AOL, MS & Yahoo Unite On Anti-Spam Initiative

dilaudid writes "FT.com has an article about AOL, Yahoo and MS putting aside their differences to combat spam. An AOL VP is quoted as saying "Our customers are telling us it is the number one problem with the internet." Their intended response is "narrowly-defined federal legislation aimed at so-called "king-pin" spammers" who send the bulk of the mails. "

Of Course...

[FortKnox]

Its obvious, but something to note, that you need to have a yahoo/aol/msn email account to see all the benefits of this anti-spam initiative.

BTW - What happened to topic icons??

Re:Of Course...

[jez9999]

The topic icons appear to work for me - have you checked your settings? There is a flag to turn these on and off IIRC.

Nope. The topic icons have disappeared for me as well, and the 'No icons' option in my preferences is unchecked. This wreaks of yet more 'live' SLASH development.

Re:A valid use for a buttload of cash?

[The+Almighty+Dave]

That's ok, with the windows users gone, there won't be any money in spam. It will just go away.

yeah yeah we don't want to buy more hardware

[gelfling]

....And we want the government to force other people to allow us to do that.

They are carriers & they could care less about spam other than the hardware demands the sheer volume of this stuff means for their investment cycle. If they could magically reduce their workload by 80% w/o losing one dime in revenue I swear they would turn out their children to do it.

Re:yeah yeah we don't want to buy more hardware

[leviramsey]

RTFA. The main reason they're pushing for this is because their customers are telling them that the spam is decreasing the value of their offerings.

Spam wouldn't exist without morons

[Stiletto]

If the number one problem with the Internet is spam, then the number two problem is all the idiots who buy products from spammers and keep them in business.

Spam will never stop. Just like junk snail-mail will never stop. The tiny percentage of below-freezing IQ's out there who fall for unsolicited "offers" are ruining it for everyone else.

Re:Exceptions

[NanoGator]

" Wanna guess who sold out her email address? First 3 guesses don't count. "

How do you know her email address was even sold? Ever have a Hotmail address? It doesn't come because it's sold, the spam comes because of the brute force spam attacks on it.

Why buy a list of email addresses when you can get millions of hits at *@msn.com?

Re:A valid use for a buttload of cash?

[fredrikj]

I am concerned that when all of this is said and done, only users of a Microsoft OS will not receive spam. ;-)

That makes sense, actually. What if the "solution" would be to only accept and forward messages with a valid DRM certification?

95% Coverage

[Flamesplash]

I am concerned that when all of this is said and done, only users of a Microsoft OS will not receive spam. ;-)

Doesn't that give us like 95% coverage? Sounds good to me :)

Re:Huh?

[IAmRenegadeX]

I completely agree -- notice I didn't say "I wish they'd use the black hole lists," I just said they never mention them.

Like you, I am glad there isn't a single source of record for "e-mail blocking", especially one that is controlled by a company or government shill.

However, it'll be a cold day in hell when we're able to completely block what everyone thinks is spam...

Re:Exceptions

[Otter]

Wait, lemme guess- that "narrowly-defined" definition of "spammer" will not include internet service providers advertising their services, nor companies the ISPs have paid to spam their subscribers?

My primary email account has disappeared under an avalanche of bounces and blocks from some asshole spammer forging my domain name in everything he sends out. I'm job hunting now, and refuse to install some new untested filters that are liable to throw out something important. So I need to wade through hundreds of returned ads for streaming gay porn.

If these companies can put a stop to the total scumbags, they can include a provision that their ads can be sent over the NSA's secret high-speed network. I'll still be grateful to them.

My grandmother got porno spam within 2-3 days of her MSN "internet appliance" getting set up, and it had a very unusual account name(with numbers in it, too)- no dictionary atttack hit this one.

Maybe, but my suspicion is that you underestimate the magnitude of dictionary attacks on common domains like that. Given millions of idiots, all MSN addresses are shallow.

What really needs to be done

[Monoman]

* Use existing laws: I am sure there is more than enough laws already on the books that cover "fraudulant and egregious methods to disguise and misrepresent". We don't need laws specific to spam we should use generic laws that cover communications fraud.

