Slashdot Mirror
Ask ISP Owner Barry Shein About the Spam Wars
Spam sucks. But it's worse for ISPs than for the rest of us, because they get bounces and complaints and other behind-the-scenes spam-caused messes the rest of us don't see. AOL talks of spam as "public enemy number one." Barry Shein, who started (and still runs) the world's first full-service dialup ISP, likens spammers to organized criminals, and calls spam "an organized, vicious, sociopathic thing" in this article, which spurred an interesting Slashdot discussion. So what should we do about spam? Ask Barry. One question per post, please. We'll post his answers to 10 of the highest-moderated questions sometime in the next week or so.
What is your e-mail address? I promise I will not sell it to third parties.
One of the greatest problems with spam-prevention techniques has to do with collateral damage. Can you see any solution to spam that either prevents or minimizes the damage to innocent bystanders, such as other users of a spammer's ISP?
I can't say that I don't give a fuck. I've just run out of fuck to give.
What is the best way to discourage spammers from spamming? (Aside from Dave Barry's idea of a hunting season and selling tags)
If you could meet a spammer, what would you say? What would you do? What caliber would you use? Would you want someone to do it for you? Is $10,000 a head too much?
Would you like to consolidate your student loans while watching my 18 year old roomate take a shower, and then purchase some long distance phone cards?
Obviously the best step towards eliminating spam would be to make it a crime or easily punishable, but the nature of SMTP makes accurately tracking down the responsible spammer difficult at best and often time impossible.
What kind of changes would you make to the way email is handled to facilitate the elimination of spam?
Do you think that we can fight spam efficiently by still relying on the outdated STMP for mail delivery?
What do you think should enhance/replace it?
have you been defaced today?
Do you have any thoughts on these laws? I know that, as a non-lawyer, you probably can't do much for the actual wording, but what content would you have if it were totally up to you?
I can't say that I don't give a fuck. I've just run out of fuck to give.
What would be your actual dollar cost of spam, if you didn't spend much time and effort fighting it?
Let me explain...
I sometimes hear that spam has significant costs in bandwidth and storage but I don't believe it. As far as I can tell, SMTP traffic is at most 2-5% of net traffic. And a quick calculation shows that an ISP's costs for storing its users' spam are fractions of pennies on the dollar. (*)
You've likened spam to a DDoS attack on your mail servers. Stories about being flooded with traffic sound impressive but computers are so fast now, it's hard to put anecdotes into context. So I'm looking for dollar amounts. For a customers paying b dollars per unit time, an ISP like yours has to spend c dollars per unit time on servers that can handle those customers' incoming SMTP traffic. If this is significant, I'm looking for c over a times b :)
Obviously admins to run the servers are an important cost. But for purposes of this question, suppose you wanted to do the bare minimum. Say you set up the SMTP servers to use just a few of the less-intrusive DNSBL lists, like sbl.spamhaus, relays.ordb, or list.dsbl, and then ignored them as much as possible.
The next most common argument I hear is that customers will abandon ISPs that don't fight spam. But every ISP has the same problem, so this is really a competitive advantage issue except for the small percentage of users who are actually driven off the internet by spam.
Then there's outgoing spam but I don't imagine that's too hard to recognize and stop quickly.
Let me know what I'm missing...
(*) Thumbnail calculations of spam storage follow. Let's say J. Average ISP Customer gets 20 spams a day at 10K each, and deletes them only every 30 days. That's an average of 20*10K*15 = 3 MB of storage. If the ISP replaces hard drives every two years on average and its total storage costs are ten times the actual medium costs (for labor, backup, redundancy, downtime), then at today's hard drive prices, that spam storage will cost the ISP 0.003 * 10 / 2 dollars, or about a penny and a half. Over that same year, J. Customer pays the ISP $100+.
Thank you for participating
One of the few measures that can be taken against spam is the use of blacklists (for instance via DNS). There are a lot of pro's and con's for the use of DNSBL's. How do you feel about these? Should DNSBL's be governmentally regulated? Do you use any DNSBL? Should an ISP enforce certain RBL's (let say, of open relay's) on its customers?
I'm not a complete idiot... Some parts are missing.
Is it time to apply the computer-cracking laws to circumvention of anti-spam filters? After all, the two are identical in effect (break into somebody else's system without permission, and indeed against an express prohibition).
/. If the government wants us to respect the law, it should set a better example.
Do ISPs have the tools they need to prevent outgoing SPAM from their own customers? I look
at Sendmail and don't see anything that would allow you to throttle mail volume, check outbound messages for SPAM, restrict new customers etc. There isn't even anything built in that would warn you about a customer sending a million messages. It would seem that a few tools like that would be a big help to an ISP too small to develope its own.
I certainly am tired of deleting the penis elargement and Nigerian bank deposit e-mails, but where is the balance and how do we attain it, if ever?
