Slashdot Mirror


Spam Meeting Wrap-up

wendigo2002 writes "Get used to that daily flood of e-mail come-ons, Viagra offers and lucrative enticements to invest in Nigerian pyramid schemes. Internet gurus, software designers and lawyers today ended a three-day Federal Trade Commission discussion on combating spam by concluding neither technology nor laws are yet capable of completely dealing with the plague."

22 of 188 comments

  1. Perhaps by Gonoff · · Score: 4, Funny

    they might work better if they got spammed every day? If we can persuade these guys to get hotmail addresses, they might understand better...

    --
    I'll see your Constitution and raise you a Queen.
    1. Re:Perhaps by Uber+Banker · · Score: 5, Insightful

      The summary said "neither technology nor laws are yet capable of completely dealing with the plague".

      The fact they discussed it means they recognise a problem. Technology or laws not yet capable of meeting it mean they now recognise a deficiency -- a deficiency needs a solution.

      I hope they can divert resources to creating this solution. They need to throw resources, legal and technological, and *WE* need to keep them aware (or indeed, make them more aware), so it doesn't slip down the government's priority list.

      As for your hotmail address, I suggest you ditch hotmail. I did five years ago, and that was not soon enough.

  2. Meeting results will be emailed out by Anonymous Coward · · Score: 5, Funny

    To over 40 million email addresses. If you don't wish to continue receiving these emails, you can follow the link at the bottom to unsubscribe.

  3. :Boots! by Anonymous Coward · · Score: 4, Funny

    Yay for meetings to determine that which you already know.

  4. Washington Post coverage by Kappelmeister · · Score: 4, Informative

    The Washington Post takes a slightly more sensationalist take on the "bare knuckle," "historic" forum.

  5. Re:They needed three days to figure this out? by Salgak1 · · Score: 4, Insightful

    The issue of spam is not an issue of free speech, it's an issue of theft of service and of fraud. And the answer is a total re-write of the SMTP specification and standard to allow accountability and traceability of email messages.

  6. You know . . . by DrMrLordX · · Score: 5, Interesting

    I wish all those who convene to discuss law-enforcement and/or regulatory initiatives were so honest about their future prospects for success. Can you imagine what the DEA would be like if someone back in the 50s or 60s had actually gotten together and said "you know, guys, we'll never stop the flow of drugs into the country, and it's only going to get worse". On the other hand, that might have made the problem worse.

    I still couldn't fault them for being honest, though.

  7. Way to go! by arvindn · · Score: 4, Insightful
    Rep. Zoe Lofgren, D-Calif., said this week she would seek federal legislation offering rewards for individuals who help track down spammers.

    Let's see more of those! I hope the reward applies irrespective of whether you bring in the spammers dead or alive :-)

  8. scary by Trailer+Trash · · Score: 4, Insightful

    ``We are now importing more spam from the United States,'' he joked. ``We are actually learning what American culture is through spam.''

    Hopefully you know that it's not an entirely accurate view of American culture...

  9. Federal law by Klaruz · · Score: 3, Interesting

    We need a federal law with some that lets you go after:

    1: The spammer themselves provided you can find them.
    AND/OR
    2: The entity in the US that the spam was sent on behalf of. If they're trying to sell you something, or scam you, even if they didn't send the mail, they're the root cause.

    and

    3: You should be able to opt-out of any entity you directly do business with. Opt-in for any of their partners. If I buy something from Amazon I can opt out of receiving their mail. Their partners can not send mail unless I specifically ask for it. If the company gets bought, the opt-in does not transfer, except for one email informing me of that.

    4: Here's the gray area; there needs to be some sort of failsafe. So for example, if I hate slashdot and I spam a million people telling them to buy a slashdot subscription. If the people who get the mail can't find me because I sent the mail from an open AP and bounced it off a server in Korea, slashdot gets screwed.

    Disclaimer:
    I am not a spam expert (I do know a bit)
    I am not a lawyer
    I am not a lawmaker

    Take with salt. Flame on.

  10. RFC-821 Re-Write Will Make It Manageable by zentec · · Score: 4, Interesting

    Back when the Internet was a nicer place, it made sense to allow anyone to send anyone mail through any system. Now that Internet access is much more common and the propensity of abuse on open systems, it's time to either bury RFC-821 or make it significantly more modern.

    No, the deluge of unsolicited garbage will continue regardless of what is done legislatively and with technology. I'm glad to see that people are finally waking-up to the fact that more laws won't fix the spam problem. But technology can be used to make it harder for spammers to hide in their anonymous cloak.

    The processing of sending email needs an overhaul that gives system administrators the ability to determine the source of incoming mail and impart a "trust" level of the message. Messages coming from systems that have a high trust are tagged in the headers while those coming from systems that seem dubious or lack any sort of real credentials are tagged accordingly.

    No, it won't stop spam, but it'll allow people to simply deny access to systems and users that are a continued problem, forge credentials or email addresses.

  11. traceability, or send-risks-paying? by bcrowell · · Score: 4, Interesting
    the answer is a total re-write of the SMTP specification and standard to allow accountability and traceability of email messages
    That's one approach. Another is sender-risks-paying.

    It seems to me that the problem with accountability/traceability is that it would probably require people to have a digital identity that pervades the whole internet. Well, how is this going to be implemented? The bearded-hacker community tried to implement a public key infrastructure, but it's been a huge failure, since it's never reached the critical mass where it would become useful to most people. (It's also way too hard to use.) The other well-known proposal is .NET. Do you really want a future where you have to have a .NET identity in order to send e-mail?

    And what about those times when you really do need to send anonymous e-mail? What about corporate whistleblowers? Political dissidents?

    I prefer the sender-risks-paying idea. There have been a lot of these proposals floating around, and yes, they've been discussed a lot on Slashdot before. No, they will not require your ISP to bill you for e-mail. No, they will not require non-spammers to pay any money at all. No, they need not involve any actual money to change hands (the currency could be based on CPU cycles, for example). There's nothing technically wrong with these proposals. The bearded-hacker community just needs to go ahead and implement one and start using it. Otherwise MS will implement it in a proprietary way (their Pennyblack project), and it will be another brick in the prison that keeps people locked into Windows/Office/Outlook.

  12. Spam Insurance by Detritus · · Score: 4, Funny

    I've always thought that this is a golden opportunity for La Cosa Nostra. They could sell spam protection insurance. Get spammed? Guido will pay the spammer a visit and "explain" how spamming is not conducive to a long and healthy life.

    --
    Mea navis aericumbens anguillis abundat
  13. Yeehaw by arakasi · · Score: 5, Funny


    Motohiro Tsuchiya, a communications professor with the International University of Japan, said Friday that about 80 percent of spam in Japan comes from outside the country and most of it is in English.

    ``We are now importing more spam from the United States,'' he joked.


    Yeah! Finally Japanese importation of at least one U.S. product exceeds their exportation! ;-P

  14. FOR IMMEDIATE RELEASE by rice_burners_suck · · Score: 4, Funny
    The Federal Trade Commission (NASDAQ: MSFT) today announced plans to increase the amount of SPAM mail, the digital blueprints for highly desired Internet content, sent annually to over 40 million addresses on the Internet. By leveraging innovative technologies, content providers streamline compelling enterprise solutions. The move is said to foster the development of new information technologies.

    "We are excited at the news to increase the amounts of this highly desirable content that we email every day," said Xing Dung Ho Chung, president of some organization in China that sends over 5 billion SPAM emails daily. "Our customers will be very pleased when download times increase proportionally with the desirable noise to undesirable signal ratio as we flood the Internet with our information, preventing undesirable signal from getting through."

    Hong Dong Chong Shlong commented, "Our goal is to reduce the Internet into a medium for advertising with no possibility of gaining any other use from it. Our long term plans include government lobbying to illegalize the information that people want while simultaneously forcing people to spend a minimum quota of time reading every word of SPAM and clicking on every full screen advertisement that comes up. Strategic partnerships with computer companies and additional legislation will force the consumer to purchase a new computer each day because the hard drive of yesterday's computer will break down with the wear and tear of yesterday's immeasurable amount of SPAM."

    SPAM companies also indicated plans to lobby for laws requiring the consumer to purchase every product and service advertised to them. The long term plan is to give huge multinational corporations an easy method to eternal, perpetually increasing profits with no benefit to the consumer. Humanity, except the shareholders of several enormous conglomerates, will be enslaved forever.

  15. Spam is dead by ajs · · Score: 4, Informative
    Get used to a mailbox full of ... whatever you want, including nothing.

    Spam tools are currently at the point that detection of spam is a near-certainty and the probabilities for false-positives (e.g. good mail getting called spam) are measured in the 0.00n-0.0n% range (that is n in 100,000 to n in 10,000) which can almost always be improved on locally by the user through various means that are anti-spam-tool independent.

    SpamAssassin is currently my tool of choice. It's very flexible, can be used with any UNIXish mailer and is just getting frighteningly better over time.

    SA's recent addition of Razor2, a Bayesian filter and improved handling of DNS blacklists (which SA weights so you can apply them without worrying about slicing large and useful parts of the Internet out of your field of view) have reduced many concerns that folks had before about active abuse of SA's rule-base in the past. The speed with which this system applies hundreds of tests to a message is also quite stunning, and a major boost to Perl's tacit reputation as a "slow" language.

    The biggest problem with SA right now is probably the inability to scale up to the mid-range ISPs and medium-sized business without SERIOUS hardware allocation due to the heavyweight nature of its testing. That's my personal mission for SA over the next year or so. My goal is to make SA a reasonable option for anyone that has to process orders of magnitude more mail than your average ISP (e.g. AOL).

    When the upcoming 2.54 comes out, I HIGHLY recommend checking it out. You can install SA on most UNIX-like systems, as long as they have Perl installed by typing (as root)
    perl -MCPAN -e shell
    following the configuration process if you have not done so for Perl before, and then typing
    install Mail::SpamAssassin
    After that it's just a matter of how you want to configure your MTA to talk to SA. I recommend using SA in "spamd" mode with sendmail and procmail. If you already use sendmail with procmail delivery, you just have to change your .procmailrc by adding rules to invoke SA, and there are good examples of that on the SA site. You can also use qmail (officially qmail doesn't support this kind of thing, but if you use the standard set of patches that most everyone has to apply, it's reported to work fine) and postfix (though postfix has some complexity when it comes to setting up any kind of uni-directional filtering).

    Good luck!
  16. Answer the question that lawmakers want by clovis · · Score: 5, Insightful

    Nothing will be done until someone answers the question that lawmakers always ask:

    What's in it for me?

    No matter what you present to a politician, no matter how good the cause or important the problem, laws get introduced and passed for only one reason, and that reason is that someone was able to answer that question.
    Sure, it's possible that the answer was "you'll advance your career if you save mankind with this bill", but that almost never happens. There's always a payoff somewhere, and what I can't figure out is a way to tell a Congressman what's the benefit to him for putting in the effort to fix the spam problem. And getting a bill passed is a hell of a lot of work.

    I say: "There's these people who make money by sending a deluge of annoying fraudulent emails that ..." All the politician hears is "There's these people who make money" and wonders "How can I get some of it?"

    If every spam victim donated a dollar to support congressmen (IE, campaign funding) to do something about spam, then it'll get done. I for one am ready to help.
    Just put your name at the bottom of the list, and send $5 to the person at the top of the list. Now send the list to five of your friends and soon, real soon, we'll have enough money to buy a whole session of Congress. This is completely legitimate, a lawyer looked it over, but you mustn't break the chain.

  17. Re:They needed three days to figure this out? by blake182 · · Score: 3, Insightful
    And the answer is a total re-write of the SMTP specification and standard to allow accountability and traceability of email messages

    I agree -- a completely backward compatible re-write of the SMTP specification, and getting people to deploy it is exactly what's needed.

    You see the problem with that statement, of course, don't you? Making it backward compatible and getting it deployed tend to be "the hard part". We already have transport-level authentication and privacy (through TLS), as well as application-level authentication and privacy (through S/MIME and OpenPGP). So how do you deploy those mechanisms in such a way that maintains compatibility, scales, and gets adopted by organizations?

    Short answers are fine, but there are people who have been examining these issues for years without significant progress. Partially because it's a hard problem, but partially because it's not clear that someone's willing to spend money on it.

  18. To stop spam? Two words. by MsWillow · · Score: 4, Insightful

    White list.

    If the *only* way for email to arrive in my mailbox was if it came from (or at least purported to come from) somebody on my list, I'd never see spam again. No need to bounce it, just delete it from the mail server, sight (and site :) ) unseen. Eventually, if everybody started doing this, spammers would see zero revenue, and the tide of spam would disappear.

    Anybody know of a Linux email app that does this all, deleting spam at the server but downloading wanted email? I'm all ears.

    --

    Lemon curry?
  19. DMA's opt-out response by WiredOni · · Score: 3, Interesting

    I am not surprised at the amount of laughter that DMA president H. Robert Wientzen caused by saying that commercial email should be opt-out. It is no wonder people hate the marketers' mentality that consumers should be forced to see their advertisements.

    Pretending for the moment that all the spam problems don't exist and ignoring their redefinition, can you imagine trying to opt-out of billions of email messages? Even if there were rules and they did honor opt-outs, they are still killing the usefulness of email by flooding you with crap that prevents you from getting your real messages.

    Then there is the fact that the DMA probably will not follow the rules or will have lots of holes when they make the rules. One example I can think of will be that they make it so they can just change the names of the "company" or have several "companies" and switch the "company" sending the email so they can re-send you the same emails.

    If companies really wanted to be ethical about this and have customers, they would not resort to ticking their potential customers off and they would use confirmed opt-in and not sell their customers' personal info (email, phone, street address, etc). It may be harder to get customers, but it is a lot better in the long run if you get and retain those customers that way than what you might get if you resort to spamming the hell out of them.

  20. RFC-821 Re-Write is Not Needed by minas-beede · · Score: 3, Insightful

    OK, it's time to start thinking in a different mode - what's been done so far isn't working well enough. Look at the facts: almost all relay email sent through open relays because they are open relays is spam. I mean something like 99.9999% of it - almost all. Most of the rest is spammer relay tests. Quality people don't go looking for open relays through which to send their email. Spammers do that. Take advantage of that knowledge. If only spammers use that pathway MINE that pathway. It's figurative mines, not real ones: prohibitions against deadtraps don't apply.

    Instead of continuing the three-years-long moan about all those clods who run open relays (I was once one of them myself) why not quit moaning and DO SOMETHING? Spammers send relay tests. DO SOMETHING that screws the spammer because of that. Report relay attempts to his ISP, accept and deliver the tests and send the spam to /dev/null - ACT. Make up your own way of dealing with them, but make it hurt them in some way, however small. Get any number at all doing something with the tests and those that merely accept the tests and ignore them will help strike fear in the spammers' hearts (the operator who does nothing knows he does nothing. The spammer has to worry that the operator does more.)

    Like, for instance, here's a relay test from today:

    Received: from adsl-65-70-89-125.dsl.tulsok.swbell.net by X.X.X;
    Sat, 3 May 03 12:04 CDT
    Message-Id:
    Date: Sat, 03 May 2003 12:01:44 -1700
    From: 0eik00ha7i95o4@starband.net
    Subject: hello
    To: timsmith777@connectfree.co.UK
    MIME-Version: 1.0
    Content-Type: text/plain; charset="Windows-1252"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 5.00.3018.1300
    X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300

    054053046055048046056 057046049050053058097 10011510804505405304505504804505605704504905005304 610011
    510804611611710811 511110704611511909810110810804611 0101116058049049048051058057058089101115

    (I had to break up the strings because of the Slashdot "lameness" filters.)

    It takes as close to no smarts at all to trap a test like this as is possible. DO IT.

    (By the way, I altered the string in the message-ID: that's where spammers who use this form of test encode the IP tested.) Similarly, they encode where the test originated in the body. It's decimal ascii: "048" encodes "0," etc.

    Don't want to do SMTP trapping? No problem - trap some spammer open proxy abuse. Maybe you'll learn his IP, even (the clown who sent the test above has been using the same IP since at least 11-Mar-2003.)

    I've been telling connectfree.co.uk about these test messages going to the spammer dropboxes in their space. I suggest that they simply divert email to the dropbox address so it goes someplace else. This is SOMETHING they can do that really screws the spammers. Until the spammers figure out the email is being diverted they discover no open relays if the email through those open relays to the dropbox doesn't get delivered.

    Isn't it about time people thought about what to do to stop these spammers? Is it so terribly hard to divert email to a known spammer dropbox address someplace else? Does that not conform to the TOS? CHANGE the TOS - quit waiting for someone else to solve spam and act. Worried about the US DOJ saying this is a crime? Hey, we're talking about a .co.uk location - US law doesn't reach that far. DO IT.

    Read my post again. See anything that says action must wait for a change in the SMTP protocol? NO. See anything that says the little guy with a DSL or cable connection can't take part? NO. ISPs could do even better - think about what the ISP with hundreds of abused open proxies could do if it intercepted the proxy connections made by the spammers.

    This does nothing to stop direct spam. There, blocklists work like a charm. This does an awful lot to stop abuse-path spam (non-direct spam.) DO IT.

    Or continue to moan. One path has better results - see if you can tell which.
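
The trap described in the post above, as an added example that is not part of the original post or of any tool it mentions: a Python check that recognizes a message body made up only of three-digit decimal ASCII groups, decodes it, and accepts it as a relay test only if the decoded text starts with an IPv4 address. The function names are made up here, and the fields after the address are returned uninterpreted because the post does not say what they mean.

```python
import ipaddress
import re
from email import message_from_string

# Body of the relay test quoted in the post, including the spaces the
# poster inserted to get past the comment filter.
SAMPLE_BODY = (
    "054053046055048046056 057046049050053058097 "
    "10011510804505405304505504804505605704504905005304 610011\n"
    "510804611611710811 511110704611511909810110810804611 "
    "0101116058049049048051058057058089101115"
)

# Constructed message: a few headers copied from the post, body as above.
SAMPLE_MESSAGE = (
    "From: 0eik00ha7i95o4@starband.net\n"
    "Subject: hello\n"
    "To: timsmith777@connectfree.co.UK\n"
    "\n" + SAMPLE_BODY + "\n"
)

# Constructed ordinary message, for contrast.
ORDINARY = "From: a@example.org\nSubject: lunch\n\nNoon on 12 05 2003?\n"


def decode_decimal_ascii(text):
    """Decode 3-digit decimal ASCII groups; None if text is not in that form."""
    digits = re.sub(r"\s+", "", text)          # tolerate inserted whitespace
    if not re.fullmatch(r"(?:[0-9]{3})+", digits):
        return None
    codes = [int(digits[i:i + 3]) for i in range(0, len(digits), 3)]
    if any(c < 32 or c > 126 for c in codes):  # printable ASCII only
        return None
    return "".join(map(chr, codes))


def classify_relay_probe(raw_message):
    """Return decoded fields if the body looks like an encoded relay test."""
    msg = message_from_string(raw_message)
    if msg.is_multipart():
        return None
    decoded = decode_decimal_ascii(msg.get_payload())
    if decoded is None:
        return None
    fields = decoded.split(":")
    try:
        ip = ipaddress.IPv4Address(fields[0])  # first field must be an IPv4 address
    except ValueError:
        return None
    return {"ip": str(ip), "fields": fields[1:]}


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MESSAGE), ("ordinary", ORDINARY)):
        hit = classify_relay_probe(raw)
        print(name, "->", hit if hit else "not a relay test")
```
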

  21. whitelists mean the spammers have won. by Schlemphfer · · Score: 3, Insightful
    Eventually, if everybody started doing this, spammers would see zero revenue, and the tide of spam would disappear.

    The trouble is that comparatively few people are savvy enough to switch to whitelist email systems. And it only takes a small percentage of internet users who don't block spam, and who order occasionally from spam, to keep the spam problem a growing nightmare for the rest of us. I think it's unrealistic to suggest that whitelists can solve the spam problem, since there's no way to argue they'll be adopted widely enough to keep huge amounts of spam from reaching people.

    And another thing. I want random people to be able to contact me, for whatever reason. What I don't want is to be contacted by automated email systems for purposes of marketing. In my mind, whitelists prevent the latter, but they also prevent or seriously inconvenience the former. And to me, that's unacceptable. I personally rely on Mozilla filters, which rid me of about 97% of my spam, while allowing the email of random people who need to contact me to (usually) get through.

    --
    I'm generally "Interesting," "Insightful," and even "Funny" here. What the hell happens to me at parties?