* Go after those that hire spammers too. If I contract someone to perform a service and I know their methods are not legal then I should be held liable too.

* Don't depend on laws to fix everything. Fix the system!

Re:Dumb and Dumber

[dknight]

This works only assuming that all email/websites/etc... are within the US. I know we like to police the world, but even we couldnt pull THAT one off.

Doubting Yahoo's commitment to this ???

[adzoox]

I have had Yahoo mail for almost 9 years now. I was getting about 3-4 messages a day all the way up to 2001 when they started charging for premium services. Then an avalanche of SPAM hit. Now at 300+ a day.

I do realize everyone's SPAM is at insane levels and SPAM has gone up in the last 3 quarters. That said, I have very intelligently and precisely made my 15 free filters and none of them work on Yahoo mail. Middle of last year, I decided to chunk down the money for the premium email account. I used up the free 35 extra filters pretty quick.

It is my opinion that Yahoo allows junk mail, in fact, dumps it heavily on it's customers so that they will buy a premium service.

And if you lie about the headers?

[unfortunateson]

The spammers will claim they all fit in the personal communications requested by the recipient, and are not required to fill in all that rigamarole.

And you're right back where you started from.

No, the solution is to inform people that
a) Your body parts aren't going to get bigger (bellies excluded)
b) You really don't want to trust your finances -- even credit bailouts -- to people who'd SPAM you
c) There are no dignitaries in Nigeria that have millions of dollars they need to launder into the US, and if they did, you'd be arrested
d) There's no need to pay for porn. Go out into the big blue room and you could find someone real. Besides, there's enough free internet porn, just look.

You get SPAM because it works. People buy this crap. If they didn't, the spammers would stop.

Is Spam Really a problem

[AlgUSF]

I just delete spam before reading my e-mail. Spam isn't that hard to detect.

Re:your request From: acv235fv@hotmail.com SPAM!

refinance lowest rates From: bob33010@aol.com SPAM!

If everyone just ignores them and doesn't buy anything from the spammers, then it will dry up. Another favorite is to find their real e-mail address, usually from their form, or their link, and e-mail them 2.5MB from /dev/random. :-)

Re:A valid use for a buttload of cash?

[frankthechicken]

I am concerned that when all of this is said and done, only users of a Microsoft OS will not receive spam. ;-)

Or you would have to at least register your details with them.

I've often wondered why spam hasn't been dealt with along the lines of virus protection, i.e you pay a subscription to keep your records of spam locations up to date and thus able to block those offenders. Though I must admit, setting simple rules on the mail client has kept me largely free of the sifting through spam, and the potential harm to me of receiving mail pointing out the wisdom in giving my bank details to a rich Nigerian, is not really worth the cost of subscription.

Drug War Parallel

[limekiller4]

This is kind of funny, the parallels between the spam wars and the so-called drug wars. I call say this because it is more appropriately labeled "war on some drugs." But that's another rant.

But isn't it interesting that they (meaning AOL et al) are going after the big offenders and not, say, THEMSELVES? After all, they are analagous to the street-level pushers of the spam. The big spammers ("kingpins") are the ones who create the spam and are the nexus for it's origin. The product is then filtered down until it reaches the local ISP of the client/user and finally handed to the target -- the customer.

You might object and say, "the difference between drugs and spam at this level is quite sharp because drug users want the drug. Spam receiptients do not." Well SOMEONE is buying. Spammers don't spam because they think their literature amounts to avant garde exercises in promotional haiku. They spam because someone pays them to. And someone pays them to because someone is buying. In other words, every nickel they spend on spam comes back to them dressed up as a dime. It's as simple as that. The only real difference between the two analogies when you consider it is that spam is less visible because of the inherant privacy and legality of spam. That's all. You still have a product, you still have a buyer and you still have a larger community that must deal with the fallout of that activity.

However, this is the point at which the analogy breaks.

The community normally goes after the street-level dealers and the users. Of course the dealers have little to lose because they're poor to begin with and there will always be someone to deal. Always. And users/buyers are always going to use/buy. So go after the source, right? This makes sense, right?

