How to Kill Spam Without the State

WaxParadigm writes "The Colorado Freedom Report, an online libertarian publication in Colorado, has an article today about How to Kill Spam Without the State. Will our heavy-handed attempts to stop spam through legislation have the outcome we desire?" The article advocates putting the burden on the end user, saying "We must also take personal responsibility to kill spam. We can't pretend the politicians will do it for us. Their incentive is to develop a cute re-election flyer, not solve the problem. If you're still tempted by the political approach, ask yourself one simple question: who is more technologically savvy, your average spammer or your average politician? There are steps each of us can take to kill spam, and to help foster a culture that encourages spam killing." While this forgets the onus of spam on the ISP and telco companies, it should well be part of a multi-tiered plan against spam.

Again

[Lord+Kholdan]

Yet another piece of libertarian propaganda.

They say we should give the responsibility to the end user because politicians can't handle it because "spammers are more technically savvy then politicians". Is it true? Yes. However, I'd say that even politicians are even more tech savvy then Joe Emailer.

This is yet another piece of their tired rhetoric full of holes. Take it with a bucket of salt.

Re:Again

[Deusy]

Perhaps it is just Libertarian rhetoric.

But it does have some subtle - if not intentional - points that are very important.

There is the technology available to avoid spam. Spam blacklists, Bayesian filters, and Challenge-Response systems will handle the vast majority of spam, if not all of it.

Shouldn't we just be encouraging the adoption of these technologies rather than empowering the state with more tools with which to persecute people?

If you left your house door open and somebody entered and made a mess in your house (or worse!) then who is to blame? Who is at fault? If you have a lock available to you then you use it. The same thing goes for your emails.

Laws are there to be dodged and abused. Community cooperation and prevention strengthens us.

We should be encouraging ISPs to use and support the technologies available to them to destroy spam rather than lobbying for useless new laws (they'll just send the spam from another country you idiots!).

Re:Again

[platypus]

There is the technology available to avoid spam. Spam blacklists, Bayesian filters, and Challenge-Response systems will handle the vast majority of spam, if not all of it.

And all of these either have either costs, drawbacks, or don't really solve the problem (i.e. Bayesian filter on MUAs don't avoid the traffic etc.), while I can't for the life of me find anything bad on the thoughts of spammer rotting in jail.

</half joking>

Re:Again

[jcr]

Shouldn't we just be encouraging the adoption of these technologies rather than empowering the state with more tools with which to persecute people?

Of course, we should be applying whatever technical measures can help. However, I take exception to your characterization of anti-spam laws as a tool of persecution. Spammers are theives, and pursuing them in the courts isn't persecution, it's PROSECUTION.

-jcr

Re:Again

No.

End-Users need to take responsibility for their own actions. Joe Spammer now is most likely some innocent fool who didn't know any better.

They may have:
* been infected with a virus

* shopped around for an "Internet Marketing" kit that's really a 50 million CD with some cheap-ass bulk mailer written in VB.

* something else less obvious

Either way, they probably did it out of ignorance.

Politicians are regular Joe Blow's as well, and until someone comes around and starts preaching responsibility to people who get themselves involved in something as big as the Internet, the only other option is centralizing the network to dumb it down.

Re:Again

[Shillo]

> And all of these either have either costs, drawbacks, or don't really solve the problem (i.e. Bayesian filter on MUAs don't avoid the traffic etc.), while I can't for the life of me find anything bad on the thoughts of spammer rotting in jail.

In addition to this, suggestions that the end-users take the burden neglects the basic moral principle. Spammers /should/ go to jail.

--

Re:Again

You obviously don't pay taxes.

Re:Again

[Mostly+a+lurker]

There is the technology available to avoid spam. Spam blacklists, Bayesian filters, and Challenge-Response systems will handle the vast majority of spam, if not all of it.

This is true. However, there is a downside. Spam blacklists, in practice, block lots of legitimate mail. Bayesian filters need tuning by the individual user, and I seriously doubt its usefulness to the typical investor in asset enhancement solutions. Challenge-Response systems are potentially effective without the cooperation of the users, but the implementation would need to be very robust and the costs should not be underestimated.

To rid ourselves of the spam menace, it is necessary to stop spam being profitable. Catching and fining spammers is one way this might be done. Technologies that stop spam arriving in the mailboxes certainly help those of us who have no interest in the spam's advertised services. They will do nothing to prevent continued stupidity by those who are stupid today.

Re:Again

[madfgurtbn]

(they'll just send the spam from another country you idiots!).

Why don't people get this? It seems pretty simple to me.

I think most anti-spam efforts cause more harm than good. The reason we get spam is because it is profitable. Antispam measures such as blackholing only raise the bar high enough to keep out the laziest of spammers thus making it more profitable for the most sleazy and organized spammers.

If it were SO EASY to send spam that anyone could do it, it would drive out the serious players and leave only amateurs, who are easily dealt with--Bayesian filters, etc.

All the blood, sweat, and tears that have gone into anti-spam efforts have had NO EFFECT. I still get dozens of spams every week. I just don't have to see them thanks to Bayesian Filtering.

The solution to the spam problem is not more rules and regulations by ISP's and governments. The solution is economic. If professional spamming is not profitable, then there will be no professional spammmers.

Re:Again

[Lord+Kholdan]

Politicians are regular Joe Blow's as well, and until someone comes around and starts preaching responsibility to people who get themselves involved in something as big as the Internet, the only other option is centralizing the network to dumb it down.

And guess which option are they going to choose?

Re:Again

[Deusy]

I can't for the life of me find anything bad on the thoughts of spammer rotting in jail.

To think that just those guilty of mass spam are to be the only victims of such law being applied is to think that innocent people don't go to jail. Naive and, frankly, stupid.

Re:Again

[Deusy]

All the blood, sweat, and tears that have gone into anti-spam efforts have had NO EFFECT. I still get dozens of spams every week. I just don't have to see them thanks to Bayesian Filtering.

Use your brain. It's this simple: Everybody employs anti-spam technology. Spam doesn't reach people. People sending spam therefore do not make money. Spam stops.

If spamming was not profitable, people would not do it.

It's the getting "everybody to intelligently use anti-spam tech" bit that's the difficult part. Hence my mention of ISPs.

Implementing new laws is useless. New laws will simply be circumvented - for example, can you apply your laws outside of the US and is the Internet a US-only thing?

The big boys of the spam industry will not be affected. Just a few idiots and a few unfortunate people who are the victims of authorities abusing available laws.

The way to reduce spam is to reduce the effect of spam, not to make it illegal.

Re:Again

[snarkh]

If you left your house door open and somebody entered and made a mess in your house (or worse!) then who is to blame? Who is at fault?

Let me see... The person who illegally entered and made the mess, perhaps?

Where I live now people routinely leave the doors unlocked.

Laws are there to be dodged and abused. Community cooperation and prevention strengthens us.

It is good to know the free spirit is still alive in some people. I am just a tiny bit surprized that a free thinker like you would want to cooperate with the community.

Re:Again

[Deusy]

It is good to know the free spirit is still alive in some people. I am just a tiny bit surprized that a free thinker like you would want to cooperate with the community.

Okay, I really didn't phrase my comment well. Rephrased:

People will always dodge and abuse laws. Instead, we should strengthen through community coorperation in problem prevention.

Re:Again

[StrawberryFrog]

If you left your house door open and somebody entered and made a mess in your house (or worse!) then who is to blame? Who is at fault?

I never get tired of saying this, because it never stops being pertinent:

No matter how big a moron you are, no matter if you leave your front door wide open, then thief who walks in and takes your stuff is still a thief, still guilty in the eyes of the law, and still deserves to be put away.

If you believe otherwise, you're not far off from the "women who wear short skirts have no case if they get raped" school of thought.

Re:Again

[djmurdoch]

Spam blacklists, Bayesian filters, and Challenge-Response systems will handle the vast majority of spam, if not all of it.

Spam blacklists and filters will catch non-spam. There's no way to make the tests perfect.

Challenge-response systems send out their own spam whenever some idiot gets infected with the latest email virus, and starts forging "From" addresses.

Blacklists and filters would work a lot better if there was less spam. A multi-pronged approach (filtering PLUS regulation PLUS private legal action PLUS community cooperation PLUS ...) is better than thinking any single solution will work.

Re:Again

[platypus]

Oh man, whaddaya think why I wrote that "half joking" tag? Obviously this whole thing is too complex to deal with in one sentence.

But I'm not willing to invest more in an answer to an article which argues with this "who is more technologically savvy" nonsense.

Re:Again

If you left your house door open and somebody entered and made a mess in your house (or worse!) then who is to blame? Who is at fault? If you have a lock available to you then you use it.

Wrong analogy. The problem with spam is, someone in China leaves the door to his/her house open, yet the mess (or worse!) is in my house. And I don't live in China.
And sure, I can filter all I want, but that leaves the mess on the streets in front of my house.

Re:Again

"Shouldn't we just be encouraging the adoption of these technologies rather than empowering the state with more tools with which to persecute people?"

Not at all. Using technology to block spam would mean individual involvement, which is completely contrary to the Soccer Mom "why isn't there a law?" philosophy that passes for politics nowadays, whereas having the guvment do it is.

So the bleating is loud and long for the State to get involved by passing laws to solve the problem.

And thus invoking the Law of Unintended Consequences and the most frightening statement in any language, "Hi! I'm from the government and here to help you?"

Re:Again

[schon]

There is the technology available to avoid spam

And this misses the point that spam is not a technological problem, it's a social one. You don't solve social problems with technology. You solve social problems with social solutions.

If you left your house door open and somebody entered and made a mess in your house (or worse!) then who is to blame? Who is at fault? If you have a lock available to you then you use it.

Yes, but if you do lock your door and someone breaks in and makes a mess (or worse!) should I have to say "oh, well - at least I locked the door!"?

If you extend your analogy to its logical conclusion, it is actually an example of why we should have anti-spam laws, not why we shouldn't. If I have anti-spam measures, and I get spam, there should be legal recourse against the spammer, just like if I lock my door and someone breaks in, there is legal recourse against the theif.

Re:Again

[madfgurtbn]

I think I didn't make myself clear in my reply above. My intention was to say that I agree that laws are pointless because our laws only cover a small fraction of the world's population.

I also agree with your goal of taking the profit out of spam, but I believe most attempts to stop spam make it more profitable for the individual who succeeds in circumventing the anti-spam system. It's like prohibition or the war on drugs. It leaves the activity in the hands of amoral thugs who will stop at nothing to move the product.

Re:Again

[Steve+B]

If you left your house door open and somebody entered and made a mess in your house (or worse!) then who is to blame? Who is at fault?

The person who entered your house is at fault, obviously.

Do you also subscribe to the "she had it coming, going out in public dressed like that" school of rapist defense? If not, how do you distinguish between the two cases?

If you have a lock available to you then you use it.

In most jurisdictions, lockpicking in order to gain unauthorized access to other people's private property is a crime in itself. (It's the "breaking" component of "breaking and entering". If the cops catch you before you actually get in, the law presumes intent to enter, and you are charged with attempted breaking and entering.). The same principle should apply to spam -- filter circumvention is a form of cracking, and should be punished as such.

Re:Again

[snarkh]

Ok, that sounds better. However laws are useful tools in many situations.

Re:Again

[letxa2000]

If I have anti-spam measures, and I get spam, there should be legal recourse against the spammer, just like if I lock my door and someone breaks in, there is legal recourse against the theif.

Yes, but the law that gives you that kind of recourse has to be very clear as to what IS spam so non-spammers don't get in trouble. It has to be very precise so spammers don't use the law to their advantage by finding a loophole. But such a complete and accurate law (which laws seldom are) must pass 1st Ammendment muster by not inadvertently prohibiting some legitimate communication and trampling on free speech.

It's easy to outlaw theft. This problem is significantly more complex than theft and while any jury can recognize and understand theft, not all juries will be able to completely understand all the aspects of a spam complaint. And, the worst part, what's riding in the balance is nothing less than what the government will and won't let us communicate via email. That's very dangerous territory.

Personally, I would accept a law that reaffirms that spamming is illegal theft of services. "The sending of spam is theft of services, is illegal, and the spammer will be liable for no less than $500 per spam sent." Then leave it to the jury to decide whether the email was spam. Anything that attempts to define spam in legislation is dangerous.

Re:Again

[ender-iii]

There are some programs that let you choose how to deal with spam and save you bandwidth. (like the one in my sig)

Re:Again

[Malc]

"There is the technology available to avoid spam. Spam blacklists, Bayesian filters, and Challenge-Response systems will handle the vast majority of spam, if not all of it."

No, that doesn't cut it.

Spam black lists are under attack right now and slowly being taken off one by one. It costs me time keeping things configured and just searching for the best RBL of the moment.

Bayesian filters don't seem to be working too well either. Even with training Mozilla isn't doing too well. 4,000 junk and 7,000 not junk and it seems only 50% effective on the stuff that gets past Yahoo's tagging. You would have thought that with the hundreds of Sven virus messages that I've trained it on that it would filter them, but 25% of them are still making it through. Besides, it's too late by then - at this rate Sven will have consumed a gig of my bandwidth this month just because I have to receive it before I can filter it.

Challenge-Response is too annoying for words. It's also ineffective. For instance I bought some airline tickets recently. The purchase confirmation went out from an automated system. The domain didn't quite match the web site I was on so I couldn't whitelist before clicking buy. They would have been filtered by such a system and nobody would have responded to the challenge because it was an automated system. Daily I see other email that would have been blocked for similar reasons. It's too much effort. Furthermore, it irritates people who are trying to contact me, no matter how trivial the system might seem. Going back to Sven, it still uses my bandwidth. And finally, I've seen what I assume to be fake challenge messages for whatever reason, which also dilutes the effectiveness of the system.

No, I'm sorry, but I think this is a prime example for government regulation. I don't see why people need to be so offended by the idea. Let's stop wasting everybody's time.

Re:Again

[ischorr]

Why haven't we moved to a technology that doesn't make spam so incredibly easy to happen, like AMTP?

Half of the world's email being spam (and just increasing) sounds like a good enough reason to ditch an ultra-easily-exploited protocol like SMTP... Why stick with a technology that simply wasn't even close to being designed for what it's being used for?

Re:Again

[pjrc]

There is the technology available to avoid spam. Spam blacklists,

Who intentionally issue large netblocks against hundreds of innocent bystanders that just happen to be at the same ISP as a spammer. And who are much better at adding to their lists than removing from them. And who've been largely taken out by illegal DDoS attacks (presumably by the spammers).

Bayesian filters,

Which require training from the user, and over time require the user to retrain by actually checking the filtered spam.

and Challenge-Response systems

That are not a solution for people who WANT to be contacted by legitimate users without presenting a rude "jump through these hoops to prove you're not a spammer, or piss off".

If you left your house door open and somebody entered and made a mess in your house (or worse!) then who is to blame? Who is at fault?

The intruder.

If you have a lock available to you then you use it. The same thing goes for your emails.

Obviously you've not seen modern spam. About 200/month get though my filters (spamassassin with quite a bit of custom tuning). Many of those are because my threshold is a bit high because I can't accept false positives (who might be a new customer or someone with a legitimate question about material on my website). But many others get through the filter with a low score.

Spammers are putting a lot of work into crafting filter-resistant messages. In the context of your locked door analogy, how would you view that? If I have a high quality lock on my door, and I'm careful to keep it locked, but theives come along and intentionally defeat my lock.... it is also my fault that I didn't have a perfect lock on my door that nobody can pick. Cause spammers today are doing everything they can to defect the filters (locks) that many people have installed.

But locked or not, it's still wrong (and usually illegal) to enter someone's home without permission. And it's certainly illegal to intentionally break into someone's home by defeating the lock on their door.

But if you're a libretarian, maybe you think it ought to be legal to break into homes if you're strong enough to break down the front door or cleaver enough to pick the lock. And of course, it's ok for spammers to forge headers, use deceptive subject lines, impersonate unsuspecting users, intentionally misspell words or make tricky use of whitespace or embed special html tages for no purpose other than to get past filters, all to hock fraudulent scams and questional merchandise.

Call my a pink liberal commie, but I think it ought to be illegal to use such fraudulent, bad-faith tactics. And it's not ok to break into my home, even on the rare occasion when I happen to forget to lock the door!

Re:Again

[BrokenHalo]

Bayesian filters need tuning by the individual user

And sometimes they are just not very good. I tried Mozilla's version of Bayesian filtering a few weeks ago (while I was still using Moz as my mail client; I am not any more), but in my case I simply don't get enough spam on my current primary address to make the filter trainable. (And I am unconsolable, of course.) I was getting close to 100% false-positives, and the spam was still ending up un my inbox.

My own set of filter rules catch over 99% of spam, according to these rules...

Whitelist (of course)
Filter by TLD (kill all .kr, .ru etc. mail)
Filter by buzzwords e.g. "this is not spam", "click here", "for more info"...
Filter by header fields (known open relays or dodgy domains)
and a "kill these scum" filter to deal with specific offenders, based on domain names in the body of the email.

I've been using these rules for several years, and they trap almost all spam, even with the obfuscated html that is currently trendy.

Of course, none of this is doing anything about the real problem, since the mail is still getting through to my computer. Hence, I still filter stuff to a spam folder, just to be sure I don't score any false-positives.

Re:Again

[rifter]

To think that just those guilty of mass spam are to be the only victims of such law being applied is to think that innocent people don't go to jail. Naive and, frankly, stupid.

Whatever! We aren't talking about some random crime here. Spam is one of very few crimes in which it is dead simple to provide absolute proof of actual guilt. It is completely traceable and once you find the spammer him/herself the evidence is readily available in great detail. I honestly cannot see how you could even suggest innocent people could be caught spamming.

Re:Again

[BrokenHalo]

...thief who walks in and takes your stuff is still a thief, still guilty in the eyes of the law, and still deserves to be put away.

That might apply where you are, but it doesn't here (Western Australia).

For some reason, it is a different criminal offence here to break into someone's house during the day as opposed to doing so during the night. Sometimes the law is just an ass.

Re:Again

[rifter]

There are some programs that let you choose how to deal with spam and save you bandwidth. (like the one in my sig)

No program saves the bandwidth watsed on the internet by the spam itself. The closest we can come is by blackholing the spam networks right on the routers, dropping any packets from those sources. Even then there will be some impact from their spams.

Re:Again

[BrokenHalo]

If the cops catch you before you actually get in, the law presumes intent to enter, and you are charged with attempted breaking and entering.

That presumes a diligent cop. The other week, I spotted a burglar in the act of breaking in to a neighbour's house and called the plods.

The stupid fuckwits let the bastard go because he was wearing "respectable" clothes and was driving a nice car...

Re:Again

[i_r_sensitive]

If you left your house door open and somebody entered and made a mess in your house (or worse!) then who is to blame? Who is at fault? If you have a lock available to you then you use it. The same thing goes for your emails.

Ahh, but wether you leave the door locked or unlocked does not change that 'somebody' committed break and enter, or at the very least tresspassing.

Which is not to comment on the stupidity required to not use the available lock.

This, I think, is the best analogy I've seen yet. Break and enter is illegal, and the law is enforceable, yet we all have door locks. Many of us probably have home alarm systems as well. Do these facts warrant a relaxing of the law on break and enter? Were no such law in place, would the prevalence of door locks and the existence of alarm systems mitigate the need for such a law?

Likewise, with spam a multi-tiered approach is required. End users need to learn to "lock the door" and install an "alarm system." But, when the spammer figures out how to pick your lock and cirumvent your alarm, (and they will...) we still need to have some sort of recourse. Nor should the ISP's get off scott free, many are accomplices to this "crime" be it through negligence or lack of awareness.

Any solution which does not address the entire scope of the issue is likely not to be sufficient unto the task.

But, the bigger question is if spam should be a crime. Is spamming sufficiently immoral or disruptive, or what-have-you to warrant legislation. This is the important question, and the answer needs to be well thought out. Beyond the law of unintended consequences, there is the feasibility of enforcement to consider.

Laws are there to be dodged and abused. Community cooperation and prevention strengthens us.

I really get disturbed by this one. First of all, the assertion that laws are to be dodged and abused, even the author doesn't truly believe, unless he is /.ing from prison. C'mon, if you really believed that, you would dodge and abuse the laws, and eventually you'd have got caught.

The second assertion is part of the solution for sure. But, more importantly, is the correct use of that co-operation. The community should be co-operating with the legislators to determine if a law is necessary, and in the writing and amending of such a law. Co-operation as an alternative to being involved in that needed process smacks of vigilantism, which is not going to alleviate this problem, but rather escalate it.

The big question though, is such a law enforceable? Certainly not if we view the law as something to be abused and dodged. Certainly not if we are just going to worry about our litle corner of the briar patch.

Re:Again

[eugene+ts+wong]

Spam is one of very few crimes in which it is dead simple to provide absolute proof of actual guilt.

For some time now, I've wondered if it is feasible to make all open relays illegal within a jurisdiction. For example, can the US make all American open relays illegal?

I understand that it will not stop spam, but every bit helps, plus it makes it easier to filter out spam when it does come.

Re:Again

[cje]

The problem with technologies like Bayesian filters and challenge-response systems is that they don't actually do anything to cut down on the amount of spam that you get. What they do is cut down on the amount of spam that you see. To a lot of folks, this is a pretty subtle distinction, but for many, it's a major issue.

I get about 200 spams a day, and the size of the messages seems to be getting larger every day. If I go a couple of days without checking my mail, it can take several minutes to download all of my messages, even over DSL. I don't even want to think about how long it would take to download the same volume of data on a dialup connection. Lots of people have unlimited Internet access, but what about people who pay by the hour or pay by data volume? What about people with limited POP3 quotas who end up missing legitimate messages because spammers have filled up their inboxes? If I go on vacation for a week, I'm guaranteed to have a full inbox when I come home, along with God knows how many legitimate mails returned to the sender.

Why the hell is "liberty" a concept that is afforded to spammers and not the rest of us? How exactly is it "libertarian" to force Joe Schmoe on a time-limited 56k dialup connection to pay for donkey-porn spam? How exactly is it "libertarian" to force somebody with per-month data transfer limits to pay for somebody else's Viagra advertisements (that the spammer is essentially sending out for free?) How exactly is it "libertarian" to say "Well, if your e-mail quota gets blown by spammers, that's your tough luck?"

Many of the utopian ideals that libertarians espouse require that we live in a world that is (in general) populated by rational, well-behaved individuals who are willing to adhere to certain basic rules of society. Spammers do not fall under this category of people. Obviously, no law or government action is going to be able to completely stop spam. But to the extent that it can help improve the situation as it exists today, I'd much rather take a shot at doing something than doing nothing at all.

Re:Again

[rifter]

"(they'll just send the spam from another country you idiots!)."

Why don't people get this? It seems pretty simple to me.

I think most anti-spam efforts cause more harm than good. The reason we get spam is because it is profitable. Antispam measures such as blackholing only raise the bar high enough to keep out the laziest of spammers thus making it more profitable for the most sleazy and organized spammers.

If it were SO EASY to send spam that anyone could do it, it would drive out the serious players and leave only amateurs, who are easily dealt with--Bayesian filters, etc.

All the blood, sweat, and tears that have gone into anti-spam efforts have had NO EFFECT. I still get dozens of spams every week. I just don't have to see them thanks to Bayesian Filtering.

The solution to the spam problem is not more rules and regulations by ISP's and governments. The solution is economic. If professional spamming is not profitable, then there will be no professional spammmers.

First off, according to the EU most spam comes from the US. This makes sense when you see Congress recent attempts at "anti spam" legisllation that actually legislate that I must receive spam. They are being paid off by US spammers.

My solution is the only way we are going to get rid of spam forever, and it is as dead simple as it is ruthless. First, the US should pass laws against spamming that include heavy fines and jailtime. The fines wouldhelp finance part two, and these laws should be propogated much as the uS has been propogating their bad laws.

Next, to counteract the obvious solution of spammers running elsewhere, etc. If any ISP allows spammers to nest in their place of business then they get blocked by the border routers of every ISP in the US. There would be a list of blocked IPs and it would be mandatory for every US ISP to use it. This means NO traffic from that ISP gets to servers in the US until they get rid of Mr. Spammer. The ISPs are the real culprit here because they allow spammers to buy accounts with them and refuse to get rid of them. Therefore we punish the ISP in the best way possible, monetarily.

This would rapidly lead to a situation where ISPs would not want to have spammers because their customers could not reach the US where all the money is. After all, most people in the world will want to access US websites, and most foreign businesses will want US citizens to be able to shop at their sites. Even the spammers know most of the money for them is in the US. This is why I think it woudl work, and if it did not work to get rid of spam completely, it would certainly eliminate the costs of spam in the US.

Re:Again

[rifter]

For some time now, I've wondered if it is feasible to make all open relays illegal within a jurisdiction. For example, can the US make all American open relays illegal?

I understand that it will not stop spam, but every bit helps, plus it makes it easier to filter out spam when it does come.

It the very least, this shoudl merit some kind of civil liability. Open relays are a result of a lack of due diligence, pure and simple.

Re:Again

[schon]

the law that gives you that kind of recourse has to be very clear as to what IS spam

No. You're falling into the spammer's "frea speach" red herring.

What makes spam is not the content, but the method.

such a complete and accurate law (which laws seldom are) must pass 1st Ammendment muster by not inadvertently prohibiting some legitimate communication and trampling on free speech.

Anti-spam laws are about harrassment, they have nothing to do with free speech.

Nobody is telling spammers that they are not allowed to speak. We are saying that they are not allowed to harrass people. There is a big difference.

The most common definition of spam is unsolicited bulk email. This is a very easy test. Is it unsolicited? (Did the recipient ask for it, or is there an existing relationship?) Was it sent to multiple people? If the answer to these questions is yes, then it's spam.

Anything that attempts to define spam in legislation is dangerous.

Again, the decision of whether something is spam or not has nothing to do with the content of the message, it has to do with how it was sent. Defining how it was sent is very simple to do, and (in fact) must be done if there is to be any sort of legislation (including the type you are OK with.)

Re:Again

[kaladorn]

There is the technology available to avoid spam. Spam blacklists, Bayesian filters, and Challenge-Response systems will handle the vast majority of spam, if not all of it.

As someone who has been a victim of these technologies, I'm not convinced this is the road I'd see us go down. I've had my e-mail blocked just because some other git at my large Canadian ISP has had the temerity to send some spam (even if he was immediately kicked off as soon as this was discovered). As a direct result, my valid e-mail to persons in places like Australia has been affected. If this is your suggestion of a solution, I'm afraid I can't concede that it is a good one.

What is and is not legal in a nation is not an absolute - it is a social dialog between citizens and a decision made on what those citizens as a group wish to allow. For myself, I don't think spam/UCE, junk mail, telephone solicitation, etc. are anything but a waste of my time, my bandwidth, and (in the case of paper variants) trees. I don't see them as a necesary evil. Therefore, I see no issue with banning them. Can one ban them and still have other forms of free expression (if a commercial activity can be considered expression...)? Why of course we can.

I don't want to kill these people. They are (mostly) playing within some sort of legal vacuum or within the law. I'd just change the law and then they'd either quit or get busted.

Re:Again

[sharkdba]

No matter how big a moron you are, no matter if you leave your front door wide open, then thief who walks in and takes your stuff is still a thief, still guilty in the eyes of the law, and still deserves to be put away.

Absolutely. I don't think the parent poster was trying to blame the owner of the house in this case. Of course, it's still theft, and whoever enters the house without permission is a criminal.

The point here is: we don't encourage criminals. Quite the opposite, we raise barriers. If there is a thief going through a neighborhood, he will look for houses with the least security. A lot of thiefs steal because it's easy to find places with low security (open door in this example).

Re:Again

[Big+Boss]

Apparently some people don't understand libertarianisim. The author of the article seems to be in that camp.

But if you're a libretarian, maybe you think it ought to be legal to break into homes if you're strong enough to break down the front door or cleaver enough to pick the lock. And of course, it's ok for spammers to forge headers, use deceptive subject lines, impersonate unsuspecting users, intentionally misspell words or make tricky use of whitespace or embed special html tages for no purpose other than to get past filters, all to hock fraudulent scams and questional merchandise. Call my a pink liberal commie, but I think it ought to be illegal to use such fraudulent, bad-faith tactics. And it's not ok to break into my home, even on the rare occasion when I happen to forget to lock the door!

Nope. Breaking into your home, locked or not, would be an initiation of force against you. Stopping such activity (or at least having laws and police in an attempt to) is a valid use of government to every libertarian I have met. Libertarians also belive government should be able to prevent fraud. I think that the writer of the article simply doesn't understand the things spammers do to get past filters and how they harm the network. IMO, any libertarian, once informed by a techie, would agree that 90% or more of the spam is sent by people that are engaging in fraud or the online-equivilant of lock picking and theft of computer resources. Once they realize this, any libertarian would be forced to conclude that such activities fall under any reasonable deffinition of "initiation of force".

IMO, the best soultion is to include things like deliberately obscuring words, sender identity, addresses, headers, creating/using viruses that create relay networks and other circumvention technologies in the computer crimes legislation on the books as cracking. Not banning "Spam"/UCE per-se, but the fradulant delivery and hijacking of computers and networks that they engage in now.

Re:Again

[letxa2000]

Me: the law that gives you that kind of recourse has to be very clear as to what IS spam
You: No. You're falling into the spammer's "frea speach" red herring.

No, not at all. I don't want to protect spammers. I want to be sure that no non-spammers get caught in the net, such as mailing lists and just about any other innocent communication that truly isn't spam--but could be considered spam if the law defines it incorrectly.

What makes spam is not the content, but the method.

The method is similar enough for mailing lists and spam, let alone order confirmations, etc. that to operate on method alone is a good reason to be suspicious of legislation that defines spam on that basis. It can catch more than just spam and angry spammers could very easily use the law to sue an innocent non-spammer just to make the law look bad.

Spam is content AND method. And the method is hard to prove anyway. But usually the content makes it clear whether it is spam or not and gives you a very good reason to suspect what method was used.

Anti-spam laws are about harrassment, they have nothing to do with free speech.

So is it about harrassment or is it about method? If I personally contact someone who I haven't talked to in 5 years and he/she doesn't remember me--or perhaps DOES remember me but always hated me and I didn't even know it--can that person sue me because I had the gall to email them to say "hi" after all these years?

Nobody is telling spammers that they are not allowed to speak. We are saying that they are not allowed to harrass people. There is a big difference.

I agree with you 100%. I don't want to hear from the spammers either. My concern is that the law be worded such that spam is defined correctly so that NON-SPAMMERS are not affected. I'm not convinced such a definition is possible, and certainly it won't be a definition that we all agree to.

The most common definition of spam is unsolicited bulk email. This is a very easy test. Is it unsolicited? (Did the recipient ask for it, or is there an existing relationship?) Was it sent to multiple people? If the answer to these questions is yes, then it's spam.

And I tend to agree with that definition. But how can I prove it wasn't solicited? How can the spammer prove it WAS solicited? If I have a mailing list that sends a confirmation email to the user and only signs the user up if he confirms via a link in that email, how can I prove that that process was followed? If someone subscribes someone else to my mailing list and I send that user a single message confirming the opt-in, can I be accused of spamming them with my confirmation message? How can I prove a given spam was sent bulk without going through half the legal process of filing a lawsuit against the spammer? Is the receipt of a single spammny message sufficient legal ground to ask for a court to confirm whether the message was sent in bulk? Could spammers then say they received a couple of emails from me and have the courts sift through MY email just because someone accused me of spamming?

Again, the decision of whether something is spam or not has nothing to do with the content of the message, it has to do with how it was sent.

Again, you said above it was about harrassment. You also say it was about how it was sent--which is very hard for the receiver to prove without filing a lawsuit against the spammer.

My point of view is that spam should be illegal. But if I receive spam it's going to be fairly obvious that it's spam and I sue the idiot--the judge or jury will look at the facts and agree. Whether it is spam or not will be decided in court based on the circumstances. If the law tries to define it then we get into a very real potential of the law considering a certain opt-in mailing list spam, or the spammer alegeding it was opt-in. There are so many potential loopholes that the spammers will find one, and at the same time it runs the risk of calling s

Re:Again

[Nuclear+Elephant]

That's because you're using the wrong anti-spam tool. You need an advanced self-teaching anti-spam tool like DSPAM to keep up with the spammers.

Re:Again

[yourmom16]

To rid ourselves of the spam menace, it is necessary to stop spam being profitable. If spam filters are more universally employed(at ISPs etc.), and the idiots who buy from them don't see the spam then it wont be profitable.

Re:Again

[DavidTC]

Except that spammers make money because idiots pay them to spam.

And how the hell much do you think it costs to make a spam run? And how much do you think it costs to make a spam run with stolen credit cards?

Trying to make the profit from spamming dip below 0 is obviously impossible, and internet access is quite often free. Ergo, spamming will always make more money than it costs.

Re:Again

[DavidTC]

And I tend to agree with that definition. But how can I prove it wasn't solicited? How can the spammer prove it WAS solicited? If I have a mailing list that sends a confirmation email to the user and only signs the user up if he confirms via a link in that email, how can I prove that that process was followed? If someone subscribes someone else to my mailing list and I send that user a single message confirming the opt-in, can I be accused of spamming them with my confirmation message? How can I prove a given spam was sent bulk without going through half the legal process of filing a lawsuit against the spammer? Is the receipt of a single spammny message sufficient legal ground to ask for a court to confirm whether the message was sent in bulk? Could spammers then say they received a couple of emails from me and have the courts sift through MY email just because someone accused me of spamming?

And if someone kills someone, how can anyone prove he did it?

What kind of stupid argument is that? We have the courts for a reason.

And pretending we don't have evidence that a person is spamming is completely and utterly insane. Completely. There's no way to pretend the issue is uncertain. It's never been uncertain. Everyone knows exactly who's spamming, and if the government wants to find out all they have to do is seed spamtrap addresses and wait for them to get email.

And why would you have to go through any legal process? I don't have to sue someone if they steal my stuff, I walk down the police station and tell them, and they arrest the guy.

As for someone lying to the police...do you know what happens if I walk down the police station and tell them you stole my stereo, and you didn't? I don't either, and I don't really want to find out.

Re:Again

The theif is responsible for the theft, which is an illegal act.

You are responsible for leaving your door open, which is a Stupid act.

Re:Again

[minas-beede]

If you left your house door open and somebody entered to make a mess and you took a video of the whole thing so he could be identified and charged for the intended mischief who would be the winner?

If you faked a computer system vulnerable to spammer abuse and a spammer sent a bunch of spam right from his own system using his own IP and you didn't deliver the spam but did inform his ISP who would be the winner?

This isn't rocket science. You can hurt spammers bigtime on your own home system - if your system is in a net segment the spammers check for open relays and open proxies.

Wouldn't you rather do that than sit and complain all the time about spam? There's not even enough spammers to go around - only the early adopters will have the big fun. Will you be an early adopter?

If the ISP doesn't act you can post about the ISP someplace - maybe even here. How many times will such a post be made before the ISP figures out the cost associated with being the last ISP to act against spammers in its own domain?

You are in the driver's seat if you want to be. Do you?

Re:Again

[letxa2000]

And if someone kills someone, how can anyone prove he did it?

Police gather evidence and it is presented in a court of law. But to gain sufficient evidence to prosecute a spammer I think you'd need to do what the RIAA is doing, get name/IP matches from ISPs, and then have some officer of the law or the court to review that person's computer for some evidence that he did in fact spam.

Anyone can take any spam and modify the headers and IP addresses to frame anyone they want. Your possession of spam with full headers is not your proof of who spammed--it's your allegation.

And why would you have to go through any legal process? I don't have to sue someone if they steal my stuff, I walk down the police station and tell them, and they arrest the guy.

So you say we should make it a criminal offense and have our police chasing down spammers? I'm against spam, but I don't want our law enforcement tied up in spam investigation--I want them out there catching murderers, thiefs, and maybe even a terrorist now and then. The police are busy enough without having to deal with a flood of spam complaints. Heck, *I* don't even have time to investigate spam anymore--I just block it.

Spamming should be a civil matter. But even that is questionable since even the courts are too busy to be dicking around with a million spam complaints per day.

