Slashdot Mirror
A Timeline Of Spam And Antispam
Haak writes "American Scientist has a fine article by Brian Hayes summing up the history of spam and proposed measures to deal with it." A shorter article along the same lines is running at The Economist.
← Back to Stories (view on slashdot.org)
Spam, on the otherhand, is stoppable.
/. postings about spam recently... too much!
But, so many
The article sums it up well, but is this something that is going to ever stop? SPAM to me seems like another one of those things in life like drug dealing for instance. Whatever tactice we take to stop or outlaw it, people are always going to find a way around it. The stronger we make our SPAM filters, the more normal desired mail that is going to get blocked. DOn't get me wrong, I hate Spammers, but I dont see how any of these solutions are going to work. Thats my opinion at least, but as the article says, I suppose suing spammers might have a good effect.
I feel that SPAM should be considered like Telemarketing. And I think we should be able to opt out without notifying someone that our email address is life and getting filled. Interesting Article..I knew about the Green Card lottery, but I didnt know about DEC sending emails to people.
---
We Present the world's first Make Money Fast Spam
I'm not Seth.
But..But ..my delete key wore out
Diplomacy is the art of saying "Nice doggie" until you can find a rock. Will Rogers
I'm gonna need all that money from Nigeria to afford the necessary penis enlargement and credit rating accentuation!
Examined from the inside, the world of spam has created its own perverse little self-sustaining ecosystem.
The ones *they see* could be unique if just one person from that mailing reports it to them. Also, they could be including the random text in every email, which actually does make it so that every spam is unique.
Uhm, why do you say that? According to Merriam Webster spam is: unsolicited usually commercial E-mail sent to a large number of addresses.
Why can those messages not be 'personalized' and still fit that definition?
Ever notice that spam now-a-days has random strings of characters placed throughout it? That's to make it unique to prevent spam filters from looking the checksum of the message up in a database and marking it as spam.
Today's Aardvark Daily shows exactly why spam is the problem it is -- there are too many stupid people out there who believe they can get something for nothing.
Check out just how lame the spammer in question is and how, in his world, the word "free" has a whole different meaning to the one most people have.
Despite his blatant misrepresentations and the fact that he's promoting his scam via spam, this guy has got people queuing up to hand over their "stupidity tax".
What's worse though is that the spammer is so lame he's effectively exposing the credit card details of *all* those who sign up. You even get to look inside his two email accounts because he doesn't have a clue about choosing sensible passwords.
We're quick to blame spammers for the problem but maybe the truth is that the tide of spam is driven more by the stupid and greedy people who respond to these "too good to be true" emails.
*scotty voice*
Captain, the spam/antispam reactor is gon ta blow!! I cant give ya any more porno!
Repeal the DMCA!
The beginning of spam:
Moses brought down the ten commandments.
Result:
Related spam has grown exponentially into dozens of religions.
I don't see how to create anti-spam without some form of identification, simply because without an ID, anyone could use a mail type system to send junk messages to people and not get caught - because there's no ID, of course!
stuff |
Anti-spam activists go to a lot of trouble to help locate and identify people and groups responsible for flooding the net with spam (or who provide spamware to misinformed laypeople). These same good-doers are often sought out by spammers, sued by groups of them, have their privacy invaded (release of home phone, address) in effort to scare them into shutting up.
I am not kidding here. Take a look at some of the projects that scare the hell out of professional spammers:
spamhaus keeps an exhaustive list of major spam operations.
SPEWS lists areas of the Internet that have frequently be used for spamming, including detailed evidence files and histories of ISPs that turn a blind eye to spam.
Spamware vendor list has a listing of sites that sell spamming software -- without which we would have little or no spam.
About 7 years back, when the WWW was still cutting its teeth, I had an epiphene; The best thing about the internet, is now everyone can use it. The worst thing about the internet, is now EVERYONE can use it.
Simply put, we should require some form of an operators' license to own or operate a computer. Despite there being radical differences between the types of machinery, an adequate comparison would be to either automobiles or firearms licensing legislation.
