Cornucopia of Spam

Eric Savage writes "The IETF, through IRTF, has formed an Anti-Spam Research Group. If there is any hope for a technical solution the problem, it appears the first significant step has been taken. More info here in itworld and here in ComputerWorld." Three more exciting spam related posts inside, including news from the Nevada legislature regarding spam, Arkansas dislike of the meaty email and "when students go bad" torklugnutz writes "The NV state assembly just voted 41-0 in favor of a bill which allows spam recipients to collect up to $500 per piece of spam. The new law also requires ADV to be added to the subject line so that recipients can more easilly identify unwanted ads. In addition, spoofing of sender's email address or having an invalid return address is made illegal. The old law imposed a $10 fine on spammers, but required prosecuters to collect it. This law will, more than likely, increase my chances of reading the spam I get so that I can try to cash in. So, maybe I CAN make an incredible amount of money from this "Amazing Offer""

And in Arkansas: A.G. Russell writes "With House Bill 1008, Subtitled "Unsolicited Commercial and Sexually Explicit Electronic Mail Fair Practices Act." Arkansas looks to join other states that have criminal and cival legislation in place to deal with spam. Can we help them craft this?"

And from academia: mansemat writes "Seems spammers are using a new tactic these days by paying students to send spam over univeristy networks. This particular student will be disciplined by losing his computing privileges, and being educated on the policy he violated. One can only hope the education includes being subscribed to every pr0n, male enhancement, mortage, etc. spam on the planet." Should have booted the miscreant.

What's the point?

[Omkar]

After all, we know how law-abiding spammers are. And how effective the government is in combating computer criminals. I really don't think this will make a difference.

Re:What's the point?

[cobyrne]

The point is that there is no point in a spammer sending out an email that does not contain instructions on how to obtain the product/service being advertised. And, therefore, it should always be possible to track down the person responsible for the spam. The point is that, without the promise of $500 for each violation, it was not economically viable to track down the spammer. Now, it may very well be.

I once managed to track a spammer to a town about 2 hours drive from where I live. If I had been able to collect $500 out of my efforts, it is something that I would do more often...

Re:What's the point?

[Dan+B.]

Well if the goverment made as much money out of cracking down on spammers as say, speeding fines, with 'spamming fines', how much more aggressive do you think law enforcement would be on spammers? Then how many people would still do it?

It always about the money, or the budget.

Vicious circle I'm 'fraid.

But people will always speed ;-)

Re:What's the point?

[WCMI92]

"The crucial element here is "if enforced".
I'm also not sure how you plan to get companies to produce self-incriminating evidence that they paid for a spam run. The only means I can think of is to file a lawsuite and then use discovery to subpeona the records, but this would be prohibitively expensive. Few people would spend $1000 or more for a chance to collect a $500 judgement."

Again, if a company is running "spamcains" there will be an obvious pattern of incriminating evidence. The local prosecutors should then step in and do the investigating.

This won't net sleazeballs that do a quick, one time only, "hit and run" spamcain, but how many do that now? Most of them run CONTINUOUS spamcains, as that is the only way the law of averages (given the .005 response rate) catches up to make significant money.

Good anti-spam laws will make doing this in the bulk required to achieve profit difficult to impossible.

Re:What's the point?

[Murrow]

The point is that there is no point in a spammer sending out an email that does not contain instructions on how to obtain the product/service being advertised.

Mostly true.

One exception I can think of off the top of my head is the pump-and-dump stock scam spam. All they're after is to get a bunch of victims to buy a worthless stock, push up the price, and allow them to sell the shares they've already bought at 1 cent for 20 cents.

Arkansas emphatic

[ratbag]

Arkansas obviously believe that if you

• underline something it MUST be obeyed

Techinical solution

[Raul654]

Think of spammers like an infection. How does your body deal with it? It attacks the infections in a bunch of different ways. Why can't we do the same with spam? Rather than working hard for the magic bullet, why not use some combination of: Bayesian filtering, artificial bandwidth scarcity, blacklisting, aggressive collection of fines, targeting of domains that are advertised, etc. If you were to do all of these together, I'd imagine spam would not be a pleasant buisness to be in...

Re:Techinical solution

[Dan+B.]

