Slashdot Mirror


Spam Meeting Wrap-up

wendigo2002 writes "Get used to that daily flood of e-mail come-ons, Viagra offers and lucrative enticements to invest in Nigerian pyramid schemes. Internet gurus, software designers and lawyers today ended a three-day Federal Trade Commission discussion on combating spam by concluding neither technology nor laws are yet capable of completely dealing with the plague."

21 of 188 comments

  1. Nothing? well.. by Kelerain · · Score: 2, Interesting

    Public executions always sounded effective to me.

  2. You know . . . by DrMrLordX · · Score: 5, Interesting

    I wish all those who convene to discuss law-enforcement and/or regulatory initiatives were so honest about their future prospects for success. Can you imagine what the DEA would be like if someone back in the 50s or 60s had actually gotten together and said "you know, guys, we'll never stop the flow of drugs into the country, and it's only going to get worse". On the other hand, that might have made the problem worse.

    I still couldn't fault them for being honest, though.

  3. Federal law by Klaruz · · Score: 3, Interesting

    We need a federal law with some that lets you go after:

    1: The spammer themselves provided you can find them.
    AND/OR
    2: The entity in the US that the spam was sent on behalf of. If they're trying to sell you something, or scam you, even if they didn't send the mail, they're the root cause.

    and

    3: You should be able to opt-out of any entity you directly do business with. Opt-in for any of their partners. If I buy something from Amazon I can opt out of receiving their mail. Their partners can not send mail unless I specifically ask for it. If the company gets bought, the opt-in does not transfer, except for one email informing me of that.

    4: Here's the gray area; there needs to be some sort of failsafe. So for example, if I hate slashdot and I spam a million people telling them to buy a slashdot subscription. If the people who get the mail can't find me because I sent the mail from an open AP and bounced it off a server in Korea, slashdot gets screwed.

    Disclaimer:
    I am not a spam expert (I do know a bit)
    I am not a lawyer
    I am not a lawmaker

    Take with salt. Flame on.

    1. Re:Federal law by Doctor+Hu · · Score: 2, Interesting
      ... that lets you go after:
      ...
      AND/OR
      2: The entity in the US that the spam was sent on behalf of. If they're trying to sell you something, or scam you, even if they didn't send the mail, they're the root cause. ...
      From the nature of the 'products' and 'services' that cause much of the annoyance, I'd hazard a guess that the peddlers involved take as much care to hide their true identity and location as do spammers - indeed, I'm sure that the spammers are perfectly well aware of their prevalent client community's need for discretion and security and are perfectly happy to cooperate in the matter. IOW, it might be just a little difficult to find where that no-prescription Viagra actually came from without an extensive and expensive investigation.

      Something tells me that the matter will start getting fixed only when there are enough objections to the content of much of this dreck for the politicians to decide that Something Must Be Done. Then Messrs Bush and Rumsfeld can start issuing warnings to certain East Asian countries to cease giving safe haven to open email relays and other Weapons of Mass Distraction.

  4. RFC-821 Re-Write Will Make It Manageable by zentec · · Score: 4, Interesting

    Back when the Internet was a nicer place, it made sense to allow anyone to send anyone mail through any system. Now that Internet access is much more common and the propensity of abuse on open systems, it's time to either bury RFC-821 or make it significantly more modern.

    No, the deluge of unsolicited garbage will continue regardless of what is done legislatively and with technology. I'm glad to see that people are finally waking up to the fact that more laws won't fix the spam problem. But technology can be used to make it harder for spammers to hide in their anonymous cloak.

    The processing of sending email needs an overhaul that gives system administrators the ability to determine the source of incoming mail and impart a "trust" level of the message. Messages coming from systems that have a high trust are tagged in the headers while those coming from systems that seem dubious or lack any sort of real credentials are tagged accordingly.

    No, it won't stop spam, but it'll allow people to simply deny access to systems and users that are a continued problem, forge credentials or email addresses.

  5. traceability, or sender-risks-paying? by bcrowell · · Score: 4, Interesting
    the answer is a total re-write of the SMTP specification and standard to allow accountability and traceability of email messages
    That's one approach. Another is sender-risks-paying.

    It seems to me that the problem with accountability/traceability is that it would probably require people to have a digital identity that pervades the whole internet. Well, how is this going to be implemented? The bearded-hacker community tried to implement a public key infrastructure, but it's been a huge failure, since it's never reached the critical mass where it would become useful to most people. (It's also way too hard to use.) The other well-known proposal is .NET. Do you really want a future where you have to have a .NET identity in order to send e-mail?

    And what about those times when you really do need to send anonymous e-mail? What about corporate whistleblowers? Political dissidents?

    I prefer the sender-risks-paying idea. There have been a lot of these proposals floating around, and yes, they've been discussed a lot on Slashdot before. No, they will not require your ISP to bill you for e-mail. No, they will not require non-spammers to pay any money at all. No, they need not involve any actual money to change hands (the currency could be based on CPU cycles, for example). There's nothing technically wrong with these proposals. The bearded-hacker community just needs to go ahead and implement one and start using it. Otherwise MS will implement it in a proprietary way (their Pennyblack project), and it will be another brick in the prison that keeps people locked into Windows/Office/Outlook.

  6. Why not make a 'Do not email list'? by biggestron · · Score: 2, Interesting

    Why wouldn't a nationwide 'do not email' list work?

    I would think this is even more feasible and enforceable than the 'do not call' list that people are trying to establish to combat telemarketers.

    Pass a law that unsolicited email sent to an address on the list is subject to a fine.

    If the spammers are sending out multi-thousands of emails, even a fine of $50 per complaint would soon put spammers out of business. The fine could be split between the 'spamee' and some agency to enforce the spam law. I would think that there are enough unemployed people with the skills to staff such an agency, given the state of the nation's economy.

    The spammers have to send contact information if they are trying to sell you something, thus there is an easy way to find who is responsible for the spam.

  7. Re:They needed three days to figure this out? by mcgroarty · · Score: 2, Interesting
    What's wrong with viewing the full headers and sending a mail to abuse@lastvaliddomain.com?

    What's wrong is that many major ISPs do zero about spammers, and the ones who do will usually end up zapping the guy with the open proxy or the poorly secured CGI mailback form, not the guys who actually cause the problems.

  8. the solutions are there by zogger · · Score: 2, Interesting

    --the solutions are there, just very few people want to be the first ones, and it has to come automagically installed out of the box. That's the bulk of the email users and recipients. They use what comes installed. They use mostly microsoft. Microsoft does not ship any email client that filters spam AFAIK. It doesn't ship an easy to use click here to generate a whitelist for recipients, that bounces everything else. There's your basic problem. Once again, those that made the most money by far ship the least common denominator product. When there was an opportunity to put the fear of bankruptcy into them, it failed. Their fine and punishment consisted of getting to advertise more, that was it basically. Spam (and mass viruses) will continue until a default microsoft OS installation is a lot more secure and has filtering qualities to it. That won't happen until they get tens of billions stripped from their corporate coffers, and a host of high level execs get some sort of jail terms, or at a minimum get banned from being "part" of microsoft. If the 800 lb gorilla can't do it, every single other machine on the planet could be filtered, firewalled, etc and it WON'T MATTER to the net in general. It is not all their problem, that's obviously true, but I'll say it's going to have to be mostly their solution, catch 22 there, doing all that makes them no money, just costs them money, they won't spend it, profits are king.

    I'd like to use email more, used to use it a lot. It's not useful enough to me any more to bother with it much. viruses and spam and drivel. 99% of the people I know use microsoft, they will NOT_not_send me html email, they consistently cc multiple recipients, they forward every lame joke and stupid rumor and scam, mostly I get drivel, maybe every 1 out of 20 is a legit email now. Spam and drivel, I give up. I glance at my email once a day, sometimes not even once in three days, it's just not useful any longer. I don't even maintain any sort of address book. I am reluctant to register for any new forums, or to go back to being on email lists. I have almost completely stopped buying anything off the net. I don't WANT any more email addys.

    Basically, just waiting for the mother of all viruses to knock out every microsoft machine on the net, then maybe things will get a tad better. I'm actually rooting for the microsoft killer virus to show up. Sooner the better, get it over with. It's a sucky attitude to have, but I have it now.

    I've seen here on slashdot all these advanced schemes and techniques, they all look good, many are over my technological head, but none of them seem outstanding or easy though. The problem everyone at the top levels of these conferences, etc, tippy toes around, it's microsoft brand "stuff" just makes the internet insecure. SPAM is just part of it. It just *does* because of the sheer bulk and bugginess, it's designed just...wrong. Close but no cigar but man has it cost people.

    Geeks and techs can make anything work well enough, even microsoft's stuff, that ISN'T the problem, people on this forum can deal with it using their favorite methods, the problem is there WON'T be a solution until something is done with the dang borg way of "doing" things.

  9. I don't get that much spam... by flamingdog · · Score: 2, Interesting

    You know, it's really not that big of a problem for me...

    I use Yahoo! mail, and they really do a great job of filtering spam. They have an option by every email to report it as spam, have it investigated, and then blacklisted if appropriate (delivered to spam folder, not deleted, just in case it's important in some way)

    In addition to their spam filters, you can create your own and they work pretty decent, too. I get about 100 spam mails a day, about 95 are filtered to my trashcan or spam folder, and only about 5 get through...I can deal with that.

    I don't see how spam makes any money any more...oh well.

  10. Whitelisting works for me by NetDanzr · · Score: 2, Interesting
    Disclaimer: I've been using this method for a few months now, but I've heard the term "whitelisting" to describe this method only yesterday on CNN Headline News. I don't take any credit for it.

    Anyway, here is how it works: Set up filters for people who you want to get messages from. I personally have several different mailboxes - for family, work, newsletters I subscribed to, etc. Everything else goes by default to the trash. Operating several Web sites, I needed to make sure that strangers can contact me, too, which is why I set up links to my e-mail to include a standard subject, and I set up a filter to look for those subjects. This way, I'm able to eliminate 99% of spam (the rest is a combination of viruses (virii?) and spams that spoof the sender's address to someone who's on my list). In turn, I lose less than 1% of messages that I'd actually want to receive. Considering that I was getting 50-70 spams per day and only 3-5 real e-mails, the numbers are on my side.
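
The whitelist-plus-subject-tag routing described in the comment above, as an added Python example that is not part of the original comment. The addresses, mailbox names and the `[site-contact]` tag are constructed assumptions; the samples include the two residual cases the comment names (a spoofed whitelisted sender, and a wanted message that gets lost).

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Assumed setup (constructed): trusted sender address -> mailbox
WHITELIST = {
    "mom@family.example": "family",
    "boss@work.example": "work",
    "digest@newsletter.example": "newsletters",
}
# Hypothetical fixed subject prefix placed in the web sites' mailto: links
CONTACT_TAG = "[site-contact]"


def route(raw_message: str) -> str:
    """Return the mailbox for one raw message; anything unmatched is trashed."""
    msg = message_from_string(raw_message)
    # parseaddr splits display name from address, so a whitelisted address
    # stuffed into the display name of another sender does not match.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in WHITELIST:
        return WHITELIST[sender]
    subject = (msg.get("Subject") or "").strip().lower()
    if subject.startswith(CONTACT_TAG):
        return "contact"
    return "trash"  # default-deny: everything else goes to the trash


def make(sender: str, subject: str) -> str:
    """Build a minimal constructed message for the samples below."""
    return f"From: {sender}\nSubject: {subject}\n\nbody\n"


# Constructed sample mail, one message per case
SAMPLES = {
    "known": make("Mom <MOM@family.example>", "dinner sunday"),
    "stranger": make("visitor@elsewhere.example", "[site-contact] broken link"),
    "spam": make("deals@bulk.example", "cheap pills"),
    "display_trick": make('"mom@family.example" <deals@bulk.example>', "hi"),
    # The From header is unauthenticated, so this spoof is delivered.
    "spoofed": make("mom@family.example", "cheap pills"),
    # A wanted message from an unlisted sender without the tag is lost.
    "lost": make("old.friend@elsewhere.example", "long time no see"),
}


def tally() -> Counter:
    """Count how the constructed samples are routed."""
    return Counter(route(m) for m in SAMPLES.values())


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} -> {route(raw)}")
```
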

  11. spamd by cdn-programmer · · Score: 2, Interesting

    I think spamd is the way to go. It's in the new release of OpenBSD. Of course - spammers will react very quickly and blackhole any OpenBSD protected site.

    But that is great for us - because we don't want to hear from them anyways.

    This is just part of the evolution of the net. A new species pops up and slowly takes over.

    Eventually uncompetitive experiments die out completely.

  12. This is crazy! by Anonymous Coward · · Score: 1, Interesting

    Hacking has been illegal and stereotypically 'bad' since like, the dawn of time. Did it ever stop them? Attaching a stigma to something by creating laws to 'prevent it' merely makes it more interesting, not less. We *need* a guaranteed technological 'solution' to spam promoted and agreed upon by *ALL* the big-guns, otherwise no amount of 'law' making will make it stop. This is all completely pointless until a technological solution can be provided for all. Learn from our past mistakes! History will prove this true. Whatever solution is found, you need to make it illegal to not implement it, otherwise it's again pointless.

  13. Forward Your Spam to the FTC by edibobb · · Score: 2, Interesting

    Forward your deceptive spam to the FTC at uce@ftc.gov. If we can up the numbers they get from thousands to millions, maybe they'll fix the problem.

    http://www.ftc.gov/opa/2002/02/eileenspam1.htm

  14. Re:scary by stesch · · Score: 2, Interesting
    Hopefully you know that it's not an entirely accurate view of American culture...

    The rest we learn by reading "Stupid White Men" and watching "Bowling for Columbine"

  15. DMA's opt-out response by WiredOni · · Score: 3, Interesting

    I am not surprised at the amount of laughter that DMA president H. Robert Wientzen caused by saying that commercial email should be opt-out. It is no wonder people hate the marketers' mentality that consumers should be forced to see their advertisements.

    Pretending for the moment that all the spam problems don't exist and ignoring their redefinition, can you imagine trying to opt-out of billions of email messages? Even if there were rules and they did honor opt-outs, they are still killing the usefulness of email by flooding you with crap that prevents you from getting your real messages.

    Then there is the fact that the DMA probably will not follow the rules or will have lots of holes when they make the rules. One example I can think of will be that they make it so they can just change the names of the "company" or have several "companies" and switch the "company" sending the email so they can re-send you the same emails.

    If companies really wanted to be ethical about this and have customers, they would not resort to ticking their potential customers off and they would use confirmed opt-in and not sell their customers' personal info (email, phone, street address, etc). It may be harder to get customers, but it is a lot better in the long run if you get and retain those customers that way than what you might get if you resort to spamming the hell out of them.

  16. Re:Spam Insurance by AndroidCat · · Score: 2, Interesting

    You mean, sort of like this incident?

    --
    One line blog. I hear that they're called Twitters now.
  17. Re:They needed three days to figure this out? by FyRE666 · · Score: 2, Interesting

    The messages can always be traced back to a source via the headers. The technology is there, but the political will to sue the asses off the miserable scum is not. The scumbags posting from DSL lines can be traced right back to their phone numbers since their ISP will (hopefully) know the account using the IP address, and presumably also the phone number used to dial in.

    If the RIAA can subpoena customer details for P2P filesharing, surely the government agencies can smoke out these spamming shitballs. For off-shore spam havens, just have ALL ISPs block them. Prevent known spammers from registering new netblocks, or being involved with a company that does this. Change the law so the Ralskys and other assorted human waste laughing in our faces as they get rich pushing filth into the 'net face prosecution and HUGE fines every time they go online.

    Either that, or we could just all chip in and hire a few hit-men to get rid of the source of the problems the old fashioned way ;-)

  18. intentionally bad spam by drDugan · · Score: 2, Interesting

    has anyone else noticed a stream of spam that appears to be forged in an attempt to get the highest spam scores possible?

    Over the last few (2-3) months, I've watched the maximum spamassassin scores for filtered messages rise steadily. It looks like people somewhere are actually trying to create spam that trips as many of the rules as possible. It's actually kind of funny -- scores like 45-55 are not uncommon.

    anyone else noticed this?

    1. Re:intentionally bad spam by silentbozo · · Score: 2, Interesting

      I've seen the exact opposite. For the last couple of months, I've seen an increasing number of spams that have forged features that generate negative scores - negative scores big enough to outweigh the "spamminess" of the rest of the message.

      Fortunately, although annoying, this problem is easy to fix. For any forged feature that gives a negative score (ie, PGP signature, PINE as client, etc.), just go to your user prefs and assign a score of 0 to it.

      I've already set the majority of the features that generate negative scores (out of the 12 or so that exist), and at this rate, all will be disabled within the next month or so.

      Problem solved. The next thing for me to do is to continue to fine tune the minimum score needed to trip the command to report the mail. I'm already down to 4.2 as the defining line, and I'm prepared to take it down to 4. I'll have to start whitelisting senders soon at this rate...

  19. Re:RFC-821 Re-Write is Not Needed by minas-beede · · Score: 2, Interesting

    "I'm wondering how long it will be before they start installing smarter software on the proxies."

    I think it's pretty damned smart already. I can't recall where but I read a description of Jeem on one of the anti-virus web sites - that is pretty sophisticated already. The downside I hope exists for the spammers is that this brings all the security people into the fight against spam - when the spammers crack into systems (by whatever pathway) they've really crossed a line.

    I advocate open relay and open proxy honeypots. The Jeem approach, if the Trojan Horse is sent by an email virus, is rich with honeypot possibilities. Once you know how the cracked proxies work (all the details) you can "phone home" to the master spammer system and tell him your honeypot now has the spam relay installed. Then he trusts it and sends it spam to deliver. The operator of the phony cracked system goes into full ROFL mode.

    (It would be interesting to see if the US DOJ would claim anyone doing this was intercepting communications. Very interesting, indeed. How will the DOJ find out someone is even doing this?)