Slashdot Mirror
Spam Meeting Wrap-up
wendigo2002 writes "Get used to that daily flood of e-mail come-ons, Viagra offers and lucrative enticements to invest in Nigerian pyramid schemes. Internet gurus, software designers and lawyers today ended a three-day Federal Trade Commission discussion on combating spam by concluding neither technology nor laws are yet capable of completely dealing with the plague."
they might work better if they got spammed every day? If we can persuade these guys to get hotmail addresses, they might understand better...
I'll see your Constitution and raise you a Queen.
To over 40 million email addresses. If you don't wish to continue recieving these emails, you can follow the link at the bottom to unsubscribe.
Yay for meetings to determine that which you already know.
Public executions always sounded effective to me.
...but SpamAssassin in combination with Razor and Distributed Checksum Clearinghouse works quite well on most mail servers I've seen.
The Washington Post takes a slightly more sensationalist take on the "bare knuckle," "historic" forum.
The issue of spam is not an issue of free speech, its' an issue of theft of service and of fraud. And the answer is a total re-write of the SMTP specification and standard to allow accountability and traceability of email messages
I wish all those who convene to discuss law-enforcement and/or regulatory initiatives were so honest about their future prospects for success. Can you imagine what the DEA would be like if someone back in the 50s or 60s had actually gotten together and said "you know, guys, we'll never stop the flow of drugs into the country, and it's only going to get worse". On the other hand, that might have made the problem worse.
I still couldn't fault them for being honest, though.
Lets see more of those! I hope the reward applies irrespective of whether you bring in the spammers dead or alive :-)
``We are now importing more spam from the United States,'' he joked. ``We are actually learning what American culture is through spam.''
Hopefully you know that it's not an entirely accurate view of American culture...
Do you have ESP?
Nothing. Unless lastvaliddomain.com is actually owned by the spammer, in which case they get a live email address to play with. Spammers love live email addresses. Unless you forge your headers so they can't tell where it's coming from.
-Sara
We need a federal law with some that lets you go after:
1: The spammer themselves provided you can find them.
AND/OR
2: The entity in the US that the spam was sent on behalf of. If they're trying to sell you something, or scam you, even if they didn't send the mail, they're the root cause.
and
3: You should be able to opt-out of any entity you directly do business with. Opt-in for any of their parters. If I buy something from Amazon I can opt out of recieving their mail. Their partners can not send mail unless I specificly ask for it. If the company gets bought, the opt-in does not transfer, except for one email informing me of that.
4: Here's the gray area; there needs to be some sort of failsafe. So for example, if I hate slashdot and I spam a million people telling them to buy a slashdot subscription. If the people who get the mail can't find me because I sent the mail from an open AP and bounced it off a server in Korea, slashdot gets screwed.
Disclaimer:
I am not a spam expert (I do know a bit)
I am not a lawyer
I am not a lawmaker
Take with salt. Flame on.
Back when the Internet was a nicer place, it made sense to allow anyone to send anyone mail through any system. Now that Internet access is much more common and the propensity of abuse on open systems, it's time to either bury RFC-821 or make it significantly more modern.
No, the deluge of unsolicited garbage will continue regardless of what is done legislatively and with technology. I'm glad to see that people are finally waking-up to the fact that more laws won't fix the spam problem. But technology can be used to make it harder for spammers to hide in their anonymous cloak.
The processing of sending email needs an overhaul that gives system administrators the ability to determine the source of incoming mail and impart a "trust" level of the message. Messages coming from systems that have a high trust are tagged in the headers while those coming from systems that seem dubious or lack any sort of real credentials are tagged accordingly.
No, it won't stop spam, but it'll allow people to simply deny access to systems and users that are a continued problem, forge credentials or email addresses.
That's one approach. Another is sender-risks-paying.