How about imposing things like JAIL TERMS on people convicted of 'serial spamming'.

I read an article once about a guy who lives in a multi-million dollar house in one State and just burns though trial ISP accounts in other states that can't properly prosecute (if that's the right term, since most States don't yet have decent laws against spam).

Big Karma bonus for the governors of NV though, 41-0 on passing laws to nail the perpetrators AND finig them $500 for each successful plaintif in court.

Oh yes, I see the day when I no longer need the words 'rape, enlargement, mortgage, lolita, diploma and toner' in my filter list for 'Permanantly delete'.

Re:Techinical solution

[frankie]

Think of spammers like an infection. How does your body deal with it?

An interesting proposal. Spews and SBL are probably Leukocytes. SpamCop users might be APCs. But I don't see any Macrophages in our virtual immune system. That must be why spam is so rampant -- we need activists to go eat the spammers! Volunteers, anyone?

Re:Techinical solution

[Raul654]

Well when your in the buisness of morgaging out Lolitas for the purposes of rape enlargement, I should think it would

Re:Techinical solution

[Steve+B]

Once again, Nevada takes the moral high road, leaving the rest of the nation to follow.

I for one would prefer to live in a country where prostitution was legal and the cops conducted nightly sweeps to round up and jail spammers.

spam spam spam

I am certainly glad that lawmakers and researchers are turning their full attention to spam. It is certainly a big nuisance. I for one get very insulted having ten thousand strangers telling me that my penis is too small. If they could just step over this way I would whip it out and clobber them with it!

Still, I have to wonder if this is a slippery slope that we are travelling down. How long before chain emails and inoccuous humorous forwards are also denied?

Something Smarter Is Needed

[chayim]

Creating laws, regulations, and whatnot will come nowhere near solving the problems. Sure, if a spammer lives in the US then maybe this would work; but what about all these scams from Europe, Australia, Britain, etc. Just because laws exist in one jurisdication, it doesn't mean that others will play ball. And even having laws does nothing if they're not enforced. Why not have a group of IT police hunt down spammers? After all, they're already guilty of theft and fraud (think bandwidth people). Why not prosecute under existing laws and treat spammers like the theives they are. Even though you won't catch spammers outside your legal jurisdicition, you'll help. And every country that helps would quickly be eliminating the spam problem we live with.

Re:Something Smarter Is Needed

[SerpentMage]

The only reason why the SPAM is coming from the US is because right now there are no legal ramifications. Just like how there was Napster and then Kaaza. Napster was State side, shut down and now Kaaza is NOT state side.

Once laws start up the SPAMMERS will move offshore. Just like the guy who lives in Detroit. This SPAMMER lives in the US, but does not send the SPAM via the US.

Re:Something Smarter Is Needed

[Steve+B]

Once laws start up the SPAMMERS will move offshore.

The difference is that spammers need a point of contact to make money. Making their bandwidth thefts explictly illegal allows the police to seize the contact points.

Pay me for spam?

[Nevrar]

While I would definitely be keen on being paid $500 per "Enlarge your member" emails received, I somehow doubt the effectiveness of legislation to stop spam...

Instead of all this,

[Omkar]

I recommend spammers be designated cyberterrorists. For spammers in uncooperative totalitarian countries, replies with randomly generated subversive messages should be mandated by law.

I can see the e-mails now

[snitty]

IMPORTANT! READ NOW!

Please sign this bill from your state assembly! I did it and I got my wish! If you don't want to get this e-mail from the state anymore click the sucker link at the bottom!

The more spam I get, the better Mozilla does

Mozilla 1.3's spam filter has really come along nicely. The Bayesian method really is working nicely.

Not quite

[Raul654]

From the spammer's perspective, if he has to worry about huge fines and/or jail time every time he sends out spam, and if only 1% of the emails are getting through, and after 10 minutes his connection goes dead, how long is he going to be a spammer?

Spam loopholes...