Before anyone makes the claim that this is not an adequate comparison, if could be eventually, the financial costs of such practices is matching, and quickly overtaking those of firearm and auto related damages. With time, eventually it could cross over to life threatening potential (for example, if someone decided to make a virus with a specific angle, wiping out or modifying records for grandma's prescription drugs).
(1) The majority of abuses involving computers involve people who consider themselves "above the law", with no care in regards to potential damages that abusing the system can incur. Virus writers, spammers, script kiddies, warez distributors and DDOS operaters often fall under this category. For sake of comparison, lets file this under speeders, reckless drivers, drunk drivers, or road rage. Similarly, the comparison can be made for firearms.
(2) The majority of problems that occur within the computer industry and most media involve people who are poorly trained (or not trained at all), or poorly advised in using their computers. People who do not patch their systems, do not operate a firewall, and open e-mail attachments to unleash every iteration of klez upon the net. This one can be filed as those who pretend a car or a gun is a toy, and treat them accordingly.
(3) Despite the whole "for the children" trend in regards to the internet, there is no practical method to truly enforce it without trampling every detail in the constitution. Therefore, unlike most offered solutions, informing and training the young'uns in how to go about using a computer responsibly would be ideal. Similarly, do the same with new computer users. Give them a basic course, then a test, and upon passing said test, they can purchase their own computer.
The problem is, as illustrated by current tech problems, along with the e-commerce industry's shortcomings and varied collapses, Joe Sixpack tends to think of the computer as an appliance. A new magical alternative to the TV that can make all their dreams come true. They need to be informed that the computer is a tool. And just like any tool, it can be abused, and that there could be consequences, something that most of them are for the most part either ignorant to, or even defiant of. Therefore, if they have this knowlege, then they cannot claim ignorance, and as such could finally be enforced, then charges can be pressed, and at least for the short run, problems can be avoided.
After all, if they could lock away Mitnick (sp?) for over 5 years for downloading a few files, why can't they lock away a virus author or spammer for operating without a permit? At least that way they can set a precedent. Hell, I'm sure a good deal of spammers out there are in violation of other things, such as unpaid taxes, working without a business license, et al. And how many of them use their proceeds towards drug use, pornography, etc? Make the bill tough enough and at least the spammers in the US can be eradicated virtually overnight.
There. The can of worms is open. Feel free to bait a hook.
Just because you can mod me down, doesn't mean you're right. Shoes for industry!
First I ignored it. This worked for a while, but my paitence didn't grow nearly as fast as the spam volume (I've been on the net for years, so I remember when spam was a rare occurace). These are only the major things. I've tried others here and there.
Next I started using MS Outlook's built in spam catcher. This is basically a blacklist that you maintain that you can easily add things too. This actually worked somewhat well, but as the use of forged addresses (and just plain random ones) grew, this became less effective.
Next I started to use SpamNet. I used this up untill about last week. This used to be somewhat effective, and in the last month or so has been almost completely effective. This is the most wonderfull anti-spam device I've used. It was great near the end of the beta. But now it's out of beta and I'm not going to pay $5 a month to stop something I shouldn't get in the first place. Sorry Cloudmark.
When Spamnet started, it was pretty effective, but still left a decent amount to be desired. So I searched around and found SAProxy. This program let's you run Spamassassin on Windows, and the combination of this and Spamnet worked wonders. As Spamnet got better, this became more or less useless.
Unfortunatly, I had to get rid of Spamnet, due to the afformentioned monthly fee. So now all I have is SAProxy. It does work great, and it does get better with each new release. Now only about 3 messages a day get through, which is quite fantastic. Only 5% or so of the spam I get gets though. I could set the limit lower (to catch more spam) but right now I don't have to worry about it catching ham (it never has for me) and I don't want to have to start wading through my spam folder to check for ham. I thought I was using this stuff to not have to do that in the first place?
So in short, I'm now using SAProxy and quite happy. If there was a free version of Spamnet, I'd use it, but there isn't. If you're on Windows and have a supported e-mail client, get SAProxy, and save yourself a huge headache.
So what will I use next? I've been thinking of setting up a perl script to automatically find the home address of people who spam me and sending them a few ICBMs with notes attached like "HOW TO WIN AT EBAY WITH FREE CHEAP ICBMS THAT INCREASE YOUR SEXLIFE AND GROW HAIR."