It seems to me that the problem with accountability/traceability is that it would probably require people to have a digital identity that pervades the whole internet. Well, how is this going to be implemented? The bearded-hacker community tried to implement a public key infrastructure, but it's been a huge failure, since it's never reached the critical mass where it would become useful to most people. (It's also way too hard to use.) The other well-known proposal is .NET. Do you really want a future where you have to have a .NET identity in order to send e-mail?
And what about those times when you really do need to send anonymous e-mail? What about corporate whistleblowers? Political dissidents?
I prefer the sender-risks-paying idea. There have been a lot of these proposals floating around, and yes, they've been discussed a lot on Slashdot before. No, they will not require your ISP to bill you for e-mail. No, they will not require non-spammers to pay any money at all. No, they need not involve any actual money to change hands (the currency could be based on CPU cycles, for example). There's nothing technically wrong with these proposals. The bearded-hacker community just needs to go ahead and implement one and start using it. Otherwise MS will implement it in a proprietary way (their Pennyblack project), and it will be another brick in the prison that keeps people locked into Windows/Office/Outlook.
Find free books.
I've always thought that this is a golden opportunity for La Cosa Nostra. They could sell spam protection insurance. Get spammed? Guido will pay the spammer a visit and "explain" how spamming is not conducive to a long and healthy life.
Mea navis aericumbens anguillis abundat
Why wouldn't a nationwide 'do not email' list work?
I would think this is even more feasible and enforceable than the 'do not call' list that people are trying to establish to combat telemarketers.
Pass a law that unsolicited email sent to an address on the list is subject to a fine.
If the spammers are sending out multi-thousands of emails, even a fine of $50 per complaint would soon put spammers out of business. The fine could be split between the 'spamee' and some agency to enforce the spam law. I would think that there are enough unemployed people with the skills to staff such an agency, given the state of the nation's economy.
The spammers have to send contact information if they are trying to sell you something, thus there is an easy way to find who is responsible for the spam.
Motohiro Tsuchiya, a communications professor with the International University of Japan, said Friday that about 80 percent of spam in Japan comes from outside the country and most of it is in English.
``We are now importing more spam from the United States,'' he joked.
Yeah! Finally Japanese importation of at least one U.S. product exceeds their exportation!
What's wrong is that many major ISPs do zero about spammers, and the ones who do will usually end up zapping the guy with the open proxy or the poorly secured CGI mailback form, not the guys who actually cause the problems.
"We are excited at the news to increase the amounts of this highly desirable content that we email every day," said Xing Dung Ho Chung, president of some organization in China that sends over 5 billion SPAM emails daily. "Our customers will be very pleased when download times increase proportionally with the desirable noise to undesirable signal ratio as we flood the Internet with our information, preventing undesirable signal from getting through."
Hong Dong Chong Shlong commented, "Our goal is to reduce the Internet into a medium for advertising with no possibility of gaining any other use from it. Our long term plans include government lobbying to illegalize the information that people want while simultaneously forcing people to spend a minimum quota of time reading every word of SPAM and clicking on every full screen advertisement that comes up. Strategic partnerships with computer companies and additional legislation will force the consumer to purchase a new computer each day because the hard drive of yesterday's computer will break down with the wear and tear of yesterday's immeasurable amount of SPAM."
SPAM companies also indicated plans to lobby for laws requiring the consumer to purchase every product and service advertised to them. The long term plan is to give huge multinational corporations an easy method to eternal, perpetually increasing profits with no benefit to the consumer. Humanity, except the shareholders of several enormous conglomerates, will be enslaved forever.
It seems that folks in DC can get things done...when they want to.