[SystematicPsycho]

Firstly, they can start by trying to get the following loopholes plugged with the unsubscription methods ..

o unsubscription method is not feasible. I received an unsubscription method that went like this

• "To unsubscribe by
• postal mail, please send a request to P.O Box ..... Florida - quote reference number #blah"

Who is going to send a snail mail letter long distance to seemingly be unsubscribed from a spam list? Now it's starting to cost _me money to be unsubscribed. The law says to have _an unsubscription method of some sort - this falls within the law no matter how bad it is.

o unsubscription web page is non-existent - this happens to often

Spam Relies Upon Deceit

[zentec]

A large percentage of "junk mail" depends upon some fashion of deceit. Either it's by masking the true identity of the sender, a spam-haus using domain after domain and ISP after ISP in order to avoid the blacklists or simply by lying and saying that "you really indeed did ask for this".

The answer to the spam problem is to find technical answers that start peeling away at the ways spammers use deceit.

I've said this before and I'll say it again, the first place is to rewrite RFC-821 and require valid reverse-name lookups before accepting mail. Also permit as an authentication scheme that allows the administrator of the accepting mail system to set permissable trust levels. Example, mail that's verified (through an SSL certificate might be one way) as coming from gm.com is accepted, but mail coming from slashdot.org is set to a lower trust level (because they don't want to spend the money for a certificate). Mail from getyerviagra.com is immediately tossed into a review folder, trashed or denied because they don't reverse properly and they have a forged or self-signed certificate or simply don't have one.

The LAST thing anyone here wants is ANY government telling us how to manage electronic mail. In the US, it'll be frought with hooks and back-doors so the feds can snoop your mail.

Let's get it together and fix the problem on our own.

The best solution...

[cindik]

...is unfortunately not a realistic solution:

If no one ever buys anything from spammers, spam will stop.

Unfortunately, the one in ten thousand who buys into this makes it worthwhile to spend a buck to send 10,000,000 emails.

Some people just refuse to believe that unsolicited email offers are a problem. The marketing director at our company keeps pushing to "buy this list of targeted email addresses" or "pump up our ranking in search engines" as offered by the latest spam he receives. These people aren't responsible for spam, but they're responsible for making it profitable.

Like anything else governments try to control (US war on drugs anyone? how about the US prohibition era? prostitution?), spam will continue to exist as long as there is enough demand to justify the low cost of email.

Just say no to spam?

Loophole alert

[paiute]

Political speech is exempted. Advertising of the "call X and tell him that you are against his position on Y" is protected free speech. So expect emails of the sort: "Call Senator McGuffy and tell him that his penis can be enlarged in only three weeks!"

Once again

[deblau]

Since the attention span here seems to be about 5 minutes, I will reiterate a basic argument about spam (and many other problems plaguing us):

Just as you can't solve a technology problem with laws, you can't solve a social problem with technology.

Spam is a social problem. Scam artists have been around for millenia, 'spamming' you with unwanted and unsolicited communications. The Internet is only the latest communication tool that they use to peddle their wares. Previous tools have been faxes, TV, radio, telegraph, snail mail, courier, and shouting at you from the next hill over. Don't think for one second that the 'let's DDoS them out of existence' or 'let's make email expensive to send through some complicated protocol' arguments will work. They won't.

Here are three easy steps to stop spam:

1. Don't buy anything you get from spammers. Yes, that 24" penis must be really tempting, and I know you're dying to lose 10^6 pounds, but don't do it.
2. Encourage other people to restrain themselves. The indiscriminant spam approach only works if the percentage of buyers (a.k.a. suckers, marks) is high enough to justify the cost of spamming (which is very low for email). If you can knock down that percentage, spamming won't be as successful.
3. Educate people you meet about spam. Let them know that not every email they read is for real. Let them know that responding to spam encourages spammers. Let them know that if you catch them replying to spam, you will give Indian burns to their entire family.

In short, technology isn't the problem here. The problem is that too many people keep falling for the spam. If you do your part, we can make it more expensive for scammers to use the Internet for their schemes.

Re:It'll never work...

[pclminion]

Also, what's stopping a Texan from spamming people in Arkansas? You can't enforce Arkansas laws in Texas. It doesn't work that way.

Maybe you can't enforce Arkansas law in Texas, but the Texans can sure enforce their law in Arkansas. All it takes is a shotgun and a pickup truck.