As you can see, besides defining what spam is the other hard part is enforcing. If you make it a criminal act that the *police* have to enforce there just isn't enough manpower. If you make it a civil violation then you still have the problems of inundating the courts unless some special spam complaint court is established that can dispatch the complaints quickly.

I dunno... spam definition... government regulating what people can and can't send... finding the manpower to enforce it, be it the police on the street or the courts or a special new court...

I'll take my Bayesian filter any day of the week.

Re:Again

Its not just blame the victem. And its not the same as the rape argument either. virses from a board high school kid that do harm mean there is a security problem and a kid that needs a better hobby. Sending that kid to a crime school(prison) with some big thug who questions his sexual orientation(cell mate) is not the answer either... If you were 2 use a rape argument, it would have to be revised significantly. Its more like jumping over a camp fire. Fall in, and its the fire that burned you---but its totally your poor judgement you got there. No need to put out the fire; just keep the stupids away from it--however these days in the USA, then its the owner's fault for not protected the stupid from themselves...and the maker of the campe fire or the supervisor/parent is to blame.

Re:Again

[bojan]

spam is not a technological problem,
much like any form of crime is not a mechanical problem.

Certainly you may restrain criminals by mechanical means, but you may not stop crime through such means.

Much the same way, you will not stop spam technologically.

Because much like crime, it is a social problem.

- bL

Re:Again

[DavidTC]

Anyone can take any spam and modify the headers and IP addresses to frame anyone they want. Your possession of spam with full headers is not your proof of who spammed--it's your allegation.

Anyone can just claim to have seen someone murder someone else. A witness isn't a proof someone commited murder, it's an allegation.

And? You claims person X commited a crime, the police check it out. If they did not, in fact, commit such a crime, and you were delibrately lying to the police, you can and will be charged with a crime.

And if a hundred people claim person X commited a crime, like would happen in spamming, well, they still check it out. But their job is a lot easier, no need to worry about the character of their witnesses.

Frankly, your argument is completely idiotic. It applies a million times better to computer crime, and people are caught for that all the time. With spam, you by defination have at least dozens of witnesses, and if spam was illegal would be less of it, and people knew that if they reported they would get the person who did it arrested, they'd be lining up to report it.

Trying to pretend that the courts won't accept electronic evidence is about the same as claiming they won't accept eyewitness evidence. They indeed do. And it's certain enough to track down, arrest, and more importantly search said spammer, and find physical evidence of the crime in his possession.

So you say we should make it a criminal offense and have our police chasing down spammers? I'm against spam, but I don't want our law enforcement tied up in spam investigation--I want them out there catching murderers, thiefs, and maybe even a terrorist now and then. The police are busy enough without having to deal with a flood of spam complaints. Heck, *I* don't even have time to investigate spam anymore--I just block it.

Spammers are thiefs. They are also usually computer criminals, having delibrately installed trojans on, at this point, millions of computers.

Re:Again

No matter how big a moron you are, no matter if you leave your front door wide open, then thief who walks in and takes your stuff is still a thief, still guilty in the eyes of the law, and still deserves to be put away.

If you believe otherwise, you're not far off from the "women who wear short skirts have no case if they get raped" school of thought.

Yes, but surely it's better to be prudent and lock one's doors all the same. It's like women who wear short skirts (or burkas perhaps) should travel in groups to better their chances of safety. It doesn't excuse the actions of a rapist / spammer, but it's really hard to prevent fools getting burned by matches too.

Re:Again

[letxa2000]

Anyone can just claim to have seen someone murder someone else. A witness isn't a proof someone commited murder, it's an allegation.

True, but the allegation of murder is serious enough to warrant at least a quick investigation. The fact that the person seen murdered doesn't appear where he or she normally would lends more weight to the allegation. And a dead body is a body that proves that someone was murdered--the investigation then looks for who.

Murders also (thankfully) happen much less commonly than spam so the relatively infrequent accusation of murder can and should be investigated.

And if a hundred people claim person X commited a crime, like would happen in spamming, well, they still check it out. But their job is a lot easier, no need to worry about the character of their witnesses.

I doubt hundreds of people would be reporting the same spam in the same jurisdiction. The only way this could be handled efficiently is having a central clearinghouse department that receives all the complaints, and even that department would be overwhelmed. And we'd have yet another government organization. Great.

It applies a million times better to computer crime, and people are caught for that all the time.

All the time? Most computer crime is not reported, let alone investigated, let alone prosecuted. You might see an occasional headline of how someone supposedly wrote the virus that destroyed Microsoft computers last week, but that's the exception. Most computer crimes are most definitely not investigated by any law enforcement.

Trying to pretend that the courts won't accept electronic evidence is about the same as claiming they won't accept eyewitness evidence. They indeed do. And it's certain enough to track down, arrest, and more importantly search said spammer, and find physical evidence of the crime in his possession.

Again, you miss the point. I'm not concerned about the spammers. I'm concerned about the potential for abuse.

So you are a disgruntled spammer that is pissed at some anti-spammer. You use your experience to send a bunch of spam out that looks like it was sent by the anti-spammer. People report it and it is investigated. Investigators visit the anti-spammer and rummage through his residence or office, generating suspicion that the anti-spammer is actually a spammer. His reputation is damaged even if nothing is turned up.

Spammers are thiefs. They are also usually computer criminals, having delibrately installed trojans on, at this point, millions of computers.

Great! Then they are already guilty of established crimes and can be prosecuted already. No additional legislation is even necessary.

State never kills spam

[jkrise]

Spam is revenue for the State, and it isn't a good idea to kill it. Spam has also fetched more revenue for anti-spam s/w firms, than for the purportedly promoted products.

It stands to reason therefore, that the most likely writers of spam are THE SAME ONES WHO PEDDLE ANTI-SPAM WARE.

Thus, to kill spam:
1. Do not trust the State to do anything.
2. Do not buy, solicit or encourage anti-spam software.
3. Use free anti-spam tools wherever possible (this is easier with Linux).
4. Unless spam hogs your bandwidth or disk usage, don't bother.
5. And lastly, or rather firstly, spend money on a CD Writer and media to take backups, rather than on anti-spam s/w.

You will lead a cheerful, richer life.

Re:State never kills spam

Thank you, Captain Obvious.

5. And lastly, or rather firstly, spend money on a CD Writer and media to take backups, rather than on anti-spam s/w.

What the fuck does spam have to do with backups? Why not spend the money on cheap hookers, so you support your local neighbourhood?

Re:State never kills spam

Wow.. what am i going to hear next? MS Windws is state sponsored?
More Winsows-> More Viri-> More AV Tools Sold -> Revenue!!!

Re:State never kills spam

What the fuck does spam have to do with backups?

Simply this. Most virii and worms use spam as their carrier or agent. The chances of data getting hosed are pretty high with higher amounts of spam received / processed.

As for your ideas on hookers, well, you can hook yourself and save some bucks.

Re:State never kills spam

It stands to reason therefore, that the most likely writers of spam are THE SAME ONES WHO PEDDLE ANTI-SPAM WARE.

I don't think so - this is a typical argument-dodging staement by someone with a bone to pick.

By the same arguments, you could imagine most crime is caused by policemen, lawyers and judges...

Re:State never kills spam

[jkrise]

By the same arguments, you could imagine most crime is caused by policemen, lawyers and judges...

How's that? The benefits accruing to policemen and judges are indirect and secondary. Anti-spam s/w firms collect money directly from the victims. Looks like you picked the wrong bone.
-

Re:State never kills spam

[iamacat]

Actually you are not far off the mark if you think about traffic tickets, war on drugs or civil lawsuits ala SCO. But unfortunately there is quite enough spam already for anti-spam ware makers to just chill out.

Re:State never kills spam

[BattleWolf]

hmmm... do you think the same may just apply to anti-virus software? What about firewall products? I don't know... the logic is maybe a bit flawed...

Re:State never kills spam

[John+Allsup]

The US government, for economic reasons, will back up what it perceives to be MS's property rights. In this sense, MS is certainly state sponsored.
(Just as a nation with a hard line fundamentalist government may back up what it sees as fundamental rights of people that e.g. the US calls terrorists.) State sponsorship of various things is heavily engrained in our country, far more than it may seem at first.

Essentially, all property rights are things that are enforced by the government of a given country, and as such are determined by the laws of that country (possibly influenced by treaties.) In this way, any internaitonal trade by companies in country X can give rise to the perception that companies in country X are sponsored by country X.

Re:State never kills spam

[jkrise]

do you think the same may just apply to anti-virus software?

Absolutely. I've been hearing of viruses eer since 1989 (DOS days) and the standard argument was that Viruses were written by MS haters. It's the same argument even now, and the baffling thing is that, the argument seems to work - most people still buy the logic.

Public memory is too short to keep track of technology and come to the right conclusions. Are viruses, worms and spam written by terrorists? Most unlikely. The amount of money coughed up by US citizens for anti-virus s/w, anti-spam s/w, firewalls and security systems -- I'm sure would be far greater than that spent fighting terror. And this despite the likes of Ashcroft & Co.

-

Re:State never kills spam

4. Unless spam hogs your bandwidth or disk usage, don't bother.

Obviously written by a man who has no kids, "hey who cares that my kids are being told how to make their schlong/boobs/... bigger, or porn".

Re:State never kills spam

[jkrise]

The US government, for economic reasons, will back up what it perceives to be MS's property rights. In this sense, MS is certainly state sponsored. You've got the wrong angle on my point... why does the US stand idly by when it's darling MS is forced to strip it's cloak of secrecy and reveal it's Crown Jewels to a Communist country? It isn't standing up for MS, it is standing idly by. Look at it this way.. how is it that revealing source code to the US is detrimental to US security whereas revealing it to China and India isn't? Got the doublespeak? That's my point, and the reason why I conclude that no State would lift a finger against spam, the markets and users have to do it themselves. -

Re:State never kills spam

[jkrise]

Obviously written by a man who has no kids

And I'd say obviously written by a man with tiny schlong/boobs... or maybe with kids like that. Anyways, my point is this:

Kids can get enuff and more (S)Exposure without the internet, and no amount of legislation / censorship can stop a determined kid. If you think your kids are mature enough to use the Internet, I'd think it's your responsibility to prepare them for what lies ahead.

Seeing you're posting as an AC, looks like you shirk that bit of your role. I personally use the Internet with my kid near me, so he learns from my discernment, by way of example. I think I'm doing my best, and wish my kid would grow up to be responsible for his actions -- not blame the State, laws or the Intenational situation.

-

Re:State never kills spam

[evodas]

Please see my "Why don't I just become God?" posting... In case you miss it.
You will lead a richer life. Hey, come to think of it, maybe you'll even have a life to enrich.
You're welcome.

Re:State never kills spam

[halr9000]

<rant target="_parent">Let's just blindly state opinions as they were fact without arguments to back them up, and if I assert them strongly enough, I'll get modded Insightful!</rant>

1. Spam legislation is probably a dead-end, and it is definitely against libertarian principles of less government regulation, which is something I agree with.
2. Anti-spam software is GOOD, not bad.
3. I love free anti-spam software. And it's just as easy with Windows, you insensitive clod! Spambayes, POPFile and many other free anti-spam software is either platform agnostic (i.e. based on Perl or Python) or actually has native Windows (typically Outlook) ports and plugins!
4. Spam has never hogged my bandwidth or disk usage, but that is the least of my concerns. It's frigging annoying! My penis is already large! Jeez!
5. Who doesn't have a CDR drive? What does backing up have to do with anti-spam software?

Re:State never kills spam

[ender-iii]

It stands to reason therefore, that the most likely writers of spam are THE SAME ONES WHO PEDDLE ANTI-SPAM WARE.

Maybe you're right in some cases, but I take serious offence to that comment. I have spent countless hours perfecting and anti-spam solution. I offer it for free with a very reasonable costing upgrade option. And now someone comes along and says something like this?! Thanks for kicking me in the balls...

Re:State never kills spam

[poot_rootbeer]

Spam is revenue for the State

Huh?

Are you suggesting that spammers actually bother to pay sales taxes on the herbal viagras and teen slut web site subscriptions they peddle? I would doubt that.

Re:State never kills spam

[mengel]

Actually, all of the set {anti-spam, anti-virus, policemen, homeland-security} collect money from people who are afraid of being victims, not neccesarily from those who are or have been victims.

So the incentive in all such cases is to hype up the fear and loathing of the item you claim to protect against, and of course you have to protect against it in a fashion that doesn't solve the underlying problem, in order to preserve your organization's existence.

[Of course, I must credit a cross-product of _Bowling for Columbine_ and _Fear and Loathing in Las Vegas_ for this meme :-)]

Re:State never kills spam

[DavidTC]

Yes, actually, they do. You just have an incorrect defination of spam.

Spam is unsolicted bulk email.

Most viruses and worms use email to spread. (Yes, there are exceptions, like MSBlaster and that SQL one.)

This email is unsolicted, obviously, no one asks for viruses to be emailed to them unless they're running an antivirus company.

This email is bulk, because it's identically sent out billions of times by various machines.

Ergo, most viruses are spread by spam, because they are spam.

Re:State never kills spam

[mcrbids]

the most likely writers of spam are THE SAME ONES WHO PEDDLE ANTI-SPAM WARE

This, sir, is a load of crap.

I've done plenty to fight spam. I hate it. I'd like to see it go away. I've seen spammers bring a sophisticated mail server clusters to its knees by sending 147,000 junk emails (with multiple recipients - the actual number of recipients was in the millions) in under 2 hours.

How does this make me a spammer?

Re:State never kills spam

I guess I had UCE (Unsollicited Commercial Email) in mind. Anyway, when talking about spam in general, the first thing I think about is $$$MAKE PENIS QUICKK$$$, not Check out this screensaver, and judging from most posts here, I'm not alone in that.

Re:State never kills spam

[DavidTC]

Even UCE works, because of the loop.

Most viruses, nowdays, are written by spammers to provide zombie machines to send spam from.

Hence the virus email is 'commerical', as in, it is used to make a profit, the profit being to send out spam.

However, calling UCE 'spam' is silly. No one cares if one person gets emailed with a single unsolicited business proposal, and there are times where that is appropriate. (For example, you wish to purchase an apparently unused domain name, so you email the domain's technical contact, despite there being no indication they wish to discuss any such offer.)

And, while there are problems when UCE is done in bulk, the problems are the bulk, not the fact it's UCE. If someone has a truly personal business issue to discuss, even unsolicited, people do not mind, anymore than you'd mind if someone knocked on your door and offered to buy your house, despite it not being for sale.

However, such individual unsolicited commerical emails are few and far between, and are being drowned out by unsolicited bulk commerical email, which is equivilent of people throwing flyers into your yard.

It all really does come down to consent, not content. Reasonable people can be expected to have consented to sometimes be contacted, personally, out of the blue, to talk about some legitimate business thing. No one consented to have tons of any sort of flyers dumped on them, though, commercial or otherwise. (Also note we need to start enforcing fraud laws here, too, to take care of fraudulent UCE which isn't UBE.)

Which is why I hate the whole 'UCE' thing. Commerical isn't the problem. And all restrictions on commercial are doomed to fail in the US. Restrict fraud, restrict trying to evade filters, and restrict bulk-without-consent.

Spam is not going away

[Dancin_Santa]

No matter how technically savvy you are, if your email address is picked up by a spammer you will receive spam. Whether it hits your inbox or not, somewhere along the line someone has had to relay that message to your mail server and the bandwidth is already wasted.

Get a good filter, use whitelists, whatever. Just don't think that you will be able to eradicate spam without governmental help.

Re:Spam is not going away

Just don't think that you will be able to eradicate spam without governmental help.

I remember when we had crime in America and drug use
was on the rise. Fortunately the government stepped in and offered to eradicate these problems if compensated with a large percentage of my income. I'm happy to say, its been a great success. Crime has been ERADICATED and I can't find a pusher any more.

Re:Spam is not going away

[Azghoul]

Save us, government! After you protect us from spam, keep us from riding merry-go-rounds, put up fences to keep us away from dangerous natural sites (that Grand Canyon is too dangerous for people to walk near), and then shut down that vile fast food industry, they're just trying to make us all fat slobs! And keep wasting billions on the war on drugs, that's been going SOOOO well.

Government help should be limited to fraud, and that's about it. "Wasted bandwidth", give me a break, there are technological solutions.

Re:Spam is not going away

" there are technological solutions"

Care to share a technical solution that will not waste bandwidth?

Re:Spam is not going away

[Azghoul]

Turn of your internet connection. Bounce all emails to spammed addresses (causes a little more bandwidth at first, but do you think spammers will continue to hammer addresses that bounce?).

There's two. And I'm not even trying.

Re:Spam is not going away

[rw2]

Just don't think that you will be able to eradicate spam without governmental help.

The problem isn't lack of government enforcement. The problem is lame standards for passing email.

We don't need a legislative solution, we need a technical one.

This is one I support.

Re:Spam is not going away

[rw2]

Just don't think that you will be able to eradicate spam without governmental help.

The problem isn't lack of government enforcement. The problem is lame standards for passing email.

We don't need a legislative solution, we need a technical one.

This is one I support.

Re:Spam is not going away

[shrugwhaa]

"if your email address is picked up by a spammer"

Don't leave your e-mail lying around.

Re:Spam is not going away

[Brandybuck]

Just don't think that you will be able to eradicate spam without governmental help.

A clue for the clueless: nothing will ever eradicate spam. Murder has been outlawed for approximately 5000 years. We still have murder. Law can codify acceptable behavior, but it can never eliminate unacceptable behavior.

Re:Spam is not going away

[dcmeserve]

No matter how technically savvy you are, if your email address is picked up by a spammer you will receive spam

There's a nice, free service to help you avoid this: sneakemail.com. It lets you easily generate fake email addresses to give out when you need to; the email is re-routed back to your real account through sneakemail's server. If you start getting spammed through that fake email addr, just shut it off!

Just don't think that you will be able to eradicate spam without governmental help.

The article had a very good point at the end: if you take a step back for a moment, the spam problem really isn't *so* bad, since it's the freedoms of the internet that we cherish so much that made it possible. i.e. in a sense, it's actually worth it. If you take care not to be foolish with giving out your email, etc. etc., your spam level should be low enough to be tolerable. Perhaps *eradicating* the spam is not necessary -- at least, not worth the pain that inevitably comes with government interventions.

Re:Spam is not going away

[Syrrh]

Excellent idea. I hear them-there spammers on the dang ol' webbernet ALWAYS use valid reply-to addresses.

Re:Spam is not going away

[General+Fault]

Can we do both? I am expecting a little criticism here, as I am not a lawyer and I have not read the entire DMCA yet. However, I have heard about some of it's implications. One of those (as I understand it) is that anyone who tries to circumvent a security system is acting illegally. A security system is designed to keep information either in or out of a system (i.e. keep viruses, Trojan horses, etc. out and critical information from getting out). So, would a spam blocker be considered a security system? It keeps unwanted information out of a system. Can we throw the DMCA back at those who created it by suing spammers and businesses that have used techniques to circumvent spam blockers?

Re:Spam is not going away

[haxor.dk]

So, tell me: What can the state do, that private individuals, organisations or groups cannot do on their own ?

I dont see any of the measures taken against spam so far, being the result of government awareness or initiatives?

dumb article

[HBI]

Take personal responsibility. Yeah, right. I don't get any spam. I filter it all out. Does that matter? NO! I'm one person and part of a very thin sliver of the total net population. I actually know what I am doing. The other 95-98% of the people out there do not, and will not. They have trouble getting Outlook Express working and you are going to talk about 'user responsibility'? What a clueless asshole.

Any article with the word 'schlong' in it is suspect, in any event.

Re:dumb article

[TuataraShoes]

The author of the article says he is not a techie. Does that make him clueless? No. He says in the article that he would welcome response from the technical community. Too bad that a certain vocal percentage of techies are so egotistically arrogant that they insult anyone who is less technical than themselves.

So if a non-techie says he is willing to learn, he correctly evaluates the economic reasons that spam continues, he suggests something quite sensible about graphical email addresses on web sites, and asks for further technical input... then why not give him the benefit of your technical knowledge? Or on the other hand, if you have no ideas of your own, you could just insult him.

The thrust of his argument is understanding why spam exists. Until this is understood, the psuedo solutions will fail, because they miss the mark. I thought the article had a valuable point to make. Good on you, Ari.

Re:dumb article

[chrisbtoo]

Take personal responsibility. Yeah, right. I don't get any spam. I filter it all out. Does that matter? NO! I'm one person and part of a very thin sliver of the total net population.

Don't vote either, eh?

Re:dumb article

[zero_offset]

He says in the article that he would welcome response from the technical community.

Which is his way of saying, "Explain this to me, I'm too lazy to run a few Google searches and educate myself." It's not as if the information on anti-spam techniques are difficult to find.

Spam exists because it works, pure and simple.

Re:dumb article

[HBI]

Don't vote either, eh?

Actually, I do. But my personal action has no effect on this problem in particular. The system is only as effective as its weakest link, and since that body includes QVC obsessed housewives and American football fans, I don't think there is much hope.

I pick on these demographic segements because they will buy almost anything.

Re:dumb article

[jhigh]

techies are so egotistically arrogant

Is there a type of arrogance that is not egotistical that I am not aware of?

Re:dumb article

[HBI]

So if a non-techie says he is willing to learn, he correctly evaluates the economic reasons that spam continues, he suggests something quite sensible about graphical email addresses on web sites, and asks for further technical input... then why not give him the benefit of your technical knowledge? Or on the other hand, if you have no ideas of your own, you could just insult him.

He writes an article shunting the blame for the spam issue off on the user. He's an asshole. This kind of statement should only be made _after_ we have the appropriate legal framework in place. But no, the rest of us are fighting to get laws in place to get rid of this shit, and this idiot is fighting against that because he's a wack job libertarian.

It's a public policy issue. There are a subculture of people preying on society. There is a job for the lawmaker here. Letting this message get out just damages the chances of something useful being done.

Re:dumb article

The thrust of his argument is understanding why spam exists. Until this is understood, the psuedo solutions will fail

What is so hard to understand about why spam exists? Spam exists because it makes money for the spammers, period.

Until spam becomes unprofitable, it will never go away. The focus on any anti-spam solution needs to be "How does this solution make it less profitable for the spammer."

Re:dumb article

Don't be silly. We American Football fans won't buy almost anything, we'll just buy almost any beer.

Re:dumb article

[Degrees]

He writes an article shunting the blame for the spam issue off on the user.

Well.... I got a work order last night (could not have been better timing) to assist one of my users. It says 'Client has over 21,000 junk mail in her GroupWise Inbox and would like our Network's Group help in deleting them, if that is possible.'

As I was sitting there deleting stuff, I noticed that on one day she got 203 items. I also saw that she reads spam, and replies to it!

So we have two problems here. 1) Sometimes, the user really is at fault. 2) Having the government pass a law relieves those users of responsibility for their actions. In this case, my employer will bill the client 1.3 hours at my (pretty expensive) rate. There is a decent chance that her boss will request some 'education' for her. And maybe, just maybe, the organization will allow me to implement SpamAssassin.

Laws don't work. In fact, they often have consequences that are far worse than their supposed cure - the War of Drugs being the prime example.

Because of the War of Drugs propaganda, parents are suckered into thinking government can do something about it; (some) kids are suckered into giving up on school because they can more money as drug-dealers; the artificially high price of the contraband leads to burglary and theft; and tax-payers lose because of the horrendous expense to hire police, courts, lawyers, jailers, and probation officers.

FWIW, after Prohibition was lifted in the 1930's, alcoholism rates did increase - 2%.

My point is that persecution of the merely annoying by law rarely works - and when it does work, the cost is way too high. There are private sector solutions that are better. Pay-per-kilobyte mail delivery being the obvious one - but then you wouldn't be getting your mail for 'free'. So the solution is to raise taxes and invite even more government intrusion into our lives?

Re:dumb article

[HBI]

This is badly flawed logic. Prohibition was another thing entirely, as was the 'war on drugs'. The actions of a few spammers have nothing to do with the situations cited. The spammers are scum bags and will be eventually eliminated due to the fact that they cause more harm to society than they deliver value.

Talk about setting up a straw man.

Re:dumb article

[Degrees]

My point was that spammers are playing the system. The system is broken because spammers can send their junk for (essentially) free. Laws to squash the play are a red herring. The real solution is to fix the broken system.

The 'war on drugs' is just an example of the hell we have gotten ourselves into relying on a government solution to a social problem. In this case, it is a mistake to pursue a government solution to a commercial problem.

You did not address the personal responsibility of my user who solicited spam. Do you think that passing a law "protecting" her is really in her best interest?

Ulitmately, what is in my best interest is that she learns not to talk to strangers. I don't think you can legislate that.

Re:dumb article

[HBI]

You did not address the personal responsibility of my user who solicited spam. Do you think that passing a law "protecting" her is really in her best interest?

Ulitmately, what is in my best interest is that she learns not to talk to strangers. I don't think you can legislate that.

One of the nicest features of contract law in the US is that a minor cannot enter into a binding contract. They can disavow the contract at will, even after they achieve majority. Obviously, this was done to protect minors, who are assumed to be dumb like your example user. Note that businesses tailor their operations around this. For example, a dealership won't sell a car to a minor, unless Daddy cosigns, or whomever.

I submit that someday we'll look back on whatever antispam measures are enacted in the same light. A bit of a nudge by the government to assure that business on the net is conducted reasonably. Some regulation is in fact good.

Re:dumb article

[Degrees]

Well, you make a decent point about the minor being protected by law, and that is a good thing. I will give you that. That the immunity from responsibility by the child causes the businessman to check his behaviour is also a good thing.

On the other hand, I hate the idea that laws should be passed to protect people from their own stupidity. At some point, a person grows up. Of all the paths to choose, why do people insist that it takes government to do the right thing?

As I got to work today, my snail-mail-box had a catalog from Global Computer. 120 pages of dead tree hawking systems, hardware, peripherals, power, networking, software, supplies, media, furniture, and accessories (it says so right here on the cover). They took a gamble, paid for printing and postage, and shipped the catalog to me. I probably get one of these per month. I never buy from them, but it doesn't bother me that the thing showed up. So why is unsolicited commercial snail-mail not a problem, but unsolicited commercial e-mail is a problem?

-

The government -- your friend, ... really? It is not lost upon me that Global Computer gets a bulk rate subsidized by your and my first class postage. And I am pretty sure that the post office is required by law to deliver it. Nondelivery is not an option - even for those people who really want it*. Are you certain regulation of e-mail will be a good thing?

I tend to agree with the author of the article, anti-spam legislation is mostly a feel good feint that government can actually do something about the problem. My home town passed an anti-graffiti law. Care to guess whether the amount of graffiti in my town went up or down?

If I were working in a smaller organization, I would be promoting the challenge -- response system. Just like with instant messaging, where you can block the callers you do not want, the systems are open without regulation. In a larger organization, I would use a server based spam filter with mailboxes for spam and ham that my users fill. In fact, I hope to be implementing it next week.

You may end up being correct, that anti-spam legislation does get passed, and that we look back at it as a good thing. Me, I think that spam is a passing fad, much like flyers placed on car windshields. When printing first became really affordable, many people put flyers on cars. It hardly happens today because people realize it just doesn't work - no one ever buys anything from a flyer - and it still costs money to print the thing.

*Actually, I saw an instance where a government agency managed to mail a letter knowing that it would not be delivered. It was kind of a dirty trick, but I digress.

Re:dumb article

[HBI]

"So why is unsolicited commercial snail-mail not a problem, but unsolicited commercial e-mail is a problem?"

If the sheer bulk of commercial snail mail were equivalent to the spam load on my mailbox (40+ per day, filtered, but still...) then we'd have rules about that too. Commercial mail costs money, which is a significant barrier to entry: they aren't going to waste $.25 or so on someone who is sure not to buy their stuff. As it is, the junk mail I receive at home is a major component of all the trash I throw out, so i'd be all for limiting that too. But hey, it might be just me in that case. The spam case is clear-cut. There is virtually no cost for the sender.

Me, I think that spam is a passing fad, much like flyers placed on car windshields. When printing first became really affordable, many people put flyers on cars. It hardly happens today because people realize it just doesn't work - no one ever buys anything from a flyer - and it still costs money to print the thing.

Actually the reason why people don't put flyers on windshields probably has more to do with litter ordinances than anything else. I remember I worked at the family business and we got nailed a few times (people were taking said flyer and throwing it on the ground, township got involved and there you go) and then said screw it and got a bulk mailing permit. Also, there are postal regulations regarding putting flyers anywhere on or near a mailbox, and they will hit you with those too.

My point is that you are ignoring a lot of not-so-subtle disincentives to the activities you cite. All of these are provided by government in one way or another.

Re:dumb article

[Degrees]

So we agree that it is the sheer volume of mail that makes it a problem, and that the volume is so great because of the extraordinarily low cost of e-mail. Where we disagree, are what disincentives ought to be applied. I think that regulation is ineffective and overrated, while you think that it will be effective. I think that the private sector will figure out solutions on its own, (although I admit it might take a while). For some reason, you prefer government control. Fair enough.

My point is that you are ignoring a lot of not-so-subtle disincentives to the activities you cite. All of these are provided by government in one way or another.

I would argue that the expense without reward is the largest disincentive -- and is not provided by government. Even without fines for littering, unsolicited annoying advertising is doomed to failure. Why not let it fail naturally, without bringing in regulators?

Onus is on users

[Kanasta]

Firstly, stop buying things from spam!

My friend once commented on how all he hated getting so much spam the everyday. I myself get maybe one or two pieces a week, so I started to show him the basics of filtering out some of the crap.

So what do you think he says? He doesn't want all his spam automatically deleted he said, because sometimes something interesting comes! He even likes to follow the links two visit the sites.

Fuck I wanted to smack him right in there and then. Actually I'm in a bad mood right now I want to go back and find him and smack him anyway.

Re:Onus is on users

Well, I connected, and filled in the forms with some bogus (but reliable-looking) data, including invalid (though matching the basic "checksum") cc numbers. Hopefuly would take them some time to send them to verify them with the bank...

Re:Onus is on users

[JaredOfEuropa]

He doesn't want all his spam automatically deleted he said, because sometimes something interesting comes!

And that is the crux of the problem I have with the notion that we can cure spam by acting like responsible users. As long as there is the possibility of one single potential customer who might be interested in penis enlargement pills, spammers will continue to inundate the world with their emails.

The solution is indeed to make spam unprofitable, but I do not think that the way to achieve that is to ask everyone to stop buying penis enlargers. Making spam illegal helps a little, but the well-known spammers out there aren't exactly known as law-abiding mr. Squeeky Clean. It should be illegal to advertise through spam. For one, it may give some of the avertisers pause, and in addition these culprits may be a lot easier to find, since they need some address to send their wares from and receive payments.

And yes, they can always move abroad... but more and more countries are considering legislation against spam. And since many countries follow the US' lead when drafting trade and economic legislation, it would be nice if the US would take the lead and implement a decent law for once, against spam and against those hiring spammers.

Re:Onus is on users

[thogard]

The problem is who is buying from the spamers? Its not the end customers, its the people pushing their junk. They are the ones paying the spam shops.

This small point seems to be missed by most of the posters here.

Its just like an adverting agency. An adverting company doen't get paid to get you to buy soap, they get paid by convincing the soap company to part with some money.

Re:Onus is on users

[Azghoul]

I don't think you'll be able to legislate spam out of existance. In fact, I know so. There are, let's just round it off, nearly 200 nations in the world.

There is no way every one of them has laws (with teeth to stop it. And hey, look how well laws against murder work!!), and there's no way the U.S. diplomats are going to say, "No, we'll stop our billion dollar trade unless you stop your spammers."

Spam is so tiny a problem in comparison to what the trade diplomats are really working on... Compare spam to the steel industry, or agriculture, for example.

The onus IS on the users, to work on their ISP's to filter spam, and to filter it themselves, and to NOT CLICK ON THEM!!

(rue the day :) when HTML made it into email...)

Re:Onus is on users

[danila]

There is no way every one of them has laws (with teeth to stop it. And hey, look how well laws against murder work!!), and there's no way the U.S. diplomats are going to say, "No, we'll stop our billion dollar trade unless you stop your spammers."

I don't expect the diplomats to do it, I expect ISPs to do it. If spammers move to Vanuatu, I expect most ISPs to say "Fuck Vanuatu!" and block all incoming e-mail from that country. :) That would cause a minor inconvenience for Vanuatuans, forcing them to use US-based webmail for international communications, but who the fuck cares about them. :-) Many ISPs already routinely block whole countries, such as Nigeria and Argentina, because most USians receive little legitimate mail from these countries.

So we only need to outlaw spam in the major Internet countries, such as US, EU, SEA, China, Russia, Australia, etc. And the Vanuatus of the world can do whatever they want but they should be ready for the consequences.

Re:Onus is on users

[Azghoul]

Why not just rely on ISPs entirely? Publically flog ISPs that allow spammers, get existing ISPs to drop all connections to/from them.

What I want to know is, why aren't the ISPs doing something about this now? They're the ones with the bandwidth costs, aren't they??

Re:Onus is on users

[berzerke]

...What I want to know is, why aren't the ISPs doing something about this now? They're the ones with the bandwidth costs, aren't they??

Simple, money. Ever heard of pink contracts? Basically, for something on the order of 2x normal fees (perhaps more), the spammers gets to ignore the TOS. In short, the spammers bribe the ISPs to look the other way. For some ISPs, it is simply more cost effective to look the other way.

In addition, those within the ISP who do want to drop the spammers are often not liked. The salesman who brings in a "new" customer at more than the going rate looks good. The admin that kills that spammer's account is getting rid of a "valuable" paying customer.

And that leds back to a point the article made: Spamming is done because it is profitable. I still favor email filtering upstream (at the ISP level) as the best (long sigh) solution. Give customers notice that the filtering is occuring, and give them the option to opt-out. Those stupid enough to buy from spammers will (a) probably ignore the notice that there is filtering in place, and (b) not be able to figure out how to opt-out.

This will reduce the number of ads seen by the stupid user, who therefore won't send money to the spammer. Spammer's profits go down, and if the go down far enough, spammer goes out of business.

Re:Onus is on users

[cpt+kangarooski]

I don't really understand the problem here. Just because you, and I, and most people, hate spam does not mean that he _has_ to hate it as well. Disliking spam is a commonly held opinion, but it's an opinion all the same.

It's okay for people to like obnoxious things like cigars, or Weird Al Yankovic, or riced out cars. Or even spam.

True, as long as someone likes any of those things, the rest of us will be stuck with them, but nevertheless I think that having to tolerate the existence of things you dislike is part and parcel of living in a free society. And it's not as though you have no other way to rid yourself of spam.

Re:Onus is on users

[secolactico]

What I want to know is, why aren't the ISPs doing something about this now?

Some ISPs did just that. That was the whole point of SPEWS, wasn't it? Punishing spam friendly ISPs.

Re:Onus is on users

[Skapare]

If 99.99 percent of the people who receive spam refuse to buy anything from it, then the spammer will ... hit an economic bonanza from all the orders coming in to him, or his client, from that 0.01 percent that do. That would be an immensely successful campaign. The problem isn't that some people part with their money for spammers; it's that it takes only a very tiny fraction of people to do so for the spammer to have tremendous success. This is because the economy of scale in spamming is so huge for the sender. The recipient who deletes a piece of spam even before reading it, based on the subject line or for whatever reason, has already incurred the cost through his ISP. Most of the cost of spam is at the receiving end. When a spammer does a ten million address run, he doesn't put ten million copies of mail in the sendmail queue. Yet ISPs such as AOL, which would likely be the target of a few million of those addresses, has to queue a separate copy for each and every one (or else apply some filtering to each and every one to get rid of it). Even when filtering out the spam in the simplest of ways, the costs at the receiving end will be greater than the costs at the sending end. Spammers have absolutely no economic incentive to trim their lists down to the tiny fraction of a percentage of people who do want that crap; it would cost all their profits to do that work. It used to be when direct marketing was expensive, having lists of people who genuinely wanted it was a great value. But today, the cost of preparing such a list is many times greater than just hitting every known email address ... hence the term spam.