--the solutions are there, just very few people want to be the first ones, and it has to come automagically installed out of the box. That's the bulk of the email users and receipients. They use what comes installed. They use mostly microsoft. Microsoft does not ship any email client that filters spam AFAIK. It doesn't ship an easy to use click here to generate a whitelist for receipients, that bounces everything else. There's your basic problem. Once again, those that made the most money by far ship the least common denominator product. When there was an opportunity to put the fear of bankruptcy into them, it failed. Their fine and punishment consisted of getting to advertise more, that was it basically. Spam (and mass viruses) will continue until a default microsoft OS installation is a lot more secure and has filtering qualities to it. That won't happen until they get tens of billions stripped from their corporate coffers, and a host of high level execs get some sort of jail terms, or at a minimum get banned from being "part" of microsoft. If the 800 lb gorilla can't do it, every single other machine on the planet could be filtered, firewalled, etc and it WON'T MATTER to the net in general. It is not all their problem, that's obviously true, but I'll say it's going to be have to be mostly their solution, catch 22 there, doing all that makes them no money, just costs them money, they won't spend it, profits are king.
I'd like to use email more, used to use it a lot. It's not useful enough to me any more to bother with it much. viruses and spam and drivel. 99% of the people I know use microsoft, they will NOT_not_send me html email, they consistently cc multiple recipients, they forward every lame joke and stupid rumor and scam, mostly I get drivel, maybe every 1 out of 20 is a legit email now. Spam and drivel, I give up. I glance at my email once a day, sometimes not even once in three days, it's just not useful any longer. I don'teven maintain any sort of address book. I am reluctant to register for any new forums, or to go back to being on email lists. I have almost completely stopped buying anything off the net. I don't WANT any more email addys.
Basically, just waiting for the mother of all viruses to knock out every microsoft machine on the net, then maybe things will get a tad better. I'm actually rooting for the microsoft killer virus to show up. Sooner the better, get it over with. It's a sucky attitude to have, but I have it now.
I've seen here on slashdot all these advanced schemes and techniques,they all look good,many are over my technological head,but none of them seem outstanding or easy though. The problem everyone at the top levels of these conferences, etc, tippy toes around, it's microsoft brand "stuff" just makes the internet insecure. SPAM is just part of it. It just *does* because of the sheer bulk and bugginess, it's designed just...wrong. Close but no cigar but man has it cost people.
Geeks and techs can make anything work well enough,even microsofts stuff, that ISN'T the problem,people on this forum can deal with it using their favorite methods, the problem is there WON'T be a solution until something is done with the dang borg way of "doing" things.
Spam tools are currently at the point tht detection of spam is a near-certainty and the probabilities for false-positives (e.g. good mail getting called spam) are measured in the 0.00n-0.0n% range (that is n in 100,000 to n in 10,000) which can almost always be improved on locally by the user through various means that are anti-spam-tool independant.
SpamAssassin is currently my tool of choice. It's very flexible, can be used with any UNIXish mailer and is just getting frighteningly better over time.
SA's recent addition of Razor2, a Bayesian filter and improved handling DNS blacklists (which SA weights so you can apply them withour worrying about slicing large and useful parts of the Internet out of your field of view) have reduced many concerns that folks had before about active abuse of SA's rule-base in the past. The speed with which this system applies hundreds of tests to a message is also quite stunning, and a major boost to Perl's tacit reputation as a "slow" language.
The biggest problem with SA right now is probably the inability to scale up to the mid-range ISPs and medium-sized business without SERIOUS harware allocation due to the heavyweight neature of its testing. That's my personal mission for SA over the next year or so. My goal is to make SA a reasonable option for anyone that has to process orders of magnitude more mail than your average ISP (e.g. AOL).
When the upcoming 2.54 comes out, I HIGHLY recommend checking it out. You can install SA on most UNIX-like systems, as long as they have Perl installed by typing (as root)following the configuration process if you have not done so for Perl before, and then typingAfter that it's just a matter of how you want to configure your MTA to talk to SA. I recommend using SA in "spamd" mode with sendmail and procmail. If you already use sendmail with procmail delivery, you just have to change your
Good luck!
Nothing will be done until someone answers the question that lawmakers always ask:
..." All the politician hears is "There's these people who make money" and wonders "How can I get some of it?"
What's in it for me?
No matter what you present to a politician, no matter how good the cause or important the problem, laws get introduced and passed for only one reason, and that reason is that someone was able to answer that question.