Re:Technical solution

[Jay+L]

Think of spammers like an infection

A better analogy than you may realize! Spam is like bacteria; it is self-reproducing (spam for spam software, spam for millions-of-addresses CDs). Using spam filters exerts a selection pressure on the spammers, and the stronger spammers adapt to the filters, become resistant, and multiply.

At AOL, as the single biggest target of spammers, we had to think very carefully about the effects of filters before we implemented them; turning on a weak filter would be just as bad as taking weak antibiotics for a day and stopping, and in some cases it could make the problem worse. For instance, we once decided to start treating any message with >N recipients as likely spam. All we did was force the spammers to start sending messages with one recipient each - which meant we now had to process N times as many messages as before!

(Incidentally, the antibiotic analogy led me to discover, and donate to, the Alliance for Prudent Use of Antibiotics, which fights overuse and improper use of antibiotics, helping to keep resistance down. Check them out and give them some money; you'll save on your own health care costs in the long run.)

Jay the ex-AOL Mail Guy

How to defeat spam

[GnuVince]

Spam is a business. Like all business I know, its fuel is money. When spam stops being profitable, it will probably stop being so much a problem. Most geeks, nerds and hackers know how to recognize spam a mile away and most of us have spam filters installed, but common users do not. We need to help them by explaining them how spam works, by installing them filters (PopFile is an excellent free one on Windows and other platforms).

Just make sure as much people in your neighborhood never see spam, and after a while spamming will not be as much as a problem as it is right now.

Informing the common computer users is the first step.

Summary of IETF ASRG discussions

[wayne]

I've been subscribed to the list since near the beginning and have been following it fairly closely. Much of the discussion has been rehashes of old topics such as "what exactly is spam?", "make the sender pay something, either money or CPU", etc.

The most interesting discussions that I've seen so far are:

• Mail transfer programs (MTA) such as sendmail, exim, qmail, etc., should keep track of sender-recipient pairs. The first time the sender-recipient pair shows up, sendmail (or whatever) should issue a "temporary delivery failure". This will force the sending mail transfer program to queue the mail and resend it later.

  Most spam specific programs will not queue and retry, and thus the spam will be dropped.

  Spammers that use real mail transfer programs or open relays will need to be able to hold all their outgoing spam for a while, increasing the spammer's costs and slowing down the delivery of spam. Legitimate email will not be thrown out, it will only be delayed and only for the first time.

  Of course, you don't really want the databases to remember every sender-recipient pair forever, nor do you want to remember pairs that were added by spam so this really isn't a "first time" database, but it is close.

  Apparently the "canit" program already does this, but I had not heard of this technique before.

• Spam filtering really needs to be done while the email is being received. Sendmail can already do this with the milter filter, but other MTAs should also. Most mail servers are I/O bound, not CPU bound so this really isn't much of a burden on the server. This is completely backwards compatible and doesn't require end users to do anything.

  If you filter during the email receive process, you can make the sending MTA do the bounce. This means that you will not have to deal with spammers forging "from" and "reply-to" headers. You won't have to clean up bounces that never succeed, nor will you be responsible for bouncing spam to another victim that the spammer selected for the "from" or "reply-to" headers.

  Also, false positives will recieve a bounce message instead of just disappearing. This reduces the danger of important email being lost.

• There are also several proposals to deal with ways of verifying that email being sent from a given IP address and claiming to be from a certain domain is actually authorized to send email claiming it is from that domain.

  Right now, there are DNS records that tell you which IP addresses are valid to try and send email to for a given domain (the MX records), but many ISPs have different machines for sending and recieving email. There are currently no DNS records to tell you which tell you which IP addresses a domain will send email from.

  The problem with this kind of proposal is that there are many people who think they have legitimate reasons to forge "from" or "reply-to" addresses. It also forces ISPs to make sure that every time they add a new outgoing mail server, they need to update the list of valid IP addresses. If they forget to do this, then only bleeding edge spam filters will detect a problem.

The solution for spam - really

The problem with spam is that people are highly motivated to send it, and as long as email is open in the sense that the messages can be delivered profitably, spam will continue.

Some people (notably congressmen) seem to think legislation can fix this - that's silly. How will you legislate against the spam you receive from China, for example.