The problem with trying to take the approach of getting everyone to stop accepting spam really won't work just because there will always be some tiny portion we cannot convince. So, go smack your "friend" a 2nd time for me. But I don't think it will do any good. Convincing 99% of the ISPs to stop letting spam come from their network (and there are ways to do this quite effectively) will have much much more effect on reducing spam (it's then practical to just block all of the remaining 1%) than trying to convince 99.999% of people to stop reading spam and financing the spammers by buying things from them or their clients.

Re:Onus is on users

[Brandybuck]

My mom is the same way. I tell her and I tell her but she does not listen. I tell her that spam is illegal but she does not listen. I tell her to never unsubscribe to spam, explaining exactly why, but she doesn't care. I can see her eyes glaze over as I speak. I am, in her own words, her "personal computer instruction manual", but she won't listen. It's so aggravating I want to scream.

Re:Onus is on users

[Skapare]

And this is why many people/networks will choose to block an entire ISP, after some reasonable time in which that ISP fails to terminate the spammer (which they would not do in most pink contract situations). Remember, the costs incurred by the spammer continuing to attempt to send spam even though mail servers will refuse it, is as great as, and maybe even greater than, the cost of "just hit delete". The only way to get rid of these costs (which are many many times what it costs the spammer to attempt to send it) is to get the spammer shut down. Those who blacklist ISPs like that are there trying to pressure them to drop pink contracts, and drop spammers. It works for some ISPs but not others. Those who use those pink ISPs and whine about not being able to send mail are indirectly helping the spammers.

Re:Onus is on users

The article assumes the spammers make all the money. Well, a few do...primarily naughty web sites and off-shore bookies...most don't. The real money-maker is selling the spammer software, providing the mailing lists, and hosting spammer-tolerant mail domains. In other words, the wholesale market. They're in the business of selling the spam servive itself--not the merchandise and services offered in the pitches. Go after the kingpins, and the corner pushers are out of business!

Re:Onus is on users

I agree that it is frustrating that people can be so naive.

Problem with advocating that people tell others to stop buying now is that the number of responses to SPAM to make it profitable now is a vanishingly small one. So, the SPAMMER always gets paid and the 'company' (using company although many are scammers not legit businesses) that pays them may need as little as 10 responses to cover the amount to pay the SPAMMER and anything after that is pure profit (assuming that SPAM is designed to get $ not sell a real product).

So, a response of 50 people out of a 1,000,000 e-mails sent is worth it for both the SPAMMER and the 'company'. The percentage of response is: .00005%. For most of us, it is like looking for the needle in a haystack, since many SPAM responders probably do not have much contact with anyone who is technical.

The only thing that might reach them is a series of PSAs by an ISP trade group or individual ISPs adding a couple of commercials to their schedules that explain that users should not purchase from SPAM ads, especially from companies the have never heard of and/or have no relationship with (to prevent complaints from 'legitinimate marketers' who have a relationship with a customer).

TV and radio should reach people that don't do anything technical beyond surfing the internet and hopefully start building up an awareness that SPAM is an untrustworhty source for products of all types. Once that awareness becomes culteral for internet users then SPAM should become uneconomical.

It should be economical for ISPs to do this since it should eventually lower the overhead now consumed by anti-SPAM measures, storage of unwanted e-mail, and work done on abuse issues.

Of course some of the anti-SPAM groups might take donations to put together their own ads and buy airtime or use more economical distribution channels like the ad slide shows in movie theaters to get the message out.

Re:Onus is on users

Try setting up filtering for her, popfile.sourceforge.net works on any computer that can run Perl (even Windows -- it has separate Windows installer that also installs Perl) and can be used with any almost any e-mail client she is using.

It will take a bit of training, but I didn't find it needed too much and as a safe guard you can monitor her 'SPAM' folder occasionally before deleting the contents (she does not even have to check it).

Once you are satified that it is working ok, you might be brave enough to change the folder to trash so emptying the trash will kill all the SPAM without intervention -- choice is yours.

I found it easy to install, once setup does not require any extra steps for the user and seems to be very robust at catching SPAM. I have over 56,000 filtered e-mails with a 98% accuracy (which includes all original training 'errors'). All setup is done via web browser, so no file editing is needed.

NFI, I find it very useful. There are other filters using the same Bayesian filtering method, including spambayes.sourceforge.net, which has an Outlook plugin that puts all it's function into Outlook which may be easier for your Mom. There are other options, so you may want to check for 'Bayesian e-mail filtering' in google for other choices.

Re:Onus is on users

This Used to be true a few months ago, but spammers no longer have to get sympathy from ISP's, thanx to the Sobig Infections and people's STUPIDITY in opening up attachments leaving their PC's open for installing spam proxies controlled by IRC bots. Seems to be their favorite methods of spreading their smut.

This insanity is vitrually impossible to stop, spammers know this, so do the ISP's who often throw up their hands and make no further efforts to stop them, when in fact there are, but it's going to take a coordinated effort to stop it, and nobody wants to deal with it.

So, spamming will. continue... servers are still getting hacked, systems are getting hacked by spammers, who install their OWN servers on an infected machine, hosting filthy PoRN sites, and running DNS servers which re-point to different porn servers each day, like our friends at "gordontower.com".

Try a DNS lookup on it, and you'll see the IP changes almost daily. If course a "whois" reveals the DNS server being in Russa, for easy and convenient access for the spammers to easily switch their DNS to whatever they want.

Spammers DO leave trails, one of the most important is the spam message itself, and of course is the ONLY starting point one has in leading up to their trail.

Of course there are other spammers just as sophisticated, and tracking them down is actually quite fun and challanging if you have the right tools.

The really fun part is infiltrating into their online network (posing as a spammer of course). Obviously by now, they are hip to this, but the infiltrators are winning....

Unfortunately, the spammers are winning the war against the anti-spammers, as in some previous incidences already posted here, by DDOS tactics, but INHO, this is going to do nothing but attract MORE attention to them, and already the authorities are taking notice.

Unfortunately, this close ATTENTIONS are going to erode even MORE of our liberties, as the internet will soon be a big brother network for "Da Man". Serving them endless information on what YOU are doing and who you communicate with.

Perhaps we SHOULD kill the "State", we might be better off... but the original poster DID make a very clear point..... Focusing on the nitwits so eager for enlarging the anatomy between their legs, who are so eager to open up their wallets.

How can we stop it?

There is no "silver bullet", but simple security measures like IPS (intrusion Prevention Systems) can certainly help. better cooperation between ISP's and perhaps a national "spam alert" system.

Spamming makes a lot of "noise". Noise can be detected. Simple snort rules are all that's needed to "hear" these noises. Logs can then reveal a surprising amount of info on tracking the IRC servers used to control infected hosts.

Quick reactions can actually be used to stop these attacks, where each one comes from a different IP address. These can then be recorded and shut down "en-masse", shutting off a major avenue for spammers, if the ISP's would wake up and smell the roses and change their AUP to allow the ISP to cut the infected host until the customer cleans their PC. this might be "heavy handed" but I see the trend going this way.

Re:Onus is on users

[TrombaMarina]

Your post made me laugh out loud!

Seriously though, there's a great point hidden in this posting. Kanasta's friend might not be the brightest bulb, but that's no reason to lock him up as some have suggested. Although it's fun to joke about, stupidity should not be a crime, because everyone acts stupid sometimes. Stupidity comes complete with its own punishments anyway.

What I want to know is does he ever get any of the things he pays for this way? It's hard for me to believe anyone is dumb enough to think that they really can buy generic Viagra from spam. But it's equally hard to believe that spammers are so confident in this one overused scam that 2 or 3 Viagra spams show up in my inbox every day. I mean, both the spammers and the idiots who respond have to be born yesterday to fall for this or think that it works. How can they be smart enough to send an email and not realize how stupid they are being?

So, when a spammer get's started, does he say to his mom, "Hey, I've got this great Idea! I'm going to annoy the world with spam scams and get rich!" I mean, what happens to someone socialogically that makes them want to send spam?

Re:Onus is on users

[DavidTC]

Next time you're at his computer, open up a random piece of spam, and show him the headers. In particular, point to the spam 'origin', which 99 out of a 100 times will be an illegally installed proxy on some sap's cable or DSL connection. Point out that the spammer commited a felony by hijacking said computer.

Then ask him if he wishes to do business with felons.

Re:Onus is on users

[Kanasta]

But he does hate getting spam. Thats how it all started. But he wants to read every bit he gets.

Re:Just delete it

Yeah but I think the idea is how it should not end up in your inbox in the first place.

Spamcop sucks

[Bluefirebird]

I just got a legitimate email returned because spamcop claims that the smtp server of the webhosting provider has an abnormal rate of spam.
The worse thing about spam is that filtering systems create false positives...
My provider requires authentication but everyone knows that you can create spam using a IP address from a well behaved smtp server.

Re:Spamcop sucks

[Phroggy]

I just got a legitimate email returned because spamcop claims that the smtp server of the webhosting provider has an abnormal rate of spam.

Your e-mail was returned because whoever runs the mail server you were trying to deliver the message to has chosen to bounce mail from any IP in SpamCop's blacklist, which SpamCop has always recommended against. Complain to the people who made that decision, not SpamCop.

And, the reason the IP is listed in SpamCop's blacklist is probably because the server you're relaying your mail through has also been relaying spam, and people have complained about it (using SpamCop's reporting service). Go here to find out exactly why an IP is listed, along with sample e-mails that users have reported as spam and some statistics about how much spam has been reported from that IP.

The worse thing about spam is that filtering systems create false positives...

SpamCop says this is why their blacklist should not be used to block mail. Their list is entirely automated; it's based on reports from users, and SpamCop does not verify it. Read more on SpamCop's site about exactly how it works.

My provider requires authentication but everyone knows that you can create spam using a IP address from a well behaved smtp server.

SpamCop is really very good about identifying where a message actually came from, not just where it's been relayed through - unless there's something suspicious-looking about the server it's been relayed through (such as, for example, the hostname the server identifies itself as [the Dj line in sendmail.cf] doesn't resolve to the server's IP).

Re:Spamcop sucks

[azzy]

> The worse thing about spam is that filtering systems create false positives...

No, that's not the worst thing about spam. Try again?

Re:Spamcop sucks

[Bluefirebird]

SpamCop says this is why their blacklist should not be used to block mail. Their list is entirely automated; it's based on reports from users, and SpamCop does not verify it. Read more on SpamCop's site about exactly how it works.
Well, some brainless IT guy had this great idea to use the blacklist to block the email addresses.
Spam is only going to end if you do not use email at all.

Re:Spamcop sucks

[ChaosDiscord]

I just got a legitimate email returned because spamcop claims that the smtp server of the webhosting provider has an abnormal rate of spam.

That's nice.

But why do we care?

Come to think of it, how do you know that your email is legitimate? After all, if it was legitimate, it would have gone through. The owner over the mail server that bounced your message has decided that he doesn't true your source of email. That is his right, isn't it?

Perhaps you disagree with the owner of the mail server in question about what defines legitimate email. If that's the case, take it up with the owner of the mail server. SpamCop is just providing that person with a list. The mail server's owner decided to use that list for blocking despite SpamCop's explicit warnings against doing so

"who is more technologically savvy...."

[rokzy]

"who is more technologically savvy, your average hacker or your average politician?"

ABOLISH ALL LAWS AGAINST HACKING!

it's up to individuals to make sure every single port is secure against someone wanting to cause damage to your computer/company/bank account.

Re:"who is more technologically savvy...."

[cies]

> ABOLISH ALL LAWS AGAINST HACKING!

agreed

> it's up to individuals to make sure every single port is secure against someone wanting to cause damage to your computer/company/bank account.

I agree NOT: Joe User will never understand all the priciples of email/ports/www/etc.. The software makers will have to "make sure every single port is secure", and if not they need to build in an security update mechanism.

cheers,
cies

Re:"who is more technologically savvy...."

[John+Allsup]

To paraphrase:


Abolish all laws against violence, fraud, theft, etc.

It is up to individuals to ensure that they are secured properly against all kinds of theft, and it is up to individuals to ensure that they protect themselves.


Let's think.

It is clear that the result of the above would be lawless anarchy and rule of the gun.

What next? People would eventually work together, gradually bringing about despotic rule in various forms. Better forms of government would then come about, allowing members of the various 'protection groups' to have to worry less about their security and more about getting stuff done. Industry and stuff will come about, and inter 'protection group' trade will do likewise. Each 'protection group' will negotiate conventions with each other in order to further it's own constituents interests. Etc. Etc. Etc. (been here before?...)

Re:"who is more technologically savvy...."

[theonetruekeebler]

"who is more technologically savvy, your average hacker or your average politician?" Your average monkey.

Re:"who is more technologically savvy...."

[Wes+Janson]

Let's re-write that for a moment, shall we?

ABOLISH ALL LAWS AGAINST MURDER/ASSAULT!

it's up to individuals to make sure everyone is secure against someone wanting to cause damage to your person.

Re:"who is more technologically savvy...."

[yerricde]

The software makers will have to "make sure every single port is secure"

Perhaps they could do it by stealthing all incoming ports unless the owner of the machine has chosen to open them. Comments?

for end users

for the end users i recommend a white-list filter that automatically deletes ALL email at the server so any graphics & HTML & script never get on the local computer unless the sender is in a database or address-book...

Re: Just delete it

[Black+Parrot]

Heh. From "Just do it!" to "Just delete it!" in a mere 35 years...

Just posted this elsewhere...

[CGP314]

It's obvious what to do about the #1 problem: people who run web pages should stop listing e-mail addresses in readily spammable form.

On my London Blog I don't use any form of obfuscation. The reason for this is I want people to contact me about my writing. I want to know what people think, and any barrier I put in the way will reduce the number of legitimate emails I get. I'm not confident that most of the Internet population would understand that they need to remove the REVOVE.THIS.TO.EMAIL.ME part of my address.

Sure, I drastically increase the number of spams I get, but popfile takes care of them all. The author of this article is still correct in his economic analysis. There is little burden for me using this method, but a much larger burden for my ISP.

Re:Just posted this elsewhere...

[gd23ka]

I'm not confident that most of the Internet population would understand that they need to remove the REVOVE.THIS.TO.EMAIL.ME part of my address.

If they don't even understand how to mail you, what makes you think they understand what you wrote?

Re:Just posted this elsewhere...

[houghi]

On my London Blog I don't use any form of obfuscation.

Why not? Use something like : http://www.keypost.com/linkfiles/encode-address.ht m that wil obfusticate your email and yet let somebody click on the link or copy and paste it.

Naturaly there are other sites out there that can do this for you.

Re:Just posted this elsewhere...

[Malc]

Have you thought of putting up an email form? I've done this, and it took me about 20 mins to do in PHP. Provide fields for their name, email address and subject, and then a large text area for their message. If you have more than one address, include a drop list of possible recipients. Note that you promise to reply promptly with your real email address. I've had several people use the one I put on my personal web site.

no HTML formatted email :)

[qmrq]

Set your inbox to filter all HTML formatted email.. no more spam. Of course this can only work well for personal addresses for correspondence with friends who understand how to configure their mail client. If you want to be able to correspond with lots of people (ie link your addy on your website, on usenet, etc) I don't see an end to receiving spam any time soon.

Re:no HTML formatted email :)

[westlake]

Set your inbox to filter all HTML formatted email.. no more spam

ever the optimist...
HTML is pretty but plain text sells too.

Re:no HTML formatted email :)

[akbkhome]

This is very easy and kills 70% of spam dead..

exim4 config:

acl_check_data:

deny condition = ${if match {$message_body} \
{Content-Type:.*text/html} {yes}{no}}
condition = ${if !match {$message_body} \
{Content-Type:.*text/plain} {yes}{no}}
message = "DO NOT SEND HTML EMAILS - stop wasting my time"

deny condition = ${if match {${lc:$message_headers}} {content-type:.*text/html} {yes}{no}}
message = "DO NOT SEND HTML EMAILS - stop wasting my time"

Other than this - spamassasin and a blacklist help..

Re:no HTML formatted email :)

You just verified to a spammer that your email address is a good one.

Re:no HTML formatted email :)

[DavidTC]

You're stuck in 1999. Spammers don't care if addresses are good anymore.

My mail server gets so many attempts to send mail to addresses that are not valid, have never been valid, and were never listed anywhere that it's not funny. Hundreds of spammers have the same list of ~40 completely made up addresses that have never responsed with anything but the 5xx invalid user code, whatever that is.

They've realized that since it costs nothing to send email, that it's not worth wasting time filtering out bad addresses. After all, there's always the chance that it's your IP that was blocked, and thus you can send to that user from another IP.

spam and nntp news

[Spaham]

Here's an idea about spam on the news: Why not make the following a rule for most groups: If a company posts commercial advertising on a group, it thereby gives the right to anyone to post copyrighted material from the said company. This should slow down unwanted ads, shouldn't it ? Would this be legal ?

Re:spam and nntp news

[colinleroy]

of course not. How would it be legal ? Are you allowed to take stuff from companies sending you paper junk mail ?

Re:spam and nntp news

[Spaham]

"posting commercial advertising on this newsgroup implies automatically that the poster gives unlimited rights to all the usenet users to post any content from the originating company." (translate this to accurate legalese of course) No one forces them to post the ad in the first place, why shouldn't they be bound by this rule ??

Fortunately...

[Black+Parrot]

> We can't pretend the politicians will do it for us. Their incentive is to develop a cute re-election flyer, not solve the problem.

Fortunately we have this completely spin-free political rag to set us straight on it...

Makes me pay for my spam

[marcovje]

They really wanted to give it a libertarian twist,
no matter what, didn't they?

99% of the users can't block spam serverside, and just putting the burden on them, will make them pay for the costs, since they have to download it (telephone, burden on bandwidth).

Not putting a brake on the origin will cause even more spam.

There is only one solution: put cost on sending spam AND their ISPs that try to get away with it. Moneywise, or with penalties.

Re:Makes me pay for my spam

[melonman]

The solution, as in many other cases of antisocial behaviour, is to cut the revenue stream. Has legislation and armed intervention stopped the drugs trade?

So we need to reduce the return rate on spam to a point where it is no longer worth doing. If people stopped clicking on spam links the advertisers would stop using it.

Actually, it would be perfectly reasonable, and technologically possible AFAICS, for an ISP to share the cost of handling spam among those who click on the links. That way, whatever bandwidth is used is paid for, and, I suspect, most users would stop clicking on the links very very quickly. And if they don't, who cares, they are paying for the service they are using...

In any case, it isn't a question of making the user pay when he didn't before, the user pays now, whatever his behaviour wrt spam. Making people responsible for their actions is usually a good plan. At the end of the day, it is the link-clicker who pays the spammer, and I don't see why I should subsidise him.

Re:Makes me pay for my spam

[marcovje]

No, but that is no reason to drop legislation and intervention as an instrument entirely. They are
also a way to increase the costs, (and thus decrease spammers revenue)

The article pretty much suggest to drop the burden
entirely on the end-user

Re:Makes me pay for my spam

You know what stops drug trade? Police violence stops teh drug trade. Get in a chief of police that doesn't have a problem with a few drug dealers ending up with cracked skulls and the problem tends to go away quickly. So far the only thing I've seen that works to stop spamers is similar.

Re:Makes me pay for my spam

[Azghoul]

Yes, because the war on drugs has reduced the average big-time drug cartel's revenue. I guess they're only able to afford 1 or 2 Ferraris for their chases with Crockett and Tubbs...

Re:Makes me pay for my spam

[marcovje]

Yes indeed. Only a few cartels in remote area's survive.

Put the burden on the user, and your neighbour will start fabricating.

Perspective from the abuse desk

[Enoch+Zembecowicz]

I work the abuse desk for a regional cable ISP, and end up suspending several customers accounts per day because they're either sending or relaying spam (mostly the latter, and usually unwittingly). The majority of the complaints we get come from giant ISPs like AOL, but from time to time we get a mail header from some end user, and the ip is looked up in the dhcp log and the customer is suspended just as if AOL or RoadRunner were complaining.

Re:Perspective from the abuse desk

[Phroggy]

How many of your complaints are sent via SpamCop? Those were the majority when I was doing abuse. AOL and RoadRunner were more threatening, of course. ;-)

Re:Perspective from the abuse desk

[gnuguru]

Cool, I'm in the same boat. Same deal. If the the box on my network is sending spam, it gets fixed. (read suspended, or detrojaned) Doesn't matter about the size of the isp or the "level" of complaint.

If the headers are correct, and show abuse, the hammer comes down.

Re:Perspective from the abuse desk

> I work the abuse desk for a regional cable ISP, and end up suspending several customers accounts per day

Yay, you whacked "several" out of thousands. Why not do what earthlink does and redirect outbound port 25 connections to a server that logs the traffic then tells you to get stuffed and use the ISP's mail server? If you really need to relay (as a mobile user) then that's what port 587 is for. I haven't seen a major spam attack out of earthlink's IP space for a long time now.

Re:Perspective from the abuse desk

[Enoch+Zembecowicz]

I don't see much of anything from SpamCop. Anything that is sent to me in the regional office is first filtered through corporate, so I have no idea what kind of raw data is coming in.

I think, the solution...

[SharpFang]

1) Set up a "trade site" anonymously. Very anonymously.
2) Get your hands on a spammer's mailing lists.
3) Send out several millons of spam with "new better penis enlargement" or some other viagra.
4) Receive all the offers. Even don't bill them, just send out the product. TRICKY PART: Don't send any viagra or other penis enlargers, send out cyanide or some other really lethal poison.
5) Run, wipe all your tracks before your mail reaches its destinations. Leave the "spamming server" with a note on the harddrive for the police to find: "These idiots deserved to die. As long as anyone answers to spam, such 'accidents' will happen. This is not our last action". Take care that it gets to the news.

Fear is a powerful weapon.

Re:I think, the solution...

TRICKY PART: Don't send any viagra or other penis enlargers, send out cyanide or some other really lethal poison. ... Fear is a powerful weapon.

Damn, I'm a sick bastard because I almost want that to happen. I know it's wrong but... but...

Re:I think, the solution...

[Phroggy]

Nice, but it doesn't need to be lethal - just make it bad enough that it makes the news. TRICKY PART: get the media to point the finger at spam in general, not just your actions.

Re:I think, the solution...

Nice, but it doesn't need to be lethal - just make it bad enough that it makes the news.

Aha! Penis-shrinking pills!

Re:I think, the solution...

[Tony-A]

Even better maybe, perpetrate a hoax.
Things like "bteubu zkflmwiglmu b d x mmtr" just have to be some terrorist code.
The media will be a problem. The media, spam, Microsoft worms. All on the same side, really.

Re:I think, the solution...

[glgraca]

This might work better on drugs.
Someone could put out some cocaine
and heroin with something lethal
(or rather, something that kills
immediately) in it.
Then stupid teenagers would think
twice before experimenting.

Re:I think, the solution...

I read a book with this as a plot. Some guy's daughter OD'ed and he came up with a way to poison the stuff at the source while still being lethal at the end user. The dealers and users countered this by giving the stuff to animals and if they didn't die, it was good to use. The point is, people will always find a way around any obstacle if they want it bad enough, whether it's coke, money, or penis pills.

Re:I think, the solution...

Rather than cyanide, send them chemical castration pills. That will ensure that their stupid genes are removed from the gene pool without resorting to actual murder. Although one could argue justifiable homicide in this case.

Re:I think, the solution...

The funny thing is, during the 70s and 80s the US (with the cooperation of the Mexican government) used bombers to drop herbicide on marijuana fields in Mexico. The herbicide didn't quite kill the marijuana, but the plants absorbed enough of it that stoners in America started getting serious medical problems from inhaling herbicide chemicals. There was a substantial public outcry that eventually led to the end of the herbicide-spraying.

Re:I think, the solution...

[Steve+B]

Nice, but it doesn't need to be lethal - just make it bad enough that it makes the news. TRICKY PART: get the media to point the finger at spam in general, not just your actions.

That's the most likely spin if it looks like incompetence (i.e. the fly-by-night operation screwed up the penis pill formula) rather than malice.

Actually, given the sort of money-grubbing sociopaths that we're talking about, I wouldn't be surprised if this actually happened (by a real accident, not a deliberate plot to frame and discredit spammers).

Re:I think, the solution...

[jred]

You know, as much as I hate to admit it, I think you're heading the right way here. They're already targeting us, err, those stoners & saying they help fund terrorism. Why *not* the spammers? The terrorists get some of their funding by spamming. If you run an open relay/proxy, you're helping the terrorists. If you buy that p e n1 s enlarger, you're helping terrorists. If you even open that email w/ a subject of v1agra, you're a terrorist!!!

There's got to be *some* way we can make use of this... Why are the government & big business the only ones who can lie to achieve their objective???

Re:I think, the solution...

[jeremycx]

That's the origins of a good idea, really...

We're used to thinking of spam as noise, with the legitimate email being the signal.

If you consider spam the signal (as the spammers do), what if you increased the noise level?

Interesting.

Re:I think, the solution...

[lildogie]

Say, SharpFang, did you leave your workstation unattended for a few minutes?

Re:I think, the solution...

[DrEasy]

Simply spreading a rumor that such a thing happened might do the trick...

Re:I think, the solution...

You mean it wasn't me? [SF, AC to avoid Offtopic/Flamebait...] There are 5 billions of people and far too many of them are idiots. Stupidity by itself isn't a crime, but if it causes suffering, it becomes a serious one.

First, let's discuss, how evil a spammer is. Or, how severe punishment does it deserve.

Compare discomfort of receiving a spam to discomfort of having a small needle pinned in your body. Similar - Nothing, really. He pins one in your ass. One for each spam sent out. Why you're ready to forget it? Because of distribution, it's one person gets one needle. Now, everyone pay the spammer back, doing the same thing - pinning his own single needle in the spammer's body. You cause one of most horrible deaths imaginable. And that's about what his activity is worth. The fact that harm is distributed between too many people and too weak to get them to unite and fight back, doesn't make it any smaller. Another comparison: If you steal $1 from a billion of people, it still is theft of $1bln. Spam is the same thing by means of harrasment.

Now, what do a person, who answers to a spam? Encourages more spammers to do the same thing. Too stupid for any criticism. Too dumb to understant the basis of the system. Like a merchant who buys soap made from human fat, from nazi death camp.
In my humble opinion, killing such a person - quickly and painlessly - is a great favor to the humanity.

Re:I think, the solution...

[maccentric]

I also have a solution--a fee on email. Make it insignificant, say .0001 cents per email. If you send 100 emails, it costs you 1 cent. We can all afford this, but spammers sending millions of emails cannot.
Problem solved.
Of course, it will be difficult to set this rate at a level that keeps eveyone happy, but if I have to pay an extra $1/month to be spam free, it's a small price to pay.

Re:I think, the solution...

[SharpFang]

Theoretically - very good. Practically - spammers would keep doing what they do now, and one month you'd see you have to pay $1000 because several million emails have been sent from your account.

anti-spam tool

Have you tried Bluesquirrel's Spam Sleuth Enterprise? Works great!

http://www.bluesquirrel.com .. yup, windows =)

Things that help

[Llywelyn]

These are some steps that I take:

1) Use a mail filter ;) I use the one in Apple's Mail program, using a combination of its built in abilities and custom filter settings to hit the big stuff.

2) Disable rendering of images in HTML documents. This way you'll kill most web bugs that indicate your account is valid.

3) Bounce messages. If it is connected to a live account you'll come up as an inactive account. This has helped before, but most of the time it just generates extra messages in your account.

i think there is one solution

[mOoZik]

The only solution that I believe is viable is to prohibit companies from purchasing unsolicited advertising from spammers. Spammers don't spam for fun - they get paid to send the millions of mails out. In the end, there are companies and individuals behind them who choose to advertise via email. By making it illegal to do so, the need to stop spammers disappers, as the companies would be 100% liable.

Re:i think there is one solution

[Phroggy]

I completely agree with most of that. However, what about when the spammer lies to the client and tells them what they're doing is not spamming? Is the client still at fault? Obviously not; the spammer is - but going after the spammers hasn't really been effective so far.

Re:i think there is one solution

[mOoZik]

Good point, but if a law stating all unsolicited e-advertising is illegal (and if that law is well publicized and promoted), then it would take a clueless fool to proceed with it anyway (I'm talking about the client, not the spammer) and perhaps he/she could use a nice penalty to teach him (and other clueless folk) a lesson. I don't think it would solve every single case, but I suspect it will reduce the volume dramatically. I believe the only way to stop spamming is to kill the demand for spammers.

Re:i think there is one solution

[hamster+foo]

That would just force the client to be careful when hiring advertising companies, and I'm sure they could include a clause that would make the company liable for any spam they send without the consent of the client. So if the client was prosecuted, they could then turn around and sue the company doing the spamming.

The broken-ness of email

[Alioth]

We need more than this to stop spam. There's too many idiots about who'll buy spammer's products.

I don't think SMTP itself is fundamentally broken - we just need some improvements to the administration.

In the early days of road transport, drivers were unlicensed - anyone with the money could buy a car and drive it. As traffic built up, eventually this was no longer tenable. As email traffic builds up - lack of licensing for MTA operators is becoming untenable. My server has rejected over 1.2 *gigabytes* of malware in the last week (mostly Swen worms). SpamAssassin kills 80 spam messages a day in my mailbox alone - and still about 15 a day get through. The option of "doing nothing" about email is no longer viable. Schemes like "sender pays" are untenable too (and unfair - why should I pay yet another fee to use bandwidth I'm already paying for once?)

What is really needed is a licensing scheme for people who operate MTAs, just like there is for amateur radio. In brief, here's an outline of what could be implemented. I know this will probably draw the ire of Slashdotters who think they should be able to just run an MTA on their cable modem connection with no qualifications - but this is *exactly* where the problem stems from: to be sure of not dropping too much 'ham' we have to accept SMTP connections from more or less anyone. And this means we get flooded with over a gigabyte of Swen worm traffic in a week.

This list of requirements is by no means comprehensive - it's just a starting point for discussion.

* If you want to run an MTA, you must be licensed to do so.
* A licensed MTA operator may only relay mail from their own network or from other licensed MTA operators. In the case of a home user, this means they can only relay mail from their LAN. In the case of an ISP, from their own netblocks etc.
* A licensed MTA operator may only receive mail from other licensed MTAs. This means you must reject email from the unlicensed (virus/spam spewing) MTA on adsl-192.14.5.6.pacbell.net.
* A licensed MTA operator may only send mail to other licensed MTAs.

MTA licensing can be based on digital certificates. The MTA oper's signature will appear in the header of the email.

To obtain a license, the MTA operator would have to take an exam. The awarding and administering of licenses will be done by TLD. (A good idea would be that the licensing authority must not be the same company or subsidiary of the company that runs the TLD, so VeriSign is not allowed to be the licensing authority for .com/.net, and Nominet is not allowed to be the licensing authority for .uk, and Domicilium is not allowed to be the licensing authority for .im) There can be more than one licensing authority per TLD.

The upshot of this is that if a licensed MTA operator passes spam or malware, they can have their license suspended or revoked, or fines levied. MTA operators at the ISP level will be *very* careful to ensure they don't harbour spammers because they'll lose their MTA license. They will be *very* careful they configure their system to not allow executable attachments, or at least scan them for malware. Small MTA operators will be *very* careful not to accidentally configure their mail server to be an open relay.

To obtain an MTA license, an exam should be passed not for a specific MTA such as Exim or Sendmail, but general good practise in operating an email server, and general knowledge about internetworking - just like amateur radio licenses don't have exams on a specific model of ICOM radio. Additionally, the MTA operator must provide positive ID when applying for the license - this way, we make sure the MTA oper is accountable for what their MTA emits.

Of course, an actual implemented system like this will be more complex than what's outlined in this posting. Of course, most Slashdotters will hate the idea expressed above - I wouldn't really like to have to take exams to keep running the mail server I already

Re:The broken-ness of email

[Pierce]

Why not just digitally sign all messages leaving an organization? Then you can check the digital signature at the receiving end. This doesn't prevent the spam from being sent, but it does provide some accountability.

Doing this at the MTA level prevents the end user from knowing about any of it. Certs can be obtained from CACert if you don't want to support any of the existing CA monopolies.

As more people start to use certs to sign the messages create a white list where you only accept messages that are signed. Messages that are not signed could be rejected or have their subject altered, similar to how some programs place {Virus?} in the subject when a virus has been removed.

Problem solved. (As long as you trust the cert.)

P-

Re:The broken-ness of email

[Dion]

You don't actually need the government to do this simply start a global whitelist of all MTAs / users that are certified to be sane.

Certifying MTA's and users is done by signing their key and in return having them sign a contract that states that if they spam then they will be dragged naked through the town square by the soft and dangly bits.

I've written a small page on the subject, it contains the outline of this global trust hierachy along with a simpler and cheaper solution, that we can actually use today.

Re:The broken-ness of email

[John+Allsup]

Quick thoughts:

A licensed MTA operator may only send mail to other licensed MTAs
So how does the MTA legally send the email to the target inbox? I think you mean '... or to their own network.'

There are also considerations about how the email system should work (for example, to get the burden to be more on the sender than on the receiver.)

The current system is suboptimal in many ways, and enshrining the current system in law could be counter productive. (Essentially, the international treaties underlying such laws would need to be very well thought out and worded so as to avoid various different implementation details appearing in different states/countries' ratifications. Such good thinking is usually disrupted by the kind of horse trading that goes on with international agreements.)

Re:The broken-ness of email

Schemes like "sender pays" are untenable too

Depends on how you implement it. If, for example, you take the (UK) mobile phone billing model, you pay for your 'bandwidth' and a number of free phone calls are included in the cost, the more phone calls you make, the more you'll end up paying. Doesn't affect those of us who send relatively few mails, maybe a couple of hundred a month as its still free. But if you're sending a few million a day/week/whatever, ifs going to hurt you in the wallet.

Of course, I'm not a spammer, and have no idea how much these people get paid so am not sure exactly how it would work, but these things should be explored.

I too use the filtering provided by Apple Mail and find that once its been trained I get very few pieces of spam through and zero false positives. I redirect 2 hotmail accounts to Mail and the amount of junk mail in those accounts is incredable, one of these accounts I set up and never used specifically because I was curious as to how much junk I'd get on an 'inactive' Hotmail account.

I seem to have rambled!! Oops

Re:The broken-ness of email

[Fat+Cow]

Great idea - in fact we could extend it to solve some other problems...

maybe a license to send email?

how about a license to get on the internet in the first place - you have to be able to recognize spyware.

of course we'll have to expand government bureaucracy to deal with the licenses. and the police to track the new criminals.

Re:The broken-ness of email

[gnuguru]

So many glib fuckwits, only 9 shots in the 9mm.

Wait, that's nine less idiots who want to penalize the providers!

PENALIZE THE ABUSERS YOU FUCKWIT.

Re:The broken-ness of email

[robinjo]

How do you certify that a whole ISP is sane? You only need one spammer to ruin it.

Re:The broken-ness of email

[Dion]

Simple, the ISP signs a contract to get their certificate, part of the contract is that they must ensure that their users don't spam and come down hard on those that do.

ISPs that lie and don't enforce their antispam policy get their certificates revoked and their local CA (who they signed the contract with) sues them into the ground for breach of contract.

Re:The broken-ness of email

> Schemes like "sender pays" are untenable too (and unfair - why should I pay yet another fee to use
> bandwidth I'm already paying for once?)

Because you _haven't_ paid for all the bandwidth you're using - you haven't paid for _mine_.

Why would a properly structured sender-pays approach be unfair? You pay to use my bandwidth and my time.

Whether or not sender-pays could work is another matter - mailing lists would need to be taken into account (perhaps you'd need to sign up explicitly to reimburse the sender), and email viruses would generate a whole lot more squawking if they started costing individual users actual money (rather than just bandwidth). Which might not be such a bad thing, actually...

Re:The broken-ness of email

[pjrc]

MTA licensing can be based on digital certificates.

Consider the current practice of SSL certificates, required for "secure" web sites.

A small handful of companies have enriched themselves, issuing the certificates. But at $125/year (and up), the cost is high per site. So many sites share a "wildcard" certificate issued to their ISP. Few (if any) ordinary users know to check the certificate before trusting a website's security, so the verification that the receipient of your sensitive info is ambigious. Over time, certification authorities have cut costs, with the result that it's quite easy to get a certification with fake info, and there's virtually no verification after initial issue, despite having to pay nearly full price to renew every year. Worst of all (for the integrity of the system) are newcomers like GeoTrust who will issue a cert in only minutes with no real verification at all (other than easily faked domain name registry info).