Sure, it's possible that the answer was "you'll advance your career if you save mankind with this bill", but that almost never happens. There's always a payoff somewhere, and what I can't figure out is a way to tell a Congressman what's the benefit to him for putting in the effort to fix the spam problem. And getting a bill passed is a hell of a lot of work.
I say: "There's these people who make money by sending a deluge of annoying fradulent emails
that
If every spam victim donated a dollar to support congressmen (IE, campaign funding) to do something about spam, then it'll get done. I for one am ready to help.
Just put your name at the bottom of the list, and send $5 to the person at the top of the list. Now send the list to five of your friends and soon, real soon, we'll have enough money to buy a whole session of Congress. This is completely legitimate, a lawyer looked it over, but you mustn't break the chain.
You know, it's really not that big of a problem for me...
I use Yahoo! mail, and they really do a great job of filtering spam. They have an option by every email to report it as spam, have it investigated, and then blacklisted if appropriate (delivered to spam folder, not deleted, just in case it's important in some way)
In addition to their spam filters, you can create your own and they work pretty decent, too. I get about 100 spam mails a day, about 95 are filtered to my trashcan or spam folder, and only about 5 get through...I can deal with that.
I don't see how spam makes any money any more...oh well.
---------------------------
POPFile Bayesian filtering (works on multiple OSes)
Postfix w/experimental reject_unverified_sender
reject_unverified_sender works like this:
Add sbl.spamhaus.org and list.dsbl.org RBLs (very, very low false positives), and watch the spam disappear.
Never meant half of the things I said to you. So you know, there's a half that might be true - G. Phillips
I agree -- a completely backward compatible re-write of the SMTP specification, and getting people to deploy it is exactly what's needed.
You see the problem with that statement, of course, don't you? Making it backward compatible and getting it deployed tend to be "the hard part". We already have transport-level authentication and privacy (through TLS), as well as application-level authentication and privacy (through S/MIME and OpenPGP). So how do you deploy those mechanisms in such a way that maintains compatibility, scales, and gets adopted by organizations?
Short answers are fine, but there are people who have been examining these issues for years without significant progress. Partially because it's a hard problem, but partially because it's not clear that someone's willing to spend money on it.
I have two different issues with spam:
One, my email address that i use for almost everything for the past 4 years only recieves 1 or 2 spam a day. The address i used for 3 months recieves 100-150 spams a day, it is impossible to use that address for anything..
Now i use two email addresses, one for things like MSN and registering to forums and websites that goto a drop box and then my main address that i only give out to people these days.. its useful, even behind the current spam filters we have on the mail server it gets 8-10 spams a day.
I've left to find myself. If you happen to see me, please, keep me there until I return.
White list.
:) ) unseen. Eventually, if everybody started doing this, spammers would see zero revenue, and the tide of spam would disappear.
If the *only* way for email to arrive in my mailbox was if it came from (or at least purported to come from) somebody on my list, I'd never see spam again. No need to bounce it, just delete it from the mail server, sight (and site
Anybody know of a Linux email app that does this all, deleting spam at the server but downloading wanted email? I'm all ears.
Lemon curry?
Anyway, here is how it works: Set up filters for people who you want to get messages from. I personally have several different mailboxes - for family, work, newsletters I subscribed to, etc. Everything else goes by default to the trash. Operating several Web sites, I needed to make sure that strangers can contact me, too, which is shy I set up links to my e-mail to include a standard subject, and I set up a filter to look for those subjects. This way, I'm able to eliminate 99% of spam (the rest is a combination of viruses (virii?) and spams the spoof the sender's address to someone who's on my list. In turn, I lose less than 1% of messages that I'd actually want to receive. Considering that I was getting 50-70 spams per day and only 3-5 real e-mails, the numbers are on my side.
neither technology nor laws are yet capable of completely dealing with the plague.
Um, of course they're not. If they were, the problem wouldn't exist.
That's why we develop new ones.
The coolest voice ever.
Unfortunately there is money to be made sending spam.