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
According to This Site, The earliest spam was sent by DEC in 1978.
Einar Stefferud, a longtime net hand, reports that DEC announced a new DEC-20 machine in 1978 by sending an invite to all ARPANET addresses on the west coast, using the ARPANET directory, inviting people to receptions in California. They were chastised for breaking the ARPANET appropriate use policy, and a notice was sent out reminding others of the rule.
Interestingly, a young Richard Stallman argued that spammers had every right to send spam.
I'm not Seth.
But of course some of the spammers get paid based on how many 'eyes' (or HTTP requests) are generated, so if they can just get through to an Outlook Express preview pane, it's worthwhile....until 'marketers' wise up.
By virtue of having my own domain name, outside of the United States, I now receive 1200+ spams a day (and noticeably increasing). People who advocate 'just hitting the delete key' make me fume. That's a lot of delete key. And a lot of time. I've now reached the point where false positives on spam detection by automated software are less likely than me hitting delete one too many times. Thanks to DNSBL I can reduce spam from 1200+ a day to 10 a day, and Paul Graham's Bayesian filtering reduces that down to 2 or 3 a week.
I'd like to share some recent observations I've made - I haven't seen this referenced elsewhere but maybe I don't know where to look (so feel free to point me where this is mentioned elsewhere).
First a minor observation that spam increases markedly on the weekends - because peop,e aren't around to close down open relays or spamming accounts?
Secondly, spammers have started adding non-spammy words (eg capacitor) and constrcuted nonsense words (capacitorsggg) inside their messages. I can only see this as a direct response to Paul Graham's approach. I don't see it as working - the rest of the message is just TOO spammy - but it sugegst to me that spammers see such an apprroach as a threat. I've seen these words sprinkled at the start of plain text emssages and after the /body> /html> of HTML messages.
Thirdly, what I've recently noticed is that a spammer will connect to my mail server, say HELO, do a MAIL FROM: and then QUIT. Then they connect to my system again and use a HELO command that is my OWN IP address. They also include a fake Received header that makes it look as though the message originated from my own machine. Nice try you scummy spammers. SpamCop is smart enough to see through that ploy. I wonder how other system's will respond.
Fourthly, I've noticed that often when I complain to SpamCop I become the victim of a JoeJob. Currently I'm getting all the delivery failures coming back to random alphanumeric usernames at my domain. Sigh. Time to strip off my domain when I lodge SpamCop submissions eh?
Recycle PCs and build a wireless community network www.hillsborough.org.nz
In 2002 I received over 18,000 pieces of spam, for a total of 163 megabytes. Compare this with the year 2000 (6 MB) and 1996 (183 KB). Based on the spam I've gotten so far this year, 2003 should see a bumper crop of 25 to 30 thousand pieces. This is just my POP3 account, and not my venerable Hotmail account that's now a smoking hole in the ground.
If I'm ever lucky enough to meet a spammer in person, I will kick him in the nuts repeatedly, until he sings soprano. Of course, I'll be chanting "Just hit Delete...just hit Delete" the whole time.
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
should be as effective as slashdot's anti-troll measures... **ducks**
There will not be a "new" SMTP because the existing one is too well established.
There have been many wonderful suggestions posted as previous stories and also as responses to previous stories. Many, perhaps most, of the great solutions require a critcal mass of people to adopt a technical solution at the server. None of those will happen.
The best solution will be individuals or companies adopting products like Spam Sleuth or Spam Sleuth Enterprise which have a variety of detection methods including Bayesian (statistical analysis), EMail Stamps (shift cost to sender), Bouncing (trick the spammers), as well as the usual Whitelists, IP Blacklists, e-mail address Blacklists, etc.
Just like computer viruses, those people who use the technical solutions will be immune, and those that don't will continue to suffer. The tools exist. Slogging through spam each day is a choice.
What makes no sense about spam is that it seems like the only people really making money off of it are the spammers themselves. It's a shame I don't have it on hand, but more than 75% of the services being offered according to one account, aren't even legit, the main exception being pornography websites. (I'm sure many of you will remember the article, and someone will respond to this with it).