So why are over half (55%) of all federal prisoners drug offenders?

This would be like Microsoft and AOL suing themselves half to death and prosecuting the recipients of the email when they purchased wares sold by spam. Never mind the fact that buying after seeing a spam isn't illegal. That's not the point. The point is that even if it were, it is an obviously flawed and ineffective model. It just doesn't work.

Re:Drug War Parallel

[Steve+B]

All I'm saying here is that there must be profit (or the perception of possible profit) for the spammer to be paid to send spam.

That caveat is precisely my point. Even if no spam recipients actually bought any spamvertised product, there will always be somebody who thinks that his spammed pitch will work.

Technical Pressure

[linuxwrangler]

One thing that the big ISPs could do is exert technical pressure to help deny spammers the ability to hide. I would love to see them reject all mail in which the HELO greeting is not fully qualified and resolvable (as required by the RFCs). Same thing everywhere else a domain appears in an SMTP conversation. This would force a mass cleanup of incorrectly configured mailservers and I would be able once again to include that as a requirement on my server.

Although perhaps exceeding the requirements of the RFCs, they might also consider refusing mail if the HELO/EHLO does not resolve back to the connecting IP.

In addition, they could publish via DNS info records or ?? the IPs of all their outbound mail servers (no MX won't work - that's only for inbound mail). It would be great to be able to bounce all mail "from" someone at yahoo/hotmail/aol/etc. unless the connection came from a mailserver associated with that email address (sure, for some people the mail may have been legitimately relayed before arriving at their site but that has never been the case for my servers).

Use RBL/SpamCop/Spews to force AUTH BASE SMTP

[cybrthng]

Come on!!!

There is spam because the system is insecure. Force AUTH based SMTP and use SSL.

Use RBL's, SpamCop and Spews to blacklist people who don't want to grow up and be secure! Big ISP's should do this, Cable & DSL providers should do this.

With wireless tech i can login to anyways network and spam away as long as i'm behind an IP address allowed by there servers.

Its LONG overdue! Use our preventative technologies to enforce some decisions for the better of the network, not the perogatives of a select few!!!!!

Re:AOL CENSORS THEIR EMAIL

[Malc]

Yahoo already tag 90% of the spam I receive at my Yahoo address. They place "X-YahooFilteredBulk: xxx.xxx.xxx.xxx" in the headers of the messages. This is the first thing I check for on my mail server. I'm happy to pay them $20/yr for that! The older version of SpamAssassin that ships with Debian Woody catches more than 50% of the spam that gets past Yahoo. I typically receive 10-20 spams a day, although I got 37 on one day last week.

Federal Law won't stop this.

[BigBlockMopar]

... federal legislation ...
I feel better already.

More to the point, what are American laws going to do to stop the spam I get?

Most of the spam is sent from open relays in shitholes like Brazil and Japan. Most of it points to websites on hosting providers in China and Korea.

You're not gonna tell me that some ulgy fuck like Alan Ralsky isn't gonna go and simply register a company offshore?

His spamming organization can work offshore and hire another company to fulfill the orders in the USA. That way, the spammer is offshore (immune to US laws), and the company delivering the product to the gullible consumer is not doing any spamming.

My tactic is to refuse any SMTP from any third-world country. I don't know anyone in China or Korea. I accept e-mail from only USA, Canada, UK and Israel. Anything else is a third-world country. This tactic cut my spam over 50%.

Re:Federal Law won't stop this.

The only point you managed to make with your post is that you are an ignorant (racist) fool. If you made at least the slightest effort to curb some of your "character" one might actually be able to see through the crap and moderate the value in it, up a few points.

I wouldn't say *censorship*

[Mr.+Underbridge]

AOL is currently using censorship to try to solve their problem. Their customers want the ISP to stop spam, and AOL interprets this as a license to censor incoming mail for "spamness".