ISPs make money from spam. Some internet users, like those using Aol, MSN, and other tricked out ISPs,
have not got the brains to read anthing in depth anyway so they need to have flash, groovy pics, colored text etc to have the computer work.
These types of users GO to the URLs that pop up in spam and could'nt use a real email program if they knew what it was in the first place. The only thing they do with the computer is use IE or AOL to tell them where and what to veiw on the net.
The problem with spam is the same problem with paper flyers and junk mail, unfortunately they work!
OH THE SHAME I fell off the wagon and use sigs again!
I think spamd is the way to go. Its in the new release of OpenBSD. Of course - spammers will react very quickly and blackhole any OpenBSD protected site.
But that is great for us - because we don't want to hear from them anyways.
This is just part of the evolution of the net. A new species pops up and slowly takes over.
Eventually uncompetative experiments die out completely.
I've been using Spamassassin along with the Razor and DCC plugins and it works very well, 99% of the spam that enters my Inbox is clearly labeled as such. However, does anyone know of a piece of software that will automatically add the IP address of the mail server that sent the spam to my sendmail access.db reject list? If there isn't such a thing, already, I could probably write one myself, but I don't want to go through the effort if it's already been done.
--It's Pimptastic!--
Forward your deceptive spam to the FTC at uce@ftc.gov. If we can up the numbers they get from thousands to millions, maybe they'll fix the problem.
http://www.ftc.gov/opa/2002/02/eileenspam1.htm
I am not surprised at the amount of laughter that DMA president H. Robert Wientzen caused by saying that commercial email should be opt-out. It is no wonder people hate the marketers mentality that consumers should be force to see their advertisements.
Pretending for the moment that all the spam problems don't exist and ignoring their redefinition, can you imagine trying to opt-out of billions of email messages? Even if there was rules and they did honor opt-outs, they are still killing the usefulness of email by flooding you with crap that prevents you from getting you real messages.
Then there is the fact that the DMA they probably will not follow the rules or will have lots of holes when they make the rules. One example I can think of will be that they make it so they can just change the names of the "company" or have several "companies" and switch the "company" sending the email so they can re-send you the same emails.
If companies really wanted to be ethical about this and have customers, they would not resort to ticking their potential customers off and they would use confirmed opt-in and not sell their customers personal info (email, phone, street address, etc). It may be harder to get customers, but it is a lot better in the long run if you are get and retain those customers that way then what you might get if you resort to spamming the hell out of them.
The messages can always be traced back to a source via the headers. The technology is there, but the political will to sue the asses off the miserable scum is not. The scumbags posting from DSL lines can be traced right back to their phone numbers since their ISP will (hopefully) know the account using the IP address, and presumably also the phone number used to dial in.
;-)
If the RIAA can subpeona customer details for P2P filesharing, surely the government agencies can smoke out these spamming shitballs. For off-shore spam havens, just have ALL ISPs block them. Prevent known spammers from registering new netblocks, or being involved with a company that does this. Change the law so the Ralsky's and other assorted human waste laughing in our faces as they get rich pushing filth into the 'net face prosecution and HUGE fines every time they go online.
Either that, or we could just all chip in and hire a few hit-men to get rid of the source of the problems the old fashioned way
Code, Hardware, stuff like that.
OK, it's time to start thinking in a different mode - what's been done so far isn't working well enough. Look at the facts: almost all relay email sent through open relays because they are open relays is spam. I mean something like 99.9999% of it - almost all. Most of the rest is spammer relay tests. Quality people don't looking for open relays through which to send their email. Spammers do that. Take advantage of that knowledge. If only spammers use that pathway MINE that pathway. It's figurative mines, not real ones: prohibitions against deadtraps don't apply.
/dev/null - ACT. Make up your own way of dealing with them, but make it hurt them in some way, however small. Get any number at all doing something with the tests and those that merely accept the tests and ignore them will help strike fear in the spammers hearts (the operator who does nothing knows he does nothing. The spammer has to worry that the operator does more.)