THAT is the sorry state of SSL certification, despite the high price of certs which should be more than enough to cover the costs to truely verifying the identity of every entity. All in all, SSL certs today mean very little... other than enriching a very untrustworthy (Verisign) to the point where they could buy Thawte and obtain a near monopoly.

Why would MTA licensing somehow be any better?

Re:The broken-ness of email

[krantan]

One of the most interesting/possibly effective methods of spam reduction i've read about is the Habeas system. I don't know much about it other then the company rhetoric, does anyonw have personal experience? It frightens me on some levels (i.e. dependence on a single company for my right to email) but it seems that it could be at least a stop-gap solution to reduce the profitablilty of spam. Mouth of the Beast Thoughts?

Re:The broken-ness of email

[mamer-retrogamer]

Of course the success of this licensing system assumes that licenses cannot be forged or otherwise obtained by spammers. Which, I am sorry to say, is not bloody likely.

Re:The broken-ness of email

[Alioth]

That's the whole point of having a certificate revocation list - if spammers get a license and use their MTA to spam, their license gets suspended or revoked. Forgeries will be an extremely tiny problem with cryptographic digital signatures (a licensed MTA would add its digital signature to the headers of any message it sent - this is how other MTAs recognise it's licensed). To forge the certificate, the forger would have to steal the licensing authority's private key. And if that happens, the certificate revocation list will take care of it (and the licensing authority will have the embarrassment of having to issue new licenses for everyone it serves, so they are likely to keep their CA key very very secure).

Re:The broken-ness of email

[fishbowl]

>Schemes like "sender pays" are untenable too
>(and unfair - why should I pay yet another fee
>to use bandwidth I'm already paying for once?)

If the spam is really that valuable to the sender (and it seems to be -- they fight tooth and nail to retain the privilege to send it), then a sender-pays strategy might end up subsidizing the whole system until the bandwith is free to you.

I'd stop filtering my spam if the spammers paid my cable bill.

We can stop it ourselves...

[zer0harm]

Here in New Zealand we just post spammers personal details in major newspapers... http://www.ananova.com/news/story/sm_811235.html?m enu= Followed up with threats and obscene phone-calls, this is an effective tactic. There are now up to 100 million less spamails per day.

Re:We can stop it ourselves...

[jvervloet]

Here is a clickable link. Though this technique seemed effective, I'm not sure it's a good idea. What is worse, spamming people for making money, or spamming people for revenge?

Re:We can stop it ourselves...

But isn't he back spaming? I've got several hundred posts that seem to be just like the old ones he claimed to have done.

Executive Summary

[The+Famous+Brett+Wat]

He says the way to kill spam is to foil address harvesting, by obfuscating email addresses in web pages and on Usenet.

All very well for new addresses, I suppose. I've taken that approach myself, on my spamless email addresses. If it becomes a problem to spammers, they are likely to adapt by harvesting addresses directly from PCs using viruses and other malware.

Yeah, but it still requires a change in the law

"Personal responsibility" is a great idea. It's what I've been advocating for five years now:

What legislators have to do is make 'he was a spammer' a legal defence in cases of murder, torture and arson. I'll do the rest.

Only one option...

[Unsolicited+Commando]

We will need to bring back vigilante mobs and lynchings. Of course, I'm totally in favor of this.

What they're missing

[Phroggy]

Spam exists because it works; enough people buy products that are advertised through spam that the increased sales more than make up for the cost of spamming.

Companies choose Microsoft solutions because Microsoft provides the most flexible, stable and secure systems, with lower TCO than the competition.

I believe both of these statements are false, but are believed to be true by people making the decisions. Why? Because spammers and (to a much lesser extent) Microsoft salespeople are dirty rotten lying scumbags out to make a buck by cheating whoever they can. On top of that, spammers also sell their service by claiming what they're selling is not spam - it's direct marketing to a targeted opt-in list of interested consumers over the Internet. We all know in reality it's completely untargetted and their definition of "opt-in" includes allowing your e-mail address to appear unobfuscated on any web page, using it to register a domain name or post to a newsgroup, or simply choosing an e-mail address that could be guessed at random. We know that, just like we know Windows almost never has a lower TCO than anything. But the people paying the money don't, because they simply don't know better.

Re:What they're missing

[cerberusss]

...believed to be true by people making the decisions.

...just like we know Windows almost never has a lower TCO than anything.

I'm a linux lovin' slut. That said, your analogy sucks. I believe there's got to be something else than pure marketing/aggresive salesforce that's responsible for the fact that Microsoft grew from a small company to one that dominates a lot of IT submarkets. You can't permanently keep up an image that's just plain false, you have to add value.

Re:What they're missing

[doublebackslash]

I once got a forwarded e-mail that was laiden with e-mails. I collected, sorted, and formated the list. I wrote an anti-forward e-mail and used an e-mail server to send out 3000 e-mails in about 30 minutes. No cost to me, except for bandwidth. I cannot believe that the cost of spam is high, so if even a few hundred have bought spam items (shame on them), they have more than re-capped /their money's worth.

Re:What they're missing

[GSloop]

"I believe there's got to be something else than pure marketing/aggresive salesforce that's responsible for the fact that Microsoft grew from a small company to one that dominates a lot of IT submarkets. "

You're right, it's called Monopoly and massive market power.

Office didn't have very many users.

E.g.
MS convinced all the major vendors at the time (Offiec 4.3 & Office 95) to put Full Professional copies of Office on all stations along with Windows, at very little or no additional cost. (I believe there were penalties if they didn't do so. In any case, you were foolish to ignore MS's wishes - there would be penalties in anycase, explicit or not. Just look at IBM and OS/2 with the Windows beta etc.)

Then, when market penetration went to 90+% MS simply stopped bundling Office Pro. We got small business for free. Now that's even stopped. (Heck, not even crappy Works is free anymore - not that I'd want it...)

Now Office Pro costs $500+ for full copies. Small business is $200+

I can buy OEM copies of WordPerfect Pro 2002 (Word-processor, shreadsheet, Database, and presentation package) for ~$25. And none of these products are shabby. (BTW, OEM Wordperfect suite is about equal to MS Office Pro in terms of apps/functionality.)

There's no "value add" other than the fact that MS completely dominates the market share. Thus it's just easier to buy MS Office. So the value add is it all works together. The reason for this, is MS used its dominance to decimate the market. It's no wonder they're the only player anymore.

Cheers,
Greg

Re:What they're missing

[cerberusss]

[about pricing]

Of course they're clever bastards (but they're not the first, nor the last company who prices for market penetration). But that alone just does not cut it, I think. Joel Spolsky wrote a bit on how Excel squashed Lotus. And I don't think they had a monopoly back then.

I'm convinced that's how Open Office etc. should work. Flawless im- and export, and I mean real fucking flawless.

And I wish people here would quit putting out/modding up extremities as if Microsoft acted like a monopolist from day one. Because that's just not true, or at the very least not really a balanced view.

Re:What they're missing

[yerricde]

I'm convinced that's how Open Office etc. should work. Flawless im- and export, and I mean real fucking flawless.

If you're convinced enough to swear, are you convinced enough to put your PayPal where your mouth is and fund development of better MS Office document import filters in OpenOffice.org?

Re:What they're missing

[cerberusss]

are you convinced enough to put your PayPal where your mouth is

Yes I am, but I didn't fund OpenOffice. Instead, I went here and spent $55 on a copy of Crossover Office. Works like a charm now and not in the nearby future.

Re:What they're missing

[GSloop]

Leveraging monopoly power from one area into another is monopolistic activity too.

Or, do all companies just *instantly* start out as monopolies?

IE wasn't a monopoly in browsers was it early on? No, it used power and cash from another monoploy to construct and extend that monopoly to browsers.

Started with DOS - a de-facto monopoly. Extended to Windows. Moved to Office. Moved to browsers.

The legality of this, IMHO is a moot point. The moral failings of this practice and the victims it leaves behind are reprehensible.

The real problem we have now, is that the US Justice Department is now a wholly owned subsidiary of Microsoft.

Sure, the market will come to bear. I think all rapists will also reap their ultimate reward - from someone with a gun, a mob, or othewise. However, I don't believe we ought to let the rapist or the monoploist rage unchecked over the world around them.

The Market can often take much too long to correct behavior. In these cases, we step in and rescue the victims, and restrain the predators.

Cheers,
Greg

Slashdot Spam

I'm starting to consider boring and pointless slashdot articles about spam, to be the new spam.

who is more savvy?

[penguin7of9]

who is more technologically savvy, your average spammer or your average politician?

Who is more technologically savvy--your average bank robber or your average politician? Who is more savvy about poisons and guns--your average murderer or your average politician?

See, by your argument, most laws are useless because they were made by people not as good at committing the crime as the people who actually did commit the crime.

Moan all you like!!

[zer0harm]

I'll be laughing at you all when my money's in the bank, and I can finally afford a big penis!

Since I tried Span Assassin I get few

unsolicited e-mails anymore. I used to get hundreds a day. It kinda makes me feel lonely.
And I'm kinda out of touch now. I mean so far I'm thinking my penis is big enough, but what if one day the wife breaks it to me that she needs a little more oomph. I might not know where to turn.

Best way to stop spammers

[Ghostx13]

Make Rosie O'Donnell sit on the spammers face. Between the crushing weight and the aweful smell it should kill them. Well that or it will turn them into a Dr. Phil clone.

If that doesn't work we can tie some spam to them and make them run naked through ethiopia.

Spam filtering == censorship?

[kingk0ng]

No, this isn't a a daft claim like the one that do-not-call lists breach freedom of speech. I agree with the article that it's just not the place of the state, or even infrastructure providers like ISPs or Hotmail, to filter our private mail based on content.

Even if you think that governments might be technically competent to fight spam, should they be given licence to read (even in an automated way) and analyze all private correspondence just in order to stop some junk mail? [1] I'm not so concerned about blacklisting known spammers, etc., but

Spam is really, really annoying, but when does the cure become worse than the disease?

[1] (Obviously they're going to do this anyway, but we don't need to condone this or make it acceptable.)

Re:Spam filtering == censorship?

[e-gold]

slowly, and without anyone in the media noticing, people are using the currency I sell to do get paid to read email stuff. I've tried, desperately, to impart a clue to journalists about this, to no avail.
JMR

Re:Spam filtering == censorship?

[JuggleGeek]

No, this isn't a a daft claim

Yes, it is. Especially when you go off into discussions about giving the government rights to read/analyze all the data, which has never been suggested by a sane person.

Some people would prefer that their ISP aggressively block/filter spam. Some would prefer that their ISP do no filtering at all. Others will prefer something in between. It isn't your choice - that's between the ISP and their users. It doesn't involve the government, and it isn't censorship.

Re:Spam filtering == censorship?

[DavidTC]

How on earth is Hotmail an 'infrastructure providers'? For that matter, how is your ISP's mail server an 'infrastructure providers'? (No ISP sits around doing content filtering over the wire, the actual infrastructure, that's just absurd. The closest they come is filtering out packets with spoofed IP addresses.)

Using your defination, it's just as logical to claim you are a 'infrastructure providers'. I mean, you're a box, owned by a private party, connected to 'infrastructure', whatever the hell that is, which is a wire owned by a private party, exactly like mail servers are. I'm going to email you a virus, I hope you don't go filtering it out using software or anything.

And spam isn't a content issue, anyway, it is, and always has been, about consent. Filtering on content is a stopgap measure, and no one wants the state to pass any laws about content of email, mainly because that's unconstitutional in the US. And there's plenty of filtering that isn't based on content, like blacklists.

Clean up SMTP first

[iamacat]

Run SMTP over SSL and make all connections that are not listed in DNS MX records login with local username and password. Then, have the server sign the message of a logged-in user with server's key, which is registered with a certificate authority. If enough ISPs adopt that and there are cheap mail-only services, people will have an option to only accept signed messages or at least move unsigned ones to a separate folder.

Then, once all e-mail (that gets read) is tracable to a particular person/company, outlaw spam. No need for a no-spam list, because nobody wants spam. People can always sign up for whatever mailing lists interest them. No need to harvest e-mail addresses given for totally unrelated purposes.

Will it get rid of all unwanted e-mail? By no means. But its irresponsible to just complain or try to pass laws without making simple changes to the software first and seeing how well it works. You don't install a UNIX system with an empty root password and then whine about intruders, do you?

That would be a bit drastic, but...

[Serious+Simon]

What could also be effective, is listing their names on www.ihaveasmallweenie.com

The wrong^H^H^H^H^Hright way

[t_allardyce]

I cant walk down Oxford Street without 20 people trying to hand me flyers but that doesnt mean it should be illigal. Spammers are assholes but they are only assholes because we know that what they are doing is technically legal and theres nothing we can do about it. Filtering spam might get rid of allot of it but it doesnt give us the satisfaction of hurting the spammers. To get this satisfaction we have to go over and beat the absolute crap out of them until they cant even use a mac! Obviously thats over-reaction but thats what people think and thats why spam laws get in. Actually what am i saying, screw them, make it illigal and sue their asses. I hate advertising more than anything, if i had to put up with telemarketing and tv ads every 5 mins i would go apeshit and shoot people.

Re:The wrong^H^H^H^H^Hright way

[swordgeek]

On the one hand, there's nothing legal about spam. Fraud is illegal. Theft of service is illegal. Spam is illegal.

But the real reason I had to post was this:

"we have to go over and beat the absolute crap out of them until they cant even use a mac! "

That's damned funny!

Meanwhile in the real world ...

It's obvious what to do about the #1 problem: people who run web pages should stop listing e-mail addresses in readily spammable form. I hereby announce a new policy for the Colorado Freedom Report: I will not post e-mails on the page except in graphic form (or with some other disguise). This creates a mild inconvenience in that users will have to type in the e-mail rather than merely hit the mouse button, but I figure if it kills just one spam, it's worth it.

Um no, if I lose just one business lead because someone can't be bothered to type in the email address then that's worse than all the spam in the world.

Short- and long-term approaches

[emurphy42]

Never mind the people sending the spam (allegedly including unaware victims of spam-relaying viruses). Let's institute heavy federal penalties against people *advertised in* spam. Of course, there's still umpteen million ways to screw up such a law, but it seems to me that it's easier to track down the owner of an 800 number or a web site or a PO Box than to track down the sender of a spam. This law would whack some spammers (spamvertising their own crap) and dry up the customer base of the rest.

Until someone does this (and does it *correctly*), here are the rules that I currently use to keep things manageable:

1) Messages containing my ISP's boilerplate text for "I stripped out a virus attachment, but here's the rest of the message in case you wanted to see it"... I *never* want to see it. Off to /dev/null it goes.

2) Messages larger than about 250K (except for two specific ones that I expect to get on a regular basis) are filtered to a "large messages" folder, so that I don't waste CPU time scanning through all those lines and lines of stuff.

3) SpamAssassin takes a look. Anything with a score of 5 or higher goes to a "probably spam" folder (in case of false positives), not that I've had any yet.

4) Messages sent to my mailing lists get sorted into folders for those lists.

5) Filter out messages that were bcc:ed to me (i.e. my name is nowhere in the To: or Cc: headers). If they contain "Cumulative Patch" or "Undeliver(ed|able) (to|mail to|message to)", then they're Swen crap (probably disinfected by the infected person's ISP, since they didn't get trashed in step 1); trash them now. Anything else goes into a "maybe spam" folder. (I think I've had one false positive over the past few weeks.)

6) Anything that makes it this far can go ahead and sit in my inbox. The volume of mail reaching my inbox (both ham and spam) is fairly small, like one or two dozen per day. The mailing lists (combined) get a few to several dozen per day.

Well darn it.

[Simple-Simmian]

This is another instance where my Libertarian views diverge (at least from this clueless ahole's view point.) I want spammers put in pound you in the ass prison. They are costing me and my ISPs money. Let the Guberment put the fear of god into their useless hides. Spam is spam if it comes from some cofused granny, a clueless newbie or some acomplished spam arist. I don't want any. Kill the the spaming bastages, kill them dead now or lock them up and toss the key. Enough is enough.

The Best Solution

[bhima]

In my view the best solution to end spam is to stop its real cause: Demand. It should be a civic duty to find these people, who respond to spam (thereby funding it).

Once identified they should be publicly humiliated re-educated and their computer confiscated.

Repeat offenders should be taken to the center of town and publicly beaten.

Only with the reduction of spam generated income will spam decrease! Hey who knows Infomercials and Televised Home shopping may disappear as well!

Re:The Best Solution

[1337bst]

Xactly !!
An average Viagra spam run will
bring you around 6k $ a month.

Basicly, no demand no offer.

Re:The Best Solution

No, repeat offenders should have their penis shortened by *more than 4in!!!!!!*

Or their breasts.....

Re:The Best Solution

[scambaiter]

Its always the same story: follow the money. We always wondered who might be so stupid to buy from a spammer... well, we found out 2 months ago.

I havent really checked all problems and implication but this might work: make a clear statement that credit card companies will not consider it fraud if some moron gives his credit card number to some spamvertized herbal viagra vendor and the cc gets abused. If people would start thinking again who they actually give their data to spammers and fraud-shops would generate less revenue in the long run.

I know that this is not as simple as i laid it out, but i really think this is a starting point: have people buying spamvertized products become aware that they are doing something awfully stupid and its up to them to deal with all the mess that may come out of buying spamvertized goods. What happened to the whole "i am not sure if buying something from the internet" attitude? Have people really become so desperate because of their penis size that they will send money to just anyone?

Have 2-3 stories on the news about people who got completely ripped off after buying spamvertized products might help as well. I guess its more about educating people than to humiliate them.

Solution: Make forging and obfuscation impossible.

[meldroc]

In order to deal with spammers, we have to analyze their vulnerabilites. Understanding their weaknesses is easy once you answer this question: What do spammers fear the most?

That's easy. Look at spam messages. You'll see forged return addresses, redirections through open relays, spoofed Received lines, etc.

What does this mean? Spammers are most afraid of being tracked and identified.

And they have a good reason to be afraid. When spammers are identified, they get their ISP accounts terminated, and may get stuck paying hundreds of dollars of cleanup fees. They're harrassed, sued, threatened, they quickly earn a terrible reputation. They'll go to extremes to remain anonymous.

The key is to make it difficult or impossible for spammers to forge headers and obfuscate their emails' points of origin. How do we do this? Require cryptographic authentication of all mail going through any MTA. No exceptions, ever. Every time a mail goes through an MTA, it must be signed by that MTA. Any message without a signature or with an invalid signature gets dropped. By requiring crypto signatures, responsible MTAs can be easily tracked, and spamming MTAs can be blocked.

Key creation, distribution and endorsement can be through a central authority, though I prefer a PGP-style web of trust because central authorities can abuse their power. Naturally, any MTA caught distributing spam should immediately get their keys revoked, and the revocation should be distributed to MTAs as widely as possible, causing all emails from that MTA to be blocked in a matter of minutes. If an MTA wants its emails to reach its destinations, it will crack down hard on spammers.

The difficult part is convincing ISPs to require authentication and drop unsigned messages. However, if a large ISP such as AOL or Comcast can be convinced to do this, MTAs will have a strong incentive to start signing messages, and authentication will start to catch on.

stupid article

[CanadaDave]

It didn't mention any suggestions on how to remove spam. It didn't mention anything about software like Mozilla or SpamBayes. What a waste of a read.

Re:MOD PARENT +5 INSIGHTFUL!

Seriously, what the fuck is going on in our world right now? The fucking terminator is on my TV telling me that he never groped women nor does he envy Adolf Hilter. He says it's a democratic ploy to discredit him. He's the fucking TERMINATOR for god sakes, he's a cold calculating calculator manufacture for mass human death. C'mon.

I think the weekly world news is right, the aliens are backing him. That's why the Democrates are so scared of him that they have to "discredit" him. If he becomes Govenor, he's going to pull a fucking TOTAL RECALL on their asses out there. Come to think of it, mabey that's why he's running to begin with....

Then Rush says some dumb shit on NATIONAL TV about some "black guy", he quits the show, then they come out with the OXYCONTIN abuse story.

Not so sure.

[jotaeleemeese]

If email communication had to be somehow authenticated, then you could demand that anybody sending you an email should authenticate himself with your email server first.

That way people without the necessary authentication could not send.

I know there are tools out there that already do that, what is missing is that a few big players in the ISP/ email market (Yahoo, MS, AOL) come together and change the defacto standard way machines interchange email with each other.

Re:Not so sure.

[__past__]

That doesn't really work. Either you would only be able to recieve mails from people whose auth token you already know, say from a key exchange in a personal, real-world meeting (obviously not a good idea for sales@example.com type addresses), or you need a global web of trust that makes sure that everyone that can connect to the internet has one, and only one, signature that can be unambigously traced down to the real person (of course, without harming privacy...). The first way is undesirable, the second one has basically be a dream scince the invention of public key crypto, without anything happening.

Re:Not so sure.

[thogard]

Been there done that. Its called X.400 and the last x.400 mail server I saw cost $20,000. That didn't include the certs. It also would choke under a moderate load.

Any other mail solutions requires that the ISP do things properly and that isn't going to happen.

Re:Not so sure.

[Spetiam]

the PGP "web of trust" scheme might work: everybody signs all the keys of people they know to be human (not spammers), and you select whose signatures you trust, and how many degrees of separation you will trust (this isn't part of the PGP implementation, i don't think, but it's an idea)

Re:Not so sure.

[eugene+ts+wong]

It would work for the average person & the average worker. It's the front lines of companies that have problems. Maybe they can make a system where they have disposable addresses such as foo-sales@example.bar. I realize that this is easy to fake, but with more information coming in within each email, the filters will be able to tell which emails are most likely spam. After all, if 2 emails come in with the exact same text, but with different disposable addresses, then you'll @ least be able to filter it out & save time on the server. Companies can afford to filter on the server, & protect themselves that way.

Users can use challenge response systems. If I join a club, & they want my email address, I can give them an "open" address @ hotmail com. They can say, "Hey Eugene! It's us from the club.". That alone shows me that this isn't spam. I'm expecting an email, & they got my name exactly right, even though it isn't the same as the user name. If I want to keep in permanent contact, then I could send an authentication token or something like that.

The trick is to not have everybody use the same methods. We should spread out & try to save the most time.

Governments should focus on making open relays illegal within their own countries.

Re:Not so sure.

[Niten]

Perhaps with the advent of a new internet mail protocol... for example, imagine a protocol that encompasses the responsibilities of both the IMAP/POP and SMTP protocols of today. Outgoing messages are signed by an RSA (or insert your favorite public key algorithm here) key unique to the sender's account (and heck, perhaps encrypted to the recipient's account while you're at it). The mail server essentially becomes a certifying authority, certifying that any message sent to you comes from one specific account on that server.

Of course, in this system I have described, a spammer could still stick a new server out on the net and use it for a little while, but as soon as it has been determined that this server is spamming people it can be blacklisted. And blacklisting is a tactic which might actually be effective in this universe of discourse, considering senders would need to be authenticated with their mail servers in order to send a message. So a mail server admin would have to intentionally allow spam to be sent from his machine (or, well, get hacked) in order to get it blacklisted.

Of course, I'm sure people much smarter than I have thought this one through far more completely. But it's a thought.

Obligatory Simpsons Quote

[Trent05]

Ahhh, there's no justice like angry mob justice.

""

So if someone is pissing through our letterbox....

[Dj]

So if someone is pissing through our letterbox, the libertarian response is "Get a bucket", rather than stop the person pissing through the letterbox. My that's brilliant! And the way to reduce gun deaths is for people to learn how to dodge bullets matrix-stylee.

wrong question

[Tom]

who is more technologically savvy, your average spammer or your average politician?

That is the totally wrong question.

Politicians know that they don't know everything. That is why they have staff and expert advisors.

Politicians, however, have something that we the tech-community do not: Police, jails and option to use them.
Spam won't go away 100%, ever. But if the spam rate were on par with the murder or robbery rates (i.e. I have a single-digit percentage chance of getting one spam during my life), then I'd be satisfied.

What we, the tech-community, can do is help them find the culprits. All we need are bounties high enough to make it worth our time.

Raise your hands, you unemployed geeks who would jump at the chance of becoming paid-for spammer hunters.

Re:wrong question

[WaxParadigm]

"Raise your hands, you unemployed geeks who would jump at the chance of becoming paid-for spammer hunters."

While there is a part of me (of all of us) that starts to consider this idea, do you not believe something like this would end up making it not only possible for "grandma" to get punished for her email, but would provide economic encentive for her grandkids to turn her in?

It's thinking like this that helped Hitler round up his innocent victims.

Spam sucks, I know, but do we really need government keeping that close of an eye / control over the most powerful mechanism for (what could otherwise be free-as-in-speech) speech?

Re:wrong question

[Tom]

It's thinking like this that helped Hitler round up his innocent victims.

And Hitler build the Autobahn, so we should immediately stop any and all roadbuilding.

If you make laws against spammers, you obviously need to define what exactly a spammer is.

If your grandma is sending 10 mio. e-mails a day then by all means turn her in an lock her away.

Final point: Spam is not free speech. Fighting spam is not suppressing speech. For all I care, people can write as many "make $$$ now" mails as they like. They just have no right whatsoever to send them to me if I don't want them.

Re:wrong question

[cpt+kangarooski]

Final point: Spam is not free speech. Fighting spam is not suppressing speech. For all I care, people can write as many "make $$$ now" mails as they like. They just have no right whatsoever to send them to me if I don't want them.

I disagree. The core assumption of the First Amendment at least seems to be that it encompasses and protects all speech. Thus the 'no law' language. In practice it's possible to show that some restrictions are sufficiently important as to outweigh it, but it always takes significant effort on the part of the person who wants the restriction.

So I think you should prove that spam is not free speech if you want to say that it's not. You might be right, but I think it's best if people work their way through the analysis.

They just have no right whatsoever to send them to me if I don't want them.

And how, pray tell, are spammers supposed to know that you don't want them unless you tell them so, or put up some sort of notice that they are reasonably likely to be aware of? Which gets us into the problem of what sorts of notice are reasonable and what sorts are not.

Re:wrong question

[Steve+B]

And how, pray tell, are spammers supposed to know that you don't want them unless you tell them so

1. They know perfectly well that the probability that everyone they target wants their stuff is on a par with the probability that all the oxygen molecules in the room will happen to randomly cluster in the far corner. Given that the standard of American law is "reasonable doubt", that's quite sufficient to establish that spamming per se is intentional trespass.

2. The usual standard for using someone else's private property is "permission must be granted first", not "you have permission until and unless it is explicitly refused". There are exceptions in cases of strong need or reasonable reason to believe that the owner won't mind, neither of which is remotely applicable to spamming.

Which gets us into the problem of what sorts of notice are reasonable and what sorts are not.

This is another advantage of my suggestion (to focus the legal angle on circumvention of spam filters rather than on spamming itself). When someone sends a bulk e-mail with forged headers to advertise "herb@l V1AGRA", it's clear on the face of it that he knew that the mail would be filtered if he had sent it with honest headers and not obfuscated the words "herbal VIAGRA". Thus, there is no question of whether or not the spammer had been put on notice that he wasn't supposed to send spam to any given person; he's already revealed that he knew that some of his targets did not want his mail and had taken active steps to reject it.

Re:wrong question

[cpt+kangarooski]

They know perfectly well that the probability that everyone they target wants their stuff is on a par with the probability that all the oxygen molecules in the room will happen to randomly cluster in the far corner.

That's really not too relevant. We have an enormous commitment to free speech. Door to door religious missionaries surely know the same thing. Yet their actions are entirely legal in the absence of actual or constructive knowledge as pertaining to particular individuals. The generic likelihood though isn't enough in the case of speech.

The usual standard for using someone else's private property is "permission must be granted first", not "you have permission until and unless it is explicitly refused".

True but as you note, there are exceptions. Spam qualifies for one -- the fact that you have a door is an implicit invitation for people to do what would otherwise be trespass in order to knock on it and talk to you. The fact that you have a phone connected to the phone network implicitly invites calls. The same goes for email.

You can affirmatively reject these permissions, but the assumption in our society is that if you're able to receive communications, you're inviting communications. Our society just likes communication after all. It's not odd for us to weigh in so heavily in favor of it.

When someone sends a bulk e-mail with forged headers

Well it's a hell of a lot easier to just make it illegal to forge headers in commerical communications. Forging headers is arguably deceptive advertising, a form of fraud. That's _not_ protected under the current state of first amendment law relating to commercial speech. Likewise we can probably mandate, though it's a bit more difficult, that removal addresses be offered. (they have to actually work of course, since if they didn't it'd be fraud)

And enforcing the rules we _already_ have or know are constitutional will at least get rid of spammers that somehow lie in their spams. That is a lot of spam right there. But it doesn't threaten honest spammers who at least are better than the other kind. And of course such enforcement would be just as likely to work from a practical perspective as a general ban on spam with regards to jurisdiction, effectiveness, etc.

to advertise "herb@l V1AGRA", it's clear on the face of it that he knew that the mail would be filtered if he had sent it with honest headers and not obfuscated the words "herbal VIAGRA". Thus, there is no question of whether or not the spammer had been put on notice that he wasn't supposed to send spam to any given person; he's already revealed that he knew that some of his targets did not want his mail and had taken active steps to reject it.

That's pretty dumb. I've been sent junk mail that looked like some other kind of mail but didn't actually rise to the level of being deceptive. E.g. junk mail in a handwritten envelope, or that looks vaguely like a bank statement or some such. Advertising around filters is legal as long as a HUMAN BEING isn't deceived. Computers are notoriously stupid as hell -- why on earth would we use them to determine what's deceptive or not?

Re:wrong question

[Tom]

So I think you should prove that spam is not free speech if you want to say that it's not. You might be right, but I think it's best if people work their way through the analysis.

That one is easy. Spam is not the speech, but the method of delivering (i.e. unsolicited mass e-mailing).
Much like a newspaper or a radio, or a flyer or a billboard is not speech, but a means of delivery.

Therefore, spam itself is not speech. The message contained within is. But that is irrelevant as I'm not trying to outlaw that message.

QED

Re:wrong question

[Tom]

And how, pray tell, are spammers supposed to know that you don't want them unless you tell them so, or put up some sort of notice that they are reasonably likely to be aware of?

Good point. However, society doesn't work that way. I do not have to put a "burglars not wanted" sign on my door because otherwise the poor burglars can't tell whether I want them or not.

Hold it, that example is not that far-fetched. Because I can contract a security expert to break into my house in order to, say, test the alarm system. That is perfectly legal for both him and me.

It's what they call an "opt-in" system.

Since we can safely assume that 99% of the receipients of spam don't want any, opt-in is the only solution that makes any sense.

Re:wrong question

[Tom]

Door to door religious missionaries surely know the same thing. Yet their actions are entirely legal in the absence of actual or constructive knowledge as pertaining to particular individuals.

It is legal because it is a nuisance, not a major obstacle.

If door bells everywhere would ring on average 10 times an hour because of door to door missionaries, I'm sure the legality of their activities would be under scrutiny.

Re:wrong question

[cpt+kangarooski]

I do not have to put a "burglars not wanted" sign on my door because otherwise the poor burglars can't tell whether I want them or not.

That's because burglary is illegal. Spam is not illegal, and being a form of speech is very difficult to make illegal given the significant protections we afford speech.

This means you wind up having to opt out again.

Since we can safely assume that 99% of the receipients of spam don't want any, opt-in is the only solution that makes any sense.

No. 99% of recipients of junk mail or telemarketing calls likely don't want them either, yet the most we can do is opt out. I don't think you quite realize how special a place speech occupies.

Re:wrong question

[cpt+kangarooski]

So do you think that it would be possible for the government to outlaw all methods of speech other than, say, face to face communication, and have it be legal because it doesn't encompass the message?

Pshaw.

While _some_ manner restrictions might work, they cannot legally form a serious burden to speech. And speech is more than just the message, it's also closely tied to the medium.

Aside from the fact that unsolicited commerical email is content based discrimination (being commerical -- unless you think it should be illegal for there to be ANY unsolicited mailing, such a friend mailing you without being invited to), this would pose too great a burden on people who wish to communicate.

Your attempt to wiggle around the first amendment isn't likely to work.

Re:wrong question

[cpt+kangarooski]

Well, spam is merely a nuisance. It's amazingly trivial to filter or even manually delete spam. The Court has said before that it's not too much of a burden for recipients of junk mail to have to sort it and throw it out. Why should spam, which you can have automatically thrown out, or which can be thrown out at the press of a button be more of a burden when it's easier to deal with?

As for frequency, 1) mail arrives when it arrives. If people are checking it all the time, then they're the ones making more work for themselves, just as if you opened the door every six minutes to see if someone was there. There's nothing stopping you from only checking once a day or so, in which case as far as you're concerned the spam all arrived in a big lump with your other mail. 2) While it's possible that solicitors could be a nuisance, your mere annoyance with them probably isn't enough for them to be considered such. E.g. what if they were all unrelated solicitors who just happened to all be coming by at about the same time? If one spammer sent you a lot of the same spam, that could be a nuisance. If they were different spams, then I'm inclined to think of it as not being that bad since it's vaguely like getting one envelope with a lot of different offers inside. And if they were different spammers, it's unlikely to be a nuisance at all, just a coincidence.

I realize that a lot of people don't like spam, and a lot of people are seriously annoyed by spam -- I certainly am -- but I think that it's a really bad idea to start reducing the protection of the first amendment for a mere annoyance.

Re:wrong question

[Steve+B]

That's really not too relevant. We have an enormous commitment to free speech. Door to door religious missionaries surely know the same thing. Yet their actions are entirely legal in the absence of actual or constructive knowledge as pertaining to particular individuals. The generic likelihood though isn't enough in the case of speech.

If this absurd argument were correct, it would be legal to run a bullhorn on a residential street at 3 AM unless and until enough (all?) of the residents of the street specifically and individually asked you to stop. It isn't. QED.

True but as you note, there are exceptions. Spam qualifies for one -- the fact that you have a door is an implicit invitation for people to do what would otherwise be trespass in order to knock on it and talk to you.

The burden is on the would-be visitor to check for NO TRESPASSING signs. Spammers have not made even the most cursory attempt (e.g. Google each e-mail address to check for a do-not-spam statement in a Usenet sig) to do so.

You can affirmatively reject these permissions, but the assumption in our society is that if you're able to receive communications, you're inviting communications.

From how many different directions can you march off the "3 AM bullhorns are protected by the First Amendment" cliff?

But it doesn't threaten honest spammers

Nor does it threaten unicorns, leprechauns, or Santa Claus.

I've been sent junk mail that looked like some other kind of mail but didn't actually rise to the level of being deceptive.

It's customary to insert much more padding than that between mutually exclusive assertions.

Advertising around filters is legal as long as a HUMAN BEING isn't deceived.

The one and only relevant issue is that the use of filter-evasion techniques (including the obfuscation of words that are commonly known to be indicative of spam) proves beyond reasonable doubt that the spammer is deliberately attempting to intrude upon private property against the express prohibition of the owner. That needs to be prosecuted and punished just like any similar trespass (i.e. the existing computer cracking laws should be explicitly applied to this type of electronic intrusion).

Re:wrong question

[Steve+B]

Uh, oh, Tom -- Captain Kangarooski has just given you an iron-clad proof that you do have to put up a "GRAFITTI ON MY WALLS NOT WANTED" (unless, of course, you do want people to break in and put grafitti on your walls).

Grafitti is, after all, undeniable a form of speech....

Re:wrong question

[cpt+kangarooski]

If this absurd argument were correct, it would be legal to run a bullhorn on a residential street at 3 AM unless and until enough (all?) of the residents of the street specifically and individually asked you to stop. It isn't. QED.

No. You seem to be referring to a time/place/manner restriction on speech. There _would_ have to be a preexisting rule against it of course; you can't take action for doing something that there literally is no prohibition against. But these are fairly common. As laws, though; not as mere presumptions of the wishes of the people in the area. I don't really expect that would work, and I doubt anyone's bothered to try. Nevertheless, they are only permitted to _shift_ speech, not to ban it. 3AM is no good, but you could probably do this at 3PM and not get in trouble.

