to try and block it. Spam is so pervasive it threatens to make email simply useless.
Current solutions amount to an arms race between the spammers and the spam filters; each time the filters get better the spammers figure a way around them. Even worse is the fact that spam filters can also filter out wanted messages. If you're running a business, you can't afford to miss any of those. A 1% false positive from the spam filter makes it useless.
Various legislative proposals have been put forward to try and deal with spam, but all of them are fundamentally flawed either in being impossible to implement (since the internet is a global system)or impossible to enforce.
The only real solution is to find a way to switch the costs of sending spam from the recipient to the sender. Even a tiny cost per email will rapidly render most spam uneconomic. What follows is my proposal for implementing this.
A Penny An Email
If sending an email cost $.01, the vast majority of spam will become uneconomic for the sender. For email users, the additional cost will be trivial, and likely far less than what they spend in time and money on spam filters.
To make the cost even more irrelevant to users, users can have whitelists. If an email sender is on the whitelist, they are not charged the penny. Furthermore, the penny cost of sending emails can be creditted to the user's ISP bill. So, receiving email can actually result in lower bills for users.
Users can individually decide if they want to accept or not emails from users who won't pay the penny, and they can individually decide if they want to pay the penny or not when they sent email.
How To Implement
To make this work, a system of micropayments needs to be established. The obvious way to do this is for the ISP to do it. All the email to a user flows through that user's ISP, so it is the natural candidate for doing the accounting. The ISP is already set up to bill the user monthly, so it's just another line item on that bill.
Of course, not all email originates and is delivered to email accounts entirely within their ISP. ISP's will therefore need to have reciprocal agreements with each other on the penny charges, and can 'settle up' with each other monthly.
What's in it for the ISP's to do this? The penny charges can be split with the ISP. Given the volume of email, that should be an attractive profit center for the ISP, enough to justify implementing the system.
Stages
This is worthwhile to implement even for one ISP. An ISP can implement it within its own email system. Other ISP's will have an incentive to join in the system, both for the revenue from the emails and as a service in demand from their customers.
Eventually, ISP's that refuse to cooperate will become isolated, and few will accept email originating from them anymore.
Bugs
The biggest problem I can see with this is the problem of forged email return addresses. I am not an expert on internet email routing, but isn't it possible for routers at each step of the transmission of email to be programmed to reject email that doesn't come from where it says it did? This should be a solvable technical problem.
I'd like to know if there's something tangible I can do about spam. I've seen lots of suggestions... don't reply to "to remove" links, just throw it away, etc. Basically "ignore it". A few antispam efforts have popped up from time to time, some of them legislation, some net efforts, etc, but they all seemed hopeless or completely without effect. I have spent some time in my own efforts, tracking headers and finding the spam portals, and writing nastygrams to the portals who are alway claiming "all our sponsors are opt-in and have removal links". Now I never did get a reply and I doubt it really did any good, but even with that, it felt like it had an impact, even if only a spec of sand on a beach. Is there anything we can do that will REALLY MATTER? Something we can see is having some sort of impact somewhere?
I work for the Department of Redundancy Department.
The question:
Currently, a company that follows all of the "guidelines" and does everything right, still stands a good chance of getting listed on SPAMCOP and other RBL lists based on a handful of complaints from clueless customers.
BCDE.COM maintains an nation-wide network of high-volume web sites. Access to the most basic site features is free, but all value-added features require that the user register -- The registration page includes very clear notice that that the "cost" of registration, of access to advanced features, is that the user will receive marketing email from BCDE.COM.
If you choose to "unregister", BCDE.COM will stop sending you email, and you will no longer be able to access the advanced site features.
Filling out the form on the site is just step one -- based on the form, an email is sent to the email address supplied, re-iterating the terms on the form, and providing a URL to "confirm" opt-in. The URL includes a secure hash to prevent spoofed confirmations. Once an address has been sent a registration request, it cannot be sent another request for a week (to prevent using the form as a flood attack).
Daily, BCDE.COM and their ISP(s) receive complaints from users and from SPAMCOP about the confirmation email, about the marketing email, about the "spamvertised" sites hosted at A.BCDE.COM which are promoted in the marketing email.
99.999% of the user base has no problem with this business model, and would prefer this approach to actually paying a subsciption fee for access to the "value add" site features.
How can an ISP known that a sending site that their customers complain about, or a customer that other ISPs complain about, is a legitimate business that is following all the "rules"?
I do not deploy Linux. Ever.