Slashdot Mirror
The Anti-Spam Research Group's Plan for Spam
egoff writes "Speaking of standards, the ASRG, a member of the IETF, has a plan for "consent-based communications." Among the suggestions, according to Internet Week, are authentication services for falsified addresses, trusted senders, reputation systems (karma?), opt-out tools, best practices for challenge/response, and even a proposal for micropayments on unwanted mail. Instead of defining spam, the ASRG wants to provide administrators and users the tools necessary to avoid what they consider to be unwanted. One of the tools, Reverse MX, is expected to be in place in several months. It would allow the receiving mail server to query a domain to determine if the sending server is allowed to send on its behalf."
"One of the tools, Reverse MX, is expected to be in place in several months. It would allow the receiving mail server to query a domain to determine if the sending server is allowed to send on its behalf."
This would more or less force spammers to send from their own domains... Or from ISP's that are spam friendly.
It might not STOP spam (though blacklisting would be easier), but it'd make it traceable...
Which would make it easier to file complaints under the anti spam laws.
Corporatism != Free Market
1. They were about things I gave a damn about
2. They were marked (like ADV:) for easy filtering
What bothers me about spam are the violations of those two. I don't want emails about printer toner, or bigger schlongs. And I don't like having ads clutter up my inbox, where email from people I know and such belongs.
But if I could filter it all into an "Ads" mailbox, just like I have mailboxes for various mailing lists, I would scan the offers about stuff I might actually want. I'd be much more inclined to "click through" then, while my all-time number of click-throughs of spam email to date totals 0.
I like the idea; the problem is getting uptake on it. You need to encourage a lot of people. The way to do this is to get the "big" ISPs in on the scheme immediately. Participants should alter their mail transfer programs to tag the SUBJECT line of the messages with the word Untrusted. This will cause receivers to know, and significant embarrassment for those not participating...which will cause their mail system to be upgraded to participating status.
Unless the bad effects of not participating are directly visible (as in subject line), it's gonna take too long.
Spam is now the enemy. It must be destroyed. Here comes the IETF to solve the problem.
SMTP Next Generation is on its way. The only question is the exact design. The general outline is already known. First, there will be real-world verification of identity tied to every account capable of sending SMTP NG e-mail. There will be a transition period where people can sign up for "upgraded" (NG) e-mail accounts; then, a period where these "upgraded" accounts can receive e-mail from other NG accounts as well as from old, potentially anonymous accounts. Business and government users will transition to NG.
Then, there will be an Internet-wide deadline, upon which all NG e-mail addresses will be unable to receive e-mail except from other NG addresses. All SMTP old generation traffic will be blocked. The old base of mail users will be forced to transition to SMTP NG. At this point, if there is ever a complaint about spam, the spammer can be tracked down and booted off Internet e-mail forever. As a result, spam will cease to exist.
The day the Internet died. Sure, it will be more "efficient" then. No spam. But it won't be free.
Don't cry about it. It happens to all technology. Those who need anonymous communications will just move to something else. Maybe web-based discussion, for example. Just no more truly private, truly anonymous, or truly free e-mail.
Coming soon to your neighborhood.
Spam is simply not profitable enough to last much longer. It is the last of a dying breed of pioneering Internet money-making schemes like the pyramid scheme emails and banner ads. Eventually the spammers will move on to other means of money making because their revenue is guaranteed to drop off as their tactics turn more and more people off.
Instead of fighting the good fight here, the best thing to do is let this dying ember peter out on its own. Forcing spammers to use more drastic tactics just results in them doing more harm in the long run. If there had been no resistance at all, we'd probably be seeing a much more mature and respectable online advertising industry instead of the random, haphazard, and very annoying multitude of spam king wannabes downloading their spam kits and setting up shop.
I have been pwned because my
Here's your fly in the soup:
/me sees domains like a cat walking on your keyboard being used as throw-away domain for spamming. (lkjshret.com IN RMX 0/0)
It only works when receiving mail with an forged and uncooperative sender-address. Nothing will prevent a spammer listing 0.0.0.0/0 as authorized sender addresses provided he controls the DNS for the envelope-sender.