The burden is on the would-be visitor to check for NO TRESPASSING signs. Spammers have not made even the most cursory attempt (e.g. Google each e-mail address to check for a do-not-spam statement in a Usenet sig) to do so.

Well, the burden is only there provided that the notice is sufficiently prominent. A 'no solicitors' sign that you keep in your closet is clearly no good. Even if it's posted in there. One on the back door probably isn't that good either if the typical view people would have of your house is from the front. It's rather akin to how there are often rules for 'no trespassing' signs; how many there have to be for a given perimeter, how large, how visible, etc.

Honestly, I don't think that Google counts, unless that's where the address came from. And even then, the harvester might not be the same person as the spammer meaning that they're doing nothing wrong by merely collecting the address, and might not be obligated to pass that information on to someone who would act on it. Personally I think that there should be work done to make a standard way of presenting this in the mail protocols. Possibly as an RFC. Then people need to use it and popularize it so that it's accepted as a standard rather than merely alleging to be one. (e.g. EBCDIC is nominally a standard, but it's not as if it's seriously used)

It's customary to insert much more padding than that between mutually exclusive assertions.

They're not mutually exclusive, though. How is it deceptive for junk mail to be in a handwritten envelope? Are you saying that advertisers _must_ print envelopes? Isn't that rather bizarre? Likewise, I've gotten a decent number of ads that look like bills. They're not, they don't say they are, it's just that they come in an envelope that has no significant advertising on it, and which is of the same general class as a bill envelope.

Just because it can get past my mental filters as it were doesn't mean it's actually deceptive. It means I'm making overly broad assumptions, e.g. that all handwritten envelopes must contain personal letters.

The one and only relevant issue is that the use of filter-evasion techniques (including the obfuscation of words that are commonly known to be indicative of spam) proves beyond reasonable doubt that the spammer is deliberately attempting to intrude upon private property against the express prohibition of the owner.

Unfortunately it can't really prove that in light of the fact that a filter is NOT an express prohibition. The filter sits on the user's computer, generally. How is that expressly telling the spammer anything? How is it a prohibition against sending mail when it's designed to dispose of mail ALREADY RECEIVED and could never even have an effect on sending mail.

Think of it like this: At Christmas, someone gives you a fruitcake. An express prohibition would be if you refused to accept it from the person giving it to you and told them to never give you one again. But this would be rude, so most people don't do that. Instead they do what a filter does -- they accept the fruitcake, and then throw it away when no one is looking, or give it to someone else. They didn't indicate in

Re:wrong question

[cpt+kangarooski]

Naw. Graffiti is illegal too.

I didn't say the First Amendment was an absolute bar to speech regulation. I said it was a high bar. In the case of graffiti though, the state has a pretty good chance of being able to regulate it. Spam's not graffiti though, and I think the arguments that worked for the latter won't work for the former.

Re:wrong question

[Tom]

[junk mail]

For one, the volume of physical junk mail is several orders of magnitude lower than that of spam.
Two, where I live you can put a "no ads, please" sticker on your mailbox. Almost everyone will respect that. I think you can take people to court if they don't.

[big lumps and other arguments]

Again, two points:
One, I consider even a single "enlarge your penis!!!" mail sent to my mother as offensive. It isn't always a question of quantity alone.
Two, the argument that "you can deal with it" is very misguided. It's like saying that murder shouldn't be illegal because everyone can get a gun and defend himself.

[doors and other real-world comparisons]
There is a qualitative/quantitative difference here. A door-to-door salesman or telemarketer can only annoy so many people per hour. A spammer can easily annoy millions in the same timeframe. That is enough of a quantitative difference to make it of a different quality.

[1st Amendment]
As I explained elsewhere, this is not a question of free speech. Hey, the spammer can speak or write all he wants as far as I care. But the 1st Amendment doesn't include a right to force your speech on others.
Interpretations do include a right to be heard by willing listeners, which is why locking you away can be a suppression of free speech, even though you can still speak in your cell.

Re:wrong question

[Tom]

Aside from the fact that unsolicited commerical email is content based discrimination (being commerical)

Well, yes it is. You got a problem with that? The government doesn't. Free speech isn't free if it involves any of a long list of "unwanted" content (child pornography, terrorism plans, etc.)

Aside from that, I've long held the belief that speech is something that humans do, not companies. "commercial speech" is a contradiction.

Your attempt to wiggle around the first amendment isn't likely to work.

Then the 1st Amendment needs a serious looking after.

I have some sympathy for the hardcore stance, but it's overly idealistic. If I were to shout porn soundtracks at your house at 200 db night and day, would you consider that an issue of free speech, or of harrassment?

Re:wrong question

[Tom]

That's because burglary is illegal. Spam is not illegal,

Not yet.

This means you wind up having to opt out again.

One, will it be my responsibility to opt-out to each and every individual spammer? Will I have to make sure that I translate my opt-out message into a language he understands? Do I have to opt-out each of my e-mail addresses individually?

You will have to admit that opt-out is not realistically practicable. A low-level technical solution, such as on the SMTP level, would be the only thing that technically works, and I don't think you'd bet a months wage that the spammer would care this --||-- much.

I don't think you quite realize how special a place speech occupies.

Yes, if you isolate it from the rest of the world. Sadly, in that case it becomes irrelevant.

If my speech includes harrassing or maybe killing others (hey, that can be a tremendous message), it's no longer a matter of speech. I'll get jailed for harrassment or murder, not for speech.

Likewise, IMHO spammers deserve to be jailed (at least) not for speech, but for the about 20 minor felonies (fraud, harrassment, theft of service, etc.) that they commit while doing their little "speeches".

As I said: They can speak as much as they want for all they care. But as soon as they get on my lawn/mailbox, it's not a matter of only speech anymore.

Re:wrong question

[cpt+kangarooski]

For one, the volume of physical junk mail is several orders of magnitude lower than that of spam.

Yeah, but it's nevertheless easier to dispose of even large quantities of spam than it is to dispose of large quantities of junk mail.

Also the quantities received differ -- I have three email accounts. One gets almost no spam. One gets some, but it's entirely managable. The other gets a great deal, but I can still get rid of all of it in about a minute using a lousy web interface. None of these is such a heavy burden that I would be justified in calling for government assistence, especially given the speech issue involved.

Two, where I live you can put a "no ads, please" sticker on your mailbox. Almost everyone will respect that. I think you can take people to court if they don't.

I'm not entirely sure how well that would work with regards to junk mail, as opposed to non-mailed advertisements, but sure. I don't have a problem with signs like that provided they give adequate notice. Your's likely does.

One, I consider even a single "enlarge your penis!!!" mail sent to my mother as offensive. It isn't always a question of quantity alone.

Meh. Certainly if this were in public, your mom would be SOL. There's no right not to be offended; this has been long-ago settled in the Cohen case IIRC. (basically someone was walking around with 'Fuck the draft' written on his jacket)

In private, people do have a right to act as gatekeepers, permitting in some people or messages and denying others from entering. Nevertheless, when you connect to the 'net and request that your mail program download all the mail sent to you, you're allowing it all in. You didn't have to -- you could have not d/l'ed your mail and let it languish. Or you could filter it. Or you could 'manually' filter it by deleting it once it's come in.

In the world of snail mail, you can block offensive mail from coming to you, BUT you have to specifically request that it be blocked. What is offensive to some is not offensive to others, and it's inappropriate for the government to block me from getting mail that I might not have a problem with merely because your Mom would. Especially since she isn't getting my mail anyway!

Thus, if your mom would find that offensive, the onus is on her to have it filtered so that she never has to encounter it again. I'm sorry if this means that spammers might have one free bite at the apple since she likely couldn't block something without knowing it was out there, but I think that's how it works out.

Two, the argument that "you can deal with it" is very misguided. It's like saying that murder shouldn't be illegal because everyone can get a gun and defend himself.

You're not seriously claiming that spam is as serious a problem as murder are you? That would indicate that you have no sense of proportion.

There is a qualitative/quantitative difference here. A door-to-door salesman or telemarketer can only annoy so many people per hour. A spammer can easily annoy millions in the same timeframe. That is enough of a quantitative difference to make it of a different quality.

A junk mailer can easily annoy millions of people simultaneously too. The degree to which a message is unpopular is irrelevant. The first amendment exists precisely to protect even the most unpopular speech.

But the 1st Amendment doesn't include a right to force your speech on others.

That's true. BUT no spammer in the whole world can force you to recieve his email. It was your choice to get email, it was your choice to download it all no matter what email it might have been... you invited the spam in the spam that had collected in your mailbox.

What you ought to do is tell spammers that you don't want mail from them, which I believe they should have to respect, or provide sufficient generic notice to all spammers that might contact you in the future that their spam isn't wanted.

Much like ho

Re:wrong question

[cpt+kangarooski]

You will have to admit that opt-out is not realistically practicable.

Well, I think there are two options. One is opt-out, the other is to provide constructive notice in a reasonable manner.

Think of the former as being like telling an individual salesman to go away, and the latter as putting up a prominent sign reading 'no solicitors.'

I don't have a problem with your taking action against people who ignore either, provided the notice was actual or sufficient.

A low-level technical solution, such as on the SMTP level, would be the only thing that technically works, and I don't think you'd bet a months wage that the spammer would care this --||-- much.

Won't matter. What matters in that case -- providing constructive notice -- is whether it is sufficiently prominent that reasonable spammers _should_ have seen it, regardless of whether they actually did. Or of course, if they actually did, that works too.

Whether or not spammers care is not particularly relevant.

The FTC Do Not Call list is a form of this -- since it's difficult to put a sign on your phone, or reengineer the phone system, a big list was provided that telemarketers ought to be aware of. An email solution needn't necessarily be a big list, it just has to be prominent enough.

I think that if enough people had an SMTP solution it would work. OTOH some people have proposed making a post to Usenet, and I don't think that would work. But really it's going to depend on how a jury decides, should it come to that. (after all, if it's respected, who cares if it's enforcable -- only when someone violates it do you have a desire to go to court)

If my speech includes harrassing or maybe killing others (hey, that can be a tremendous message), it's no longer a matter of speech. I'll get jailed for harrassment or murder, not for speech.

Yeah, but there's nevertheless fairly high bars that have to be met for someone to prove that your speech is so bad that it's regulable. Take a look at the case of Brandenburg v. Ohio for the general test.

Likewise, IMHO spammers deserve to be jailed (at least) not for speech, but for the about 20 minor felonies (fraud, harrassment, theft of service, etc.) that they commit while doing their little "speeches".

Fine. If a spammer _is_ acting fraudulently, or in a harassing manner, etc. then I'm not defending him. However those things are not necessarily coextensive with spam -- it is possible to send spam that is not harassing nor fraudulent, and we should not prevent people from doing so.

So I say, instead of passing broad anti-spam regulation, why not just enforce the laws on the books against fraud? It's much easier, doesn't raise significant constitutional questions, and we can do it right now.

Re:wrong question

[Steve+B]

Spam's not graffiti though, and I think the arguments that worked for the latter won't work for the former.

Impossible, since it's the exact same argument -- you don't have the right to use other people's private property without permission.

Re:wrong question

[Tom]

So I say, instead of passing broad anti-spam regulation, why not just enforce the laws on the books against fraud? It's much easier, doesn't raise significant constitutional questions, and we can do it right now.

I'm with you there, except for a technical difference:

A new law would be useful. It doesn't have to have any new content. But it helps if there is a law that clearly says: "We consider the combination of this and that and these things to be punishable in sum. We call this spam, and let nobody say it's legal."

You know, the problem with assembling all the 20 minor offenses is that a good lawyer will wiggle out of 19 of them, and your spammer ends up paying $50 for a symbolic fine.

Ah, the beauty of the legal system. :)

Re:wrong question

[Tom]

None of these is such a heavy burden that I would be justified in calling for government assistence, especially given the speech issue involved.

True, if you were the only one affected. If society as a whole is (and in western countries half the people have e-mail now), then it's actually the governments responsibility.

[offensive stuff]
Good points you make there. I retract my argument.

You're not seriously claiming that spam is as serious a problem as murder are you? That would indicate that you have no sense of proportion.

No, I'm not claiming it's as serious. Just the mechanics of the argument run the same. Things are not legal or illegal based on whether you can deal with them or not. That applies to the large (murder) as well as to the small (petty theft, or spam).

BUT no spammer in the whole world can force you to recieve his email. It was your choice to get email, it was your choice to download it all no matter what email it might have been... you invited the spam in the spam that had collected in your mailbox.

Bzzt, wrong. Again, this is an argument along the lines of "you deserve whatever you get". Breaking into my house is illegal. Sure, I could've never bought one, and when I bought it I could have known that houses do get broken into sometimes. And by putting valuable stuff inside I surely invited the thieves in.
All of that is true, but it still doesn't change the legality of the acts involved.

We have plenty of tools available to deal with spam that I see no need to, and great danger in, broadly regulating against it.

As the current state of affairs shows, we do not have the tools to efficiently deal with spam. You and I might have, but what about your mom and my dad?

What we need is the SMTP equivalent of "no ads please". And as long as there is no government enforcement (and fines, and jail time) behind it, spammers will not give one damn.

I agree that we don't need any overly broad regulations. A very simple one would do. Like "All senders of unsolicited commercial mass-email must honour the no-ads-please banners from RFC1234. Violators are fined $500 per offense reported. The FCC receives and keeps a list of complaints."

Sure there will always be grey areas. That's why we have courts to decide those borderline cases.

Re:wrong question

[Steve+B]

Unfortunately it can't really prove that in light of the fact that a filter is NOT an express prohibition. The filter sits on the user's computer, generally. How is that expressly telling the spammer anything?

This level of spammer apologia is reaching, even for you. The simple fact is that the use of techniques that can be clearly identified as attempts to circumvent a spam filter is strong evidence that the spammer knew, without being explicitly told by any of his victims, that he was trespassing.

This criterion neatly solves any question of defining "spam". There's no need to decide exactly how many messages constitutes "bulk", what sort of invitation makes a message either explicitly or implicitly "solicited", etc. Honest e-mail would have no forged headers, no munged words, no random junk to evade checksumming against known spam, etc. Spam that does not use these techniques would be easily filtered out. Spam that does use these techniques gets the spammer thrown in jail for cracking. End of problem.

Online bayesian filtering

[PhilHibbs]

Is there an online bayesian filtering service, that keeps an individual spam profile? I delete most of my spam without downloading it using a webmail service, I'd really like to enhance this to use bayesian filtering but I don't want to download all that spam. I also would like to do this from work (as I do now), and then just download the remaining email over my modem at home. I might even be persuaded to pay for this service.

Here's a really simple way to stop spam.

1. Create a replacement for SMTP.
2. Give it a buzzword.
3. ???
4. Don't profit, because you've made it an open standard.

Seriously. E-mail is an outdated relic from the past. Why, exactly, are we not replacing it?

Has all the talent died? Has the Internet reached its peak - that's it, so long, thanks for all the 404s?

Oh, sure, adoption. Thus the cute buzzword. Give that to a suit, and say, "You won't be spammed! No more bandwidth is wasted! You save money!" and you'll see it take quicker than a fly on shit.

It's not like we haven't replaced things before. (Nobody uses Archie or Gopher anymore, do they? ;))

How to Kill Spammers without the State

[Per+Abrahamsen]

All I want is for the state to keep their nose out of it. As it is now, you jail jail-time for killing spammers, which is a clear violation of my citizin right to protect myself and my property. If they would just stop interfering, we could sove the spammer-problem by ourself.

On the other hand, if the state insists on taking away our right to defend ourselves, the state has the duty to defend us. The current situation is not acceptable.

Pretty sure

Your email authentication scheme doesn't reduce the bandwidth required by spam except at the very last stage. The mail still hits your ISP's servers and probably gets bounced. The net result is still a significant amount of bandwidth is used by spammers. Whether your address is reached or not, no one is preventing spam at its roots, which is at the individual spammer level.

Only the threat of actual punishment doled out by the government can act as a deterrent. Good sense and common decency haven't worked wonders in curbing spammers.

Re:Pretty sure

[bbbbblustery]

if everybody used authentication (that worked), then spammers know they wouldn't be able to send any spam. then spam would stop.

This is exactly why we need a state

[lseltzer]

I consider myself to be a small-"l" libertarian, not as extreme about it as when I was younger, but I don't understand the reluctance to bring the state in on this problem. It's thoroughly in line with libertarian philosophy.

What does a libertarian say is the role of the state? To protect the people from force or fraud.

What do you call a message that has a fake From: address, fake headers, a subject line that says "Increase your Penis Size 2 to 4 Inches me@mydomain.com ubbnvp6443853 rtoh" and even has a fake Unsubscribe link?

It's called fraud. Nearly all spam engages in some sort of fraud and much of it is pure fraud. If you tried to buy what they're selling you'd get absolutely nothing in return.

I'm not so sure about the efficacy of bringing the state into this; it could be that law will be ineffective in dealing with such a problem, but I do know that much of what spammers do is immoral and fraudulent and should be illegal.

Re:This is exactly why we need a state

[swordgeek]

Absolutely!

Spam is already illegal. All we need to do is prosecute it as such. More than that, we need to get the big players (hotmail, aol, etc.) to force prosecution against spammers who use their domains to spoof email addresses.

It's so simple--I don't know why people like the article's author are trying to make it more difficult.

Re:This is exactly why we need a state

[Steve+B]

Precisely. There is a legitimate argument that state intervention would be ineffective against spam, or that politicians would use the guise of spam-fighting to further another agenda, but (assuming that you believe that there ought to be a government at all) there is no basic philosophical problem with the idea.

The ineffectiveness and hidden-agenda arguments indicate a need to monitor and prod the government (so what else is new?). However, if they are considered a fatal objection, then they are a fatal objection to any government action, and we're back to anarchism (not that there's anything wrong with that).

Why I'm Not A Libertarian....

[ZoneGray]

Despite the fact I'm basically a liberty-oriented free-market-loving sort of person, I've never described myself as a Libertarian, and this article is a good illustartion of why. Basically, he says, "do nothing, solve the damned problem yourself." Which is what we're currently doing, and it's why we're all so pissed off by spam.

Seems that most folks I know who call themselves libertarians fall for this sort of shallow thinking... they're basically non-violent anarchists. But the State can play a helpful role, without resorting to stupid "I just outlawed spam, vote for me next week," nonsense.

For example, the state can make it illegal to forge headers or use non-existent return addresses. It could require all UCE to be sent from a server registered or traceable to the sender. It could formally codify the SMTP protocol, and specify what constitutes fraudulent use of it.

Of course, such measures *by themselves* won't do anything to stop spam, but they can enable ISPs to manage it more effectively. Perhaps they're insufficient, perhaps others have better suggestions, but it highlights the proper role of the state, which is to establish a structure in which people can deal with one another in good faith. It does this by outlawing (if not preventing) fraud and deceptive advertising, by recognizing contracts, and other similar measures.

Too many people, though, call themselves Libertarians without having fully thought out what the state's role should be (hint: provide for the common defense, promote the general welfare...).

Re:Why I'm Not A Libertarian....

[Steve+B]

For example, the state can make it illegal to forge headers or use non-existent return addresses. It could require all UCE to be sent from a server registered or traceable to the sender. It could formally codify the SMTP protocol, and specify what constitutes fraudulent use of it.

In general, the laws should make it clear and explicit that circumvention of a spam filter is a form of unauthorized intrusion to which the standard computer-cracking laws apply.

This approach avoids the difficulty of defining spam/UCE so as to distinguish guilty spam from innocent error -- people who make innocent errors do not use filter-evasion tricks; people who use filter-evasion tricks have thereby provided prima facie proof of intent to steal other people's bandwidth.

The downside with obfuscating email-adresses

[Harald+Paulsen]

It's harder to search for your email-address that way. People sometimes write about me and includes my email address. I prefer to be able to search for it and find what have been written where. It could be a link to my webpage, a quote from usenet or something else. Ofcourse then I can lobby those pages as well and have them replace it with a more generic web@mydomain.com to atleast ease filtering.

Re:The downside with obfuscating email-adresses

[gvc]

Absolutely. It is absurd to say that "responsible internet use" implies that I should cripple my email address. I've had it for 20 years; it is in usenet archives; it is on my web page. I want people to be able to reach me easily, and I do not want to terminate my email address.

What I want is for everyone sending to that address to truthfully identify themselves, and for no-one (except me) to sign email with that address. I do not think I am asking too much of my government to support me in those wishes.

I wish that SMTP weren't so easy to spoof, and I'm sure that better authentication will eventually come to pass. But technical enhancements don't obviate legislation any more than better locks obviate break-and-enter legislation.

Re:The downside with obfuscating email-adresses

[WuphonsReach]

Reverse-DNS proposals will make it more difficult to spoof domain names. (SMTP servers will be able to check that a given IP address is authorized to send e-mail on behalf of a particular domain.)

Once domain spoofing is taken care of, you can take steps to lock down your authorized outbound SMTP servers to verify senders if you wish.

Reverse-DNS proposals have the nice feature that it distributes the responsibility. Good netizens can protect their domains from being joe-job'd as well as deciding just how authoritarian they wish to be abount controling which machines are allowed to send e-mail on behalf of their domain.

Everyone must pitch in

[flakac]

The author is right in one regard, legislation won't do it. If everyone who is capable of deciphering the email headers to try to track down the originators of SPAM would try to report just one piece of spam to the offender's ISP, it would possibly begin to make a difference. The math is simple -- there are only a certain number of reputable (ie., non spammer-friendly) ISPs. If even 1000 people a day would use the available tools (www.abuse.net for one), and report this junk, eventually spammers will be forced to move to the spam-friendly ISPs. Then it's just a matter of adding the spam-friendly ISP to your favorite black-hole list, and you've just done your little part to stop spam.

Re:Everyone must pitch in

Sorry, but that doesn't help. Spammers frequently abuse non-spam-friendly ISPs with throw-away accounts. Most users aren't in control of block lists, and lots of people are stuck in areas where their only choice for affordable access is a spam friendly labeled ISP. Legislation is the only way, but it will only stop US spam. We can blocklist the rest of the world.

Re:Everyone must pitch in

[gvc]

This is harder than you think. My email was being used by a spammer connected by a major Vegas ISP. They didn't care. Their abuse email address gave me a form response and no action. Their answer desk put me on hold (basically in an infinite loop because I was not a subscriber). Their tech support likewise did nothing. When I screamed and yelled they referred me to their legal department who stonewalled me.

Finally I found the actual extension number of their security/abuse person from a Vegas mailing list archive. Once I phoned that number, the source was eliminated within 24 hours and in a couple of weeks all the Pacific rim sources dried up too.

Total cost to me: 3-4 hours on the phone, 3-4 hours off-line, and much aggravation.

I took the trouble because my email address was being appropriated and used as the From address for a rude advertisement. Would I take the trouble for the other 200 spams that I receive in a typical day? No way!

And this was a Vegas company with a spam-hostile acceptable use policy. What of the thousands of ISPs throughout the world whose livelihood is spam?

IMO, ISPs must be strongly encouraged to block fraudulent email, especially in response to a complaint. Similarly, advertisers who employ fraudulent email should be subject to sanction.

Don't Kill Spam

[batlock]

Kill spammers!

Re: Just delete it

Aww, the pope's going to die, the terminator loves Hitler and has the goodwill of the martian people, Rush is a druggie and a racist, and there hasn't been a GNAA post in a while.

The world is become a sad place.

bcc for non-techies?

[Joe+Enduser]

On my web sites, I never write the \@ sign. It will be represented by a transparent png. No wait, it is a script that sends a gif to IE, and png otherwise :( . Now if only I could get people to use the BCC field... I tried polite ways, I tried to educate people and I started flame wars. Usually, I end up being scrapped off people's contact list...

be proactive

[gnuguru]

I'm starting to think that some kind of law enforcement must be enacted.

Spammers actually steal.

They start by stealing your email address.

Then they steal some poor newbs box and send the filth.

Then they steal all the bandwidth from each and every isp who's borders are crossed.

They steal the fake from address, which ends up being listed on rfc-ignorant.org because the only way to stop the torrent of bounces is to refuse bounce messages.

They steal the privacy of the delivered trash with embedded web bugs.

They steal the time of good people who must install filters, or use dnsbl's.

They are stealing the very heart of the net. The good faith that the internet was founded upon.

So yes, by all means be proactive in stopping spam, enact laws which have teeth, and offer a truly positive approach to spam prevention.

FRY THE THIEVING BASTARDS.

How to fight spammers

[__past__]

There are ways to directly fight spammers without waiting for new laws, and without delegating the problem to someone else. Client-side filtering is no solution, the spammers don't care much - people who filter wouldn't have bought from them anyway - and it still causes massive bandwith cost.

One of the nicest ways is a "teergrube" (tarpit) - a special SMTP server that is tuned to process incoming mail really, really slow, thus making the spammer's tools very ineffective. It doesn't take much bandwith or other resources to run one - everybody who has a computer connected to the net and doesn't need to run a "real" mail server (or is willing to configure a teergrubing proxy that only traps spammers and lets the real MTA take care of ham mail) should do so.

Most spam is sent via open mail relays. If you are bored or annoyed enough, take the time to read spam mail headers (the interesting one is the last "recieved" line, usually), and inform the admin of the open relay, so that they can close it or get the fuck out of the internet. Also, inform a blacklist like the Open Relay Database, so that mail servers will reject mails from these hosts.

Try to poison they address databases. Set up a web page invisible for human users that contains lots of addresses that don't exist. But be sure that these addresses also will never exist - only use subdomains that you control, or those mentioned in RFC 2606 (Reserved Top-Level Domain Names), hoping that stupid spamware will try to send to these addresses anyway.

None of this is at odds with client-side filtering or legislative initiatives, just some additional ideas. And annoying these bastards feels good.

Re:How to fight spammers

[scambaiter]

Seen those ideas several times before, i think some people actually do use them for some time now...

A Tarpit will work if the spammer tries to send mail directly to the tarpit box. Dont think they do this very often these days, since they (as i assume) either use open proxies or minions from their trojaned box zombie army.

The open proxies black lists are imho a good thing to use but suffer from the typical disease: black list hosts get ddosed (afair 3 lists gave up over the last few weeks becaus of ddos), so this theatre of war might be lost soon. And of course there are probably millions of open proxies out there, unlikely to find them all before some spammer got the chance to send several million mails through them.

I dont think spammers care very much about poisoning - else they wouldnt have tried 4-5 dictionary attacks on my domains this year. They will send spam to any string having an @ and on . in it, bounces go to innocent third parties...

One approach i really, really like is greylisting. (Ill probably end up putting it in my sig since i love to post this url;))

Re:How to fight spammers

[scrytch]

> One of the nicest ways is a "teergrube [iks-jena.de]" (tarpit) - a special SMTP server that is tuned to process incoming mail really, really slow, thus making the spammer's tools very ineffective.

Feel free to suggest such a solution to earthlink, MSN, and AOL. Here's a clue: spammers don't send hundreds of spams from single IP's anymore. That's what relay networks are for.

> Most spam is sent via open mail relays

No, it's usually open proxies now. Proxy talks to local network mail server, local network allows relaying. Very different problem. The emerging new method is viruses, c.f. the Sobig network. The very last (top to bottom) Received: line is usually forged, the interesting one is the one right before the last mail server you trust. Everything chronologically before that is suspect and probably bogus.

> Try to poison they address databases. Set up a web page invisible for human users that contains lots of addresses that don't exist.

These are weeded out fairly quickly. Better to seed it with "probes", aka honeypots or spamtraps, which helps identify spam senders proactively.

Re:How to fight spammers

[minas-beede]

These are weeded out fairly quickly. Better to seed it with "probes", aka honeypots or spamtraps, which helps identify spam senders proactively. Waht you call a "honeypot" and what I call a "honeypot" aren't the same - but the ideas are very similar. You say run a fake email address that's a honeypot for spam. I say run a fake open relay or fake open proxy that's a honeypot for relay spam or open proxy spam. When you do this you have many options open to you. Particularly for open proxy honeypots you may have available to yo the IP form which the spammer operates (he thinks going though your open proxy, the fake, will hide him.) If I misinterpret and you mean the same thing I do: glory be! Tell more people!

Reducing deaths

I understand that the mayor of Baltimore is proclaiming how wonderful he is that the murder rate has gone down in his town. But he didn't mention that this reduction was not due to better policing etc. but simply due to better doctors - the same number of people came into the hospital with serious injuries, but more survived.

Funny thing about viruses

[bobKali]

I've heard the whole viruses are written by MS haters argument also, and what's always baffeled me is that it seems that most of them are written in VB which I cannot imagine any self-respecting MS hater even knowing.

Re:Funny thing about viruses

[IM6100]

I think you mean that most of the recent prevalent worms are written in VBA, and prey only on the popularity of Microsoft products, which results in a large guillible population of naive users.

Most decent viruses are written in assembly language. There's no way to code something tiny that resides in a boot sector, or latches onto the front end of an .EXE file in a bloat macro language.

"personal responsibility"

[SuperBanana]

Take personal responsibility. Yeah, right.

If not for users, how about 'personal responsibility' for admins?

On a mailing list I help run, we turned on Postfix's DNS checks(not RBLs and the like, just "does connecting host have valid forward DNS? Does it match what they claimed?" etc- postfix can do a half dozen DNS-related checks to make sure you're legit. It was ENORMOUSLY successful, virtually killing off all soam overnight, because so much spam has so many fake headers.

We had zero problems with users with funky setups(ie sending work email from home, their own domains, etc). We had ENORMOUS problems with a dozen ISPs whose freaking mail servers often didn't even have FORWARD DNS! Worse, some claimed, when contacted by their users, that it was a problem with OUR dns.

The problem was mostly with clustered outgoing mail servers, where ISPs didn't give a shit enough to set up proper DNS for each cluster member. Do you think they had reverse DNS? :-)

So, we can take personal responsibility by a)refusing to accept connections from servers which have bad/no DNS and b)fixing our own mail server's DNS. That would be a biiiig step...

Re:"personal responsibility"

[Greyfox]

I would go so far as to say that those settings should be the default in all MTAs shipped.

Even with fairly harsh filtering in place, I'm still getting 100 times more spam than mail intended for me. I could turn off my E-Mail completely and have been seriously considering doing so.

One of the problems with Spam...

[16K+Ram+Pack]

Is when it isn't Spam.

Let's say that I run a company that provides Real Estate software solutions to companies, and I pick out a couple of hundred estate agents and email them about my new software? AND, if people tell me to remove them, I am responsible enough to do it.

Personally, I don't think of that as Spam. It's targeted quite closely to the people.

Re:One of the problems with Spam...

STFU, spammer, and PAY for your
advertising like an ethical
business. If it is unsolicited,
and in bulk, it's SPAM.

Re:One of the problems with Spam...

[16K+Ram+Pack]

So, no-one should be able to take advantage of a free/cheaper method of delivering information.

By your reckoning, Junk mail by post (or me printing letters and hand delivering) is fine, but email isn't?

Even though posting is environmentally damaging, and lacks the flexibility of email.

I'm convinced that the only reason governments doesn't attack junk mail like they do with spam is that they generally have a stake in the postal service.

I'm not talking about flooding thousands of people, just using email as if I would for paper junk mail.

Re:One of the problems with Spam...

[gnuguru]

Lets just say you are spamming you fuckwit.

Re:One of the problems with Spam...

[16K+Ram+Pack]

I get a lot of offers. Some are by email, some are by web, some are in the post.

Personally, I find popups far more objectionable than email, and screen them. I do the same thing for Spam, so that people offering me body enhancements, get rich quick schemes etc can't get through.

Occassionally, though, I get something from people that is targetted to my old company, and quite closely targetted. Generally, I zap these. But I don't object to receiving them, because they are the kind of opportunities that I *might* be interested in. Often, they are not even doing multiple mailings - it's more like someone personally making a cold call.

Re:One of the problems with Spam...

[JuggleGeek]

You, the marketer who sends the unsolicited emails, say "It isn't spam". That's a very common argument. "Yes, it's unsolicited email, but it isn't spam - I think those people might really be interested in whatever it is I'm selling".

The DMA makes the same claim. They want us to believe that UCE from legitimate companies with legitimate email addresses, headers that aren't forged, and working remove addresses isn't spam. But if every DMA member starts sending one UCE a month, my mailbox, and yours, will still be flooded.

The old "My UCE isn't spam" argument is just bull.

It is certainly possible to use email as a marketing medium in a legitimate manner. But to do that, you have to be sending mail to people that solicited it. If it's unsolicited, it's spam.

If you are legitimate, you should be willing to pay your own advertising costs. Don't force that cost on unwilling recipients.

Beating SPAM is easy...

[tgrasl]

Click here to unsubscribe

What about ISPs?

[Barnett]

I posted this before but was too late to get any response:

What if ISPs simply charge each other for traffic depending not on the direction of traffic but depending on which side initiated the TCP connection. That way the person downloading from a web site will be the one paying (because he made the HTTP connection) and not the web site host. And the person sending the email will be the one paying (because he made the SMTP connection) and not the recipient.

If only a few big ISPs agree to work like this others will follow and soon even small ISPs will start charging their customers for traffic based on this method.

Could this help to put an end to spam?

Re:What about ISPs?

[squiggleslash]

Yes it probably would put an end to spam, largely because ISPs with normal consumer customers would be forced to raise their prices, whereas ISPs that primarily webhost would get all the revenues. Websites would become inundated with high bandwidth items to encourage money to go to the website, end users would see even more advertising on websites and would be paying for it, and people would just end up abandoning the Internet.

Without people on the Internet to spam to, there wouldn't be any spam.

Re:What about ISPs?

[Barnett]

Not necessarily. People will more likely just abandon these sites. It is just the same as any other publication with too much ads and too little content.

No, the idea is not to raise prices. The idea is to create some real incentive for ISPs to want to limit spam(ers).

Re:What about ISPs?

The best incentive would be backbone providers growing a set of balls and killing connections of ISPs that are friendly to spam. When an ISP has the threat of having thier head lobbed off you will see people becoming a hell of a lot more diligent in that field.

Re:What about ISPs?

[squiggleslash]

Yes, users would abandon those sites. But in the absense of other sites, where do they go except to switch off altogether? Remember, this scheme is rewarding sites for penalising their readers. With the exception of the very occasional eCommerce site where money is made from sales generated by the website, who has an incentive to reduce all the disincentives for site access?

Indeed, the system gets even more stupid when you consider the increasing reliance on HTML email: using this scheme, a spammer can get paid for the email they send - as long as enough people read the email, causing images, etc, to be downloaded, the spammer will break even or profit.

At best, the only way I can see it working is for it applying to port 25 only. And even then, with spammers increasingly using tricks to get email forwarded via innocent third parties via trojans, spyware, etc, that's still not going to get very far except create yet another source of frustration for end-users.

It's a bad idea.

Re:What about ISPs?

[sketerpot]

I like the TarProxy idea better: some major ISPs install software that will incrementally classify emails as they are recieved and throttle the bandwidth according to the spamminess of the message, in effect creating an artificial shortage of bandwidth for spammers.

Re:What about ISPs?

[Syrrh]

This is a nice proposal, but it depends heavily on spammers using their own servers. Anyone blindly running mail through an insecure formmail or open relay wouldn't be bothered by tarpits.

But I don't know the current habits of spammers, are they still using unwitting relays often?

Re:What about ISPs?

[DavidTC]

No, they're all using zombies, computers with Swen or whatever installed on them.

Thus commiting multiple felonies in pretty much any location in the world, BTW.

Re:What about ISPs?

[sketerpot]

I'm not really up on how SMTP works (except that I have sent some email via telnet), but wouldn't insecure formmails or open relays involve an smtp connection to the recieveing server somewhere along the line? I would think that the connections made by any mail server to a tarpitted server would be throttled, so it wouldn't matter if it was sent by a spammer's server or by even didgier means.

Doped up big penises with lower interest rates

[snatchitup]

I for one feel comforted by the fact that if, God forbid, the day comes that I can't get it up for my wife, and I feel so bad and depressed, and my mortgage interest rates are so high.....

I feel comforted that everyday, there is veritable kornikovia(sic) of options.

what a stupid bit of reasoning.