There are a couple of big issues with spam - 1) the annoyance factor - people just don't like to get it - their time and brainpower are wasted searching for their "real" email, and 2) the bandwidth problem - recipients and ISPs are being forced to pay for spam themselves via bandwidth costs.

The closest thing we have to an answer today is whitelisting - the idea that you only accept email from people you've already listed as authorized senders. Whitelisting removes significant email functionality (currently a lot more functionality than really necessary because there's no standard implementation) - you can no longer get email from a long-lost friend or in response to account creations on web sites, for example.

Nonetheless, whitelists are the closest thing we have to a solution for Spam Issue #1 listed above (the waste of time and brainpower). Unfortunately, they do very little to address the bandwidth issue.

Some ISPs (Hotmail, for example) have implemented whitelists on the mail server side so that clients don't actually have to download the messages from non-whitelisted senders. However, this only relieves the bandwidth burden from the end-user, not from the ISP. ISPs can be protected from spam too.

There's also an even bigger problem with whitelists - how do you authenticate authorized senders? If you only rely upon the email address of the sender, your system will quickly become useless as spammers identify addresses you're likely to accept email from. This will happen really quickly in environments where whitelisted addresses are predictable (e.g. companies usually have a postmaster or administrator email address; people living in countries that give each citizen an address are also likely to have predictable whitelisted addresses).

So we need a whitelist solution that includes strong authentication and allows spam to be cut off before it wastes too much bandwidth. Here it is.

The solution involves several features: 1) a public key infrastructure that allows recipient whitelists to be looked up; 2) extensions to the SMTP protocol to allow servers to validate messages against whitelists before accepting the message (ie without opening the message itself to search for a public key); 3) interfaces to allow recipients to modify their whitelists; 4) interfaces to allow senders to request that they be added to a recipient's whitelist (although carefully designed to prevent this system itself from being co-opted into a spam method).

With such an infrastructure in place, additional spam control is possible. A compliant mail relay can check a message sender against the message recipient's whitelist and choose to reject it immediately. The cost associated with implementing this check can be passed directly to the sender - mass emailers can still do their work, they just pay more (or go elsewhere).

If a spam message still makes it to the recipient mail server, that server gets the sender, recipient, and sender's key in the SMTP headers before the "DATA" section of the SMTP exchange occurs. With that information, the recipient mail server can validate the sender against the recipient whitelist - if the key isn't allowed, then the message is rejected before the actual message is delivered, offering a huge bandwidth and cpu-overhead savings for the ISP.

So where should the actual whitelists be stored? For performance (and DDoS-limiting) reasons, the key infrastructure and the whitelists it provides will probably need to be a lot more distributed than they are now, probably to the point of being hosted on systems at the recipient ISP.

Perhaps the whitelists ought to be separated from the key infrastructure, hosted on separate systems - I think it makes sense to provide a provision for this, but not to expect it to be the initial implementation. (Thoughts?)

You may be thinking we already have a suitable key-based authentication infrastructure in place in the form of PGP - I disagree. Although I think PGP is a good start, I don't think the "web of trust" idea will hold up to spammers' attacks. Once someone is strongly motivated to compromise the web of trust, doing so becomes trivial. I believe that this fact will also reinforce the likelihood of key servers being hosted by recipient email systems, where recipients can be charged for key maintenance as part of leasing their email accounts.

Although all of this infrastructure would take a while to design, standardize, and implement, it's certainly an attainable goal, and it would dramatically improve our ability to handle spam.

Of course, whitelisting is not without its drawbacks, even when it works perfectly. The design outlined above is almost certain to incur ongoing expense for a recipient in the need to maintain a key on a server - I think it's unlikely that free email services will be willing to offer this service, at least until it is well-established.

Deployment of such a system will probably require a lot of either altruism or foresight on the part of ISPs - in the beginning the system will be virtually useless, meaning its return on investment costs will be minimal until a large user base is established. It is my hope that altruistic organizations will both fund and initially implement such a system - universities come to mind as the most likely such organizations, hopefully with some poking and prodding from other well-funded groups (government, the IETF or IEEE, etc).

Ok, now that I've written all that... do I sign my name? :-) Those are my thoughts on the problem - discussion is welcome. Please be kind though - I'm tired this morning. :-)

-- Trever, t at wondious d0t com