It will increase the cost of a spam-run, and that's good news. On second thought: I like it.
According to the linked draft, this is supposed to be a "protection against e-mail fraud, especially spam". No mention is made of legitimate uses that are also killed.
When I travel abroad, I send e-mail with my own home e-mail address as the sender through the foreign ISP's SMTP server (and collect mail with POP3 from my home ISP as usual). This has several advantages such as not needing another e-mail account and still being able to post to mailing lists. This plan will lump that in with "fraud" and make it impossible. With whitelisting on private e-mail becoming more and more common, this will be even more of an issue.
If the spammers do not make e-mail as we know it unusable, trust clueless antispammers to do that job more thoroughly.
(Another sign of their cluelessness in that draft is their statement that "spam is not yet exactly defined". The definition is, and always has been, unsolicited bulk e-mail. You can't get more exact than that.)
But here's the fun part: As a recipient, each user sets up their account with a "deposit price" for bypassing the whitelist. You can set that price to any amount in your currency of choice. As a sender, you can set the maximum amount that you're willing to pay, so that you don't suddenly get billed/debited/charged some outrageous fee. If someone who is not on your whitelist needs to send you an email, they pay a deposit. When you receive the email, you either accept it or reject it. If you accept it, you do not get paid; the sender keeps the deposit. If you reject it (meaning you've read the email and decided it was spam), the deposit paid by the sender is paid to you. It's enough to set the deposit to something like 50 cents. You'll probably get highly targeted emails at this price. I wouldn't mind risking 50 cents to send someone an email that I think they'll accept. You could set it to a few dollars to reduce the noise even further. But you could set it to any price you want. If you REALLY don't want email from sources not included in your whitelist, you could set the deposit to thousands of dollars. With this system, you'll be HAPPY to receive spam! And spammers either won't be able to afford it, or recipients will start making some money.
Any server that has a RMX record, should also have a compulsory, authenticated way of sending email from an unauthorized address. For instance, I'm now at home, and I would like to send mail with my University address. I can not do that, because the University blocks relaying from external IPs. So I send mail with my ISP account, but with the headers of my University account. If my University implemented a RMX record, I could no longer to that. And unless I can authenticate with the University servers to send mail through them, I can't send mail with my own mail address on it! If I can authenticate and send with my Uni account then it is fine, if not this will cause a big stink and RBX being dropped. Really.
Kjella
Live today, because you never know what tomorrow brings
I prefer the term, "unsolicited comercial email", but I see where you are comming from. UCE is the most obvious and obnoxious form. Bulk mailing by organizations you belong to may not be solicited but have legitimate uses. Either way, everyone knows what spam is when they see it, but there's little hope of building a useful filter based on "consent". The simple answer, to copy fax laws against unsolicited comercial faxes, is the best way to kill spam.
These IRTF people have other problems too. They've been hard at work with DRM and seem to give their End to End group the cold shoulder. Also their E2E projects included multicasting and other push like stuff. Everywhere I look, I see things I don't like, adding inteligence to a network that works because it has none. Who's putting these people up to this stuff?
Friends don't help friends install M$ junk.
There are ways to have email with the same level of anonymity that we have today without requiring some kind of authoritarian system. The most promising is the use of sender-verification. Rather then having some big brother type system setup, you have individual mail clients verify senders by replying to them and asking them to validate their humanity.
As long as it's a real person with a real email address sending the info, it should get through.
ReadThe ReflectionEngine, a cyberpunk style n
The spam issue has some interesting parallels in the models of the new economy. Just like in other industries like healthcare and pharmacuticals, the major players are not interested in a "cure". That's not profitable for them. A more appealing approach for them is some method of "treatment", preferably something that obligates the user to continually do business with them in perpetuity in order to maintain their spam-free condition.
Efforts to regulate the content of spam messages, inconsequential civil penalties, client side filtering, and any system which filters mail based on content caters to this impotent approach to addressing the spam problem. It offers no cure. It does nothing to reduce spam; it does nothing to discourage spammers; it does nothing to address the most serious problem of spam, which involves unfair and often illegal exploitation of resources.