[kevin+lyda]

who is more tech savvy?

what does that have to do with legislating on spam? i'm sure a lot of murderers know more about killing people then most politicians (excluding bush of course, he was getting rather good at it in texas but he's really shining now that he has a military to order around), but we're ok with politicians passing laws about murder. i'm also sure ceo's and financial people know more about illegal stock trades then most politicians (damn, bush is an exception there too), but we want them passing laws to keep our pensions safe. actually, we still want that to happen. the same points apply to healh care, job creation and education (though the parenthetical comments about bush don't apply on those topics)

i guess my point is that politicians pass laws on a wide variety of issues that concern the people they represent. to do that they have to consult experts in various fields - and that's the skill politicians need: the skill of asking for help and sifting through bullshit. and that's how they can best serve their people.

and obviously the other point is that bush knows an awful lot more than people give him credit for. too bad ken lay didn't get some business advice - maybe harvard could have bailed ken lay out too.

moron trustdead computing

no such thing. as soon as you give your monIE/digits to the softwar gangsters of the fraudulent kingdumb, you are their hostage.

stuff that isn't approved (kickbacks paid in full) buy the kingdumb, won't work on your pc/network.

ALL of your 'net activity is perusable from fudcontroll @ maggie.lahman.com.

this is what you wanted? lookout bullow.

I know this is veering into offtopicality, but

[zsau]

Why exactly is it that Americans or Slashdotters or Slashdotters who are Americans are so scared of their Government? One thing that comes from reading /. with this naive brain of mine is: should I be too?

Re:priorities..

You want to get 250 greenhouse gases every day?

spam?

[cnf]

not a problem

bogofilter[http://bogofilter.sourceforge.net/] catches 99% of all spam sent to me

and i have never had a false flag yet

i'd say those r pretty nice ratings ...

Mailing Preference Service

[radio4fan]

From the article:

While people get all kinds of junk mail, nobody's calling for a "do not mail" list.

Why not? We have one here in the UK -- the Mailing Preference Service.
If you sign up to it, direct mailers are forbidden to send you junk mail. The direct mailers have to pay its costs, and it's mostly effective.

They even have a 'baby mps' to stop bereaved mothers from receiving baby-related junk mail/samples.

Aren't you missing one important point?

[rufusdufus]

Tracking spammers is trival! Just buy one of their products and trace where the money goes...

Redesign the protocol

[oohp]

Design a new protocol. Dan Bernstein has some idea with his Internet Mail 2000 thing, to make storage the responsibility of the sender, not the recepient. If you want a certain message get it off the sender's machine, if not let it rot there and eat up space.

This article says nothing

[hankaholic]

This article was a waste of my time to read.

For those who haven't read it (and I hope you haven't -- don't waste your own time), basically it says this:

End-users should take responsibility for spam, and the best way to prevent spam is to stop putting email addresses in mailto: links on web pages and in unmunged form in posts to Usenet.

However, it really doesn't explain how the author thinks that people can do something to take responsibility for receiving unsolicited (!) email.

The article fails to mention dictionary attacks and worms, both of which have the potential to find millions of addresses which aren't listed on any web page or in any newsgroup.

I'd be truly surprised if there weren't a worm in the works which would not only act as a mail relay, but which would take care to forward mail to every address listed in a person's address book. Rather than worry about maintaining lists of email addresses, spammers could feed their message to the network of worms (possibly through IRC, or maybe even an instant messaging protocol), and the network would feed messages to every address listed on an infected user's hard drive, and probably to several variants of the addresses as well.

What the article fails to address is this: how can the person who never publishes their email address anywhere take responsibility for spam in the face of dictionary attacks, and when they have no control over friends putting the person's address in their address books?

The article says that when fighting spam, you shouldn't look to the politicians, because they have not the technical knowledge to make legislation stick.

In response to that, I suggest that you not look to the article for spam-fighting advice, because the author seems not to have the technical knowledge to actually develop a solution, or even offer suggestions beyond never publishing unmunged headers.

To those of you who read the article, I feel your pain. You will never get those wasted moments back. But did anyone else cringe when he suggested using graphics to display email addresses in Usenet postings?

My thought is that people advocating posting graphics to Usenet with every post probably don't have a spam solution either. In fact, they're suggesting placing a higher load on NNTP servers, in effect doing the same thing to news servers as spammers do to mail servers: clog them with extra, unneeded garbage, reducing their overall capacity with respect to legitimate communication.

Oh, and have a nice day, everyone!

Re:This article says nothing

I think every address book needs to be an encrypted rolodex of sorts in any email program.
I'd like to see the default of all email programs set to BCC: not CC:. I'd like to see CC: done away with entirely actually, all any idiot on the list has to do is click reply to all and have their email program set up to place people they reply to in an unencrypted address book and then every virus they install get's sent to me. I'd like to see place people I reply to in my address book done away with also.
There's three things programmers could do to stop the overloading of mail servers. I recently had to change my email address because of a virus others had installed. My allocated space on the server was filling up and bouncing messages I needed. Needless to say I'm very picky about who get's my email address now and my parents ain't gonna get it unless hell freezes over.

Re:This article says nothing

[fishbowl]

"I'd be truly surprised if there weren't a worm in the works which would not only act as a mail relay, but which would take care to forward mail to every address listed in a person's address book."

Hasn't there been a couple like that?

What surprises me, is that there hasn't been one that takes each message in each folder, and mails it NxN to each recipient... Wonder how many embarrassing situations THAT would cause?

Re:This article says nothing

[sirbone]

If you had bothered to read the point the author was trying to make, you would see three things, none of which are intended to give concrete solutions but rather provide a path for us to find a concrete solution. One, he was stressing that people need to educate themselves on why spam can exist before one can even begin addressing the problem. Two, he was taking a stab at doing just that while admitting he's not an expert on the details and petitioning people to offer up ideas. The graphics on Usenet was just that: an idea submitted for review by those who know better, not a demand. Perhaps it would be better to contact him and educate him to his error rather than being a pompous whiner. Third, politicians generally speaking are more focused on re-election that producing results, that they only produce results if it directly threatens re-election to do otherwise. Thus you are more likely to find success in fostering a community of people who do care and proactively address the problem themselves instead of sitting on their behinds waiting for someone else to do something for them. A Libertarian presidential candidate has a good quote to that last point:

"Whatever it is in life you want, go out and get it. Don't wait for the government to drop it into your lap, you make it happen. You seize the day. Carpe diem!"
-Gary Nolan.

Re:This article says nothing

[minas-beede]

I'd be truly surprised if there weren't a worm in the works which would not only act as a mail relay, but which would take care to forward mail to every address listed in a person's address book.

That may come. There are Trojans that turn vlnerable systems into unwitting non-standard email relays (non-standard in that they receive the email on other than port 25.) Have been such for about a year now.

I strongly recommend proxypots. Spammers look all over the internet for open proxies to abuse. Why not help them find one - except one that's not quite what they want? Instead of relaying spam it absorbs it. Instead of keeping no record of what comes to it everything is recorded, including the source IP. With that you can contact the ISP and report the attempted abuse. Reputable ISPs will eject the spammers. Disreputable ones will not, and may not even reply. Make their names and actions known. That will eventually make a very big difference.

In all cases all the spam you trapped goes nowhere. You'll have done a very good thing.

Re:This article says nothing

[hankaholic]

As I stated, I did bother to read the article, and you seem to agree that the article didn't offer anything resembling a practical solution.

As the article was posted with the title, "How to Kill Spam Without the State", I was pointing out to potential readers that the article did not deliver what was promised in the so-called summary -- namely, a way to prevent spam without resorting to legislation.

This isn't whining, this is pointing out that the description of the article was misleading, and that if you were expecting something akin to Paul Graham's thoughtful submissions, you'd likely be disappointed.

I want spam

Hey I want to receive spam. It is my right, as a citizen of the United States. Who are you and what authority do you have to deny this right of mine?

I think spam is informative and it informs us of new products, interesting mortage oportunities, good deals, pyramid schemas in which if everybody participated we would all be rich (except the leaf nodes) and other goodies.

You are Facists.

The RIGHT way of using the state to kill spam

[swordgeek]

Anti-spam legislation is a bad and wrong-headed solution to the problem of spam. Filtering is a stop-gap measure that doesn't solve anything.

The key is this: Spam is already illegal! Even entirely ignoring vandalism and theft-of-service, when was the last time you got spam that:

1) Had a legitimate and correct return mail path
2) Actually honoured an 'opt-out' request
3) Advertised a legitimate product

In other words, nearly all spam is fraud, and should be prosecuted as such.

We have laws on the books against fraud, theft, false advertising, and vandalism. The only thing that makes spam even remotely different is the question of jurisdiction, and even that's pretty easy--if the spammer is in your country, you should be prosecuting him.

Now how do we get the government to act? Simple--just believe all of the return email addresses on the spam. If I get 30 messages a day that claim to be from hotmail.com addresses, then I'm going to send them all to hotmail. Either they really are hotmail users (no chance of course, but they'd be kicked off if they were), or someone is illegally misrepresenting themselves, and defrauding hotmail to do it. Hotmail should be getting tens of thousands of reports a day from dutiful citizens, until they start to go after spammers stealing their domain name.

Re:The RIGHT way of using the state to kill spam

[JuggleGeek]

Now how do we get the government to act? Simple--just believe all of the return email addresses on the spam. If I get 30 messages a day that claim to be from hotmail.com addresses, then I'm going to send them all to hotmail. Either they really are hotmail users (no chance of course, but they'd be kicked off if they were), or someone is illegally misrepresenting themselves, and defrauding hotmail to do it. Hotmail should be getting tens of thousands of reports a day from dutiful citizens, until they start to go after spammers stealing their domain name.

So, when a spammer forges my domain, as happened recently, everyone they spam is supposed to bitch and whine to me? Fuck you. I already have to deal with bounces, and now I'm supposed to deal with your complaints, because it's too darn hard for you to do anything other than hit reply and complain to me - a victim.

I have a page about forgeries to my domain at http://www.whitis.com/mypillsrx.htm

The same spammer was recently discussed in an article, with a /. discussion following it. See this link.

Re:The RIGHT way of using the state to kill spam

[swordgeek]

"So, when a spammer forges my domain, as happened recently, everyone they spam is supposed to bitch and whine to me?"

To some extent, yes. But hear me out first.

First of all, you are a victim--possibly the most hard-hit victim. However unlike the rest of us, you are the victim with authority to prosecute. We're being spammed. You're being defrauded, and should nail someone's ass to a tree for that.

Now the second point that I didn't make clear, is the reasoning behind this, which incidentally takes you mostly out of the picture.

Individual spam victims--even hundreds of thousands of them--won't get these guys routinely and consistently nailed. The only way court cases will become the way to deal with spammers is if the Big Players--AOL, Hotmail, Yahoo!, etc.--start to go after them; and the only way that these companies will go after spammers, is if they are being materially hurt by spam. Beind defrauded isn't a big deal unless people believe the fraud, or modify their behaviour because of it.

Individual private domain owners, small 'public service'-like sites, they don't need the extra harassment, especially if (as in your case), they're getting forge-attacked. It's the big players, and the big money that has to ATTACK the spammers, and we need to promote that.

Have you talked to a lawyer yet? I see that you've got an open call for one, but you should consult with one just to see where you stand.

Re:Solution: Make forging and obfuscation impossib

If the government were to mandate such a change, how many would consider this an unspeakable blaspheme to freedom of speech?

How many would write their congress person?

Libertarians give libertarianism a bad name

[djnichol]

Spam has to be stopped at the source. Do these libertarians not understand how much bandwidth goes wasted? I'm getting tired of their incessant anti-tax initiatives at the local government level while they barely pay lip service to the excesses of the federal government.

that's right - don't try to stop spam

[Anonymous+Spammer]

As a professional sender of UCE, I just want to tell you slashdotters to keep on playing with your spam filters. As long as you use spam filters on your e-mail, I can continue to reach my real intended targets, those non-slashdotters who do not know better and will buy my products or click through to my client's websites. Your filters really help cut down on the complaints to the Internet service providers I do business with, and as long as not too many complaints come in their marketing people assure me we can do business. Of course, I still waste your bandwidth and mailbox capacity, but you no longer complain to uce@ftc.gov, my access providers, or anyone else who might cause me problems. My yahoo and hotmail and other accounts for replies are lasting much longer before getting shut down because someone complained to these service providers. And my clients are even reporting that they can start mailing out 800 numbers like 1-800-901-3719 again and they will not have you damn geeks set up your modems to keep autodialing them, since you spend your own time and effort to filter the e-mail and only clueless users who might actually call will see the numbers.

Please don't bother your Congressmen or Senators proposing legislation that might not work 100%. Just keep on filtering the spam I send you, I know you would have never bought from me anyway. That you can filter legitimizes my business and my waste of your bandwidth.

P.S. To be sure of not getting a false positive, be sure to send all filtered mail to a special folder. Waste your storage space storing the mail until you manually go through every piece to be sure you didn't accidentally filter something important. Of course, this will take exactly as much effort as it would have to just check the e-mail when it first came in, not to mention the extra effort spent in setting up the filters and the extra space for storing your incoming spam folder, but what the heck. If you think that you can scan e-mail for false positives faster this way you are just fooling yourselves, if you are scanning faster e-mail that you expect to be all spam, you will miss the very false positives that you think you are looking for. And any fales positives that you do catch will have been delayed, perhaps days or more. You geeks enjoy wasting time this way, and I certainly appreciate it. It makes the work of all us spammers much easier. After all, slashdotters like Moderation abuser tell you that Bandwidth is cheap, disk is cheap, CPU is cheap , which is good, because at the rate spammers like me waste it the costs still adds up. I am gald I never pay for it, and I would just as well that everyone else takes the additude that all of the resources I waste are cheap than band together and pass laws against us. No one should care about spam because Bandwidth is cheap, disk is cheap, CPU is cheap and it is your job to filter it.

Think you've seen this before? Don't complain. Just go through lots more work to set up special filers on your computer so that you will not see it again. Crawl into your holes, let us attack the real problems we have in getting our spam to the clueless marks that will respond. You should have to do that. It's the true geek solution, and I would really like it if you did.

And don't pay any attention at all to the fact that those anoying telemarketers suddenly topped calling you two days ago, not because you wasted time and money getting caller-id and setting up systems to filter them out, but rather because the do-not-call list became law. Heck, in my case, even those annoying calls where someone who hang up as I answered, which used to happen several times a day, completely stopped. But just recite that laws can't work, the end user must have their bandwidth wasted and go to extra work to filter their spam themselves. How else can spammers count on reaching the sheep who don't filter their mail and will respond to our great offers?

Re:that's right - don't try to stop spam

Anonymous Spammer wrote:

As a professional sender of UCE,

Bullshit! If you're a spammer, I'm Saddam Hussein's mother. Uh, wait a minute...

But since you allege some things to be facts, let's take a look at them, pretending as we talk that you really are a spammer:

As long as you use spam filters on your e-mail, I can continue to reach my real intended targets...

That's correct, as far as it goes, but there's so much more to it than that!

Of course, I still waste your bandwidth and mailbox capacity...

True, but I also waste yours! You didn't realize that, did you? You send me a spam, I download your entire site. You send me another spam, I download your entire site again. You pepper your spam with URLs, I download your site for every one of them.

Please don't bother your Congressmen or Senators proposing legislation that might not work 100%.

Legislation won't work at all. Zero. Nada. Anyone who understands anything about Internet mail and how it works and how spammers abuse the system knows that. We're going to bypass legislation and bring the cost directly home to you.

That you can filter legitimizes my business and my waste of your bandwidth.

You have it backward, as it turns out: Your spam legitimizes my visiting your site and exploring it. Fully. Several times. URLs sent to me are explicit invitations to visit your site(s). Links on your site(s) are explicit invitations to click and explore. I'm just accepting your many invitations. Since there's so much there to see, I can't retain it all and always have to return and see it all again. And again.

To be sure of not getting a false positive, be sure to send all filtered mail to a special folder. Waste your storage space storing the mail until you manually go through every piece to be sure you didn't accidentally filter something important. Of course, this will take exactly as much effort as it would have to just check the e-mail when it first came in, not to mention the extra effort spent in setting up the filters and the extra space for storing your incoming spam folder, but what the heck.

That's it exactly! What the heck! I do send all the filtered spam to a special folder. The false positives are very easy to spot there, and no, it doesn't take the same time to verify spams than it would if I had to wade through them in my New Mail folder.

Waste my storage space? Gee, I have more storage than I know what to do with, now that commercial, server-grade storage costs me, oh, about $0.0037 per MB. If I shop a little I can get it down to $0.0013 per MB or less.

Setting up the filters? Heck, I did that once, and after a little tuning haven't touched them since. I can share them, too, so other people don't even have to set up their own the hard way.

...you will miss the very false positives that you think you are looking for.

Nope. The false positives stand out like sore thumbs. Maybe it's because people who write to me for the first time generally don't write from addresses like "qwertyqwerty@hotmail.com," and generally don't use Subjects like "You didn't call! apyeuxeer". I could use one of the new Bayesian filters that actually has an accuracy rate of 99.6% or better, but I choose not to for now.

And any fales positives that you do catch will have been delayed, perhaps days or more.

Ha! What are you smoking? Spam doesn't clog my New Mail folder and it doesn't delay anything being seen that needs to be seen.

After all, slashdotters ... tell you that Bandwidth is cheap, disk is cheap, CPU is cheap , which is good,

It sure is!

Libertarian Fantasy ... Again

[looie]

this is the standard libertarian fantasy, that the world would become just wonderful ... if everybody became a libertarian. and, as usual, there's no follow-through as to what it actually would be like to live in a world in which "i'm alright jack, screw you" was the dominant social theorem.

notice the standard libertarian assumption that, if you (a) aren't a libertarian and/or (b) want gov't action against ________________ [fill in the blank with spammers, in this case], you are a person without a sense of "personal responsibility." notice also, the standard libertarian assumption that, as a libertarian, the author is a cut above the rest of us "schmoes."

the fact is, spammers are thieves, stealing services from bandwidth providers. it's not clear to me why the author of this piece, and libertarians in general, regard this behavior as something that can be stopped if i display "personal responsibility" on the internet. it also is not clear just what that actually means, but never mind. and it is not clear exactly why they are less than eager to legally stop this behavior, but my suspicion is that it is because spamming is a business; and libertarians just can't bring themselves to take serious action against that "entrepeneurial spirit." if you're doing it to make money, a libertarian will bless you for it.

i'm dubious about laws against spammers, because i think they will be ineffectively administered. it's not that the technological means of tracking down spammers don't exist, it's that such a process would be time-consuming and expensive. i think that prosecutors just don't want to invest in it. that may be a necessary decision -- funds for attorneys general are not unlimited, and they have to deal with rapers, murderers and wife beaters, too.

i think a bounty law, that would allow individual citizens to bring spammers to book, would be more effective. imagine forming a company comprised of some technically proficient individuals, lawyers and maybe accountants, who working together could track down big-money spammers and present all the technical, legal and financial information about the spammer to a prosecutor, in exchange for either a state-sponsored reward or a percentage of the seized property.

that would rule.

mp

Re:Libertarian Fantasy ... Again

... notice also, the standard libertarian assumption that, as a libertarian, the author is a cut above the rest of us "schmoes."

... and it is not clear exactly why they are less than eager to legally stop this behavior ...

OK, now I going out on a limb here, but my take is:

1. Libertarians are as much elitists as liberals, they just don't feel the need to try and run other people's lives for them. A half-point in their favor.
2. Libertarians really don't want there to be a government (defined as a monopoly on the use of force, any force), hence it follows that they are opposed to law enforcement, or even any kind of standard of behaviour enforced by anything greater than the neighbors. Their attitude is "Do your own defense."

The kind of society I've read Libertarians idolise is ancient Celtic, highly decentralized, hardly any authority at all. I note that these Celts failed to defend themselves from the highly organized Roman Empire, which demonstrates the limitations of that model.

Re:Libertarian Fantasy ... Again

[Okind]

and, as usual, there's no follow-through as to what it actually would be like to live in a world in which "i'm alright jack, screw you" was the dominant social theorem.

Where did you get the idea that that is the dominant social theorem for libertarians? As far as I learned their views, their attitude is more accurately characterized as "if you don't put your actions where your mouth is, stop whining". This does not mean abandoning other people to life, but merely not interfering with their life as they choose to live it. The lives of people who don't take responsibility for their own life are not worth considering. After all, they don't do so themselves.

the fact is, spammers are thieves, stealing services from bandwidth providers.

Unfortunately, this is not true. After all, the bandwith providers merely provide bandwith. Spammers use that bandwidth. They also do not steal the time and money we invest in combating spam. There is no theft here.

Spammers do cause us to lose time, bandwidth and money. Just as some 'activists' harass people wearing fur coats, causing them to lose time and money (as their fur coats need cleaning or are ruined by paint). To me it is only logical that spammers should be held liable for the damage they do, just as those activists should be held liable for the damage they do.

i think a bounty law, [...]

That would be nice. Especially if some smart people (smarter than me anyway) find a way to make cracking down on spammers profitable. This by the way, is a libertarian way of tackling the problem: you take responsibility -- and thus act. Libertarians feel that you then deserve all results of your actions, such as less spam on the internet and even a profit.

Re:Libertarian Fantasy ... Again

[looie]

and, as usual, there's no follow-through as to what it actually would be like to live in a world in which "i'm alright jack, screw you" was the dominant social theorem.

Where did you get the idea that that is the dominant social theorem for libertarians?

first, i got it from reading some of their literature, especially that rag published in port townsend, wa. second, i got it from reading their various posts around usenet and before that, on fidonet.

As far as I learned their views, their attitude is more accurately characterized as "if you don't put your actions where your mouth is, stop whining".

yeah, and everyone who is not a libertarian is automatically a "whiner."

The lives of people who don't take responsibility for their own life are not worth considering. After all, they don't do so themselves.

this kind of elitist bigotry makes you an excellent candidate for the role of libertarian. i come from a different school, one in which all human beings deserve respect, not just the ones that fall into your socioeconomic class or your political clique. it's because of people like you making the decision of whose lives are "not worth considering" that we are over in iraq right now, killing off civilians left and right. and, of course, let's not forget about israel, where animal abuse is a more serious offense than killing a palestinian. another classic decision of whose lives "are not worth considering."

nope, sorry. there are better ways of living and better ways of constructing a society than adopting the "virtue of selfishness" theory propounded by libertarians.

and, btw, every isp i've used has terms of service that forbid spamming, header forgery and abuse of system resources. so, yes, spammers are stealing bandwidth because they could not do what they are doing without getting kicked off the victim isp. in some cases, they lie to get an account, in others they hijack other users' accounts to do their work.

mp

Re:Libertarian Fantasy ... Again

[sirbone]

There really was no pompous libertarian holier-than-thou stuff in it. Heck, he didn't even use the word "libertarian" or make any comments about people joining with his political ideology. His only real demand is that people who want to solve the spam problem make sure they are putting forth an effort to understand the problem, which sounds quite reasonable. His only criticism follows from that, slamming people who whine about things and do nothing to help themselves, expecting others to fix their lives. In fact, that's one thing libertarians ought to be admired for. At least they try their best to proactively fix things on their own rather than demanding someone else, like the government, do it for them. I think that is quite an admirable trait in a person.

Nonetheless, If you had bothered to read the point the author was trying to make, you would see that you are in agreement with him in a sense. He was stressing that people need to educate themselves on why spam can exist before one can even begin addressing the problem. Then from that he was taking a stab at doing just that while admitting he's not an expert on the details and petitioning people to offer up ideas. He also *attempts* at proposing solutions and asks people to help educate him to cooperatively improve his suggestions, which is what he means by taking personal responsibility to solve the problem. Sitting on your butt and demanding a politician take care of it while you eat potatoi chips and watch Surviver is NOT taking personal responsibility. I see that you, like the author, put forth suggestions for fixing it. Thus you are doing what the author asks by taking personal responsibility to help out. Thus you and the author, in attempting to point out possible approaches to the problem, are proactively addressing the problem yourself instead of sitting on your behind waiting for someone else to do it for you; your last paragraph exemplifies what the author wants to see more of (though ideally also followed through with action).

Re:Libertarian Fantasy ... Again

[looie]

His only criticism follows from that, slamming people who whine about things and do nothing to help themselves, expecting others to fix their lives. In fact, that's one thing libertarians ought to be admired for. At least they try their best to proactively fix things on their own rather than demanding someone else, like the government, do it for them. I think that is quite an admirable trait in a person.

actually, like most libertarians, he assumes that people who want a law passed against spam are "whiners" and not "taking personal responsibility" in some way. that was actually my point, in that regard -- libertarians have this utopian fantasy that "taking personal responsibility" will somehow transform the desert into an oasis. "taking personal responsibility" is a code phrase for "become a libertarian" with all that implies, morally and ideologically.

Sitting on your butt and demanding a politician take care of it while you eat potatoi chips and watch Surviver is NOT taking personal responsibility.

no, but why do you assume that everyone who is working on or demanding legal action is so doing? i run linux/bsd/sunos on 6 of my 9 machines, procmail my incoming mail and have next to no real problem with spam ordinarily. i still would like to see some legal action taken to slow down the onslaught. the last worm-blast from m$ used variations on a "honeypot" address of mine & as a result, i received somewhere around 5000 of those mails in less than a week.

yes, that's an exception to the "spam" rule but i would like to see something that would promote a more active search for the butthead that did it. even though i'm not a windows user, i still paid a price in time and bandwidth for those who are.

so, i guess the first rule of "personal responsibility" would be: don't use windows. ;-)

mp

Libertarians give libertarianism a bad name:agreed

[adzoox]

Good subject line.

Libertarians in my area (Greenville SC) are nothing but whacko anarchists. Their leader is often engaged in vigilante justice.

A few months back he COMPLETELY "ruined the peace and progress" of an anti flag rally by pushing a black guy out of line. (Anti flag = no civil war flag/ACLU/Jesse Jackson issue)

This "leader" of the Libertarians has also sued my business over service - he bought a computer from me - then tried to hook a Parallel printer into the SCSI port - fried the computer - then wanted me to replace it under warranty. He later came on the 6 o clock news stating that it was black judge that handed the decision out because of his "push" and took no consideration of the facts. So, I agree ... Libertarians give Libertarianism a bad name. They don't want a solution, they want a sort of quasi secular/quasi religious vindication for everything. (Side note: said leader also ststed in his monthly newsletter that if it would have been the "old days, before gov't intrusion, we'd have settled it with pistols! .... say WHAT???)

Qui bono? Sue the friggin' content.

[crovira]

Put your company's name in Spam, pay a million dollar fine per day.

Spam stops. Simple. Straight-forward. Effective. Needs no tech to implement at all.

Re:Qui bono? Sue the friggin' content.

Ya that's something I still don't understand.

In order for spam to work there has to be some CONTACT INFO in the spam or they can't sell you anything!

So just go after the company and TAKE IT DOWN!

It's like stopping drug dealers. Busting the kid selling crack on the corner doesn't really make much dent even though it might make you feel better until he gets replaced. Taking down the kingpin at the top of the chain supplying it all really helps stop it.

But ultimately, don't fucking buy anything from spam ever and it will stop.

I said it before and I will say it again

[Monoman]

We don't need laws specific to spam. We need laws to be generalized to stop any unsolicited communications that are forged with the intent to deceive the recipient.

What about a filter for...

[SirTreveyan]

those stupid chain letters tht friends and family members are forever forwarding to you. You know the kind...sent to so many of your friends for "good luck" or some such shit. I dont know why people forward that crap.

but what about...

gullible old people? i'm serious. most of the people i know are already combating spam through technology and other methods. keep in mind that the main target demographic is people who cannot figure out that it is spam, and wouldn't know what to do with it anyway. if you can figure out how to reach them, then your idea might work.

You Might Be An Anti-Spam Kook If ...

[dwsauder]

You Might Be An Anti-Spam Kook If...

Source: Posted to IETF mailing list by Vernon Schryver.

• you have discovered the Ultimate Final Perfect Solution To The Spam Problem (UFPSTTSP).
• you are the first to think of the UFPSTTSP.
• you were motivated to find the UFPSTTSP because you know it is impossible to filter more than 99% of spam with fewer than 0.1% false positives by any of several currently available mechanisms.
• despite being the inventor of the UFPSTTSP, you are unfamiliar with "false positive," "false negative," "UBE," "tarpit," "teergrube," "Brightmail," "Postini," "SpamAssassin," "DNS blacklist," "HELO," "RBL," or "mail envelope."
• you plan to make money by licensing the idea of the UFPSTTSP.
• you are deeply offended when people do not agree that you have found the UFPSTTSP.

• you cannot name several potentially fatal flaws in the UFPSTTSP.

• you think all you need to do to get the UFPSTTSP implemented and deployed is to publish an RFC.
• you don't recognize the difference between deploying and implemeting the UFPSTTSP.
• you plan to publish an RFC mandating the UFPSTTSP but have no idea that RFC 2223 or RFC 2026 exist.
• you have no idea of the relevance of "consensus" or "IESG approval" to publishing RFCs.
• you think all RFCs have the same standing.
• you think that spammers won't ignore, subvert, or exploit the UFPSTTSP if you publish it as an RFC.
• the UFPSTTSP depends on spammers or mail recipients changing their behavior without any immediately gain.
• the UFPSTTSP won't be effective until it has been deployed at more than 60% of SMTP servers and you don't think that's a problem.
• the UFPSTTSP is trivial to implement and deploy, but you have done neither.
• you feel your job is done after having explained the UFPSTTSP, and that "programmers" will drop everything to implement it.
• you think that a violation of an RFC by an SMTP client or server is good and sufficient reason to reject all mail from the system's domain.
• you think that SMTP has no authentication and have never heard of SMTP-AUTH, SMTP-TLS, S/MIME, or PGP or think they're irrelevant to the lack of authentication in SMTP.
• you think that the fact that most SMTP servers do not authenticate the SMTP clients of strangers is a major bug in SMTP instead of a major feature and expression of a primary design goal.
• despite discovering the UFPSTTSP, you don't know the meanings of MTA, MUA, SMTP server, or SMTP client.
• the UFPSTTSP requires a small number of central servers for validating email, serving as "pull servers" for bulk mail, or anything else.
• the UFPSTTSP requires that anyone wanting to send mail obtain a certificate and that such certificates would be checked by all SMTP servers.
• you think that useful certificates of a person's identity that certifies not only that the person has that name but has no other certified names are cheap and easy.
• you think that most Internet users would willingly pay more than $5/month to avoid spam, and don't know the per-user price point for anti-virus software or data.
• you don't see why a certificate that binds a name to a user is useless against spam unless it also certifies that the user has no other names.
• the UFPSTTSP involves ISPs issuing certificates to users and that the same ISPs that don't terminate the accounts of spammers or don't investigate prospective customers enough to refuse service to spammers will refuse certificates to spammers.
• you've never heard of RFC 2554 or RFC 2487 and the UFPSTTSP has something to do with authentication.
• the UFPSTTSP involves replacing SMTP.
• you routinely send single "LARTS" or reports of single examples of objectionable mail to more than two dozen addressees.
• your definition of spam differs significantly from "unsolicited bulk email".

Why don't i just become God?

[evodas]

So, again those liberarianiscts are at it again.
Let me see. In between (in no particular order, go to item 1000):
1) Working my day job
2) Doing my non-day consulting work
3) Doing occasional committee and club work at my son's school
4) Studying the insurance market to try to understand how I can get the best plan and lower premiums
5) Reading the business papers daily to figure out where the economy is going and where I should be
6) Volunteering for my favorite political candidates (still a democracy somewhat)
7) Reading the general news to stay ahead of where the macro social and political things are and are headed
8) Maintaining my German by reading turn-of-the-century novels
9) (No car, thank heaven so no need to bother about all that!)
10) Studying the fixed income markets and the mortage sheets to figure whether to refi again or not
11) Contributing to Open Source discussion groups
12) Studying and paying my bills
13) Reading my personal email (including Spam that gets through/is only suspicious)
14) Helping my wife with her work VPN and other home technical projects
15) Helping all my friends with all their technical problems
16) Writing contracts for various construction projects in my house
17) Studying the wireless market for the best cell phone deal (with this item i can start thinking about shooting myself...or others)
18) Studying the POTS market for the best POTS service
19) Studying the Cable/DSL market for the best high-speed data service
20) Studying the Disability Insurance market for the best coverage/premium
21) Studying the home-care/nursing home market for my father
22) Talking to my father everyday
23) Visiting my father 100 miles away
24) Reading Slashdot
25) Maintaining my website
26) Reading (some of) the handful of technical journals I subscribe to
28) Installing and working with some relevant new technology I've found ......
100) Learning how to pick and choose among drugs on an unregulated drug market
101) Trying not to get poisoned again from that Salmonella-contaminated beef from the supermarket
102) Protesting at all the automobile , electric power generators, mining, chemical, plastics, battery, consumer goods, etc. companies to get them to stop making my immediate environment barely livable for organic life
103) Trying to get a signal from that underground radio station in our community to get away from Monopol Communications programming ....
1000) Fight spam on my own .....

Put your competitors names in spam...

[VendettaMF]

Rapidly become a monopoly?

What a useless article!

[MickLinux]

How did this ever get passed by Slashdot?

Let's see... the big ideas that they gave us were:
#1) Don't put your email address on web pages.
#2) ... uhh, there was no #2.

Aside from that, the article pointed out that it's relatively cheap to delete spam. Excuse me, is this guy a spammer during his off time?!?

Quite simply, I *don't* post my email address to web pages. Somehow, or other, the spammers get ahold of the email addresses anyhow.

Here are some other ways: (1) You ISP sells your email address. No kidding. I have one email address, .omnitel.net, for which I suspect this is true, because the spam started rolling in immediately, and did not stop. (2) Some friend's email provider sells recipient email addresses. This is another one. When some of my acquaintances got a certain famous webmail address, because it practically was part of the OS that they got and was free like mail.yahoo.com, it took one email from them, and the spam started rolling in.

(3) Some friend of yours fowards one of those semi-viral human-engineering emails "to all", and then another friend forwards it "to all", and some spammer down the line, who let that little wormie go, reels in fish after fish just by processing the thing. Oh, you can tell those friends, "please, please, PLEASE don't send this to me". But the next time he/she runs across another hyperfeminist laud, or something says "don't let another person die! Forward this TO ALL with headers attached!", why it comes your way. *sigh*.

The only way we'll end spam is having a penny-per-sent-email charge. If my ISP started doing this, and billing me that 1 cent per email, but also billing all other ISPs that sent email 1 cent (and blocking those that didn't pay) I would thank them from the bottom of my heart. Of course, when my business email didn't go through, I would call my business contact, give them the address of the free and open-source automatic accounting software, and tell them "have your ISP start this up, and spam will stop. Don't, and your emails won't get through." Very quickly, we'd pay the 1 cent per email charge, and find that those who paid got their email through; those who needed it to be free wouldn't.

Meanwhile, I'd only get spam that was worth more than a penny. In other words, I'd get spam that most people would be reasonably likely to buy.

Re:What a useless article!

[GISGEOLOGYGEEK]

great! now lets send you to nigeria, various asian spots, central america, or 180 other countries to enforce this universal penny per email plan ... or is this yet another case of an american thinking his laws apply outside his borders?

Keep saying that. Maybe people will believe it.

[Population]

"New laws will simply be circumvented"

Right. Laws are useless. Bad guys will just get around them. We shouldn't have any laws. We shouldn't have any laws that aren't 100% perfect.

Judging from the interviews with spammers, an excellent example was in /. just a little while ago, they aren't that intelligent. I'll take a law that gets some spammers fined or jailed.

"for example, can you apply your laws outside of the US and is the Internet a US-only thing?"

Simple, if you send spam while you are inside the US, then you have performed an illegal act. This will not cut down on people living in China sending spam to the US, but it seems that the majority of spammers are in the US.

"The big boys of the spam industry will not be affected."

So you say. Yet you offer no rational for saying so. Unless they move to another country, they will be affected.

"Everybody employs anti-spam technology. Spam doesn't reach people. People sending spam therefore do not make money. Spam stops."

Right. Even if every email program shipped with anti-spam software, spam would get through and people would reply to it.

Again, just read the old interview in /. and you'll see how little money it takes for a spammer to continue.

Instead of your ranting against laws, why don't you look at the actual law?

