Slashdot Mirror


Forty Percent of All Email is Spam

PCOL writes "There's an interesting article on spam in today's Washington Post which includes an inside look at AOL's spam control center in Northern Virginia. The story reports that roughly 40 percent of all e-mail traffic in the US is now spam, up from 8 percent in late 2001 and nearly doubling in the past six months; that AOL's spam filters now block 1 billion messages a day; and that spam will cost U.S. organizations more than $10 billion this year from lost productivity and the equipment, software and manpower needed to combat the problem."

  1. Good percentage by Anonymous Coward · · Score: 2, Funny

    Compared to Slashdot posts!

    1. Re:Good percentage by badfinch · · Score: 2, Informative

      According to a site that keeps stats live for their filter for all mail processed 50.7% are detected spam from bulk senders. The site is http://www.herbivore.us

    2. Re:Good percentage by MikeDX · · Score: 2, Funny

      AOL's spam filters now block 1 billion messages a day

      Is this per user?

  2. sure, sure. by irc.goatse.cx+troll · · Score: 4, Funny

    And 90% of all statistics are made up on the spot.

    --
    Pain lasts, kid. It's how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    1. Re:sure, sure. by oldmacdonald · · Score: 3, Funny

      Not true, your statistic was made up ages ago.

  3. Another stat by techstar25 · · Score: 5, Funny

    Ironic. Forty percent of spam is pork.

    1. Re:Another stat by tm1rules · · Score: 2, Funny

      So, 16% of all email is pork? Tasty!

    2. Re:Another stat by billybob2001 · · Score: 2, Funny

      Forty percent of email is em

      Works in Ascii, Ebcdic and Unicode

      (no, there isn't a null at the end)

    3. Re:Another stat by cHiphead · · Score: 2, Funny

      then what's the other 60%?

      that's the secret ingredient you simply don't want to know about.

      soylent green is.... PEOPLE!?

      --

      This is my sig. There are many like it, but this one is mine.
  4. 40% ...? by DaneelGiskard · · Score: 4, Funny

    So who gets the 60% of the regular email I'm supposed to get?

    1. Re:40% ...? by scott1853 · · Score: 5, Funny

      It's deleted by the spam filters.

    2. Re:40% ...? by MousePotato · · Score: 2, Interesting

      ... I found a mailbox I hadn't used in years, full of 1700 pieces of email. 2 were meaningful...

      Hah! I got ya beat! I just got email from an account that I couldn't access for almost eight months and there were 7,018 messages in it! Of which 4 were keepers and the rest pure crap. What boggled me was that the account supposedly had a 2 meg limit that the admins never imposed and just let it grow and grow.

  5. now i get spam by stonebeat.org · · Score: 2, Interesting

    about spam stopping software.

    1. Re:now i get spam by You're+All+Wrong · · Score: 5, Insightful

      Nice innit?

      However did you notice in the article it said:
      "nearly doubling in the past six months, according to Brightmail Inc., a major vendor of anti-spam software."

      So I'm not 100% sure the stats can be believed - it's in their interest to tell you it's all doom and gloom. It's even in their interest to have you spammed, but that of course would be conspiracy theory central...

      YAW.

      --
      Your head of state is a corrupt weasel, I hope you're happy.
  6. Accuracy by NitroPye · · Score: 3, Insightful

    I wonder how accurate the AOL spam filter is. If some people are accidentally getting their emails blocked or others not getting emails delivered. Does anyone know on which principle the AOL filter works? Is it just a bunch of email addresses known to be spammers or is it some kind of guessing filter that has certain words and phrases coined as spam?

    1. Re:Accuracy by bheerssen · · Score: 4, Insightful

      A follow up question: how much spam gets past their filters and do they use a standard deviation accordingly to arrive at those numbers? It is conceivable that the actual figure is higher.

      --
      (Score: -1, Stupid)
    2. Re:Accuracy by Anonymous Coward · · Score: 2, Funny

      Even if it's only 70% accurate, that's still 700,000,000 emails. At a cost of $10bn per year, it's about time that it was illegal country wide, made a felony and a section of the FBI set up and funded by a $1 per quarter employee tax on companies. They should then track down, arrest, beat and torture these non-people, put them on a stinking shithole island, Australia will do and then let them rot in hell. Forcing them to listen to the Canadian screamer, Celine or even worse, Whitney...

    3. Re:Accuracy by Analog · · Score: 2, Interesting
      I wonder how accurate the AOL spam filter is.

      Not terribly. Several years ago, after I first got broadband, I set up my own mail server because my ISP's was constantly going down. I've run it since then with no trouble.

      Several weeks ago, I started getting bounces on mail I sent to AOL addresses. Turns out AOL uses lists of IP addresses that are known to belong to ISPs but not be their mail servers and refuses connections from them.

      Their attitude is that I have no business running my own mail server, that I should use my ISP's instead (gee, maybe if my ISP's didn't suck I would). So, yes, I can say that at least a few of those 1 billion are legitimate mail.

    4. Re:Accuracy by wawannem · · Score: 3, Informative

      You know... You could fix this kind of situation yourself. If you set up a real DNS zone, AOL would have no way of knowing you aren't running a legitimate mailserver. Shell out a few bucks to get a name, then spend a day or two figuring out BIND (or worse WinNT DNS), then voilà! You will be doing it correctly!! And who would have thought, when you do it right, ISPs will honor it!

    5. Re:Accuracy by corbettw · · Score: 5, Insightful

      Umm, what AOL is doing is right and proper. Is your host the MX record for a domain? No? Then no one should be accepting mail from it. Can your host be authenticated with reverse IP look-ups, crosschecked with MX? No? Then, again, no one should be getting your mail. (All except your own ISP, that is.)

      This might be inconvenient for you, but this system exists as a deterrent to spammers. Don't like it? Get your own IP addresses for home use or host your own domain somewhere (that's what I do).

      --
      God invented whiskey so the Irish would not rule the world.
    6. Re:Accuracy by Tackhead · · Score: 3, Funny
      > Even if it's only 70% accurate, that's still 700,000,000 emails. At a cost of $10bn per year, it's about time that it was illegal country wide, made a felony and a section of the FBI set up and funded by a $1 per quarter employee tax on companies. They should then track down, arrest, beat and torture these non-people, put them on a stinking shithole island,

      Hey, hey, hey.

      What did a pit full of decaying fecal matter do to deserve being filled with spammer?

      Have some respect for shit, man.

  7. Optimistic by Rosonowski · · Score: 5, Insightful

    I think this is a bit optimistic. I get 300 pieces of email a day, and I'm lucky if more than 50 are legitimate mail.

    --
    01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
    1. Re:Optimistic by grylnsmn · · Score: 5, Funny

      Oh yeah? Well I send over a million emails a day, and I'm lucky if 10 of them are legitimate!

    2. Re:Optimistic by kring · · Score: 5, Informative

      I run a small site (~100 users) and our spam filter, which is designed to be relatively forgiving, catches about 35% of the total messages that are handled by our mail server. 40% seems pretty low to me.

  8. Cost/Benefit by rcs2 · · Score: 2, Funny

    Are there any estimates to the total revenue generated by spam for spammers? If it were less than $10 billion, we should be able to simply bribe them to stop spamming.

    --
    This is not a signature.
  9. Does not surprise me by nenolod · · Score: 2, Insightful

    I'd say more like 60% though. However, I'd also say that 40% of idiots make up statistics to prove their point, and 90% of people know that.

    Anyway, I get about 1800 messages a day, total. Messages are run through procmail and a complex spam filtering Perl script that I wrote for myself. About 600-700 messages are blocked per day, therefore being more than 40%.

    I'd also state that most SMB popups are SPAM.

  10. in my inbox today: by greenalbatros · · Score: 3, Funny

    Did you know 40% of all email is spam?!! to find out mo...

    --
    this sig steers like a cow. and i can prove it
  11. Maybe that's the way to go... by irving47 · · Score: 2, Interesting
    Continued statistics like that, with economical impacts in the billions might attract enough federal attention to get some standardized laws across the board.

    Sure, we'll still have to worry about foreign sources, but I'm sure the U.N. will be happy to help with this issue.

    --
    I had a sucky sig.
    1. Re:Maybe that's the way to go... by dpille · · Score: 2, Insightful

      ...with economical impacts in the billions might attract enough federal attention to get some standardized laws...

      Maybe I'm too cynical, but I'd expect to see a tax cut to benefit the wealthiest spammers instead of anything that would help the common email recipient.

  12. Sounds about right to me by utmslave · · Score: 5, Interesting

    I administer a Spam filter for a state University in Tennessee. Since I began filtering, I have trapped about 42% of all email bound for faculty and staff. Some spam still gets through, but the impact on our pop and imap servers has been greatly reduced.

    550 Spammer Go Away!

    1. Re:Sounds about right to me by destiney · · Score: 3, Interesting


      A friend of mine is a sysadmin at Vanderbilt University in TN. He said they can only place spam filters on client machines, and that no filtering is allowed on the receiving server whatsoever. I asked him why, and he said they believed it was unjust to assume that any message was unwanted by the users, that it was their choice alone to decide what was spam and what was not.. Pretty insane if you asked me.

    2. Re:Sounds about right to me by ergo98 · · Score: 2, Interesting

      That doesn't sound insane: It sounds right on the money. At the very least any server-side filtering should include a user ability to opt out, or to actually configure the spam filtration settings for their own account (rather than some sysadmin in a cube somewhere deciding that the word "penis" equals spam, destroying the communications of the medical staff, etc). I'd rather have the ability to audit the tool on occasion to ensure that it isn't blacklisting friends or family, etc.

    3. Re:Sounds about right to me by Chanc_Gorkon · · Score: 4, Insightful

      With one exception......viruses. Filter these suckers out at the server. This will cut your "oops, I clicked on something I should not have" syndrome.

      --

      Gorkman

    4. Re:Sounds about right to me by Mr+Guy · · Score: 4, Funny

      Sysadmin for the comp sci department at my college set up scripts to change any .vbs file sent as an attachment to .vbs.ifyouclickonthisanditsreallyavirusIwillholdyoupersonallyresponsiblefordamagetotheschoolscomputers. The IT department for the school, running Exchange servers, had to wait for Microsoft to issue a patch. While the IT department got pounded with help requests, the comp sci had 0 virus reports. Wonder why...

  13. What is spam? by lseltzer · · Score: 2, Interesting

    I don't want to quibble about the specific number, but how do they decide what is spam? Much of the decision is somewhat ambiguous.

  14. Spam Control by cheezus_es_lard · · Score: 4, Interesting

    So, we all agree that Spam is a problem. We all agree that legislating Spam out of existence isn't going to work, due to the international design of the Internet. So what needs to be developed is a backwards-compatible mail transfer protocol that authenticates the user to the sending server and forwards the message to the receiving server, who contacts the sending server back and verifies the user's identity.

    I'm no software designer, but surely we could find some concept for migrating off of SMTP and POP and to a better, more secure protocol.

    Other thoughts?

    -cheezus_es_lard

    1. Re:Spam Control by JimDabell · · Score: 4, Interesting

      I'm no software designer, but surely we could find some concept for migrating off of SMTP and POP and to a better, more secure protocol.

      It's not a technical issue (ignoring open relays, which can already be fixed without changing any protocols).

      The fundamental issue is that one of the most important uses of email is to let anybody, anywhere email you, with no hassle. Of course, spammers take advantage of that.

      What's needed is accountability. Give someone internet or smtp access? Make sure you have a way of billing them for any spam they send, and put it in big letters when they sign up.

    2. Re:Spam Control by Qzukk · · Score: 2, Insightful

      I'm no software designer, but surely we could find some concept for migrating off of SMTP and POP and to a better, more secure protocol

      Sure. Just like we convinced everyone to close off their open relays. Not going to work.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    3. Re:Spam Control by Ravensign · · Score: 4, Insightful

      I agree with this principle.

      At what % do we look around and say, it's time for a new protocol with spam avoidance built in?

      50, 60, 75?

      --
      "Sig free in '03!"
    4. Re:Spam Control by letxa2000 · · Score: 2, Informative
      I haven't seen forged headers used extensively for some time. The only thing I really see being forced is the "From" address and the Reply-To address, along with the "HELO" command in the SMTP exchange. But forging "Received" headers seems to have become less frequent.

      I think that's because spam is, by nature, evolutionary. What works for now is quickly picked up on and then they have to move on to something else. The only people really interested in "Received" headers are sysadmin type people that are going to be able to recognize forgeries anyway so they don't gain anything by doing it.

      What blows me away is how many are spamming directly from their DSL connections these days. They just don't care and apparently the DSL providers just don't do anything about it. I can see throw-away dial-ups being used to spam, but I find it amazing that someone would risk a DSL connection to spam. The fact that they DO risk their DSL connection suggests to me that it isn't really much of a risk. :(

      I also think the anti-spam approach has come down more to filtering and looking for a new protocol than reporting spammers. While some spam reports actually result in action, most don't--and those that do you are seldom informed of that so it seems that you are making spam reports that go into a blackhole. I gave up on reporting spammers two years ago--except for extreme cases that border on DOS attacks.

  15. Take this with a grain of salt by mrhandstand · · Score: 5, Insightful

    The article states that 40% of Internet traffic is Spam. And where does this statistic come from? From Brightmail...a vendor of anti-spam software. Remember...liars, damn liars, and statisticians

    --
    Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
    1. Re:Take this with a grain of salt by Zathrus · · Score: 4, Informative

      The article states that 40% of Internet traffic is Spam

      No, the article states that 40% of email is spam.

      Which, frankly, seems low. But perhaps they're including corporate email, which often sees a much lower spam level.

      I'm still trying to find estimates on how much of all Internet traffic is from SMTP -- I've seen estimates of anything from 5% to 30%.

    2. Re:Take this with a grain of salt by Captain+Beefheart · · Score: 2, Informative

      "But perhaps they're including corporate email, which often sees a much lower spam level." ...Except that drumming up a corporate e-mail address is usually as simple as adding the first letter of the first name to the last name, as in bgates@microsoft.com or sjobs@apple.com. I've gotten several spams to a relatively high-profile domain, the specific address of which had not been used externally, had not been in someone else's CC field externally, and had only existed for a few days before the spam started trickling in.

  16. Losing a figurative war on spam by Nonac · · Score: 5, Insightful

    Aside from the AOL spam control center, most of the spam prevention discussed in this email is aimed at trying to stop the sender through legislation and black lists. Legislation will never work, and black lists are marginal.

    The answer to this shortcoming in the current email infrastructure is redesigning email protocols to allow spam to be stopped as it is sent.

    I don't have the answer, but something that forces the sender to verify that the recipient will accept the message before it is relayed will be a start. I also like the idea that came from Microsoft recently of forcing the sender to pay the recipient a small amount of money.

    The problem with bayesian filters is that they filter too much spam. The more people that use bayesian filters, the more messages the spammers will have to send to get through. Because it is almost free to send messages, they will continue to increase the number of messages they send until it gets to a point that email infrastructure can't handle it anymore.

  17. Speaking from Experience by DLG · · Score: 3, Informative

    In the past 2 months, using a combination of tools including SpamAssassin, I have managed to block approximately 32000 spam mail a week. This is more than 50% of our incoming mail.

    I will note that in general this is only coming to around 20% of our users. It is approximately 100 messages per user per day. This actually seems reasonable compared to one of my email accounts that is on a webpage.

    So I would say the only reason the amount of spam is so low is that enough people in our firm don't give out their firm email addresses on the internet to strangers.

    Although they do miss out on a lot of great offers for Hovercraft Toys.

  18. Re:Only 40%? by scott1853 · · Score: 4, Funny

    Maybe you have lots of friends and they're all filling out those "notify my friends" forms?

  19. What say you "just hit delete" crowd? by walt-sjc · · Score: 4, Insightful

    Citing "Freedom of speech", the first amendment, etc, there still seems to be an ignorant crowd that thinks that we shouldn't have any legal means to curb spam. They still think technology can solve a social problem. As ISPs put increasingly invasive filters on email servers, legit email gets lost. When 99% of all email is spam, will you STILL think it's ok? When ISPs raise your internet fees due to spam, will you still defend its legality? When you are on the road paying $.50 / minute downloading spam for half an hour, even though your local filter blocks it from your view will you still be happy?

    There are people who want to re-invent the email protocol to solve the problem. Yeah, doing something technological can help the FUTURE, but what are we going to do for the 5 years it takes to develop, implement, and deploy this new technology?

    Think about it.

    1. Re:What say you "just hit delete" crowd? by ErikZ · · Score: 3, Insightful

      "Yeah, doing something technological can help the FUTURE, but what are we going to do for the 5 years it takes to develop, implement, and deploy this new technology?"

      Probably the same thing we would do if we didn't develop the tech. Just sit there and delete spam.

      --
      Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
    2. Re:What say you "just hit delete" crowd? by Azghoul · · Score: 2, Informative

      I wouldn't support legislation. Ever.

      Of course, the hue and cry of the masses will eventually bury any other viewpoint.

      I currently have four email accounts.

      1 is my work email, only messages to and from people I work with. I have never received a spam to that account.

      1 is an old work account that I still occasionally use. No Spam received for 2 years. Then I accidentally put it in when I registered a domain with those fucks at Verisign (sorry for the french). Now I get about 20 spam per day.

      1 is a throwaway Netscape.net free account: Sign up for all web forms, stupid shit with this one. Gets mostly spam, but I don't care.

      1 is a private family account that only a few people know. No spam there.

      There's a solution, it's in using email intelligently. But like I say, the great unwashed AOL users will whine until their gov't wastes more of my tax money.

    3. Re:What say you "just hit delete" crowd? by Ed+Avis · · Score: 4, Insightful

      'Using email intelligently' consists of having multiple email addresses and trying to keep them secret? WTF?

      --
      -- Ed Avis ed@membled.com
    4. Re:What say you "just hit delete" crowd? by Christianfreak · · Score: 2, Insightful

      Your rant doesn't make a whole lot of sense. I don't think the problem is that people think that SPAM shouldn't be regulated, (okay maybe a tiny minority), it's not regulated because there is no way to do so. I see very little SPAM that doesn't have forged headers or that didn't come through an open relay.

      We don't need new laws. The SPAM is already illegal. You can't enforce a NO SPAM list because a) spammers are difficult to track anyway and b) even if they weren't there is nothing financially or otherwise preventing them from re-routing their SPAM through international servers.

      That said I think a lot of the filtering software misses the point. It's not as difficult to find the owners of open relays. I really think that we should go after ISPs that knowingly or not have open relays. Easier to track than the spammer himself and if you get the open relays you stop a whole lot of spam right away.

      As for overseas sites, maybe that's where we need treaties and incentives for foreign governments to crack down on said open relays (I know it will never happen). In the meantime that's where filtering is a good idea.

    5. Re:What say you "just hit delete" crowd? by amcguinn · · Score: 2, Interesting

      Fair questions.

      Let's look at the future: Currently, people are willing to accept email from unknown senders. If the volume of spam continues to increase as you plausibly predict, that is where the system will break. I assume that well-known people already read emails only from whitelisted senders, and that if I send email to, say, Tony Blair or Linus Torvalds it will not get read. As unwanted mail increases, the number of people doing whitelist-only filtering will increase too. Note that this can be done almost perfectly with existing protocols & software, and the only changes that will become necessary will be to prevent forged From: lines, which would not be too big a hole for spammers in any case.

      That is what is at stake, therefore: our ability to communicate by email with people we have not established a relationship with. That would be an actual loss, but is it worth legislating for?

      Bear in mind that it is not 'given' that there must be a legislative solution, any more than that there must be a technical solution. Both technical and legal solutions run into choppy waters when attempting to separate spam from non-spam.

      It is possible that email will slowly die, and be replaced by something else - you can imagine instant messaging expanding into non-instant messaging too, but with authenticated senders and enforced whitelists. SMTP email would become like Usenet, swamped in useless messages, its functions of old taken over by different media.

    6. Re:What say you "just hit delete" crowd? by fmaxwell · · Score: 2, Informative

      I know I'm going to regret this, but my beliefs are as strongly held as yours are...

      But I haven't seen any laws which don't also block free speech.

      The Constitution and the courts have not held that freedom of speech is absolute. For instance, it is not legal to yell "fire!" in a crowded theater (unless there is a fire). You do not, for example, have a Constitutionally protected right to slander someone. Your freedom of speech does not mean that you can go up to a minor and tell them about your sexual fantasies. You have no right to clip into the phone wires outside my house to make long-distance calls in order to exercise your freedom of speech. You do not have a legal right to call 911 to tell them about your great new multi-level marketing site.

      Laws limiting freedom of speech must simply pass the Central Hudson Test. I, and many advocates of anti-spam legislation, believe that such legislation would survive a court challenge based on this test.

      It could. I don't get any spam on instant messenger, for instance.

      I have.

    7. Re:What say you "just hit delete" crowd? by mr.nicholas · · Score: 2, Interesting
      There's a solution, it's in using email intelligently.

      It's not that easy (or simple), friend. It's not just about giving your email address away to trusted folks, nor is it about placing your email in places that can be trolled from the web.

      About 99.9% of my mail I get is spam. I receive about 2000 emails a day to my personal account and if I'm lucky, 3 of them are legit (I now mostly communicate with my family and friends via IM).

      I run my own email server (and have since '93). The problem is that my system is constantly being dictionary-attacked for addresses. No matter where you hide (or don't hide) your account names, having some fucker scan every known name in the universe against your system WILL get it. And once one spammer gets it, they all do. (You do know they trade lists, right?).

      As it stands now there is no good way of preventing dictionary scanning. Yes you can make it hard (and I do by catching more than 2 User Unknowns, IP firewalling off the address that started the scan and sending back 1MB of /dev/random data from sendmail as a response message), but when someone wants to scan you, they will; even if they have to do it one address-per-envelope at a time.

      My son (who is 11) receives close to 300 spams a day (because he has his first name as his account name [as my entire family does on my system*]), 200 of which would make Solomon blush [hey! click here to see girls get fucked by turtles]. I, of course, filter HIS mail by hand (he pops from an account that I forward mail to).

      I *want* legislation; badly. I want it to be illegal to forge headers. Since my state (North Carolina) *HAS* anti-spam laws already, it would be really nice to be able to enact them. But because of the forging, it's next to impossible to do unless I quit my day-job just to parse headers and track down companies so that I can take them to small claims court.

      I can't do that. And I don't have the time. And nor should I be required to. So what's the answer: unfortunately, legislation.

      SPAM is a plague of locusts for the 'net. I equate it to kids who crack/cheat on multiplayer games and make them unplayable by everyone else. SPAM has absolutely ruined the usefulness of email.

      * By using full first names as accounts (nicholas@blah.com) it's easy to guess my accounts. I should NOT however, be forced to use anything else because of the abuse of the system by lowlifes who are too lazy to get a real job to make money.

      Yeah, I'm vehement about this. Check out other posts by me here to see.
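The "more than 2 User Unknowns" rule from the comment above, as an added example that is not part of any poster's comment: it counts distinct unknown recipients per relay IP inside a sliding window and reports which addresses to firewall. The log format, the sample lines and the name `find_scanners` are constructed for this illustration and are not sendmail's own log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified log format (assumption, not real sendmail output):
#   <ISO timestamp> relay=<ip> rcpt=<address> reply=<code> <text>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) relay=(?P<ip>\S+) rcpt=<(?P<rcpt>[^>]*)> "
    r"reply=(?P<code>\d{3}) (?P<text>.*)$"
)

# Constructed sample data using documentation-only IP ranges.
SAMPLE_LOG = """
2003-03-13T09:00:01 relay=203.0.113.7 rcpt=<aaron@example.org> reply=550 User unknown
2003-03-13T09:00:02 relay=203.0.113.7 rcpt=<abby@example.org> reply=550 User unknown
2003-03-13T09:00:03 relay=203.0.113.7 rcpt=<adam@example.org> reply=550 User unknown
2003-03-13T09:00:04 relay=203.0.113.7 rcpt=<nicholas@example.org> reply=250 Recipient ok
2003-03-13T09:05:00 relay=198.51.100.20 rcpt=<nichols@example.org> reply=550 User unknown
2003-03-13T09:06:00 relay=198.51.100.20 rcpt=<nichols@example.org> reply=550 User unknown
2003-03-13T09:07:00 relay=198.51.100.20 rcpt=<nichols@example.org> reply=550 User unknown
2003-03-13T09:10:00 relay=192.0.2.55 rcpt=<bob@example.org> reply=550 User unknown
2003-03-13T09:13:00 relay=192.0.2.55 rcpt=<carol@example.org> reply=550 User unknown
2003-03-13T09:16:00 relay=192.0.2.55 rcpt=<dave@example.org> reply=550 User unknown
2003-03-13T10:00:00 relay=192.0.2.99 rcpt=<erin@example.org> reply=550 User unknown
2003-03-13T10:30:00 relay=192.0.2.99 rcpt=<frank@example.org> reply=550 User unknown
2003-03-13T11:00:00 relay=192.0.2.99 rcpt=<grace@example.org> reply=550 User unknown
"""


def find_scanners(lines, max_unknown=2, window=timedelta(minutes=10)):
    """Return {ip: time_of_block} for relays probing for valid addresses.

    A relay is flagged once it has been refused for more than `max_unknown`
    DISTINCT unknown recipients within `window`. Counting distinct addresses
    keeps a legitimate sender retrying one mistyped address off the list.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, recipient)
    blocked = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # blank or unparseable line
        ip = m["ip"]
        if ip in blocked:
            continue              # already firewalled, nothing more to count
        if m["code"] != "550" or "user unknown" not in m["text"].lower():
            continue
        ts = datetime.fromisoformat(m["ts"])
        hits = recent[ip]
        hits.append((ts, m["rcpt"].lower()))
        # Drop rejections that have aged out of the sliding window.
        while hits and ts - hits[0][0] > window:
            hits.popleft()
        if len({rcpt for _, rcpt in hits}) > max_unknown:
            blocked[ip] = ts
    return blocked


if __name__ == "__main__":
    for ip, when in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip} (threshold crossed at {when.isoformat()})")
```

In the sample, 192.0.2.99 spaces its probes 30 minutes apart and stays under the 10-minute window, which is the one-address-at-a-time case the comment says cannot be fully prevented; widening `window` catches it at the cost of more state per relay.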

    8. Re:What say you "just hit delete" crowd? by Azghoul · · Score: 2, Insightful

      Apparently you're vehement, but I do not agree that it requires legislation. When you drive into a downtown at night to see a show, and you park your car, do you leave it unlocked? You do things ALL the time to prevent abuse against you, why should using better/different email processes be any different??

      It /is/ easy and simple, "friend". I've had many accounts over the years and I DON'T get spam unless I make a mistake (like I noted in my first post) or I have a separate account just for junk.

      Explain to me how, "friend", that I can get away with not having anywhere near the spam problem you do, even though I've been online for about as long as it's possible to have been.

      Sorry you're so vehement against it. It's a technical problem, there are technical solutions.

    9. Re:What say you "just hit delete" crowd? by amcguinn · · Score: 2, Insightful

      If we go the way I described, you have two options

      1. Just carry on. Your emails from strangers will be buried in ever-larger piles of spam, but they mean a lot to you so it's worth receiving them.
      2. Use a web-based "comment submission" system on your web site instead of listing an email address.

      Number 2 might not be available to you today if you use a basic static-content-only web hosting service, but it is likely to become more widely available as the need for it grows. In theory it is also capable of being spammed, but it is easier to protect than an email address.

      As to whether legislation will work; I'm leaving that question to others. I have my doubts, though.

  20. Technological solutions will be easiest by Ed+Avis · · Score: 5, Interesting

    The real problem with spam is the economics: it costs next to nothing to send a message, the only real cost (time) is borne by the recipient. Fix that problem and spam will go away. It doesn't need legislation, which in any case could apply in just one jurisdiction.

    A system like Hash Cash could solve the problem. The most popular free mail clients could start including hash-cash postage with each sent message, and then in a couple of years' time start to drop incoming messages that don't have postage paid. AOL could include hash cash in their mail client easily. *Easily*. That spam-detection centre they run is not cheap. Even Microsoft would add hash cash to Outlook, Outlook Express and Hotmail, since it's another encouragement to upgrade to a new Outlook release (which of course requires a new Windows version).

    Getting the whole world to upgrade its mail clients is a hard task, but getting every government in the world to pass anti-spam laws and enforce them is much harder. Goodness knows it's bad enough trying to get _one_ legislature to take a sane view on anything technology-related.

    --
    -- Ed Avis ed@membled.com
    1. Re:Technological solutions will be easiest by Ed+Avis · · Score: 2, Interesting

      On the contrary, it will not be possible for a spammer to use a proxy or other system to add hashcash postage to large numbers of messages, simply because the amount of postage is chosen to limit the number of messages that can be processed in one second.

      For example suppose the standard postage amount is a problem which typically requires five seconds of CPU time on modern systems. Then no proxy even if it were taken over by crackers could send out more than one spam every five seconds. This is a greatly reduced rate of spam and probably low enough to make spamming not worth the effort.

      --
      -- Ed Avis ed@membled.com
    2. Re:Technological solutions will be easiest by Ed+Avis · · Score: 2, Interesting

      Even if there are thousands of open, postage-adding relays, this will be an order of magnitude less spam than the current situation of thousands of open relays that don't need to add postage. Really, which is worse: spammers abusing a host to send hundreds of messages a second, or spammers abusing a host to send one message every five seconds? Whichever way you look at it, open relays or no open relays, requiring computationally expensive postage will greatly limit the number of spams that can be sent.

      You are right that mailing lists would be a problem, but most non-technical users don't subscribe to mailing lists surely? They use web discussion forums or whatever. I don't see customer notifications as a problem, surely each customer doesn't get more than three or four notifications each month and that is certainly manageable. Sending out huge numbers of messages to _all_ your customers isn't feasible, and that is the point.

      In a perfect world we would have real cash payments for mail (IMHO); one cent per message or something like that, with the possibility to waive payment for known senders. But that is hard to implement so hash cash is a compromise solution. In any case you have to compare the disadvantages of a hashcash-based system with the current spam-ridden Internet mail system, unless you have an alternative to propose.

      --
      -- Ed Avis ed@membled.com
    3. Re:Technological solutions will be easiest by Ed+Avis · · Score: 2, Interesting

      Yes, a faster relay server can send more messages than a slower one. Spammers with access to fast machines can send more messages. But even if you have a very fast machine the number of messages you can send per second is far, far less than currently possible.

      All this depends on the existence of open relay servers which take messages and compute the postage for them, presumably to support legacy email clients which don't add postage for themselves, and moreover are misconfigured to accept incoming messages from anywhere. Presumably these servers would not be any more numerous than open SMTP relays are now.

      You're right that mailing lists are a problem. Such addresses would have to be explicitly whitelisted by their subscribers - or maybe if you tell your mail program 'I am subscribed to misc-discuss@goatse.cx' then it would accept messages which had valid postage for that mailing list address as well as those with valid postage for your own address.

      For systems like AOL there is no extra load on the server because the postage can be added at client machines - you see the hourglass for a few seconds after pressing 'send', or more likely, the postage is computed in the background while the message is in the outbox. At least, this is how I think it is intended to work: the Hash Cash site doesn't say specifically whether postage should be computed at the client or on the mail server. But IMHO doing it end-to-end is better.

      --
      -- Ed Avis ed@membled.com
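The postage scheme discussed in the comments above, as an added example that is not part of the original thread and not code from the Hash Cash project. It follows the description given in the thread (postage bound to the recipient address and the message content, slow to mint, one hash to check, list addresses accepted if the user opts in); the use of SHA-256, the `salt:counter` stamp layout and the sample addresses are assumptions made for illustration and are not the real Hash Cash stamp format.

```python
"""Proof-of-work e-mail postage in the style of hash cash (illustrative sketch)."""
import hashlib
import math
import os
from itertools import count


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of a digest."""
    zeros = 0
    for byte in digest:
        if byte == 0:
            zeros += 8
            continue
        zeros += 8 - byte.bit_length()
        break
    return zeros


def _puzzle(recipient: str, body: bytes, salt: str, counter: str) -> bytes:
    # The puzzle binds the postage to one recipient and one message body,
    # so a stamp cannot be moved to another address or another message.
    body_hash = hashlib.sha256(body).hexdigest()
    text = f"{recipient.strip().lower()}:{body_hash}:{salt}:{counter}"
    return hashlib.sha256(text.encode()).digest()


def mint(recipient: str, body: bytes, bits: int) -> str:
    """Sender side: brute-force a counter; costs about 2**bits hashes."""
    salt = os.urandom(8).hex()  # random per stamp, hex so it contains no ':'
    for counter in count():
        if leading_zero_bits(_puzzle(recipient, body, salt, str(counter))) >= bits:
            return f"{salt}:{counter}"


def bits_for_delay(seconds: float, hashes_per_second: float) -> int:
    """Difficulty whose expected minting time is closest to `seconds`."""
    return round(math.log2(seconds * hashes_per_second))


class PostageChecker:
    """Recipient side: one hash per message, plus a record of spent stamps."""

    def __init__(self, accepted_addresses, min_bits: int):
        # Own address plus any mailing lists the user says they subscribe to.
        self.accepted = {a.strip().lower() for a in accepted_addresses}
        self.min_bits = min_bits
        self.spent = set()

    def check(self, to_header: str, body: bytes, stamp: str) -> str:
        if to_header.strip().lower() not in self.accepted:
            return "wrong-recipient"
        salt, sep, counter = stamp.partition(":")
        if not sep or not salt or not counter.isdigit():
            return "malformed"
        digest = _puzzle(to_header, body, salt, counter)
        if leading_zero_bits(digest) < self.min_bits:
            return "invalid"      # too little work, or stamp made for other mail
        if digest in self.spent:
            return "reused"       # same stamp presented twice
        self.spent.add(digest)
        return "ok"


if __name__ == "__main__":
    # Constructed sample message and addresses.
    body = b"Lunch on Friday?"
    stamp = mint("alice@example.org", body, 16)
    rx = PostageChecker({"alice@example.org"}, 16)
    print(stamp, rx.check("alice@example.org", body, stamp))
```

At an assumed one million hashes per second, `bits_for_delay(5, 1_000_000)` gives 22 bits, which corresponds to the five-second postage used as the example in the thread.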
  21. isn't it ironic??? by Botchka · · Score: 5, Insightful

    that the biggest purveyor of filling my postal mail box with crap that I haven't signed up for or asked for (ie: cd's and cd holders that are worthless), is now fighting spam. Give me a break! How about they stop mailing those stupid #@%@$%^& cd's and filling the landfills with garbage that doesn't degrade. They are hypocrites!

    --
    Money not found! A)bort, R)etry, D)eclare Bankruptcy
    1. Re:isn't it ironic??? by hkmwbz · · Score: 2, Insightful

      Except they paid to send you stuff through snail mail. Spammers basically use other people's bandwidth and disk space to send out their crap. Hypocrites? Not at all.

      --
      Clever signature text goes here.
  22. Spammunition by BlackjackGuy · · Score: 5, Informative
    My spam problems have almost entirely gone away since installing Spammunition. It's a bayesian filter for MS Outlook. Wish I didn't have to use MS Outlook but it's a requirement at work.

    Bayesian filters are definitely the way to go. They flat-out *work*. Other programs I've used just didn't perform, like Cloudmark Spamnet.

    1. Re:Spammunition by walt-sjc · · Score: 2, Insightful

      Is your spam problem GONE or is it simply hidden from view? You and your ISP have already paid the cost of that spam. The cost to you seems minimal, but to a large ISP it is HUGE. When your ISP raises its rates due to the volume of spam that you do not see yet still receive, will you still be happy with your filter as "The Solution" to spam?

      Don't get me wrong, I have been filtering spam for years. Filters can minimize the impact of the spam problem, but they do nothing to solve it.

  23. Go after the businesses who pay spammers by kalislashdot · · Score: 5, Insightful

    You know it's a funny thing because businesses like and hate spam. They like it because it brings in money and they hate it because they have to spend money on spam filters and lost work time.

    Here is a possible solution. Spammers cover their tracks. Well instead of trying to go after spammers go after the businesses that use them. Those businesses MUST be traceable because they include ways to buy their product. If we must make a law, which would only work in the US, it should say "You can't hire a spammer to send your mail". Then when www.pacificmeds.com sends me a spam for "save money on prescription drugs" they can be fined.

    Go after the source, not the person who fills the need. Once the need is squashed by the law spam will reduce greatly.

    1. Re:Go after the businesses who pay spammers by clifyt · · Score: 4, Interesting

      And then what do we do when a company hires an untraceable spammer to send out a million messages with its competitors' names?

      I know as a youth, one of my hometown's stores fliered the city with a competitor's name and fake coupons for a ridiculous amount off to give them a bad name when their competition was at its worst.

      It finally came out the other guys had done this, but the other store decided to make a promo out of it and honor the coupons anyways...backfiring on the others.

      In a smaller town, this sort of thing can be traced back to the source rather easily. On the internet, how are you going to police the fact that PacificMed's greatest competitor (would that be AtlanticMeds) by doing the same sort of thing? Find a spammer in Asia (or one that works for your local college that will simply use Asian relays) and pay them $1000 to send out a million spams either to get them in legal action or simply to give them a black eye in the public's mind.

      clif

    2. Re:Go after the businesses who pay spammers by Anonymous Coward · · Score: 3, Interesting

      My life as a spammer (in brief):

      Started working for new company under contract. Help the bossman w/ his spam. Make him do it legitimately by unconfirming all lists and sending reconfirmation notices. Result: 60% reconfirm (including people who had reported us for spamming before). Now we have nice, clean lists and the reply-to/return-path headers are actually LEGIT! Imagine that... an honest bulk mailer. Too bad our rep is already soured. We even have people who are afraid to click on the unconfirm links for fear of being added to another list.

      I'm thinking of writing an (anonymous) article for /. on the subject. Anyone interested in reading about how I turned a malicious spammer into an honest netizen?

      -- S

  24. I hate spam (Don't we all) by SirLantos · · Score: 3, Insightful

    {Complaint}In the past 6 months or so I have been receiving about 200% more spam. I get to work in the morning and delete 90% of my e-mail because it's spam. Out of every 200-300 e-mails I receive, I actually only care about 10-20 of them, the rest is spam.{/Complaint}

    The problem is that nobody can find a reasonable solution. Here are some examples of common solutions:
    1."Make spam illegal outright."
    Problem: OK, this is a bit extreme. Even if you did manage to do that, companies from outside the US or companies/people can hide where the e-mails are coming from, good luck catching them.

    2."Charge for e-mails."
    Problem: The people that want that are the post office folks. I seriously doubt anybody would sit back and allow this. Just thinking about it pisses me off.

    3."Find the people that send spam and destroy them."
    Problem: OK, this is my personal favorite. But, the government already made that illegal. It's like the saying goes: "Some people are alive simply because it is illegal to kill them." BTW, all of you peeps out there that are going to yell at me for suggesting something like that: RELAX, IT WAS A JOKE!!! Have a sense of humor for goodness sake.

    That's just my opinion,
    SirLantos

    --
    The flying hamster of DOOM rains coconuts on your pitiful city.
  25. in other news ... by borgdows · · Score: 5, Funny

    after renaming "french fries" Congress has just decided to rename "spam" as "french email" !

  26. Ratio is higher here by Lumpy · · Score: 2, Interesting

    3 legitimate Emails and 81 spams this morning. typically my spam filter catches between 60-120 a day on my work address and I have to add 3-4 more rules a week to keep it down.

    A simple solution is replacing the broken SMTP with something that requires authentication and doesn't give you the ability to modify the headers unless you run the server. If the spammers have to use real email addresses or had a real way of tracking them easily attached to every email, they would stop.

    Just like how cockroaches scatter when you turn on the lights.

    --
    Do not look at laser with remaining good eye.
  27. Psychological profile of spammers by Anonymous Coward · · Score: 3, Interesting
    One thing about spam that stands out, is that so much of it is of a very explicit sexual nature. It is sent indiscriminately to individuals who are unlikely to have any use for these products and services.

    My theory: most spammers are the cyber equivalent of "flashers" - sexual deviants who derive thrill from shocking unsuspecting citizens. I believe that the products offered are largely irrelevant. It is the shock value which motivates the spammer. Perhaps they could be prosecuted under similar sex crimes laws that allow us to go after the "flasher".

  28. 40 percent by number or by size ? by LMCBoy · · Score: 5, Interesting

    According to POPFile only 18% of my email messages are spam, but it's 46% when you take the file sizes into account. The total memory fraction would seem to be a more relevant measurement if you're an ISP concerned about spam's costs.

    So, when they say 40%, is that by number of messages or total size?

    --
    Liberal (adj.): Free from bigotry; open to progress; tolerant of others.
  29. Sturgeon's Law by handy_vandal · · Score: 5, Funny

    Forty percent? That's nothing. Sturgeon's Law states that ninety percent of everything is crap.

    --
    -kgj
  30. Lengthen your fingers today by nelsonal · · Score: 2, Funny

    Are you tired of not being able to play the piano or type as gracefully as you should be able to? Are your stubby fingers not as dexterous for those little jobs? You need our herbal finger lengthener! When used over a five week period most test subjects lengthened their fingers by more than 20%.
    It's all natural and quite inexpensive compared to the productivity increase you will have with longer more graceful fingers.

    --
    Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
  31. White list with pass code by Continental+Drift · · Score: 5, Informative
    My Eudora filters allow me to auto-reply to mail coming from someone not already in my address book. The auto-reply tells the writer to try again and put a code word in the subject line, which the filters will then bypass. This is very effective, and since I implemented it, I don't see spam. It is a bit of a pain for people writing to me the first time.

    Now, a white list like this can be bypassed by a spammer claiming to be a friend of mine. It can't claim to be me, because my filters automatically delete anything sent to my address claiming to come from me. I'm wondering if anyone else who has implemented a white list for themselves has seen any problems with it.

  32. more like 60-70% by Cheeze · · Score: 4, Interesting

    i run a small isp's mail server system (~30k accounts) and just our dnsbl blocks about 60% of all incoming e-mail. spamassassin and various other techniques pick out about 5-10% more of the overall.

    Blocking spam before it gets to our main mail server has extended the life of our mail server indefinitely. The less we have to spend on hardware, the more time and energy we can spend on building quality of service for our customers. That keeps the customers happy, and keeps the business people doubly happy, since they don't lose customers and don't have to buy new hardware every year for a mail system.

    --
    Why read the article when I can just make up a snap judgement?
  33. Not true by roman_mir · · Score: 2, Funny

    95% of all email is spam. The rest is my project manager sending out emails about TPS reports.

  34. Re:I believe it. by chef_raekwon · · Score: 2, Informative

    like anyone's opinion/ideas on what may be done about the spam issue besides filters.

    all i did was register a new domain, run smtp/sendmail/squirrelmail from home (dsl connection). this really is a $40 solution, provided you already have the hardware (you have to pay for the domain).

    Make sure you don't give out your address too much, and spam becomes non-existent. if, and when you start receiving spam, turn on spam filters (they come with squirrelmail). if this fails, just change your email address, cause damn, you're running the server!

    --
    We're like rats, in some experiment! -- George Costanza
  35. Several Easy Solutions by $criptah · · Score: 3, Funny

    For every action there is a counter reaction, right? Fight back! You can do it passively by setting up filters (Mozilla does an excellent job in that department) or spam back the spammers. The trick is to find spam that originates from a legit address. Send an email to that address and see if it goes through. Then set up a script on every single computer on your home network (which in my case is several FreeBSD boxes) and mail random crap to spammers (a cron entry works beautifully). Believe it or not I actually got a reply from a person saying that they got the point and removed me from the list. The other guys were persistent. In order to get rid of them (they did have actual usernames in the email address) I had to go to every goddamn gay porn site and subscribe them to free porn and a newsletter. I know, some of you will say that I have a lot of free time on my hands and maybe I do. But every person who gets spam does something about it, including calling a senator and pushing for laws, I think we can fight it.

  36. yep, we're all doomed by gse · · Score: 5, Funny
    One billion spam email a day, just through AOL. Gosh.

    I figure I get about 425,000 a day myself at this point (er, give or take). It's at the point where it's getting painful to go through my SpamAssassin "caughtspam" folder. But there are still enough false positives (really, one is enough) that I can't send the whole thing to /dev/null.

    Meanwhile, I'm accruing a great collection of classic spam subject lines. Some examples (all real):

    • "I don't need your social security number yet"
    • "this mom loves to stick hot dogs up her cooch"
    • "Pill to Increase Your Ejaculation by 581%"
    • "i am not perfect but i suck c0ck"
    • "I got revenge by fucking! Here's proof :)"
    • "Mission: To fuck as many mothers as I can!"
    • "Fucking Machines! 13IN, .5HP, 350RPM"
    • "Your slut wife boss need some action!"
    • "#1 COLON CLEANSER! SEE PROOF"
    • "Maybe your pets dream of intercourse with you"
    Mmmm, society at its finest.
    --
    wordclock records :: flailing since 2000
  37. What the article didn't say by jj_johny · · Score: 4, Interesting

    AOL does no filtering on the content only on the header information. It does nothing with the content of the email messages. It forwards every mail that is accepted by its mail servers to the users. That's why AOL only blocks about 50% of the stuff. Even if they accepted the mail, they should be deleting or giving me the option of deleting without seeing every mail that wants to increase my unit's size or my wife's boobs and the pharmacy come-ons and the Norton junk. But AOL continues to act like a single lost email is the end of the world. Well give the users some tools and let them decide. No wonder they are losing subscribers, they don't know how to deal with the number one annoyance on the internet today.

  38. is that by data volume or by quantity? by phrantic · · Score: 2, Interesting

    If it is by quantity (the number of mails received) it is probably close to correct, but if it is by data volume (if you open the HTML ones at least) I would say that the figure is a bit low...

    --
    --My sig is bigger than your sig--
  39. I get a lot more than 40% by gergi · · Score: 3, Funny

    I (if you want to me, email at gergi@aol.com!) don't know why I get so much spam (gergi@aol.com if you know of a good solution to get rid of it!) I'm very friendly and social (gergi@aol.com to reach me) and I don't know why people would spam me at gergi@aol.com!

    Later,
    gergi@aol.com

    --
    Nosce te Ipsum
  40. BrightMail by NetJunkie · · Score: 3, Interesting

    We use BrightMail and are very happy with them. If anyone can give you fairly accurate stats, it is them due to how they work.

    They monitor a LOT of mail boxes...many customers plus many created mailboxes for spam. If a message hits a number of mailboxes in a short time span that message is forwarded to their NOC. A person looks at it and decides if it's spam. If so they tag it as spam before sending it to other customers that receive it.

    It works very well. We now block almost all of the spam we receive and have not had ONE single false positive.

  41. Sliding scale by phorm · · Score: 4, Informative

    I think this could almost be measured on a sliding scale based on lifetime of an account. Once a user opens a new account - unless the email address is easily guessable or his email provider sells it off - spam volume per real email will be low.
    Then, you give a few friends your email. General email volume increases. You sign up for some server or other and forget to use a protected email... spam starts to drip in.
    A little while later, the drip becomes a trickle as your email gets sold again, and again, and spreads like splitting amoebas.
    Then... a few friends send you e-cards around Christmas, or invite you to some joke sites etc. Now you're really gonna get it (I strongly b*tch-out any who e-card me at my work address).

    To top it off, a LUG or whatever you are posting to puts their history on a public website... you start getting picked up by spam-spiders.

    So over time, one will go from maybe 0-5% spam, to 50+% spam. As more people get you in their address books, the more likely it is that somebody will let your email slip to a spam-source. And spam-sources sell your email to other spam-sources... it spreads like wildfire.

    The best way to protect yourself is to use a difficult-to-guess, 9+ character email, for which you never sign up for anything with, and only give to people you trust not to e-card you or have "sniffers" installed on their system which gives away the address book. Using bounce addresses might help also, as you could then switch bounces but still pull from the main email, and then filter the ones that get messy or drop them.

  42. Terrorism! by fredrikj · · Score: 4, Funny

    $10 billion, that's a lot of money, and therefore an argument that George W. Bush might listen to. So, how about lobbying the US government into declaring spam "terrorist activity"? Just imagine the concept of special troops hunting down spammers, then locking them up without a trial and throwing away the keys. Unless you bombed them off the face of the earth directly... In either case, we could even laugh our asses off while watching it live on TV!

  43. Accountability Void by ipmcc · · Score: 2, Insightful

    If ISPs could find some way to limit each account's number of outgoing messages, or charge per outgoing message over, say, 500 messages a day, this would probably be much less of a problem.

    At the core of this problem is the Accountability Void, and the temptation that carries with it. When you look at the lengths that (some) ISPs and watchdogs go to block (much to libertarian chagrin) kiddie porn and other potentially offensive material, it's clear that solving the spam problem is NOT about technical feasibility. If there was impetus there would be a solution. The problem is that the ISP can say "we don't send it, we don't receive it, it's not our problem," the spammer can say "I send it, but I use fake accounts that get closed in 6 hours, so I don't have to take responsibility for it" and, for the most part, the receiver says "I received this, but there's really not much I can do about it." I describe this phenomenon as an "Accountability Void." No one is responsible for spam.

    Until there is an accountability structure in place, either legislative, technical, or economic, spam will go on. One of these days, AOL or some other "big enough" player is going to do something that will "change everything" like demand digital signatures, or some other method that fills the accountability void and spam will cease to be a problem.

    --
    This too shall pass.
  44. The spam is hidden, not gone by phorm · · Score: 4, Insightful

    The problem is, you are still getting spam. The filter may block you from seeing most of it, and it may stop you from getting tags with linked images, etc... but it's still coming in.
    You, and your ISP, are paying for the bandwidth it uses. And if you ever had to travel and get email by dialup/cellphone... you can expect that you'll notice spam simply by the large delays it takes you to download email.

    Client-side filters only mask the problem... it's like having an air-freshener and big fan in a public washroom.... the stink is still lingering in the background.

  45. It's not just quantity but SIZE by magarity · · Score: 2, Informative

    Spam is not just a problem of numbers of emails, but also how big the darn things are. My filter's stats so far for this month reveal that while spam is barely over half of the quantity of mail I get but is over FOUR TIMES the size of real email:

    Total Volume Sent on as Clean Mail: 211 (342.3KB ) 44.8%
    Total Spam Messages: 260 (1.4MB ) 55.2%

    This is the most important evil of the spam flood; not only do I not want it but it's huge!

  46. Re:My tests shows by Zaknafein500 · · Score: 4, Interesting

    On the server I administer, I have a nightly cronjob set to parse the spamassassin logs, and email me the stats.

    Since the logs were cycled on Sunday morning, there have been 8332 messages, 5824 of which were spam, for a percentage of 69.89%.

    This number has increased substantially over the last 3 weeks. This time last month we were below 50%.

    --

    "The guide is definitive, reality is frequently inaccurate."
  47. Re:How much "real" mail is lost? by dubl-u · · Score: 4, Funny

    The problem with filters at the ISP/Mail Server is that one person's spam is another's desired mail. How do you correct for this?

    Those few people can type "enlarge my penis" into Google and click on a link that comes up.

  48. The Spam Solution: Re-Costshifting by Dion · · Score: 2, Informative

    The base problem with spam is that it shifts the cost to the victim, the only technical solution is to shift that cost back to the sender so all (or most) costs are transferred to the sender of the mail rather than letting the receiver bear the cost of storage.

    An excellent proposal is IM2000.

    --
    -- To dream a dream is grand, but to live it is divine. -- Leto ][
  49. What am I missing by Laroue · · Score: 2, Interesting

    It seems to me that stopping spam wouldn't be that difficult. Spam seems to be catogorized like this.

    Type 1- Legitimate headers. No problem you've got someone to harass to remove you from the list. You can look up the domain name contact the admin and generally make their lives difficult. And if all else fails simply block everything from that domain.
    Type 2- Forged headers, can't even send a bounce message back no real options for tracing short of contacting the isp in charge of the ip address.

    Type 1 doesn't seem to be a problem. Type 2 is where most of my spam seems to come from. It seems that the simple solution would be when sendmail/qmail whatever is receiving the message and gets the reply-to address it should pause and see if it exists. If it doesn't just leave the connection open and if they are bulk spamming the server it's coming through will quickly have issues when it has 20,000 hanging connections. When a user pops/imaps to check their mail have the pop server see if the reply-to exists, if they don't dump it to dev null. It would seem that this would keep emails trackable. For it to get to the user the user would have the ability to get back to a person.

    So my question becomes, what's the hole in this kind of answer? It seems simple enough. Am i missing something?

    And yes i know my spelling is horible...

    --
    #### ## Laroue ####
  50. Only for AOL? by www.sorehands.com · · Score: 4, Insightful

    The article stated the figure came from Brightmail not AOL.

    If it was AOL or Verizon, then I would think that the numbers would be skewed as they have sued spammers and those spammers have agreed not to send spam on those networks.

    Grasshopper, remember the two rules of spammers.

    1. Spammers lie.

    2. If a spammer says anything, see rule 1.

  51. There's really a workable solution to spam... by TelevisioSledgicus · · Score: 2, Interesting

    ...at least as far as 90% of end users are concerned.

    On my Cingular phone, I have the capability of setting up a simple "Reject if not in list" filter, this weeds out anyone I don't know and anyone I don't want calling me on my cellphone.

    On my mail filter I have whitelisting, if you're not on the whitelist, I don't see your e-mails ever. No need for holistic filtering techniques, RBL's, or anything else... if you're not pre-approved to contact me you eat a bounced e-mail.

    Now that simple filtering method should cover all end-users, home accounts, and the like. The only accounts that should now be able to receive spam are your group and management accounts. root@, webmaster@, sales@, etc.. cannot readily be blocked this way unless you're looking to minimize your customer and user base (which would be fine on some days... :) but isn't feasible in the real world.

    However, that is one place legislation can take care of business.... Any UBE\SPAM\Junk to management addresses should be punishable by large fines, perhaps some caning, beatings, etc.. as your local human rights limits allow =)

    And for those that want to receive spam there is always the opt-in by not using whitelisting.

    Your personal whitelist will just be something else you can carry with you like your checkbook or USB drive/smart card...go into an internet cafe, stick in your USB dongle, check your e-mail. Web based e-mail could keep your whitelists in their database, but I see this as a security hole since yahoo or whomever could add themselves to your whitelist as they want.

    1. Re:There's really a workable solution to spam... by Fritz+Benwalla · · Score: 2, Insightful

      Maybe I'm not getting this. I don't know what you do for a living, but let's say you're a web designer.

      I get your name from Bob, a former client, and I want you to design my web site. I send you e-mail to that effect and you never see it because I'm not on the white list? If that's the case it would be unworkable for 90% of business e-mail, since most of what you're trying to do is make contact with prospects you've never met before.

      Sorry if I misunderstood, but it seems as though for business e-mail accounts I'd spend more time managing my white list than deleting spam.

      -----

      --

      Believe me, I'm as surprised by my comment as you are.
  52. Re:I thought about it, and you know what? by dubl-u · · Score: 2, Informative

    Corporate speech and individual speech are equally protected under the First Amendment.

    Wrong.

  53. Re:Spam is like TV advertising by magarity · · Score: 4, Informative

    Umm, television advertisements subsidize television programming. Junk mail subsidizes postage. Newspaper ads, radios ads, magazine ads, etc, etc do the same for their respective mediums. How does spam help pay for my internet connection? ABSOLUTELY NOT AT ALL. All it does is increase my ISP's costs on behalf of a freeloading spammer.

  54. Re:Why does spam work? by forkboy · · Score: 3, Funny

    Just who are the people who are responding to spam?

    -Men with small penises who are insecure about them

    -Someone who wants a diploma but is too dumb to go to college

    -Someone gullible enough to think that they can buy pure human growth hormone for 29.95 a bottle.

    -A person who really doesn't know how to find a teenage beastiality plump asian tranny webcam on their own with a search engine

    -Someone who wants to "make money fast" and has never been burned by a scam before. (Or is too dumb to see that this is one)

    Should I go on?

    Think about how many complete fucking morons you run into every single day, now understand that about 75% of them have email addresses and receive spam. Out of 10 million spams, all it takes is a few gullible fools to give a return on investment.

    People sometimes ask me why I rag on stupid people so much. It's because their ignorance causes me inconvenience in many forms...spam is one of those forms. (others include needing ID to buy liquor, pot being illegal, and car insurance in denver being so fucking high)

    --
    This message brought to you by the Council of People Who Are Sick of Seeing More People.
  55. Re:I thought about it, and you know what? by Wntrmute · · Score: 2, Insightful

    Truth in advertising laws.

    Restrictions on how/when/where some businesses can advertise. (Tobacco/Alcohol)

    Nike v. Kasky

    It's not as clear-cut as you make it sound.

  56. 40% is an understatement by Burdell · · Score: 5, Informative
    I just installed an upgraded spam filter server at the ISP I work for, and we are now filtering out almost 70% of inbound mail as spam (with basically zero false positive complaints). We combine Brightmail with the three main MAPS lists (RBL, DUL, and RSS), as well as the basic DNS based checks (for valid domains, etc.) built into the mail server, with Brightmail catching the most by far.

    You can see our mail stats here.

  57. Compare it to the real world: by Fritz+Benwalla · · Score: 3, Insightful

    About 18 percent of the traffic carried by the US Postal Service is bulk mailing, but USPS studies say that postal employees spend 25 percent of their time sorting it. All a waste? Keep in mind that the DMA asserts the $50 billion was raised as a result of bulk mailings by charities.

    I'd be interested in knowing what the total load on our economy is from the two forms, including manpower, network load, inconvenience etc. My suspicion is that the hyperventilation over spam's growth is driving up the perceived cost, especially when you consider the cheapness of bandwidth, and that spam control is an automation battle leaving the real expensive resource, humans, to design the filters and clean up what they miss.

    "The spammers are evil folks," Evil? Like Hitler evil?

    Opportunists, yes. Using mildly unethical means to further themselves in business venture, often. But I wonder how many people who are apoplectic about the "evilness" of spammers cheat on their wives, cheat on their taxes, park in handicapped zones, etc. . .All no more evil than faking a return address, and certainly no less.

    -----

    --

    Believe me, I'm as surprised by my comment as you are.
  58. Re:Too many problems by Ed+Avis · · Score: 2, Interesting

    I wasn't thinking of the cost to the SMTP server but of the human cost of spam - wasted time in deleting it and the fact that people are turned off email altogether because of it. This, IMHO, is a much more serious problem than wasted bandwidth.

    Also, note that if payment for messages (whether real cash or hash cash) becomes widely adopted, spam will stop because there won't be any money in it any longer. So the problem of costs to the ISP is also dealt with.

    Of course it is possible for ISPs to configure their mail servers to check hash postage on each message and drop them if it's not valid. This would save the storage costs of spam. And if a particular other host always sends messages with bad postage you could stop accepting connections from that host. But all this is optional: I feel a postage system has the best chance of getting started if it is adopted from the bottom up by mail user agents rather than ISPs' mail servers. Both is better though.

    I don't think that hash cash works by having a problem sent from the recipient to the sender which the sender must then generate the answer to. Rather, you have a one-way function where it is hard to generate the answer but easy to check that the answer is correct. The 'problem' includes the recipient's email address and the message content - so you cannot reuse the same postage for two messages.

    The recipient just has to look at the message body, the To: header and the postage, and verify that the postage is a correct answer (which can be done quickly).

    --
    -- Ed Avis ed@membled.com
  59. No, we do not all agree. by fmaxwell · · Score: 2, Interesting

    We all agree that legislating Spam out of existence isn't going to work, due to the international design of the Internet.

    No, we do not all agree. The majority of spam is "in-country" spam. That is to say that the sender is in the same country as the recipient. Some scammer trying to tell you about his "fantastic" multi-level marketing scheme is probably located in your country. Make the advertiser responsible for the mail and don't worry about whether he sent it through an open relay in Korea or paid someone in Brazil to blast it out.

    Legislating child pornography out of existence hasn't worked either, but would you argue in favor of repealing existing laws? Would you argue against passing new laws that crack down on child pornographers?

    A technical means to thwart spam is like the lock on your car door: You would not want car theft to be legal if the thief defeated the lock, so why do you want spam to be legal if the spammer defeats your anti-spam measures? We need to approach this problem from both a technical and a legislative means.

  60. Why 40% does not seem unrealistic. by DaemonSD · · Score: 3, Insightful

    A lot of people here are saying that more than 40% of their email is spam and that the figure quoted is somehow wrong. A lot of people here also fail to take into consideration that the 40% figure is very likely an approximation or an average and is not valid for every single user on the internet. Being computer literate, having a website, posting on different websites and other internet activities contribute to more spam because of email harvesting. Sure, you and I get more spam than the average Joe, my spam is more like 80% of all emails received, but do not forget about all the people that are on AOL and have only given their email to their family relatives. Granted, they will receive some spam too, but surely not as much as the rest of us.

    --
    -- Daemon@Slashdot
  61. Re:I thought about it, and you know what? by Carmody · · Score: 3, Interesting

    Corporate speech and individual speech are equally protected under the First Amendment.

    Seriously, what gave you that idea? Are corporations citizens? Do you think they have the right to vote? Does the second amendment apply to them? Does a sufficiently old corporation have the right to run for president, if it was founded in this country?

    My impulse is to think that was an incredibly asinine statement, but I do not claim to be an expert on constitutional law. In fact, "mildly informed" is putting it too strongly. So educate me, back up the claim that "Corporate speech and individual speech are equally protected under the First Amendment."

    --
    God is real unless declared integer
  62. Re:A 3 Point Program to Eliminate Spam Completely by Cheeze · · Score: 2, Informative

    1. what happens when Mr. DumbGuy sets up a proxy on his dialup account, and then doesn't take the necessary steps to secure it? That would technically not be the ISP's mail server, but much more spam comes from these types of instances than large mail servers being used for outgoing spam.

    2. if you "legally" require software to contain certain settings, and that software is open source, it would be pretty easy to get around any settings that are "legally" put in place. This is called tarpitting, and is already used on many mail servers, but there is no reason to make it a law.

    3. what happens when yahoo.com or aol.com get on that list. What, you think all spam comes from an end user?

    Your 3 point program has lots of holes. One of the biggest holes is the fact that most of the spam comes from sources outside the US. Brazil, Japan, Taiwan, Singapore, Russia, etc. all send more spam than open proxies in the US. Your 3 point program would not address anything outside the US. When you have laws that force their ideas upon a part of the internet, all of the stuff you were trying to get rid of in the first place will just move outside of the US's jurisdiction.

    --
    Why read the article when I can just make up a snap judgement?
  63. 100%-ish effective spam-prevention technique by UberQwerty · · Score: 4, Informative

    I have a real, useable e-mail account that never receives any spam at all, and I never delete/filter legitimate mail! How is this possible?

    I have two e-mail addresses. One gets nothing but spam, and the other gets no spam at all.

    I have a free account at hotmail.com and a private one on a server that isn't owned by a big business. When I'm giving my address to someone I know personally, I give the private one. When I have to give an e-mail address to sign up for some service or to get some account, or basically whenever I'm giving my e-mail address but I don't know who is getting it, I give my hotmail account.

    Result:
    -My hotmail account occasionally gets confirmation e-mails when I've just created one of those free accounts for some website, but I always know when they're coming. Otherwise, it just collects spam, which I periodically delete (and block the addresses it came from).
    -My personal account never gets spam.

    (I have a university account that forwards to my private account, so occasionally it gets what could be called "spam" that's aimed at univ. students, but if I stop the forwarding it stops the spam, so I don't really have a problem.)

    --


    PUBLIC SPLIT ON WHETHER BUSH IS A DIVIDER -CNN scrolling banner, 10/15/2004
    1. Re:100%-ish effective spam-prevention technique by gdr · · Score: 4, Insightful
      This works until one of your friends enters your email address into a form on the web (say to send you an electronic birthday card) and it gets added to a spammer's list.

      It's also possible that a spammer could harvest email addresses using an Outlook virus that infected one of your friends or anyone who has been sent an email that has your email address in the header (or body for that matter).

      I don't know if these sort of viruses are common but if they're not now they could be in the future.

      Having multiple email addresses is a good idea but, unfortunately, not a perfect solution. Once your "safe" email address is in the hands of a spammer they can pass it on to other spammers and it can become unusable quite quickly.

  64. What's the point? by siskbc · · Score: 2, Interesting

    First, a fundamental problem: There IS NO COMMUNICATION between your mail client and a sender. Therefore, you have no way of submitting the hash problem TO the sender, he can only return an answer. Therefore, if this even happens, it HAS to be server-based. Re-read the site you quoted, nowhere do they talk about mail clients. There's a reason.

    I wasn't thinking of the cost to the SMTP server but of the human cost of spam - wasted time in deleting it and the fact that people are turned off email altogether because of it. This, IMHO, is a much more serious problem than wasted bandwidth.

    What, you think bandwidth pays for itself? So eventually your ISP costs go up, not so good. Besides, it's easier to stop spam at the choke point (server) than trying to track it down later. And for people paying to d/l spam on, say, a mobile device, having to d/l it IS the problem.

    Also, note that if payment for messages (whether real cash or hash cash) becomes widely adopted, spam will stop because there won't be any money in it any longer. So the problem of costs to the ISP is also dealt with.

    Yes, but GETTING it widely adopted is the big problem here. You have to mandate it, probably, and it's easier to get webmasters to switch than, say, my mom, who has no idea what a mail client is. And, for ISP's, the problem is in the voluntary-adoption period. Who takes the hit first? Who starts off with this, when it will increase CPU load even for the sender, while all the spammers are still out there? And how will you get wide-scale participation? It's all well and good to talk about this stuff, but there has to be some method of implementation, where you get from here to total adoption. And voluntary adoption wouldn't work, actually, because the sender's client probably won't understand what the receiving server wants when it asks for the hash, unless they also upgraded to the hash deal. So, in the voluntary phase, do you drop these emails? Do you let them through, defeating the point?

    The recipient just has to look at the message body, the To: header and the postage, and verify that the postage is a correct answer (which can be done quickly).

    I can look at the header and the body NOW and tell it's spam. Really, I didn't think it was ACTUALLY president Mugabe trying to send me money when I got that email. If you have to d/l the message, look at the message, and look at the header, then there is no advantage over the status quo.

    --

    -Looking for a job as a materials chemist or multivariat

    1. Re:What's the point? by Ed+Avis · · Score: 3, Interesting
      Therefore, you have no way of submitting the hash problem TO the sender,

      I could be wrong on this but having looked at the hash cash site I think that no communication from receiver to sender is necessary. The problem is based on the message body and the recipient name. The sender knows these at the beginning.

      The costs to ISPs in the short term will be no worse than at present. In the long term costs to ISPs will fall as spam traffic declines.

      You are right that adoption is a problem but that is no reason not to start now. Of the 10% of messages I get that are not spam, almost all are from relatively knowledgeable people who can upgrade to the latest version of Pine or whatever to get hash postage. For other users, it just needs AOL or Microsoft to put out a new release, which as likely as not will be an automatic update. Attaching postage to your message increases CPU load, but only for a few seconds per message sent, and even that can happen in the background.

      The advantage over the status quo is that legitimateness of a message can be checked *automatically*. That is the point, you don't have to have your time wasted by checking and deleting spam, this job can be done by the computer. Children do not have to look at pornographic messages, etc etc. Saving time for humans, not computers, is the most important thing. Though like I said, in the long term making spam uneconomical will reduce the load on ISPs as well.

      And unlike Bayesian filtering there is no way around it, the message has to cost a few seconds of CPU time or else the postage will not be valid. (Assuming the hash function is cryptographically secure in the sense there is no easy way to get either partial or total collisions with a given hash value.)

      --
      -- Ed Avis ed@membled.com
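The postage scheme described in the comment above and in comment 58, as an added example that is not part of the thread or the hash cash project's code: the sender searches for a nonce whose hash over recipient, body and nonce has enough leading zero bits, and the recipient checks it with one hash and no round trip. SHA-256, the field layout, the 16-bit difficulty and the `PostageChecker` name are assumptions chosen for the demo, not the hash cash stamp format.

```python
import hashlib
from itertools import count

BITS = 16  # assumed difficulty: about 2**16 hashes to mint, one hash to check


def _digest(recipient: str, body: str, nonce: int) -> bytes:
    """Hash recipient, body and nonce; length prefixes keep field boundaries unambiguous."""
    h = hashlib.sha256()
    for field in (recipient, body, str(nonce)):
        raw = field.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big") + raw)
    return h.digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of the digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(recipient: str, body: str, bits: int = BITS) -> int:
    """Sender side: brute-force a nonce. This is the expensive step."""
    for nonce in count():
        if leading_zero_bits(_digest(recipient, body, nonce)) >= bits:
            return nonce


def verify(recipient: str, body: str, nonce: int, bits: int = BITS) -> bool:
    """Recipient side: recompute one hash from the To: address, body and postage."""
    return leading_zero_bits(_digest(recipient, body, nonce)) >= bits


class PostageChecker:
    """Server or mail-client check that also refuses a stamp it has already seen."""

    def __init__(self, bits: int = BITS):
        self.bits = bits
        self.spent = set()

    def accept(self, recipient: str, body: str, nonce: int) -> str:
        if not verify(recipient, body, nonce, self.bits):
            return "reject: invalid postage"
        stamp = _digest(recipient, body, nonce)
        if stamp in self.spent:
            return "reject: postage already spent"
        self.spent.add(stamp)
        return "accept"


if __name__ == "__main__":
    # Constructed sample message; addresses use the reserved example.org domain.
    to, body = "alice@example.org", "Lunch on Friday?"
    nonce = mint(to, body)
    checker = PostageChecker()
    print("hashes tried by sender:", nonce + 1)
    print("first delivery:   ", checker.accept(to, body, nonce))
    print("same stamp again: ", checker.accept(to, body, nonce))
    print("other recipient:  ", checker.accept("bob@example.org", body, nonce))
    print("edited body:      ", checker.accept(to, body + " Bring cash.", nonce))
```

Raising `BITS` by one doubles the sender's expected work while the recipient's check stays at a single hash, which is the asymmetry the postage argument depends on.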
  65. Whitelists! by Tikiman · · Score: 2, Interesting

    I'd estimate that 99% of mail I get is from people I am expecting it from. I could easily configure my email client to put this mail in another folder. At the end of the day (or more often), I can look at all the non-whitelisted mail for stuff that wasn't spam-tagged to look for new people to whitelist - takes about a minute. While spam may be a huge infrastructure concern, I really don't see it as a huge productivity concern.

  66. Remove the Filters by jetsetscoot · · Score: 3, Insightful

    Is 40% what the user sees or what hits the ISP?

    What if for one day - 24 hours - everyone who is running a spam filter at any level simply took the filters down. Show the users what the real flood of junk looks like. I bet the hue and cry would provoke real efforts - legal or technical - to solve the problem once and for all.

    I find myself thinking; what's all the fuss about, I only actually see a half dozen spam messages a day in my Hotmail and POP accounts. But I know that for every piece I see there are untold dozens being blocked by filters. Filters merely hide the scope of the problem from the end users, but ISP's still have to deal with the bandwidth.

    Take down the filters for a day and let everyone see the real scope of the horror that is spam

    -Jetset

    - I can't hear the forest for all the falling trees-

  67. Disposable Email Addresses -- Effective? by angle_slam · · Score: 4, Informative
    Does anyone here use a Disposable email address service? Examples of such services include the following:

    General information about disposable email addresses can be found in this PC Magazine article and this about.com article.

    Briefly, I'll explain how they work in theory. After signing up with a disposable email service, they give you a disposable email address that you can, for example, enter into forms. Mail sent to that disposable email address gets automatically forwarded to your email account of choice. But here's where they supposedly come in handy. You can sign up for a different disposable email address every time you fill in a web form. If you start getting spam, you can look at the disposable email address the spam was sent to and you can do 2 things: (1) cancel the disposable email address so you no longer get spam sent to that address; and (2) you know who gave out your disposable address and you can take whatever action you deem appropriate.

    This seems like a cool product, in theory, but I haven't seen anyone with real world experience with these services. If anyone here can describe their experiences, it would be greatly appreciated.

  68. And the best way to do this by Aexia · · Score: 2, Interesting

    is to punish companies that *hire* spammers.

    Let's face it; if we focus solely on the spammers themselves, we'll have little luck reducing the flow.

    But if the court system allows people to sue the companies that contracted out for spam, a few hefty verdicts might cause corporations to think otherwise.

  69. Charge Spammers For Spell Checking by kotku · · Score: 4, Funny

    I just created a web site whose terms of service are that if you send an email to the email address listed then you will be charged for spell checking the email at £10 a character. Anybody want to advise on what my chances of collecting are?

    --
    The bikini - security through obscurity since 1943
  70. Rackspace by Skapare · · Score: 2, Informative

    It just seems too odd to refresh the page to see more comments about spam, and I get a banner ad promoting one of the larger spammer hosters in the US ... Rackspace. Those who sign up for service from those scumbags are just as bad as the scumbags because that effectively helps support the spam they keep pounding my servers with. So far today, 98 attempts just from Rackspace addresses. Yesterday there was a total of 240.

    And while previewing this comment submission, yet another Rackspace banner ad. Don't these guys know I'm never, ever, going to pay them for any services?

    --
    now we need to go OSS in diesel cars
  71. The cost of spam from an ISP point of view by ZarkDav · · Score: 3, Interesting

    I work for a medium-small ISP in FR. We host around 6500 domains and 150k mailboxes.

    Our abuse department is manned by one person 365 days a year, a bunch of scripts, a largish database integrated with our customers database, and lots of red tape. This person calls our customers when they are the source of spam or other non UCE conforming use of our network (including running an open-relay). He explains the situation politely and asks the customer to conform to the policy written in the contract. If the customer does not comply after the first warning, he must look for another ISP to do business with, for we send him an official letter (with official receipt acknowledgement) each time we interact with him.

    All in all, given our company size, a bit over 1% of our costs are burnt by our abuse department. Needless to say, we relay these costs to our customers, as do most of our competitors.

    This is only half of the cost of spam from our point of view. Our mail servers farm is sized in order to perform well even with 40% of the mail being spam. These are larger human and hardware costs associated with spam as well (though more diluted and thus difficult to pinpoint).

    Spam costs people and companies a lot of money, we feel the need for the Internet mail system to be reengineered in order for the cost of sending email to become high enough so that spammers don't get away with their offense.

    The Brightmail report is not a big surprise.

  72. Perhaps AOL email is that bad, by Lord+Kestrel · · Score: 2, Informative

    but inside corporations, it's more like 98% real email, and 2% jokes/spam/pr0n/whatever. Speaking from my experience (I receive upwards of 600 internal emails a day), almost all of it is work related. Email from the Internet isn't all non-spam, but spam is still only 2-4% of the email I receive.

  73. Re:Why don't I get spam ?!? by Anonymous Coward · · Score: 2, Funny

    What's your email address again?

  74. Spammers and SMB by mikecole · · Score: 2, Funny

    Has anyone else noticed that most spammers use windows and leave their port 139 wide open? I have great fun deleting their files and sending them a good old smbnuke.

  75. Re:False Positives? by berzerke · · Score: 2, Interesting

    I'll agree on the brain dead part. From what I've learned from my host, AOL has put in a new system that automatically blocks based on complaints from AOL users. The more complaints, the longer the block stays in place. Apparently no human ever looks at it (until something goes wrong). This means AOL can be unreachable pretty much at random, and it can happen several times a day.

    I remember one instance not too long ago where AOL even admitted that address had been forged and they were blocking incorrectly, but they couldn't figure out how to unblock manually. This was straight from an AOL representative's mouth.