Maybe this is the new way. We don't actually solve any problems. We just put bandaids on them and allow them to consume more wasted resources, and the demand for more resources, hardware and bandwith is what drives the new economy.
Call me idealistic, but I think it sucks. I am appalled that so many people will settle for such shallow and ineffective approaches to these problems. But I guess I shouldn't be surprised. Most of these people profit from the existence of spam so why bite the hand that feeds them on a major artery when you can collect some bucks and merely trim their nails?
Most of the SPAM that comes to my site is currently of the SPAM@Home variety, i.e. the same message comes from hundreds or thousands of compromised hosts, from thousands of different addresses, to thousands of my users. As far as I can tell, rMX won't have any effect on these distributed SPAM networks.
:w
My organization has roughly 120 Internet email users and a quick grep -c of the logs reveals that in the last week my server has denied 700 messages from open relays or known sources of UCE. In spite of this I have to wade through around ten spam emails each morning before I can get to work and I regularly get questioned by vice presidents and the CEO about why I'm "not blocking pornographic emails". RMX, micropayments, filtering, and other solutions may not be ideal. They may, to some degree, restrict free speech. They could require extra effort on the part of legitimate senders or admins of spam-unfriendly ISPs. It's possible that such schemes may do away with Internet email as we know it... but after deleting the fourth email this week (each from different network) containing an animated GIF of a woman sucking a horse's penis I don't give a crap. The problem has to be dealt with and if that means that you have to change email clients, switch to a email service that supports authentication, use a web-based service when traveling, update your DNS records, or close your open relay that is fine by me.
My article for building this got denied last night so I'll post it here instead. To create a list of authenticated users automatically that allows people to enter their address etc.. via a web form (much like Spam Arrest visit this how-to. It requires only a web server, php interpreter and Mercury e-mail server.
Micropayments are a tax on speech
Oh come on... do you complain about your telephone bill in the same way?
I disagree. The Internet was founded on exactly the opposite. The whole distributed computing concept was bourne out of a distrust for any single node being too important.
In effect, on the Internet, nothing is trusted.
The reason we have a spamming problem is not because the net is too trusting by design. It's because the medium is largely unregulated and transgressions therein are unenforced, so spammers operate with little fear of consequences.
In no other medium can you exploit other peoples' resources like you can on the Internet, and there are plenty of laws already, both criminal and civil that address these transgressions, but unlike other mediums, there is no agency or organized force in place to do something about it.
Here are some ideas I came up with that build on RMX to help prevent, and prosecute spam.
The first involves anonymous domain names. The author of the draft suggests simply not accepting mail from annon domains. I don't know if I really like this idea. A better system might be a RTBL type list of anon domains known to vouch for spam. That way someone could get a domain name without giving up personal info, and still be able to send mail.
Another usefull feature would be to sue non-forging spammers. Everyone could upload their spams to a group server. Since most states have laws that allow you to sue spammers for small amounts of money per message, once enough are collected from a single domain a lawsuit with enough of a financial incentive to actualy go through could be undertaken.
ReadThe ReflectionEngine, a cyberpunk style n
Slashdot is for geeks so I guess a technical solution to spam seems logical. However, is fixing this legally really that hard? First, it is a problem that has governments and corporations and users - in fact everyone except the spammers - are all on one side. It should be possible to get an international agreement to ban spam in this case. International agreements can/do work if they have support and they are realistic (for example banning CFCs worked). So the support is there - is it realistic? One of the things this group avoided is to try to define spam. But why do you need to have a precise definition? Something simple should work like:
For any mass email that is sent, the sender must be able to prove that the receieve gave his/her permission. Certain standards could be set here (eg. this permission must be opt-in for example). All bulk email must contain the details of the sending company and the option to ask said company to remove your details. Any company violating any of these rules or *aiding* a company to conceal this information (eg running an open gateway) should be fined heavily. Any country not signing up should be suject to sanctions (eg they cannot receieve international internet access or IT services from any signing country until they enforce these laws).
Now there are probably places where suggesting like this could be refined - but why is a legal solution to this problem such a wrong idea in general?!