I am currently using a permission based solution to block spam, called Choicemail. It works great since I know that there are no filters trying to guess what is spam and what is not. People on my white list get in, people who aren't get sent a message asking them to identify themselves.
The only drawback is that some people may possibly feel slighted that they are forced to go through such a process. But so far no one has complained. In fact, most people seem to be intrigued by the concept. If this type of spam blocking catches on, people will begin to expect it. Sort of like having to knock on someone's door before entering their house. It is a custom so pervasive, we feel strange just walking into someone's home, even a friends, without first knocking.
Sorry for the length of this post, and now to the question: How do you feel about this type of spam blocking?
Why hasn't any large ISP or enterprise seriously considered whitelisting mail? The traditional blacklist idea -- when I see spammers I'll no longer accept their mail -- is so easily overcome that many spammers don't even wait one generation to change addresses. Instead, bounce all mail you don't recognize, with a note to the sender on how to inform the system that you are a real user. Nearly all spammers loose their incoming account immedately, so this seems the natural choice. There's some more detail on this method at the TMDA project.
Do you think that there will ever be a long-lasting technological solution (e.g. Bayesian filtering systems) to spam or do you feel that any technological counter measure will be circumvented fairly rapidly?
I would just have a blanket, three strikes you are out policy. If someone complains about the content of your email three times, no matter the circumstances, you are outta there.
So if your best friend is infected with klez (or the latest variant) and sending messages that appear to be from you, if three people call to complain that you are sending them junk, you are outta there? Those are three complaints about the content of your email, and your policy says no matter the circumstances.
What if I don't like your political views that you've espoused on a political discussions mailing list and I call up your isp and tell them that your opinions about certain PICKWHATEVERPARTYYOUHATE Senators constitute a terrorist threat. After 3 of those complaints, you get dropped.
I wouldn't use an isp that didn't have some intelligence behind its decisions or didn't have an appeals process if I feel I was mistreated.
I was just thinking about this... what if there was a national "do no email" list? I'm just wondering if something like that would be effective.
All spammers would have to (by law) query the "national do-no-email" database before sending out their crap.
I'm just wondering if something like that would be an effective way to cut down on the noise out there?
sad robot making broken music
Do you think new laws that allow ISPs and end-users to collect damages from spammers on a per-message basis can be effective tools to reduce spam?
WARNING: there is a trojan on your
Ah, here is the reference. Diplomat shot dead in Prague
Many posts talk about proposed changes to society, government, and technology to lessen the spam problem. However, an ISP has more insight into the problem than many others, and I thought I'd ask a question to tap that insight:
Given today's society, technology and infrastructure, what can an individual do that would be effective in reducing not only the personal strain of spam, but also lessen an ISP's burden.
What kind of strategies have you seen work. For instance, in particularly bad instances I'm prone to send an e-mail to spam@isp.net, abuse@isp.net, or admin@isp.net, but usually never even get a response. Is there a better thing to do? Are there things that are absolutely the wrong thing to do (such as replying to a spam)?
In short, what would you like to see users do in response to spam today?
I am disrespectful to dirt! Can you see that I am serious?!
You completely miss the point of Shein's tirade.
By the time it gets to your inbox, it has already cost your ISP money (time/effort/bandwidth) to deliver it. You just see what leaks through your ISP's filters, despite their best efforts.
What legal pursuits do you feel would be appropriate to deal with spammers? What penalties? Prison time? Just fines? Given that some spammers make large sums of money from their spamming activities, what scale of fines would be appropriate?
Carpe Diem
ISPs have tried to rely on 'common carrier' defenses in the past. However, if they start blocking SOME email, can they be held liable for mail that they DON'T block?
And can you selectively give up common carrier status? If you block some email but host anyone's web page, for instance, can you be sued successfully for objectionable content on those web pages?
What is the most evil thing you have seen, so far?
Reply-to impersonation?
Embedded hypertext identifiers?
I'm sure it's much worse than that.
What would you do to stop that evilest of evil practises?
I'd argue this collateral damage has destroyed the usefulness of email even more than spam has. It's simply an unreliable medium these days -- you never know if your mail got there or not, because it could have been silently dropped with no bounce message sent. Thus whenever I send reasonably-important emails now, I use either the phone or AIM to confirm it was received.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
If you had known back in the early 90s that spam was going to be the problem it is now, what steps would you have taken then to protect yourself and others from it?
For instance, what changes would you have advocated in the mail protocols and what standard procedures would you have told other ISPs to use to prevent spammers from getting a foothold in the first place?
Do you have any statistics on how much of your ISP's bandwidth is consumed by spam? (And for comparison's sake, other stuff like p-2-p and Quake servers.)
"Draco dormiens nunquam titillandus."
Should end users set up their SPAM filters to bounce the offending messages, or should they just get quitely filed into the SPAM folder?