Opt-out lists are useless. All they do is provide the spammers with real email addresses which can be used in other spams or sold for a profit.

Opt-in is the only way to go. But with junk snail mail, you don't have to do opt-in. You can send junk to every address. But the sender pays for the delivery.

Don't just rant against laws. Make suggestions that can be implemented. Saying that everyone should use anti-spam software is not something that can be implemented. Everyone won't even use anti-virus software right now.

Re:Keep saying that. Maybe people will believe it.

Your attitude is jarring and pedantic.

One...people don't argue about laws in general, they are arguing about laws about spam. Which, to be very clear, has had barely made a dent into the problem. is it good to have laws about spam ? sure. But enforcing them at the citizen level is not only an ENORMOUS pain in the ass, but arguably not worth the effort you need to make.

If you're going to make a statement about the intelligence of spammers due to an interview you saw on slashdot, then you've got some problems.

Have you ever been part of a spam incident handling for investigation ?

"Unless they move to another country, they will be affected." --- Bullshit. They might be affected, but it's unenforceable. The are very few things in the Internet that are worse than SMTP headers with regards to an audit trail.

Without making sure that ARIN, APNIC, and RIPE database are correct (the last two are frequently not), sniffing all and every traffic coming into your organization, and/or changing the way SMTP works, no law will change the amount of spam in a significant way.

Although I am NOT the original poster, I do have some suggestions. Stopping spam will not happen unless there is a fundamental change in the way that the RFCs at that govern SMTP are written.

Authentication for SMTP...requiring MX records to be registered...and employing whitelist-only techniques are going to stop spam.

I do agree with you on one point...Opt-out lists make good sense in theory, but they are UNenforceable at this point.

If you're going to rely on geographic laws to fight spam, don't hold your breath.

Spam = Immortal

[Brainomac]

As the article points out...spam is here to stay and the only way it'll die is if people stop responding to those damn viagra emails. Why does it always have to be the case of one guy ruins it for everyone?

Anyway the best spam deterrent that I've discovered so far is this service called shadango.com that I started using about two months ago. It's frickin' solid. It enables me to check both my hotmail and students address from the same interface and my inbox has been virtually junk-free. Check it out....Jeff Lindl recommends it highly!

That's my two cents,

Jeff Lindl

Re:tired from spam ?

[moro_666]

forgot to mention, it's a bit alternative so don't
expect any romantic stuff from there.

a part is here

"I think I just need a vacation. And to get laid."

SAVE ME,GOVERNMENT!

[goldspider]

"But no, the rest of us are fighting to get laws in place to get rid of this shit, and this idiot is fighting against that because he's a wack job libertarian."

Laws like the ones that were supposed to get rid of shit like drugs? We all know how well THAT has turned out, don't we?

It's a shame that Libertarians are thought of as "wack-jobs" for believing in the concept of personal responsibility. How weak are people who need to depend on the government to protect them from every little inconvenience that comes their way?

I for one am tired of people who want to impose a parental government on the rest of us simply because they are too lazy to take care of their own problems. Giving people a little credit, rather than continuously telling them they cannot achieve anything without the government holding their hand, will empower them to learn how to take care of themselves.

Re:SAVE ME,GOVERNMENT!

[HBI]

Remember what you are talking about here. Spam. It isn't people conducting their own affairs in their own house. It's someone shitting all over everyone else annoying mails about porn and penis enlargement.

Denying the need for government like that makes you an anarchist, by the way. Not a libertarian.

Re:SAVE ME,GOVERNMENT!

[goldspider]

Is spam annoying? Yes! Is it intrusive? Yes! Can people do something about it? YES!

A government solution should be the LAST resort. As long as people can do something about the crap that comes into their e-mail box, they should be encouraged to do so. If they don't know how, they need to be educated. And despite what you think of less technical users, most of them are willing to learn.

The problem is that people have gotten used to relying on the government to solve all of their problems for them, and people like you who tell them they aren't smart enough to help themselves.

For the record, I am in favor of some government intervention; only, however, when the people have no other viable alternative. An example would be the "Do-not call" lists. People don't have a viable way to filter telemarketing calls, so I believe government action is appropriate. But again, only as a last resort.

Re:SAVE ME,GOVERNMENT!

[Steve+B]

As long as people can do something about the crap that comes into their e-mail box, they should be encouraged to do so.

By this logic, there should be no laws against people literally dropping trou, backing up into position, and dumping crap into other people's mailboxes. The owner can just hose it out, after all.

Civilized societies have locks and laws against theft and trespass. The same principle applies here.

Re:SAVE ME,GOVERNMENT!

[goldspider]

"By this logic, there should be no laws against people literally dropping trou, backing up into position, and dumping crap into other people's mailboxes. The owner can just hose it out, after all."

Not an accurate comparison. My suggestion, in the context of your analogy, would be to allow people to put a combination lock on their mailboxes if mailbox-shitting became a problem (and it's not).

Re:SAVE ME,GOVERNMENT!

[Steve+B]

My suggestion, in the context of your analogy, would be to allow people to put a combination lock on their mailboxes if mailbox-shitting became a problem

Would you make it a criminal offense to pick the lock? That's how it is in the real world, and how it should be in the case of spam (via a clear legal doctrine equating the circumvention of spam filters with the circumvention of any other form of computer security).

Re:SAVE ME,GOVERNMENT!

[goldspider]

"Would you make it a criminal offense to pick the lock?"

Yes, and I would also make it an offense for a spammer to actively try to break/circumvent a filter and forcably cram their junk into people's mailbox, but that isn't happening; that's not how spam works.

Re:SAVE ME,GOVERNMENT!

[Steve+B]

I would also make it an offense for a spammer to actively try to break/circumvent a filter and forcably cram their junk into people's mailbox, but that isn't happening

Nonsense, it happens constantly (e.g. "herb@l v1agr@").

Re:SAVE ME,GOVERNMENT!

[CashCarSTAR]

The problem with Libertarianism, is it results in a socio-economic system where those willing to sink the lowest have the greatest advantage.

Listen, I'm personally a very responsible person. Yet I still believe in government oversight, because I believe that by and large, the concepts of honor, dignity and yes, personal responsibility are mostly lost in a money-run society.

I have a grudging respect for Libertarianism, but not until serious steps are made at a social/cultural POV. What worries me is that these steps are rarely talked about.

Re:SAVE ME,GOVERNMENT!

[yerricde]

People don't have a viable way to filter telemarketing calls, so I believe government action is appropriate. But again, only as a last resort.

Do people whose Internet access is metered have a viable way to filter UCE?

Re:Libertarians give libertarianism a bad name:agr

That is the true face of libertarianism my friends.

I'm sorry all you naive nerds have been bamboozled by these psychos. Don't feel bad I hear in the 20s lots of nice boys join the KKK never intending to help lynch anyone.

Re:So if someone is pissing through our letterbox.

That's very naive my socialist friend... the libertarian response would be "get a gun and feel free to remove the pisser from your private property by any means necessary".

Profitable

[dpilot]

Isn't the real issue that we have poor cost metrics and service agreements on the Internet?

The cost of sending spam is virtually invisible to the spammer.

That's it, plain and simple. As long as 'one single potential customer' responds, it's 'Step 3: PROFIT!' (I know the spammer paid for the bulk mailer program, and pays for his/her rotating ISP fees, but the costs are effectively near zero.) But that spam wasn't really free, we all pay for it. Does anyone have a good estimate of how much Internet bandwidth gets wasted on spam? Or how much recipient time gets wasted downloading it, even if it is then automatically filtered and thrown away?

Today I pay a flat fee for my cable modem, and it carries certain Terms Of Service. Same back when I was on dialup. There is supposed to be an aggregate bandwidth cap on cable, but I never worry about it except when I'm going to download a new set of ISOs. There were dialup time limits as well, but in that case they were mostly worried about camping on the modem pool, not bandwidth usage.

Is it possible to come up with a more refined billing model that could effectively shift costs back to spammers without killing mailing lists?

Re:Profitable

[JaredOfEuropa]

Isn't the real issue that we have poor cost metrics and service agreements on the Internet?

Cost metrics are poor, for a reason, one that economists call 'market failure'. For each transmitted email, view of a webpage, downloaded file or transported byte, there is a fee that users would be willing to pay. The problem is that tallying and collecting these fees is impractical, or the cost of doing so would far exceed the revenue. That's why peer agreements between ISPs exist: they just agree to 'call it even' and won't bother to count bytes. This is nothing new either, snail mail agencies have been doing this for centuries.

Shifting cost back to the spammer might be possible, but there are two problems:
- Already, spammers often operate using temporary untracable accounts. They are cut off when the ISP gets wise to them, and they simply move on to the next account. In some cases they will use a hacked account of an unsuspected user. So, if they are willing to commit fraud or break into unprotected systems to get their spam out, you can be quite sure that they will find ways to avoid any costs being charged back to them. What we might achieve is that certain ISPs will change their policy of lenient to spammers
- Implementing a charging model will come at a price, both a monetary one and one of added inconvenience. The current model of most ISPs who will sell you an unlimited (or a capped) data volume at a fixed price, works out cheaper both for the ISP and for the customer.

As for the cost of spam in bandwidth: I don't recall the exact figures, but spam is supposed to make up a very significant portion of total traffic. We're not talking 1% or 2% here.

Re:Profitable

[dpilot]

I understand the reasons why cost metrics are poor, and your mentioned difficulties of making things better. But I wonder if we took the amount of brainpower that has been applied to spam filters and apply some of that to fixing cost metrics, we might be better off.

Mass murder funny?

[toupsie]

Bad moderators, bad, bad, bad moderators.

MOD PARENT UP

[WaxParadigm]

It's so nice to read responses from the clueful.

Stop the demand not the supply

[Neil+Watson]

It's just like the American (other countries aswell) war on drugs. You can never stop the supply as long as there is a demand. Spam will never be eliminated until it's not possible to profit from it.

Re:Stop the demand not the supply

A few months ago, Slashdot linked to a story about a spammer. It had this interesting fact. The reply rate for spam is %.25. That's right, one reply per 4,000 spams sent. And it was still quite profitable.

How much lower do you really think the reply rate can be forced down? I think it's already so low there's no progress to be had there.

The Internet in general, and email specifically, is built upon cooperation. The Libertarian attitude of "I'll defend myself, the rest of you are on your own." is suitible for a hermit, but not for members of a society.

Re:Stop the demand not the supply

[robogun]

With responses rates in the 3-4 per billion range and dropping, either spam will stop on its own, or we all all soon die in a supernova of spam.

Spam won't stop until someone beats up a spammer

I know it sounds barbaric and cruel, but I truly think that until that happens the spam will keep flowing.

I mean put a guy in the hospital for a week and people will take notice.

Sure even then the spam won't stop, but I bet you'd see a drop off.

Red tape is the best way to kill spam

The major advantage and disadvantage of internet is that there is no red tape. There are no "form"alities and no way of procrastination. This is a boon and a bane both.

I suggest that a bit of bureaucracy be introduced by ISPs. If you want to send email to my customers,
(a) fill out a 10-page form in triplicate, one for you, one for me and one to pass on to law enforcement authorities should they need it. The form must be signed by a govt. officer above a certain rank.

(b) For commercial establishments, deposit a refundable amount of $ww,xxx.yy for the period you will be sending emails to my customers. The amount shall not attract any interest. The amount will be adjusted according to the volume of the email.

(c) All emails not from those who submitted such a form shall be rejected.

These provisions may be suitably modified as per customers' reactions and changed conditions.

This will introduce some delay and some red-tapism into the picture. Red-tapism is the best way to kill an enterprise.

Multiple soultions, we should use them all

[dr2chase]

There are numerous ways to know that a piece of mail is not spam, and we should use them all and accept them all.

1) Transitive trust.

a) If a PGP name server is known to contain links to actual people, then messages signed from that server are ok -- if they are spam, you can track down the sender.

b) if an ISP is known to enforce a no-spam policy, ditto.

c) If the HELO domain name resolves to the IP via a trusted DNS server (e.g., dynamic DNS from tzo.com), ditto.

2) white list

a) users, per user

b) ISPs, per ISP (I don't get spam actually mailed from aol.com anymore -- I think I can usually trust them).

3) challenge-response -- if you challenge incoming emails, surely you will process them when they arrive.

4) time-limited email address from web pages, combined with known-user databases. dr2chase+2003-10-03@etc will work for initial communications (from clicked web links) for only a few days, though anyone initiating an email exchange in that window can reuse the address as much as they want (this is to allow easy-click sending and correspondence from web pages).

5) hash-cash -- prove you solved a hard problem uniquely associated with this particular email, and you've proved that you cannot be sending too much mail per day. Therefore, you must not be a spammer.

The main point here is that ANY one of these methods can be used to show that a message is not spam. Mail receivers should deploy all of them, now. Mail senders should also get to work -- in particular, user agents should include "this will look like spam" sensers, so that they can ensure that legitimate messages do not look like spam.

The other half of the spam solution is to use "economic" punishment in the sendmail protocol. Don't ever reject email -- a clean rejection is cheap and fast. Hold the connection open. Delay before replying. Use that time window to gather information ("look, 100 incoming SMTP connections from the same source in the last 30 seconds").

Just so we're clear...

[IANAAC]

Turning off your internet connection is not a technological solution. That would be a luddite solution. 'Bounce all emails to spammed addresses...' What do you mean by that? You mean I get spam at one email address and now I should bounce everything going to that address?
Yeah, you're right. You weren't even trying.

blah, libertarian spin

[gad_zuki!]

>
They really wanted to give it a libertarian twist,
no matter what, didn't they?

Yep, and as Libertarians they fail to recognize a few important facts: we've already give the state the power to control commerce, print money, etc. We have already given up many essential rights (how many pollutants have you ingested this morning) for business, etc. Yet when the grass-roots wants to make a change for the better suddenly its the old "personal responsbility" line. Its like they want to freeze any politcal change but don't undertstand the history of the US is one of protest and change. Protest and change and the workings of a democracy will, in the end, be much more powerful than some hackneyed ideological position that citizens shouldnt be using government for their own end.

The internet by its nature forces us to share and be civil if we want it to last until the end of 2005. If the net or the rights of individuals are in danger then there is nothing wrong with try to bring about change. Heaven forbid people get together a launch a class action suit against those who have harmed them. Of course to the libbers the spammers theft of resources is an acceptable loss for the mantra of "personal responsbility." It seems only victims should be responsbile while spammers get a free ride. Replace spammers with big business or what have you and its the same philosophy.

Lastly, the "do you want your politician writing insert_type_here laws" is a pathetic straw man argument. Politicans are supposed to write laws, that's their job, if they aren't using the proper advisors or writing the laws you don't like then its a problem with that law not the system as a whole.

Also, I fail to see how one can be "personally responsbile" when dealing with mass-mailing not even targeted at you. Because x amount of people are willing to buy penis pumps, something I cant control, I will continue to get spammed. If I dutifully delete spam and report spammers I still get spammed. The very reason, if not the only reason, so many want legislation is because the personal attempts have failed to bring about change and the libbers assumption that we're all a bunch of "run to the nearest authority figure" kiddies is dead wrong. Anyone with 5 minutes to spare on google would know how spam works, the damage it does, and why its so hard to stop.

Rather than doing the research or caring about the issue the libbers are just using this to get their marginalized views across and hey it worked, they're on slashdot.

What about fax spam?

[Azethoth666]

No way to filter that crap till I have spent 5 cents printing it. Or phone spam during dinner time or any other part of the day.

Nope, have the government make it illegal & put the bastards in jail.

None of this opt-out crap either. If I want spam I can damn well opt in.

Now if only we can get rid of the snail spam the Post Office insists on shoving into my mailbox.

Re:So if someone is pissing through our letterbox.

[ratamacue]

If someone is urinating on your property, that's an actual initiation of force, and hence a legitimate use of government to solve the problem. It is not easy to argue that spam (and junk snail mail for that matter) represents an initiation of force. That is the root of the issue for Libertarians: the role of government is to protect the citizens against the initiation of force, and nothing more. Why? Because concentrated power is the most dangerous force that exists in the world -- it needs to be strictly limited, not expanded to "solve" every concievable social problem.

The argument is not "shut up and deal with it" as the above post would have you believe. The argument is that spam does not represent a true initiation of force, and thus it is not a legitimate use of government to solve the problem. The analogy presented above is a nothing but a typical, predictable, childish evaluation of the Libertarian argument, one which completely ignores the basic principles which guide the Libertarian philosophy.

Here's a thought...

[Serfalyx]

Not sure if this has been suggested before, but rather than all this expensive signing and encryption, why not just have each MTA append its IP to an X-header of every message before it goes out the door? The receiving MTA would check the header, verify that the message it received was, indeed, from the last IP in the X-header list, and either deliver the message locally or append its own IP and forward the message on.

This would not prevent spam initially, but it would provide traceability for a message. Spammers would be required to put their real IP on a message to have it delivered, and since they have no control of the message after it leaves their MTA, a clear trace is left back to them.

No, this does not prevent open relays from being a problem, but it would sure make them easy to find.

Inexpensive, clean, and relatively easy to implement on top of SMTP. Of course you'd have to get large ISP buy-in, but any sort of spam-killing is really in their best interest if only from a bandwidth point of view.

In the beginning, rather than blocking messages without this header, a warning could be issued to the involved parties informing them that they really should upgrade to an MTA that supports this extension.

Clear identification is the spammer's achilles heel. Exploit that and we'll be a lot closer to getting rid of spam.

-S-

The problem...

[taltimus]

is that fighting spam requires considerable time and resources. Putting a lock on your house is simple, and when criminals circumvent that lock, there is a punishment for that. Spammers are free to find all kinds of ways to get around your attempts to limit their intrusion of your space. I don't know the answers, but creating laws that punish this sort of behavior can only help people fight spam on their own.

taltimus

Re:So if someone is pissing through our letterbox.

[Steve+B]

It is not easy to argue that spam (and junk snail mail for that matter) represents an initiation of force.

That's another advantage to my proposal that the laws should be focused, not on spamming per se, but on the use of filter-circumvention techniques (which should be prohibited just as other forms of computer cracking are prohibited).

The distinction between spamming and normal e-mail is sufficiently fuzzy at the edges (e.g. what constitutes "bulk"?) to give your position a grain of plausibility. However, a mailing that is tailored to get past spam filtering (e.g. forged headers, munging of "spammy" words) is equivalent to lock-picking one's way onto other people's property, and as such is a clearcut initiation of force.

Re:Solution: Make forging and obfuscation impossib

[leinhos]

This is really the only answer. Currently it's not against the law to send email with forged/spoofed return address. If I started selling stuff over the regular mail using someone else's name/address, I'd be arrested for mail fraud. That's all spam is, after all, and should have the existing laws covering fraud modified to apply.

Distributed Anti-Spam Software

[slart42]

I've always wondered if there isn't a good aproach to attack Spam using some kind of "distributed anti-spam" software - based on the fact that each spam message is sent to millions of recipients. If one (or 10, or 100,..., to prevent fraud) of the recipients would mark the message as spam, the MD5 hash of the message body would be added to a central spam list, and all other clients receiving the message could just compare it against the list, see that it's spam, and - flush- there it goes..
This should efficiently kill a very large percentage of spam to ever reach the end user (that is until spammers find out how to make each message they send unique ;-) ).
has anyone ever tried something like this? --hmm.. otherwise I should patent this idea ;-)

An idea: automated spammer DOS attacks

[Stunning+Tard]

Can you DDOS the spammer? If each spammed mail server contributed it could be a large attack. If mail can be identified as spam soon enough that you still have their IP (or still have the connection) could the mailserver start sending traffic back down the pipe? As they send millions of spam the traffic back could explode and call great attention to the spammers activities, maybe even interrupt the operation.

Re:An idea: automated spammer DOS attacks

[dcmeserve]

Can you DDOS the spammer?

No. They hide their addresses.

DDOS the companies that are using the spammers to advertise. They can't hide their IP addr's, or else the spam would do them no good.

Of course, DDOS'ing is still illegal...

Re:An idea: automated spammer DOS attacks

[spectro]

Can you DDOS the spammer?

No. They hide their addresses.

They actually give you their website addresses when sending you an html message with images in it. I wonder if there is a database with all these urls so we all can block any email that contains them. This would make spamming more expensive since they will be forced to register a new domain after every spam run.

Re:Again Jail?

[grolaw]

Spam is a non-violent a crime that has no effect on a huge portion of the population (people who are too young to be on-line, those who have no interest and those who can't afford to be on-line).

Jails cost a fortune. I have no desire to see one penny of my tax dollars spent jailing a spammer.

The libertarian view is that we should wack the stupid consumer.... that fraction of a percent that actually buys something from spam.

There is no way you can change a stupid fool into a less stupid fool. Legislation, education and simply calling them names won't make Bob a brighter boy.

There is a way to stop clever spammers: wack them with civil lawsuits. While we are at it, we ought to take ANY business that uses SPAM (yes, there are a number of legit businesses that pay for their spam) and wack them, too. I'd say 1000% sales tax on SPAM profits would be a nice start.

This is clearly the proper case for civil causes of action that simply destroys the finances of spammers. Take 200x what they make from spam and make it stick. Deny them bankruptcy relief and put them out on the streets. Take their children away as they are clearly unfit to raise civil citizens.

Refuse to give them any social benefits - just toast them. If we grind up a dozen or so we will get the message across. Most of these people are US citizens and are easily within the reach of US civil jurisdiction.

Just look at what major civil judgments did to the KKK - thanks to Morris Dees and the Southern Poverty Law Center.

Finally, as the election season starts again, remember that the political SPAM is protected 1st Amendment speech...so don't vote for the SPAM candidate - whoever goes SPAM first should be buried in old AOL floppies! But beware the political dirty tricks...we will see SPAM that comes from the opposing side masquerading as the candidate's ad --

This may be the 1st US presidential SPAM season.

Re:Solution: Make forging and obfuscation impossib

[docolczyk]

I agree that the spammers main vulnerability
is their need for anonymity. ( In fact several
of the largest well known spammers have been
harassed and even received death threats. )

I disagree that signatures are needed. Instead
start a compaign. Provide software ( for free )
to people that scans saved mail messages and
1) Checks if the source is an open relay
( generally by checking for particular relay
software ). It then looks up the ISP of the
relay and notifies them.
2) Parse the header and lookup the ISP.

We then need the cooperation of the ISPs,
but most ISPs are being hurt enough by ISPs
that they will be willing. Any ISP that doesn't
cooperate will be blacklisted.

There will be people hurt by this: the idiots
that let their machine get hacked, or install
AnlaogX proxy or some other open relay software.

But these idiots are making a mess of the net
by letting their machines be used by hackers and
spammers. It's time to stop coddling people and
make them pay for their stupidity.

KIll Spam, charge for email.

[plopez]

Charge per email, or develop a scheme to allow the reciever to reverse charges. THat would kill the economics of spam. THere is a reason why post offices require payment up front before delivering any snail mail. Email is not gratis, some one ends up paying. Let's stop hiding the costs.

A variation: credit cards and ID theft.

1) Reply to spam, using your credit card. Do it via a couple of open proxies.
2) Refuse the shipment
2a) Select items that are 'electronic' - no shipping.
3) Dispute the charge, claim ID theft.

Its got $0.75 processing charges, its got chargebacks, its got 2 irresponsable parties (credit card companies and attitude about ID theft and spammers) Its got shipping charges.

I will say this....the killer pill idea - What a sadistic, nasty idea. Only the disturbed or someone who is an actual terrorist would do that. The + funny, not so. It should sit at +5 because, while a disturbing idea, even bad, disturbing ideas need to be heard.

I have a good idea

[Wolfier]

KARMA! For each spam you kill, you get 1 point.

Should work extremely well with at least the /. crowd.

What about legitimate anonymous email?.

[Beryllium+Sphere(tm)]

Whistleblowers, cult critics, dissidents and people discussing sensitive subjects have a real need to keep their identities out of their email.

Today the strongest protection available is through chains of remailers, which carefully avoid storing records of where a message originated and where it's going next.

The best I can come up with is that any remailer that relays mail to the real network from remailerspace becomes the one and only signatory, and the rest of the world will blacklist it unless it's rate-limited to make it a bad way to send spam. Signing is easy since cypherpunk and mixmaster remailers are of course crypto-enabled.

There's a problem with rate-limiting, though. "Anonynmity loves company". High traffic is a Good Thing for a remailer because it makes it harder for an attacker to get any information about an individual message. An exit remailer could look for duplicates in its output and filter those as potential spam, but then spammers would just automate trivial changes from one message to the next.

What stupid, illogical, and irrational garbage!!!

[fmaxwell]

If you're still tempted by the political approach, ask yourself one simple question: who is more technologically savvy, your average spammer or your average politician?

What an ignorant, assinine, ill-conceived, steaming pile of bullshit! You don't have to have expertise in something to make it illegal. The average pedophile knows more about how to lure children into cars than the average politician does. By the author's "logic", we should not have laws against child molestation.

The average junk faxer knew more about fax technology than the average politician did in 1991, yet politicians passed the Telephone Consumer Protection Act which banned junk faxes. The result: Junk faxes, which were following a growth curve similar to what we've seen for spam, have now been reduced to a tiny fraction of what they were when the law passed. It didn't require that politicians learn about fax protocols, computerized faxing software, switched telephone network protocols, printing technologies, or fax modems.

Experience

[Dragoon]

Speaking as the former network admin for a "Direct Marketing" aka "Opt-in Mailing" company, the industry is evil.

I've dealt with the hosting in China for the purposes of sending mail, changing ip's daily, thousands of domains, and the use of OpenSource anti-spam software in some very questionalable situations. (Using an anti-spam filter to 'review copy' to make sure its not going to be picked up)

And from all my experience, There's only one thing I can say. The mailers will get around what ever you do, be it state or personal. If you have an email account, regardless of the fact if you give it out, it -will- be mailed to. E-Mail addresses are a super-hot commodity.

Especially if you can get them with the opt-in information attached.

Think of it this way. You opt-in to company A, company A sells your address to Company B. You opt-out to company A. Company B doesnt care. Company B could have already sold your info to Company C, D and E.

Opt-out's are funny, they basically just prove that you're a real live person using that computer.. true spammers love to buy listings that contain those addresses, they dont give a crap if you opt-ed out, they just want live email addresses.

So in short, you want a spam free email account? good luck, do what most people do, create a hotmail account for a spam account, and have a real account that you use for real email.

I've seen databases of 35 million mailable e-mail addresses, and trust me, thats a highly profitable database (and no, i dont have a copy, so dont ask, heh.)

flame alert

I assure you this isn't intended as a flame...which probably means it will end up being one anyway. ;-)

Forgetting all the practical arguments we should fight spam ourselves anyway at a philisophical level. We've seen what happens when government gets involved in telling us what we can and can't do on a day to day basis (DMCA, anyone?).

Legislating rules about the use of computers is not the brightest way to go about things. If we use the government and lawsuits to stop things we don't like, who is to say they can't be used to stop driving, or talking, or whatever. It's a bit of a stretch but it is a slippery slope when we get government involved in regulation especially of non-critical systems (not necessarily just computer systems).

Perhaps it's time to build a truley secure communications infrastructure with a transparent interface to the users. (i.e. digial sigs and public key encryption systems that are tack ons). Instead of trying to legislate away the leeches and looters of society lets just leave them behind and when they catch up again lets keep on moving.

There that's the end of my libertarian rant. ;-)

Filters That Fight Back

[vacuum_tuber]

This is really bizarre. There are almost 300 comments on this item and no one has even mentioned Paul Graham's proposal for Filters That Fight Back:

www.paulgraham.com

The idea is to raise the costs of spam to the spammers, if not at the spam sending side, then at the spamwebsite side. Most spam solicits visits to a website. If a relatively small percentage of Net users were to employ Bayesian filters and/or other techniques to identify and segregate spam, then to accept the explicit invitation in each spam to visit one or more URLs provided, and maybe even download the entire sites a few times, the cost of running a spamwebsite server for the tiny numbers of orders they get would rise sharply.

I don't have it completely automated yet. I'm still using filters in my email client, but they are good enough that no spam gets through to my New Mail folder, and a whitelist ensures that there are no false positives in any mail from anyone I already know I wish to hear from. What goes to my spam folder contains a few false positives of people who have never written to me before, but mostly those whose email contains garbage like HTML.

Once a day or so I simply save the cleaned spam folder to a file and ftp it to one of my servers. There, scripts take over and faithfully accept the explicit invitations in the spam to visit their websites.

As more people do this, the traffic will dramatically increase at the spamwebsites, but orders will not increase. At some level or other, either in their server farm or to their upstream provider, those sites pay for bandwidth. As they get bumped up into higher bandwidth pricing tiers, their margins on the small numbers of orders they get from complete nitwits will drop.

Think of it as a servo system: If the level of spam annoys you, set your filter to fighting back. As more people do that, spam will level off and drop. As it drops to a level at which fewer people bother to set their filters to fighting back, an equilibrium will be achieved. There will still be spam, but a whole lot less than there is now. Think mosquitos and birds. Birds control mosquito populations. There are still mosquitos, but a lot less than there would be if there were no birds. Be a bird -- eat spamwebsites.

The weak point in Graham's proposal is that it really needs a universal whitelist to prevent spammers or other malicious third parties from causing massive traffic to innocent websites by sending out spam that provides URLs that are not the spammer's. It's not clear how such a whitelist would work, who would run it, how sites would get onto it (or off, if they turn bad), or whether someone will come up with a neat P2P solution.

It is clear, though, that anyone receiving 20-100 spams a day can easily review the filtered spams or the extracted URLs and simply delete those that appear innocent. Then scripts do the rest.

Sexual Harrassment is an initiation of force

[tigre]

About a third of the spam I get could be construed as some sort of sexual harrassment or lewdity that should represent an initiation of force, that should therefore be prosecutable. It's like someone making obscene phone calls.

Re:Sexual Harrassment is an initiation of force

[ratamacue]

There you go, now we're starting to get somewhere. Harassment is an initiation of force. The harrassment argument (sexual or not, I don't think it makes a difference) may not hold water 100% of the time, but I do agree that spam (and snail mail for that matter) may be considered harassment, especially if you've already told them you don't want to recieve it.

Re:So if someone is pissing through our letterbox.

The argument is not "shut up and deal with it" as the above post would have you believe. The argument is that spam does not represent a true initiation of force, and thus it is not a legitimate use of government to solve the problem. The analogy presented above is a nothing but a typical, predictable, childish evaluation of the Libertarian argument, one which completely ignores the basic principles which guide the Libertarian philosophy.

The analogy presented by the grandparent post is just frames the argument presented by the article within someone else's philosophical viewpoint. Perhaps the poster thinks that the "initiation of force" includes spamming, an "attack" which costs the victim time and possibly money, even though it does not involve physical force. Or perhaps the grandparent poster is simply more pragmatic, e.g. concerned with results rather than philosophy.

Either way, there's nothing wrong with bringing new viewpoints into the argument. There is no impetus for those people who analyze an argument presented with a Libertarian perspective to analyze the argument from that perspective. There is also no reason for anyone analyzing an argument to accept the author's assumptions. The grandparent post may well be putting down Libertarianism in general as well as arguing against the argument presented in one particular article. He has every right to do so.

Spam is not the problem - email list sales is

The real guts of the UCE/Spam issue is the sale of email address lists.

People make money by harvesting your email address and selling it to spammers without your knowledge, consent or permission.

That's the industry that needs to die, so that the only people you can Spam are people who have provided you with their email address directly. No trading of "email address with our partners" unless you specifically PAY for that service.

oh man

[doinky]

libertarians just don't get any smarter with time, do they?

Spam is the best example these days of the tragedy of the commons. Perhaps they should have read that chapter of their economics book instead of reading Ayn Rand in the bathroom for the 46th time.

An alternative solution: reducing demand

[bassbluebird]

The article points out one fundamental observation about the spam problem - people keep buying stuff from spam emails. I would like to suggest a somewhat controversial solution that nonetheless seems like it would be effective. I for one think that it is extremely difficult if not impossible to find a solution that will keep spam out. But we can stop spam forever if we destroy its market. ISP's have the ability (though maybe not the right) to discourage their users from responding to spam messages. If the return rate of users to spam drops by a few orders of magnitude, even the extremely marginal cost of sending email can destroy spammers' profit margins. I have a brief writeup proposing a policy and enforcement mechanism that is not without its concerns, if anyone is interested. spam.pdf

spam 'em back

[peter303]

If spammers had to wade through millions of false requests to buy their products, then they'd give up too.

Re:Libertarians give libertarianism a bad name:agr

shut up, you smelly communist

How to stop spammers

[harley_frog]

"We must also take personal responsibility to kill spam.

Here's one possible solution to the problem of spam.

spam is trespassing

[oogoody]

It's going on my property without my permission.
Much like telephone calls.

The private property libertarians would probably
not say it's ok to trespass. How come it's ok
to spam?

What a crock!

[gamgee5273]

It's bullshit. It's typical Libertarian, head-up-his-ass bullshit. His argument is that we pay nothing for e-mail, thus should be fine with spam as "advertising." Don't rely on the government to stop spam, he says. "What are you doing to stop spam personally?" he asks. What bullshit.

Personally, I report every piece I get through spamcop.net - it's gone down in volume, but I still get more than the average bear. I also have my e-mail address obscured in various ways on my website, so it's not that, either.

Now, I know I pay for my e-mail. Any one with common sense knows it. Where is my ISP getting the money to run those servers and hire the support and admins for them? I pay for it at work because I know pay raises this year are lower, or even non-existant, because we need to keep the infrastructure up and running.

So, because of this fellow's delusional state, he is basically proving the case that we pay twice: once through our ISP bills, and numerous times through having to deal with spam.

If spam was something coming from the ISP and other providers we may deal with, and our bills came down accordingly, I could see his argument. But this is such a misguided, uninformed attempt to handle spam that I'm surprised it made it to the front of /.

Spammers are abusing. Spam is not legit advertising - that revenue (the vast majority of it, at least) is not making my access to the Internet free the way network television or broadcast radio is free. If the author of this article would like to come down from the mountains and live in the real world for a while, then he might get a clue. If not, please keep this waste of skin off /.

Re:So if someone is pissing through our letterbox.

[Dj]

But that is exactly what it is. You use the "initiation of force" argument as if the only thing that matters is stopping other people resorting to violence. Somewhere down the line, the fraud and theft involved in spamming gets ignored.

Unfortunately, your argument is entirely based on the libertarian simplism that your are either fighting or cooperating and there's nothing in between.

And more unfortunately still, your reply is nothing else but the smug self satisfied name calling one expects from the self superiorising libertarian camp. Thanks for confirming the stereotype.

Follow those links!

[wedgehead]

Unlike the author of the article, I *am* a techie. I'm familiar with various methods of recognizing and filtering spam, detecting spoofed return addresses, blacklisting, whitelisting, challenge-response, signing, etc. But the best solution available to every recipient of spam right now is to click those links (apologies to the author of an article arguing the same point, if someone could link it up I'd appreciate it).

Consider this: spammers will do anything and everything they can to make their emails seem like they're not spam. Until we achieve new milestones in AI (and perhaps not even then), your PC will not know whether an incoming email is a recommendation from an old friend who you ran into on the street, or an unsolicited "recommendation" from a paid spammer. We need a system for punishing email that lets the recipient decide which emails are spam.

Second, the only part of a spam that cannot be forged, spoofed, or hidden is the URL (or other contact point) of the web site advertised. Thus the only dependable way to punish the one responsible for the spam is to create cost for that site. This is as simple as clicking the link (preferably many, many times - an automated script would come in useful). This will drive up the hosting costs of the site, and drive down the percentage of site visitors who buy anything. While you're at it, you can throw in fake names, addresses, credit cards, etc. to further tax their payment processing system (anything that makes the site request an authentication from the credit card company would be a good way to push up their costs).

Right now, spammers enjoy a very low, but positive, response rate to their spams. Imagine if, for every idiot shortsighted enough to provide his credit card and contact information to a complete stranger with dodgy business tactics, there were several users who received this spam and loaded the site without any intent to purchase. Quickly, spam's economic equation would turn unprofitable. While a little bit of simple technology (a script that mimics a browser hitting the site a few hundred times) would help, you could also just repeatedly hit those links and ignore the content (might make for some interesting stories if an IT department sees proxy logs, but if everyone started doing it I'm sure they'd catch on, especially if you use a script that doesn't actually display the likely-objectionable content).