Well, I don't sue AOhelL, so correct me if I'm wrong...but don't they give you the option of using the filter or not? And as far as I understand, they're blocking commercial email, not email containing words like "penis" or something. And when customers ask AOL to stop spam, it's not like AOL is "interpreting" this as a license to "censor" for spam. It's a literal directive. They're giving the consumers what they want. Now, don't get me wrong, I wouldn't use AOL if my life depended on it, but I think you're barking up the wrong tree here.

Re:Huh?

[eaolson]

The host itself doesn't host any adult content, but the IP that it had recently acquired was listed in the same IP block as pretty much every adult/teen/kiddie porno site you can think of, and most that you can't think of.

Then maybe you should move to an ISP that doesn't tolerate kiddie porn on their servers.

Most of the serious blocklists (SBL, Spamcop, SPEWS) are quick to delist an IP once the spamming problem goes away. And some (SPEWS for example) don't even list an IP block until the ISP has been informed about the spamming, and chosen to ignore it.

Funny....

[Remlik]

The three domains my company gets the most spam from are...

AOL.com

hotmail.com

Yahoo.com

Seems to me if these three companies would clean up their own free mail systems 80% of the spam problem would take care of itself. No need for federal legislation so far as I can see. Just enact policy and enforce it on your current users. Fine yourself when you fail to keep spam out.

Blocking vs. tagging

[billstewart]

Their customers _are_ deciding what is or is not acceptable; if you don't like it, get your email somewhere else. AOL is a bit special compared to most commodity ISPs, but it's still just one of many vendors. It's certainly easier to make an informed decision if the ISP publishes the techniques they're using to block spam, but if one of them doesn't, that may be part of your criteria for not choosing them. However, having said that, ....

There are two fundamentally different things that ISPs can do with suspected spam

• Whole-ISP solutions that refuse to let it in the door at all (e.g. blocking all mail from open relays and suspected spamhausen, or using adaptive DNS responses so known relays think you live at 127.0.0.2 and don't even bother your sendmail.)
• Per-customer solutions such as tagging or discarding suspected spam once it's in the door. This gives the customer a lot more choices, but it takes a lot more resources from the ISP, including bandwidth and CPU. The first approach lets them get rid of most of the high-volume dreck cheaply.

I'm not bothered by either of these approaches; as I said, you can pick whatever kind of ISP you like. What is more of a problem is ISPs that block incoming mail without proper error messages. If you're sending legitimate email and it gets spam-filtered and the user never sees it, that's annoying, but at minimum, anything that gets rejected by the ISP's SMTP server should get an RFC-compliant reject response so you know to try contacting the recipient again using your hotmail account or whatever.

What if the spammer is getting paid per hit?

[mdfst13]

At a penny a hit, your script nets the spammer an extra $20.

Re:What if the spammer is getting paid per hit?

[BigBlockMopar]

At a penny a hit, your script nets the spammer an extra $20.

I guess that's true, and for a second, I thought it was a big flaw in my
they-asked-me-to-fill-their-weblogs-with-crap-by -sending-e-mail-to-my-domain plan. But either way, it doesn't matter. Why?

Let's say this fly-by-night pharmacy (www.pharmacyfun.biz) is paying the spammer to produce exposure. If they're paying the spammer per hit, then they're spending the $20 to advertise to /dev/null on one of my boxes.

Fine, it might make more money for the spammer, but it would end up costing the advertiser big money if enough people were doing it. And, let's face it, no matter how much you try to ban spamming, if there's money to be made in it, people will continue to do it. If the advertiser ends up spending $$ to advertise by spam because they got 2,000 extra hits, he's going to see that his sales per hit decreases, meaning that spamvertising services end up costing him more money.

Treat this like a contract killing. If you were to call a hit man to kill someone you don't like, both you and the hit man can be charged with first degree murder in most jurisdictions.

The spammer and the advertiser are one and the same.

If anything, this technique would undermine the validity of any pay per hit schemes. Filtering out the random hits could also be very difficult - make lynx report itself as some variant of MSIE, request the page exactly as it's provided in the URL, random interval between hits - those things together might be very difficult for the spamvertiser to separate a real hits from the bogus ones for billing's sake.