I used Mailwasher for a while, which gives users the options of generating bounce messages while filtering. There is some personal gratification in making it look like my email address doesn't exist. But does it actually help, or does it just add to the ISP's bandwidth requirements?
DJB claims that with this system bounce messages will be eliminated (if I read correctly).
While in the short term I concur, in the long term I must cry au contraire.
If Baysean filtering makes its way to the general public -- or is introduced at an ISP level, then it will reduce the amount of spam that gets through to potential customers, and hence make each spamming less profitable.
The least profitable of the spam messages will dissapear, thereby reducing the loads on our mailboxes and on the ISP as a whole. Therefore, perhaps a better question is:
Support a few technologists in Washington.
It seems to me that the existing email protocol has some fundamental problems that contribute to spam. It is basically impossible to authenticate who an email came from. Do you think that adding a new email protocol could solve these problems?
Specifically, if we created a second protocol that required that all email be digitally signed by the person listed in the "from:" clause and that the originating ISP guarantees this identity, wouldn't that solve most of the problems? The true identity of people who use the bandwidth I pay for to communicate with me seems like a fair thing for me to be able to insist on. I might even be willing to pay a little more to have such a system, although I would think such a system would be cheaper for my ISP, since the cost of carrying 33% garbage isn't there.
I should be able to say I want to filter email from Alan M. Ralsky of West Bloomfield, Mich or from any that passed through any ISP that cannot guarantee me that I can determine this. The problem is that Mr. Ralsky can send me email and I have no hope of identifying that it came from him. All that is required, it seems to me is for the leading ISP's to get together and create and enforce a standard that says your new-style email will be digitally signed with your legal name and that only ISP's that comply with enforcement practices will be allowed to use the new email protocol.
I worked a couple of years ago for a company that makes 'emarketing' software, and I managed the company's ASP for that software.
Most of the emails we sent out we're from internal, registered customers of the company. I would call these 'opt-in' emarketing messages that ranged from pitches to buy new or upgrade products, customer satisfaction surveys and automated replies for visiting a website and signing up.
There were, on the other hand, spammers. That is the only way to describe the quality of the emails they sent out. When I could query their databases and find email addresses of 'abuse@someisp.com' and other, similar non-customer addresses, there is no other way to classify it.
In either case, we never tried to hide or run away. We always used real email addresses and kept the same domain names. So, my challenges were, "How to I keep the 'good' customers from impacting the 'bad' customers?" I dealt a lot with CAUSE, the MAPS RBL and other organizations to keep the emails flowing.
So, here is my question: How do you, at the ISP level, differentiate between legitimate email marketing and Spam?
- Boucing messages with Mailwasher
- Having munged addresses where the "NOSPAM" is in the user part rather than in the domain part (that is, "bozoNOSPAM@isp.net" instead of "bozo@NOSPAMisp.net"), so your servers get hammered with invalid harvested addresses.
- Using often broken tools such as SPAMCOP to LART other ISPs?
- Does a significant number of problems from your user always come from the same users, or is the problem widespread?
are having a negative effect towards your own efforts at fighting spam, either by diverting ressources or simply being a nuisance?How much of the SPAM complaints do you do receive are properly done (that is, with headers and sent to the proper ISPs)???
It seems that law enforcement has no reason to get aggressive on this problem as long as companies such as yours bandaid it with technological measures. What do you think about a "no filter day", in which all of the ISPs remove their spam filters for 24 hours and let the world get first hand the full brunt of the traffic you're filtering? The outrage alone, if correctly managed, could get the appropriate authorities off their asses and go after these guys.
A few questions:
How would you grade the effectiveness of current filter techniques, and blacklists etc.
What filters/blacklists do you use, and how could they evolve so that you would feel comfortable using them? When choosing blacklists or filters, how do you measure the gains of blocking x% of spam against not-blocking y% of legitimate emails.
How do you regard the threat of spam in opposition to some of the major viruses. That is, viruses like "sapphire" that generate huge disabling traffic netwide, or like "code red" that - to this day - is still making attempts to access "cmd.exe" on my own linux box.
And lastly, as we all want to know, what do you think can be done to spammers to strongly discourage them from continueing their immoral practices.
Hello, Barry--
As a World customer, I found last year that I was getting removed from several mailing lists I was subscribed to beause so much of their traffic was being bounced by World spam filters.
When I contacted customer support, they said that the messages must have contained strings that triggered the filters, and that the solution was for the lists to avoid using those strings in the future.
What strings would these be? Customer Support couldn't say.
So, if I wanted to use my World account to recieve my list mail, I would have to persuade all other list members to not use the filter-triggering words. And I would have to do this without telling them what those words were.
It seems to me that strong filtering of customer inboxes is one thing, but doing so with no provision for opt-out or whitelists interferes with the individual's right to get the internet servide he's paying for. Do you disagree?