Will Bounties Cure The Spam Problem?
An anonymous reader writes with a pointer to a piece in today's Mercury News about Lawrence Lessig's proposed spam-bounty legislation, excerpting: "If the law passes, citizens could be eligible for rewards of thousands of dollars or more if they're the first to provide the government with proof and the identity of offending spammers."
Some people throw all sorts of crud into their spam, for exactly that reason. You don't know which companies actually did pay for the spam and which didn't.
I wrote some shareware once and ended up getting several nasty emails one week accusing me of spamming them because my web page was mentioned in a spam email they received. I have never participated in or authorized any sort of email advertising campaign in my life, spamming or otherwise, but having seen this, I know you can't just go out and blame the web pages that the person is advertising.
File under 'M' for 'Manic ranting'
http://www.lurhq.com/sobig.html
But doing so on the people you can influence (the operators of legitimate mail servers serving local users) will prevent the situation where an RBL captures a whole domain due to the compromise of a local account. You don't need to figure out how to do a full authentication chain yet (that's the role PGP fills right now).
Once you get to a certain critical mass acceptance, then you can go full force (forcing the servers to authenticate to each other using shared secrets).
Presumably, at this point there would be trusted MXs that allow connections from mail servers not running SMTP AUTH because they can't use it for whatever reason, but they would be whitelists.
That situation doesn't seem too far in the future. My ISP (Cox) already uses cram-md5 SMTP AUTH. At least I don't have to worry about someone impersonating me through their server. That's one step closer.
Every time mail is routed from one server to the next, the receiving server should 'stamp' the mail with the IP address of the sending server. That way, genuine mail has a valid sequence of IP addresses, and spam can be traced back to either the originator's IP, or the first mailserver to "lie" on the stamp.
What do you think it does right now? ALL mail servers stamp the IP address of each server in the chain, along with a date/time stamp and resolved hostname (where possible). Look at the header of any email you've ever received.
Most MTAs can be configured to disregard servers with no valid MX records (drops a lot of dial up abuse).
This is why spammers either use ephemeral dynamic IP addresses from dial up accounts, or proxy servers (the proxy does the job on behalf of the client y'see - "by proxy", so the mail's origin according to the relay is the proxy server).
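The Received-header stamping discussed in the comments above, as an added example that is not part of the original thread: it reads the stamps newest-first and finds the last one written by a server the recipient operates, since older stamps come from the sending side and may be forged. The message, hostnames, addresses and the `TRUSTED` map are constructed for illustration, and the header pattern is a simplified assumption.

```python
import re
from email import message_from_string

# Constructed sample (documentation addresses and hostnames, not real traffic).
RAW = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id A1; Mon, 1 Sep 2003 10:00:03 -0000
Received: from relay.example.com (unknown [198.51.100.7])
\tby mx.example.net with SMTP id B2; Mon, 1 Sep 2003 10:00:01 -0000
Received: from bigbank.example (unknown [203.0.113.99])
\tby relay.example.com with SMTP id C3; Mon, 1 Sep 2003 09:59:58 -0000
From: someone@example.com
Subject: constructed sample

body
"""

# Assumption: the recipient's own servers and their addresses (hypothetical).
TRUSTED = {"mail.example.org": "192.0.2.20", "mx.example.net": "192.0.2.10"}

# Simplified pattern for "from HELO (RDNS [IP]) by HOST" stamps; real MTAs vary.
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+"
                 r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)")

def parse_hops(raw):
    """Return the Received stamps newest-first as dicts (helo, rdns, ip, by)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        hops.append(m.groupdict() if m else {"unparsed": value})
    return hops

def trust_boundary(hops, trusted):
    """Return (last verifiable stamp, number of unverifiable stamps below it).

    The top stamp is accepted by name (the mail was read from our own store).
    Each later stamp counts only if the trusted stamp above it recorded the
    connection as coming from that same trusted server's address.
    """
    boundary = None
    for i, hop in enumerate(hops):
        by = hop.get("by")
        if by not in trusted or (i > 0 and trusted[by] != hops[i - 1]["ip"]):
            return boundary, len(hops) - i
        boundary = hop
    return boundary, 0
```

The `ip` of the returned stamp is the address that actually connected to the recipient's infrastructure, which is the value worth checking against a blocklist.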