Case in point, what I'm wondering is, who are the companies funding spammers? Judging by the relativly low success rate of bulk email, I'd imagine you're actually losing quite a bit of money to pay a company money to send out emails for your company, emails that potentially damage the reputation of your company due to the vast amounts of illigitimate business and anti spam sentiment on the net.
Simply stated, it sounds like:
Step 1: Send mass emails
Step 3: collect profit
I willing to bet their business model was derived from the underpants gnomes...
"In a Democracy, people get the kind of government they deserve." -Winston Churchill
Simple.
Money.
Mitnick's foes' lawyers claimed billions of dollars (that's laywer dollars, not real dollars, of course) of damage to the people padding the politician's pockets.
When spam gets there, we could count on the jack-booted thugs raiding a place or two in the night. Unfortunately, the spammers are getting richer, and trying to make laws that favor them...
For us carnivores, "Sucking the marrow out of life" isn't a transcendentalist philosophy but a practical instruction.
This article does not really gives much of an overview on the history of spam wars. The article leaves out more stuff that it mentions. I couldn't find any references to:
* Evolutionary progress from your garden-variety, run-of-the mill carpetbombing from the sender's ISP to hijacking of external mail relays, leading to most mail relays now being closed; to repeated gang-banging of every mail relay on the Internet, in the late '90s, that was running the completely fucked up Sun sendmail 8.6, which fails to record the sender's identity, turning it into a somewhat efficient anonymous spam forwarding service; to direct-from-dialup spamware that doesn't need mail relays and delivers directly to the recipients' mail servers; to spamware that scans and hijacks open proxies, and spam-forwarding trojan zombies that take over and infest Windows-based clients.
* The rise, fall, and bankruptcy of Apex Global Information Systems, the first commercial attempt to make a business model out of providing dedicated spam connectivity; with Cyberpromo, Nancynet, Marynet, and Sallynet spam factories as their charter "customers".
* The rise and fall of MAPS. The article makes out MAPS as the leading champions, but those in the know sadly know that MAPS is now a shadow of its former self.
* The rise and fall of ORBS, and a gaggle of similar open relay blacklists that sprouted up to supplement and replace.
* The rise, and hopefully the fall, of the trend where large backbones quietly agree to accept premium connectivity and hosting fees, in exchange for ignoring complaints about their spamming parasites, all the while flouting their supposed "anti-spam" Acceptable Usage Policies/Terms Of Service (documentation and proof available per request).
* The rise of the trend where spam farms are set up in third world countries, whose hosts completely ignore spam complaints and are generally better resistent to spam blacklists, since they don't send much mail to the US.
* The rise of SPEWS, as a partial response for a need for a successor to MAPS, and a surprising accept of SPEWS, which has an aggressive blacklisting policies, which flew in the face of conventional thinking that network providers will tremble with fear, run to hide in the nearest closet, and become completely paralized at a mere prospect of rejecting a single non-junk message.
There's plenty more subject matter for anyone who really wants to provide an overview of spam wars. This article seems a bit skimpy on the facts...
First off, the article is WAY behind the times on anti-spam techniques. SpamAssassin's statistical techniques far outstrip the simplistic features discussed. For example, it mentions obfuscation techniques, and yet SA is known to detect almost all of them one way or another, and even when it doesn't it catches the mail because it's in Razor2, comes from a BLed site, has obviously forged bits, doesn't look like valid mail to Bayes, etc, etc, etc.
Second, the article is also a bit naive on several points regarding blacklists. Many blacklists are good and useful, many are not. But taken as a whole, they present a spectrum of data that can be interpreted through a number of classical techniques that are applied to noisy data sources. Trusting any one BL or a small list is almost always a mistake, you need to build a sample set and determine who you trust and how much. SA does this, but it would be easy enough to build a BL-only SA-like tool for high-speed analysis on high volume ISPs and pipe-providers.
I'm getting worried that the problem of spam erradication is starting to look like the most divisive problem the net has faced to date. There are an awful lot of angry people, and those pitchforks and torches are starting to point in some very "infrastructurish" directions. Articles like this one, really don't help much....