: 7bit
4 610011
.co.uk location - US law doesn't reach that far. DO IT.
Instead of continuing the three-years-long moan about all those clods who run open relays (I was once one of them myself) why not quit moaning and DO SOMETHING? Spammers send relay tests. DO SOMETHING that screws the spammer because of that. Report relay attempts to his ISP, accept and deliver the tests and send the spam to
Like, for instance, here's a relay test from today:
Received: from adsl-65-70-89-125.dsl.tulsok.swbell.net by X.X.X;
Sat, 3 May 03 12:04 CDT
Message-Id:
Date: Sat, 03 May 2003 12:01:44 -1700
From: 0eik00ha7i95o4@starband.net
Subject: hello
To: timsmith777@connectfree.co.UK
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.3018.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
054053046055048046056 057046049050053058097 1001151080450540530450550480450560570450490500530
510804611611710811 511110704611511909810110810804611 0101116058049049048051058057058089101115
(I had to beeak up the strings becuase of the Slashdot "lameness" filters.)
It takes as close to no smarts at all to trap a test like this as is possible. DO IT.
(By the way, I altered the string in the message-ID: that's where spammers who use this form of test encode the IP tested.) Similarly, they encode where the test originated in the body. It's decimal ascii: "048" encodes "0," etc.
Don't want to do SMTP trapping? No problem - trap some spammer open proxy abuse. MAybe you'll learn his IP, even (the clown who sent the test above has been using the same IP since at least 11-Mar-2003.)
I've been telling connectfree.co.uk about these test messages going to the spammer dropboxes in their space. I suggest that they simply divert email to the dropbox address so it goes someplace else. This is SOMETHING they can do that really screws the spammers. Until the spammers figure out the email is being diverted they discover no open relays if the email through those open relays to the dropbox doesn't get delivered.
Isn't it about time people though about what to do to stop these spammers? Is it so terribly hard to divert email to a known spammer dropbox address someplace else? Does that not conform to the TOS? CHANGE the TOS - quit waiting for someone else to solve spam and act. Worried about the US DOJ saying this is a crime? Hey, we're talking about a
Read my post again. See anything that says action must wait for a change in the SMTP protocol? NO. See anything that says the little guy with a DSL or cable connection can't take part? NO. ISPs could do even better - think about what the ISP with hundreds of abused open proxies could do if it intercepted the proxy connections made by the spammers.
This does nothing to stop direct spam. There blocklists work like a charm. This does an awful lot to sop abuse-path spam (non-direct spam.) DO IT.
Or continue to moan. One path has better results - see if you can tell which.
The trouble is that comparatively few people are savvy enough to switch to whitelist email systems. And it only takes a small percentage of internet users who don't block spam, and who order occasionally from spam, to keep the spam problem a growing nightmare for the rest of us. I think it's unrealistic to suggest that whitelists can solve the spam problem, since there's no way to argue they'll be adopted widely enough to keep huge amounts of spam from reaching people.
And another thing. I want random people to be able to contact me, for whatever reason. What I don't want is to be contacted by automated email systems for purposes of marketing. In my mind, whitelists prevent the latter, but they also prevent or seriously inconvenience the former. And to me, that's unacceptable. I presonally rely on Mozilla filters, which rid me of about 97% of my spam, while allowing the email of random people who need to contact me to (usually) get through.
I'm generally "Interesting," "Insightful," and even "Funny" here. What the hell happens to me at parties?
has anyone else noticed a stream of spam that appears to be forged in an attempt to get the highest spam scores possible?
Over the last few (2-3) months, I've watched the maximum spamassassin scores for filtered mesages -- rise steadily. it looks like people somewhere are actually trying to create spam that trips as many of the rules as possible. Its actually kind of funny -- scores like 45-55 are not uncommon.
anyone else noticed this?
Who the fuck do you think configures existing blackholes? The US government? Aliens? No, it's individual site administrators. They may choose to run with an unaltered public blacklist, but that's not inherent in the blacklist paradigm.
Female Prison Rape in NY