Well, in Houston they did get an energy boom in the 90's. And they messed it up same as they did in the '80s. Enron is the visible example, but all of the energy companies in Houston are suffering as well.
So to continue your analogy - even if we start over with a new idea, it won't work, because we seem to have the infinite capacity to make messes. Any solution to the spam problem that involves starting over would probably also cause one or more of the following (draw the analogies to Houston and Enron if you wish):
I can't say that I haven't given my address to people who "aren't stupid or assholes", but I doubt that this is the vector for most of the spam I receive.
/users, or your DSL provider "shares" your address with their "strategic partners". Never tasted that canned pink meat? You Will.
You say you've had your POP3 account for over a year; I've had mine for nine years. In that time, I've posted it to Usenet, used it as a mailto: on web pages, signed up for things with it, and used this address to register domains, always unmunged, sans "NOSPAM" or "remove this" or "@@@".
Even if I'd done none of these, or did munge my address, I'd still get spam, albeit somewhat less. Spammers use dictionary attacks, too, or they create a list from
Enjoy it while you can, for I see a million penis enlargers in your future.
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
You do realize that legalizing drugs would address every single problem that you've mentioned in your post, don't you?
Drug deals being conducted with guns is entirely a consequence of their being illegal. You may note that gang warfare over alcohol is rather hard to find nowadays, but it was quite intense during Prohibition and in fact is a going concern over in Saudi Arabia where (purely coincidentally, of course) it's illegal.
Dyolf Knip
Shouldn't we be able to prosecute spammer's under the DMCA?
Spam filters are obviously a device used to regulate what mail you receive. They used to effectively block spam. However, spam has evolved to beat the filters.
This implies that the spammers determined the method the filter used, so that they could beat it. In other words, they reverse-engineered it.
So, aren't spammers circumventing an access-control device via knowledge they gained by reverse-engineering a product?
It's that the epitome of illegal under the DMCA?
Justin Dubs
Liquor dealers don't go shooting each other on the street corners, though people do rob liquor stores and drunks do get into fights. A day's worth of medical-priced opiates is cheaper than a half-bottle of bad gin.
Zucchini dealers don't go shooting each other, though there are the occasional Midwestern terrorist events (leaving bags of zucchini on other people's doorsteps during the growing season); marijuana's about as easy to grow as zucchini if you're not trying to hide it from the cops.
If we legalize drugs, street gangs may not stop carrying, but they'll mostly stop dealing, because you'll be able to get better-quality pharmaceutical drugs at the drug store and marijuana at the tobacco or liquor store, and at that point drug dealing turns into honest work, not significantly more profitable than selling flowers on the street corners except for a bit of low-markup business selling to minors along with selling them cigarettes. Might as well go back to stealing hubcaps.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I too have noticed that the vast majority of spammers now seem to forge the HELO/EHLO greeting. And as most non-spammers don't, this is actually a wonderful way to catch them. I've even seen them send the IP address of my secondary mail gateway in hopes that my primary mail server would fully trust it (obtained probably by looking up my MX records). I run a mail gateway for a corporate domain an get on average 30 to 40 thousand spams per day. Using sendmail with it's milter programming interface I put the HELO greeting though a very strict check. For those contemplating doing the same...
One last note about Forged AOL Spam after talking to one of their postmasters...all their legitimate mail by corporate policy is always sent from within the *.aol.com or *.aol.net domains. This will be in both the HELO as well as a reverse DNS lookup of the connecting IP address. If you don't see this in the HELO and DNS but you see a MAIL FROM for aol.com, it's probably spam.
I wish more big ISPs would provide public information about how to better detect forged mail claiming to come from their sites. For instance if I see a MAIL FROM *@yahoo.com, then should the connecting IP address always be from a *.yahoo.com host? Some ISP's like hotmail seemingly always add in a known predictable header whose absence indicates spam. But I can't reliably make these calls unless the ISPs provide that information. Also, beware that some semi-legitimate sites, like Monster.com forge the sending address on purpose; so if you want to receive resumes you may need to whitelist them.