It's no panacea, but having 1% of recipients punish the advertised web site will be more effective than having 99% of the recipients filter out the spam entirely... and there's no reason that filtering and punishing couldn't peacefully coexist as anti-spammer tactics.

So stop hitting delete, and start clicking those links!

Re:So if someone is pissing through our letterbox.

[bheerssen]

That depends on your definition of force.

I argue that spammers are forcing ISPs, and through them me, to carry unwanted and irresponsible traffic over our networks. That, it seems to me, provides all the justification the goverment needs to regulate this activity. Further justification arises from the nature of many of these messages, and the fact that virtually no effort is made to protect minors from them. While I admire the libertarians on some issues, particularly their stance on individual freedom and civil rights, I can't agree with their policy on limited governance, unlimited corporate freedom, and unregulated commerce.

Re:Solution: Make forging and obfuscation impossib

[pjrc]

Even relatively simple improvements have met with huge resistance. For example, consider the SMTP-compatible approach that was recently being worked on my an IETF group. Here's my limited understanding....

Sites with MTAs (mail servers that transmit messages) would add special "reverse MX" DNS records that give a list of all the valid IP numbers for their server. This is slightly different than a normal MX record, but I'm not going into the fine details (which I don't entirely understand anyway).

Upon receiving a message, the receiving server would do a lookup on that special RMX record for the domain in the From: header. If there is a response, the IP number of the connecting MTA must match one of the valid IP numbers which that domain says are its mail servers.

Like any change, it requires many sites to adopt it. But it's fully reverse compatible with existing smpt infrastructure. You'd think such a simple, backwards compatible proposal would be a "no brainer". (this is different from the existing practice of doing a normal mx lookup... see below for a link to the full RMX proposal).

For the sad story of resistance to any changes, no matter how compatible they may be with existing SMPT, start reading at section 12.4 of the Internet Draft RMX Proposal. This proposal is pretty well written and quite accessible to most people who know a little about SMTP.

For anyone who buys into the "we gotta implement strong crypto/authentication" arguement of the parent post (such as 3-4 moderators who mod'd it up), please take some time to skim through that internet draft... such as section 3 after having read the part at the end about the incredible resistance there has been to even such a very simple and compatible change.

Spam the politicians.

[Moxy.org]

I'm surprised that one or several people haven't signed some or all the politians up for just about everything under the sun and made their e-mail's worthless. Think they'd get the picture and maybe get on the ball to get something passed as quickly as they got the do not call list stuff passed the other week?

Re:SAVE ME, GOVERNMENT!

[goldspider]

That's very different from someone physically trying to hack your box to get an e-mail through. The example you provided is easy to filter out as well.

And people can deal with 1 or 2 spams getting through every day; hell we tolerate fliers in our mailboxes. But the majority of spam is easy avoid/filter with a little effort; enough that we don't need to call our government masters in to protect us.

Re:So if someone is pissing through our letterbox.

[Steve+B]

So if someone is pissing through our letterbox, the libertarian response is "Get a bucket", rather than stop the person pissing through the letterbox.

The response from an adolescent anti-authoritarian is "Get a bucket".

The response from a real libertarian is that the pisser is violating property rights, and should be stopped from continuing to do so and punished for having already done so.

Using computational tokens to stop spam

[wavq]

PREMISE

• Cost == CPU effort == time == money
• Bulk email mailers cannot afford high cost
• Email that proveably cost something to send is likely not bulk
• Higher cost implies the sender believes in (or is targeting) the message
• Verifying the cost must be computationally trivial for the recipient

BACKGROUND

The SHA-512 FIPS standard produces a 512 bit, cryptographically secure, (hence collision-resistant) checksum of a piece of data. When compared bit per bit, two random checksums will statistically share 50% of their content; ie: the expected number of identical bits in a pair of SHA-512 hashes is 256.

In short, it would require a certain amount of EFFORT to find a pair of strings, that when SHA-512 hashed, deviate significantly from sharing 256 bits. This CPU effort is the cost involved in the proposed scheme. The more effort one is willing to make, the more likely one finds such a pair with a high deviation. However, verification of this deviation by the recipient only involves computing two hashes and counting bits.

DETAILS

The proposed system would work with older mail clients, requires no cryptographic keys or PKI infrastructure, and can easily be adjusted for "inflation", ie: the gradual speedup of CPUs.

The sender of an email precomputes the following (where '.' is the concatenation operator)
X = sha(sha(sender).sha(recipient).sha(date).sha(subje ct).sha(body))

The sender subsequently produces a random string (alphabetic would be preferred, since the string will ultimately be embedded into the header information of the email being sent), and computes
score = abs(256 - matchingBitsBetween(X, sha(randomString))

The sender performs this calculation a number of times with different random strings, keeping track of the string with the highest score. The more CPU time the sender is willing to dedicate to looping and trying out different strings, statistically the higher the best score will be. At some point, the sender decides that either

(a) enough CPU time has been used, OR,
(b) the best score now crosses an acceptability threshold.

Now, the email is sent, along with a header item such as:
X-CPU-Token: iwpayzsk (+48)

The recipient, upon opening the email, extracts the sender's email address, date, subject and body information from the message, combines it with their address (which may be pulled from the header, or the email client), and computes:
Y = sha(sha(sender).sha(recipient).sha(date).sha(subje ct).sha(body))
and
score = abs(256 - matchingBitsBetween(Y, sha(X-CPU-Token))

This score can then be used for filtering; scores above a user adjustable threshold could be put into a separate folder.

As CPU power increases, it may become necessary to increase the minimum score of the CPU token threshold. This would be done to thwart off bulk mailing agents who find it acceptable to calculate tokens with a deviation of 40 bits, due to what they feel is an appropriate use of resources. At 45 bits, it would take too much time to calculate the tokens for millions of emails -- until CPU power increases enough. It would then be recommended that users bump the slider in a dialog box up (to, perhaps, 48 bits).

RESULTS

A straight-forward C implementation of this scheme, running on a 500MHz Pentium 3 machine is capable of producing tokens with an average score of 48 bits in about a second.

Verifying the token upon receipt occupies a trivial amount of time.

Re:Again Jail?

[BrokenHalo]

Jails cost a fortune. I have no desire to see one penny of my tax dollars spent jailing a spammer.

I agree. We should just kill them instead. As cheaply as possible. Stoning? Drowning?

Re:SAVE ME, GOVERNMENT!

[Steve+B]

That's very different from someone physically trying to hack your box to get an e-mail through.

No, it's not -- both are deliberate attempts to circumvent a barrier that I have placed around my private property in order to protect it from unauthorized use.

(And what the devil do you mean "physically trying to hack your box to get an e-mail through"? Have spammers started resorting to black-box jobs to open people's computers and directly write spam onto their hard drives?)

The example you provided is easy to filter out as well.

I can only conclude that you are being deliberately obtuse. The specific example I provided is one of millions of possibilities, all of which must be detectable by a filter (without generating false positives from other ordinary phrases).

Even if I do have a filter that is up to the job, the fact is that the spammer is attempting to force his junk past my barriers (i.e. he is attempting a form of computer cracking or a form of breaking and entering, whichever analogy you prefer). Attempting to commit these offenses is itself illegal, even if you don't succeed, and properly so.

the majority of spam is easy avoid/filter with a little effort

The majority of would-be thieves are easy to avoid/foil with a little effort (don't forget to lock your doors, keep low-level windows closed and properly maintained, maybe install an alarm system).

In the real world, these measures are backed up by laws against attempts to circumvent them. If they weren't -- if crooks could work at your lock all day without having to bother concealing themselves -- people would need bank-vault security just so their stuff would still be there when they got home. The same principle should be applied here: combine self-defense with legal backing for self-defense.

Burden entirely on the end user? Not likely!

[KC7GR]

The best possible means of controlling spam is to run one's own mail system(s). However, doing so correctly takes decent levels of skill in Unix-type OS's, TCP/IP networking, firewall setup and security basics.

I don't think it's at all reasonable to expect that all end users of E-mail have those skills. It takes considerable time, effort, and outside help, even for someone with lots of prior network and computing background (it took me about a year and a half), to become what could probably be considered a 'competent' SysAdmin.

Even assuming the right skills are present, one still needs an ISP that will (1), provide one or more static IP addresses on a broadband connection, and (2), allow their customers to be self-hosted. Such ISPs are, in my experience, rare at best.

It's well within the realm of possibility for ISP's, the big backbone providers, and domain registrars, to put a very serious dent in spamming right here and now. Some things they could all do include:

(1) For domain registrars: Be absolutely scrupulous about requiring accurate contact info in ANY domain registration. We're talking valid address, phone number, and contact name and E-mail addresses. VERIFY that information BEFORE issuing a domain registration. Considering that most spammers want to remain anonymous, this simple change alone would throw a huge wrench into spammers' gears.

(2) For ISP's: Stop hosting spammers NO MATTER HOW MUCH THEY'RE WILLING TO PAY!!! This is a big problem, as spammers are willing to pay serious $$ for ISP's to ignore their own Terms of Service.

There should be a universal policy of suspending an account at the first hint of a spam complaint regarding it. Once said complaint is investigated, the account should be immediately terminated, AND a substantial clean-up fee charged, if there is clear proof that the account was involved with spamming. If not, simply lift the suspension.

(3) For the big backbone providers (and they're the ones who could really help if only they weren't as indifferent as the former Bell System): ENFORCE your own Terms of Service! If one of the downstream ISP's they're supplying bandwidth to is infested with spammers, and does not seem interested in controlling the problem, cut that ISP's pipe fercryinoutloud! Tell them that the pipe remains cut until they dump ALL their spammy customers, permanently! If SpewSpewNet (aka UUNet) did this with even ONE of their big spam havens, I think it'd make a huge difference in the Internet's 'Quality of Life' as it were.

If the ISP in question goes out of business as a result, well, they have no one but themselves to blame for hosting network abusers and criminals.

Regrettably, I doubt we'll see any of the above taking place. Too much greed vs. too much common sense, and greed usually wins.

Just so I'm clear...

[Azghoul]

How about this: F.U.

Turning off your net connection is a perfectly valid solution. You don't NEED email, you WANT it. If spam is too nasty, just don't get any more. Find a new way to communicate with people. I hear telephones work pretty well.

Bouncing emails back is not impossible. Spamassassin doesn't bounce emails, but a similar solution could. Take spam labeled as such from spamassassin and send it back as if it bounced.

Crying "save us, Government" is just stupid.

Re:Just so I'm clear...

[DunbarTheInept]

Bouncing emails back is not impossible.

Assuming the sender had the courtesy to be truthful in stating where the mail came from, unlike EVERY SPAMMER out there.

Websense Censors this site as category: "Weapons"

What else is the "Colorado Freedom Report" about?

Or did some guy at WebSense just see "Colorado" and "Freedom" and think "militia"?

Just bitching

[too_bad]

This article is just bitching about people who bitch about SPAM.
I didnt see a single new, practical suggestion to people for reducing SPAM.

Not really worth the read.

knowspam.net

[flyingrobots]

It has blocked over 5000 emails over the last 3 weeks for me. My email only gets what I want it to get...no message 'filters' that never seemed to work. It's a great serivice!

Kevin

Personal Responsibility? Screw that!

The obvious, and simple solution is to punish the companies that benefit from the spam. Why has no one tried this approach before? Clearly, in any given piece of spam most of the contact info is bogus: the return address, the sender's name, and often the route it took to get to you. Without exception, there is one piece of info that is accurate: the conduit for your money. So, research this info and enforce the anti-spam regulations and what-not on them. Poof, no more spam problem.

Also some misinformation

[too_bad]

In the article he pulls out of nowhere this sentence:
. Interestingly, "e-mail addresses registered at e-commerce sites, posted to online discussions on Web sites, or listed as the contact for domains in the WHOIS database generated little spam."

This is utter nonsense. I have been using dynamic email addresses and I think I have given out atleast 50-100 different email addresses to different businesses. The *only* ones that got spammed and I repeat
the *only* ones were 3:

1. The address used to register my domain with yahoo.
2. An address used to post on online discussion group at www.designcommunity.com
3. This address was never given out. This is my real ISP address which I havent given out to anybody.
Infact this address gets spammed atleast 20 times a day. Not a lot, but considering I never gave out ...
Anyway, whenever this address gets spammed I see a whole bunch of email addresses in the same domain.

So its quite obvious who the real culprit are and that these statistics are pulled out of thin air.

come on.

[phippy]

Ranting about laws that won't work is what makes good laws good, genius. Lose your condescending tone, you'll appear like a smart person if you do.

Re:MOD PARENT +5 INSIGHTFUL!

[akedia]

Are you Sarah Connor?

If everyone acted as one, there is a solution

[3770]

I have a friend that treats spam snail mail by ripping it to pieces and send it back in the return to sender envelope.

He just cost that company a postage fee and the time to open that envelope.

If everyone clicked into the web sites and started doing things that took the spammers time, effectively spamming them back, it would become less efficient.

If you send out a million E-mails and you get 100 takers, you have a profit. But if you get one million takers where all but 100 of those are just trying to cause spammers to spend time, such as asking questions, some types of spam would disappear.

There are some types of spam that you can't spam back so it won't work for everything. But if you get an offer to lower your mortgage rate you have to meet with someone. Spend an hour of his time and see how happy he is about that.

Re:If everyone acted as one, there is a solution

[dtabraha]

Except for the fact that the spammer is rarely the businessman.

In most cases the click throughs and the response emails are to businesses who contracted spammers to email to thousands of people.

Worst case scenario on this is that with all the click throughs and no purchases, businesses may realize that spamming isn't profitable, but most businesses don't do that level of research on the returns of their investments.

Especially not the ones who hire spammers.

Great retort

[IANAAC]

How about this: F.U.

Yes, this will get people to take you seriously.

Turning off your net connection is a perfectly valid solution.

It is not a technological solution, as your original post suggested.

Bouncing emails back is not impossible.

Again, not a technological solution.

Crying "save us, Government" is just stupid.

Please point out where I ever said that. The only thing I pointed out was that your 'technological' solutions, were, in fact, not.

I'm tired of hearing everyone whining about spam

[shrugwhaa]

I have 6 e-mail addresses.
I get spam on ONE e-mail account. Deliberately.

I DON'T get spam on MY e-mail accounts.

I DON'T use spam filters, neither personal nor
my isp's.

If I HAVE to fill out a form I use the damn spam
address and check it the next day.

I HAVE been on the net for over 10 years and I
will continue to shake my head and call you
folks morons until you get a clue.

Re:Again Jail?

[eugene+ts+wong]

I agree. We should just kill them instead. As cheaply as possible. Stoning? Drowning?

Why not? Really. They are sapping us of our time. Why can't we defend our time till the death?

Different effects of Savvy

[billstewart]

The average spammer is dumber or ruder than the average politician. Unfortunately, that's not good enough to stop them, because the social processes are different. The average spammer is a variant on the script kiddie - they're mostly motivated by greed rather than curiosity or boredom, so they don't need to be as bright, but they're both dependent on other people to do the hard creative work of writing the programs that get the results. A large fraction of spammers are unsuccessful (duped by promises of easy money), and some fraction of the non-creative spammers are successful (because there are suckers to buy their products, including spamware products as well as penis enlargers), and a small fraction of spammers and spamware vendors are savvy creative technical folks who have to stay on the leading edge of the arms race with anti-spammers. Some of _those_ need to be really good at it, because they're using their own products to market penis enlargers, while others only need to maintain the appearance of expertise, because they're selling mediocre spamware to non-creative spammers, but all of the anklebiters can take advantage of what they produce.

Politicians, by contrast, usually aren't dumb - they tend to be lawyers or doctors or other professionals who can be part-time politicians, and even the ones who are real-estate developers have some clue about business - but they are often making laws about things they don't understand, and about things that change faster than the law-making process can adapt. Some small fraction of them are great statesmen or philosophers, but the average politician doesn't depend on them too strongly except as a PR figurehead; great fundraisers are more directly valuable...

True source of spam

[pr0ntab]

Is not anti-spam vendors, or people who make money on the few hits garnerned by replies (other than Symantec and Learning Tree, but that's a story for another time)

Rather, the majority of spam comes from suckers who bought into get-money-quick and be-your-own-boss internet marketing schemes. These poor schmoes in the US and Asia buy these kits, which may even come with rented rackspace out of the US to mailbomb from and proceed to splatter their wares to these double-opt-in lists in the hopes of making a return on their investment.

Of course, no one is dumb enough to buy any significant amount from one person. They'll keep hammering that list, getting more desperate, trying to "build a customer base" until finally they default on their hosting contract or whatever.

Meanwhile those marketing "gurus" walk away laughing all the way to the bank.

They get joe-credit-card-debt-schmoe to do the dirty work for them.

They don't have to spam or advertise. They just need good placement in google, which isn't too hard to come by these days. The lazy, the "entrepeneurs" will find them, and a fool and his money are soon parted.

And everybody else has to suffer.

It's not as simple as just ignore it, or don't buy the stuff.

Sleazeball marketing gurus will sell you the Brooklyn Bridge and promise you the moon, a 50% response rate if you just use THEIR NEW, IMPROVED SYSTEM

THAT'S THE PROBLEM!!!

And if anyone knows how to fix this, they get the Nobel Peace Prize, I swear to fucking god.

Re:Again Jail?

[rifter]

"Jails cost a fortune. I have no desire to see one penny of my tax dollars spent jailing a spammer."

I agree. We should just kill them instead. As cheaply as possible. Stoning? Drowning?

Electrocution with their own power supply. Right on the 'nads too! yeah! :)

Re:Solution: Make forging and obfuscation impossib

[WuphonsReach]

The central idea behind reverse-DNS/MX proposals is to answer the following 2 questions:

1. Does a particular domain have a list of authorized IP addresses that are allowed to send out e-mail on behalf of the domain?

2. Is the IP address of the mail server that is attempting to talk to me on that authorized list?

The devil is, of course, in the details/implementation. (Can we do it without breaking older versions of BIND? What attacks is it suspectible to?)

Here's the (4) proposals that I know about (since I just went looking yesterday):

RMX proposal - No news on Mike Rubel's page since June 2003. Not much on the official home page either. The last published draft is June 2003.

DMP - Last IETF draft published Aug 2003 and expires at the end of Sep 2003. However, version 5 of the document has not yet been posted and the author(s) does not have seem to have a central site to check for news.

DRIP - Last draft was published July 2003, expires Dec 2003. I don't see anywhere a central home page to check for news.

SMTP+SPF - Last update was mid-July 2003. I'm not sure if there is an IETF draft being floated or not.

without the state, it would be easy!

[AndyChrist]

Without the state to punish one for doing so, you need only identify the spammers, and kill them. Problem solved!

RMX has some major drawbacks

[billstewart]

RMX basically lets a site say "This IP address is/isn't allowed to send mail claiming to be from our domain name", so a recipient who receives email from username@example.com can verify whether the sender's envelope is plausible or is definitely forged and therefore can be discarded at the envelope level. The goal is to get a number of big email services (e.g. AOL, Hotmail, etc.) to use it, so that spammers can't get away with forging addresses from those sites. In theory that's good - you wouldn't need to discard everything from Hotmail to reduce spam, because you'd know whether a message really came from Hotmail, and Hotmail limits the rates that its users can send email to some volume that's too low to be practical for spammers, and tries to limit the rate at which users can create accounts.

The big problem is that it limits your ability to use your current Internet connection to send mail from whichever personna is appropriate for the message, at least without connecting through the personna's email provider's outbound relay. For instance, my Mozilla mail knows how to be my main home email address, and my work email, and my Yahoogroups John Doe address, and my Yahoogroups address with my real name on it, and my old Earthlink email address that's 99.9% spam now (the rest is ISP announcements). If I receive something on my home email address and want to forward it to a subscriber-only mailing list that my work email address subscribes to, right now I can just send it as my work address. But if my company used RMX, and the mailing list checked RMXs, it would see that it came from my home ISP's mail relay and reject it.

This kind of thing is especially an issue for the big free/cheap email providers, who are the target for this kind of thing, because they're some of the most common forgeries, but they're also the ones you most often want to use for public addresses that you change when they get too much spam.

Re:RMX has some major drawbacks

[pjrc]

Yes, that is exactly the problem. If there is ever some widely deployed email authentication system that gives a high level of certainly that the person named in the From: line really is who sent the message, users and spammers alike will need to somehow authenticate their messages. For most users, this just isn't a problem. Some users (like you) who transmit messages to one MTA using your addresses from other domains are going to suffer, and ultimately either arrange a way to send to the proper MTA or migrate to other domains that provide the flexibility you need.

Then again, people who rely on sending through one MTA/domain with their address from another may just complain loudly that migrating to properly authenticate their messages is just too difficult. If that is succesful, then we will all have to live forever without email sender authentication, where users have more flexibility to transmit with whatever sender address they choose.... but so to spammers!

Re:RMX has some major drawbacks

[DavidTC]

Yes, it would require you to, instead, use your work server as your outbound MX for sending email with that address.

I, of course, see no problem with this, and I don't understand why others do. That's how email is supposed to work.

Letting people send email willy-nilly from any IP in the universe is what got us into this mess. That must be changed, period.

It can be changed by RMX records, it can be changed by doing something that says 'email=no' in the rDNS records, it can be changed by everyone blacklisting *dhcp* and *dsl*, it can be changed by outbound port filtering, and it can be changed by requiring rDNS match HELO, the last three which have already started.

But it does have to change, and any change will result in people whining and complaining that's how they used to send email. The people running mail servers on cable modems and DSL have already started bitching because they're getting blocked.

Email need to be sent from server to server. And the server it's sent from needs to have some accountabilty to the domain the mail is sent from, and vis versa.

Re:RMX has some major drawbacks

[WuphonsReach]

Therein lies one of the rubs...

Everyone complains about domain spoofing... but nobody wants to give up the ability to spoof.

Complain of Spam?

[sk8]

The thing I don't quite understand is why everyone complains so much about spam, the user brings it, most of the time upon their own mailbox. I have numerous e-mail accounts and the only ones that get spam are the accounts I have actually signed up for stuff on. If you don't want spam I suggest you not sign up for free vacations, porn accounts of the like. Once you have been added to a mailing list you're swamped but if you avoid signing up for the things you don't get it. A law probably will not be passed, we get solicited all day everyday in our lives, what make electronic mail any different? Nothing..... Spam is a way of internet life, for most spammers it is their only job and only source of income and all there money comes from you intially signing up for something you damn well know you are not going to WIN. -sk8

Libertarians have a variety of responses

[billstewart]

The first response is usually "Slam the mailbox lid", which would certainly get the attention of the perpetrator in the real situation (ahem)(though not in the email situation) and if that doesn't fix the problem, then some people do anything from non-violently critizing the perp for his aggressive behavior, calling their guard service or a bounty hunter, or starting an internet boycott of the perp (that one does have direct spam analogies), to loading their shotguns noisily. What you do with the bucket when it's full is a separate discussion.

By contrast, it's the statists who whine about how the state ought to provide everybody with buckets. Ok, ok, so the Libertarians are actually more likely to be interested in the long discussion and recurring Internet flamewar with the statists than in actually fetching the bounty hunter...

Re:Libertarians have a variety of responses

[sharkdba]

The first response is usually "Slam the mailbox lid", which would certainly get the attention of the perpetrator in the real situation (ahem)

Well, possibly, but now you prevented delivery of you regular mail as well. Which is not a solution either.

Problems with using picture e-mail addresses.

[t-maxx+cowboy]

I say that if every website changed to only display contact e-mails in a picture form, it would only spawn a new level of pseudo employment. You know how people used to get paid for having a stupid add bar open when browsing. Well someone could possibly call this quarters ($0.25) for e-mail addresses. There will be bozos out there that will have a new bar open that allows them to type in the graphical e-mail address they see and turn it into machine readable format and automatically update some master spam e-mail list. Basically spammers will pay people to provide them e-mail addresses from the graphics that are used to hide those addresses.
I never saw the point of getting paid to take up my desktop space, and won't see the point of this either. But if I can think of this I imagine spammers can too. Then again maybe I just gave them the idea. Doh....

CIPA

[ThisIsFred]

Now if we could only apply this thinking to CIPA (the Children's Internet Protection Act), which requires filtering of "all images" which are "pornographic" or "offensive". Not only can we not decide as a society where the boundry lies, but we're supposed make a computer apply HAL-9000-like judgement (which requires an emotional component) and use image recognition technology that is nowhere near that level of sophistication.

Re:CIPA

Don't you think it's ironical? "Cipa" in polish means "cunt".

Re:CIPA

Are we describing the content filtered, or characterizing the people that proposed the law?

:o!

It's really distrubing this hit +5

I mean really, suggesting that we should KILL people who buy things from spammers out of their.. erm.. lack of confidence?

fallicious logic

"ask yourself one simple question: who is more technologically savvy, your average spammer or your average politician?"

Ah the fallacy of petitio principii... It's a loaded question that assumes that technological proficiency is critical to solving the issue of spam.

And whether spammers are technologically savvy is highly questionable - hence the phenomena of "chicken-boner" spammers.

All rant, no plan

[serutan]

This guy is just repeating the usual libertarian litany. Okay, yeeeee-haaaww for personal freedom, boooooo to big gubmint. Fine, but the only practical advice he offers is to obfuscate email addresses on the web. That may work for a while, but email harvesters are just going to get better and better at deciphering common obfuscations. It will get harder and harder to fool them. Why bother?

"We need an internet culture that encourages spam killers."

Dude, we already have that culture. More than fifty million people signed up for the National Do-Not-Call list. It's no stretch to figure out that most of those people probably feel pretty much the same about spam. Given that level of public sentiment, banning spam seems to me a very legitimate use of the legal system, not a trampling of our individual rights. Sure, some spammers will simply move offshore. Many already have. But criminalizing spam will force them to hide in places where their traffic will be easier to block, and creating risk for their ISPs will raise the cost of spam.

spammer VS politician

[vladkrupin]

who is more technologically savvy, your average spammer or your average politician

That's a toss-up. I'd say the spammer wins by a small margin, but both are pretty sad with just a couple notable exceptions on both sides. What's worse yet is that the damage done by both is comparable as well... :(

Don't ask me, I'm just a libertarian

[Militant+Libertarian]

You know for a group of people who generally argue for more freedom on the internet, the tables certainly turn when you people get annoyed at having to click a few times a day.

So what if it uses bandwidth? If you're just a regular guy getting spam in the US, the bandwidth you're forced to use by getting spam costs you less than a penny a year at most (look at the total possible bandwidth you could possibly use each month, in gigabytes, realize you pay 1 fee for any amount within 0 and that number, and calculate the byte/cost and multiply by the amount of bytes of spam you receive).

And those telecom companies who complain about spam and their own added overhead because of it? Well maybe they shouldn't provide service to spammers if they don't like it, just 'collude' to do something useful for a change.

But they probably wouldn't do that on their own, and do you know why? because the spammers are paying customers, and like it or not they still pay the telecommunications companies for their services (probably twice what you pay). So would legislation 'save' the companies money? Well it would save, as well as cost. Who knows what the exact numbers are, but we do know that the entire spamming industry would be brought to its knees, which would certainly put the costs way above the benifits cumulatively.

Oh and by the way, what's the definition of spam, anyways? Many, many things could be considered spam, including your boss asking you to work on sunday. Think about it, you don't want to work on sunday, but the boss is trying to buy your time off you for cash, and you *certainly* don't want the deal. Unrequested, unwanted, and a solicitation. Let's send your boss to jail.

We as a society are entirely too quick to jump into legislation when private solutions work fine (or could work fine). If you want your ISP to ban spammers, threaten to move to an ISP that does it already. That should change the opportunity cost of providing service to spammers a bit more in your favor.

No good definition of "spam" can legally work.

[DunbarTheInept]

Just don't think that you will be able to eradicate spam without governmental help.

True.
But, PLEASE PLEASE PLEASE don't think you will be able to eradicate spam WITH governmental help either, becasue that attitude leads to extra rules that only hurt the honest guy. Spam is here to stay. Deal with it. Can you define a legal line between unsolicited e-mail that you want versus unsolicited e-mail you don't? Until you can, Spam will live on. And it's NOT just that the mail was unsolicited. That's not what makes spam spam. If it was, then ALL e-mail conversations would be the result of spam, because someone had to the be one to send first, and that first sending was not solicited. And it's NOT just that the person sending you the message is a stranger to you. There are perfectly legitimate reasons to contact strangers via e-mail - such as asking a question about a piece of software to the person who wrote it, or following up in private e-mail to an interesting thread you saw in usenet.

Since there cannot be a good legal definition that separates SPAM from non-SPAM, the legislative approach is doomed to fail. Incidnetally, this is why the technological approach is also doomed to fail. SPAM filters are (and will always be) as unreliable as web porn filters - It either lets undesirable content through, or it gets overly eager and filters out legitimate content.

That is why I do NOT want anti-spam laws in place. No way, no how. If you want to accept the inaccuracy of spam filters, that is your decision, but given that filtering is inaccurate and unfair, it is a decision the recipient should make. It's up to him whether he can put up with that or not. It is NOT a decision to be made for you by legislation.

Re:Again Jail?

[platypus]

Print out every mail they sent and force feed (literally) it to them!

Teergrube, don't DDOS

[billstewart]

Since the context of this discussion is whether the State can do anything useful about Spam, remember that the State does have laws against denial of service and other computer vandalism. Furthermore, sometimes spammers are using their own machines, but often they're abusing machines belonging to service providers with other customers, or hijacking machines owned by innocent bystanders (*negligent* bystanders, perhaps, but still innocent.) Don't Do That. And spammers can Joe Job people whose machines aren't even involved - that's an especially good reason to Not Do It. And people who want to DDOS you can forge spam from you and claim they're only responding to your spam.

However, there are friendlier solutions like Teergrube (google for it - it's German for "tarpit") which don't attack the spammer, but do respond to the SMTP protocol v...e...r....y... ..s...l...o....w.....l....y.... and can prevent the spammer from sending at the high rates of speeds that spammers like; if enough people ran teergrubes, spammer SMTP machines would really bog down, as well as sending much of their spam to machines that will never actually deliver it.

Now, just because you shouldn't do active attacks on the spammer, that doesn't mean that you shouldn't have automated probing systems that check out any machine that appears to be spamming, report it to their ISP and/or blacklist systems, etc.

Why "Ask Google" doesn't work

[yerricde]

"Explain this to me, I'm too lazy to run a few Google searches and educate myself." It's not as if the information on anti-spam techniques are difficult to find.

It appears you tend to respond "Ask Google" to a lot of Ask Slashdot articles. However, Google can't read your mind. Sometimes, the layman does not know the appropriate words to put into Google's query field in order to find relevant results. I myself have run into this problem. I'd ask Jeeves, but Jeeves doesn't seem to have much deep technical knowledge either.

Spam exists because it works

This means that one should approach reducing UCE by understanding how and why UCE works in order to attack those factors. This article seems to contribute to such an understanding.

Re:Why "Ask Google" doesn't work

[zero_offset]

It appears you tend to respond "Ask Google" to a lot of Ask Slashdot articles. Then you haven't researched many of my replies. Sorry, I rarely respond with that answer. Mainly because when it actually applies, five thousand people usually beat me to the punch. :)

Graphical addresses aren't 508 compliant

[yerricde]

The following law citations refer to laws in effect in the United States. Your jurisdiction may or may not have laws of similar effect. Nothing you read on Slashdot is legal advice.

he suggests something quite sensible about graphical email addresses on web sites

How is this "sensible" under section 508 of the Rehabilitation Act? Users behind non-graphical user agents, such as users with vision disabilities, cannot turn a picture of an e-mail address into an e-mail address.

I, on the other hand, open first contact through a web form that spambots looking for @-signs can't pick up but which remains accessible to anybody whose non-graphical web browser supports HTML forms.

The State is not going away

because people still believe the myths of government effectiveness and usefulness. Look at what government involvement has done to the health care, education, and pretty much everything else it has decided to 'fix'.

The bottom line is this: When government decides to get involved, you end up with excessive regulation, cost, and you ultimately lose a little bit of your individual rights.

You don't even have to be a Libertarian to understand that the government is nothing more than a power monopoly. Why are so many people here on /. willing to support legal action against the monopoly of Microsoft but also willing to bend over and let the power monopoly of the state screw their privacy in the hind end, all so we can see if it can solve the problem of spam?

Since everyone is talking about incentives, why don't we look at the incentives for people to be politicians. The incentives are power, fame, and $$$. Do you think anyone who is willing to throw away their privacy and move to D.C. on purpose is really all that concerned about solving the problems of the people stupid enough to elect them? Politicians are primarily interested in their own careers and $$$. This is why they spend so g-damned much of it, to the point that Federal Government spends approx. $1m every minute.

Politicians LOSE POWER when they solve problems, because their involvement is no longer required in whatever field they would theoretically have solved the problem. To retain power, politicians must constantly dig their fingers deeper and deeper into every issue they can think of, and they love it when well-intentioned but poorly informed people ASK them to get out their regulating gloves. Not only do they get to expand their power base, they get to be thanked for it!

The LAST thing free people should support is a government which only exists to monopolize power, money, and time.

Practically any approach is better than expecting the government to solve the spam problem. The best solution is probably not going to be found in the form of a single silver bullet but many lead bullets; a multi-tiered approach across all levels of networks.

Do you REALLY want people like Robert 'Cuckoo' Byrd and J. L. Ashcroft, Privacy Raider to have this sort of power over your online communications? Do you want to some day pay an anti-spam tax on your ISP bill?

I have watched the government reform itself and its programs every few years just to stay afloat, and I sure as hell don't want to pay for that sort of failure to be integrated into my inbox!

Very Very True

[sirbone]

I suffer no spam (or telemarketing) problem because I am not too lazy to take measures to protect myself. Thus I know from experience that individuals working for themselves can eliminate the problem for themselves. For those who want to sit on their behind and have someone else (like the government) fix their lives, I would put forth this very appropriate quote from a Libertarian Party presidential candidate:

"Whatever it is in life you want, go out and get it. Don't wait for the government to drop it into your lap, you make it happen. You seize the day. Carpe diem!"
-Gary Nolan.

Re:Solution: Make forging and obfuscation impossib

So how to keep the ability for people to use the net anonymously, say for a father-rape-support mailing list, while taking away the ability for people to use the same system for spam?

Wrong again.

[Population]

Ranting about the laws does nothing to improve the laws. Without offering alternatives all you're doing is ranting. Not to mention that he was wrong on whether the law would apply to spammers in America.

I've already given you some groundwork. I've shown you how email spam is different from junk snail mail. I've even shown you how opt-out would do nothing to decrease the amount of spam.

Re:Wrong again.

First...I'm not the original poster, and second you've shown nothing about anything. Email spam is of course different from snail mail. Opt out would do nothing, you're right.

Spam laws, as they are written right now, will do NOTHING but put a price tag on spamming, but if spammers cannot be effectively tracked and policed, it will do nothing. As I mentioned before...

Authentication for SMTP...requiring MX records to be registered...and employing whitelist-only are among some of the techniques that are going to stop spam. Laws meant to reduce spamming without further technical support (i.e. changes the way that email is sent and accepted) will do exactly what laws attempting to regulate interstate online gambling: not much.

I fail to see any "groundwork" that you've done...if you're going to berate others for not providing suggestions, then come up with some of your own more than insightful observations like "opt-out doesn't work".

Spam Plan

I use the following plan to totally eliminate spam:

1. goto www.godaddy.com
2. register new domain
3. use 100 email aliases (free with registration) to setup forwards such as:
4. • slashdot@mydomain.com
   • creditcard1@mydomain.com
   • bestbuy@mydomain.com
   • porn@mydomain.com
   • whatever@mydomain.com
5. hand out aliases to appropiate company/person/list
6. assign aliases to forward to your real email address which you NEVER give out
7. sit back and let your email client filter everything
8. If any spam does come in, you can instantly delete the alias and take whatever action you want against who sent it

I have been using this setup for over a year and I have NEVER had to deal with spam. Not bad for under $10 a year...:)

Example of what Malc is talking about

[yerricde]

An example of such a form can be found on my web site. It's a lot more likely than a picture of an e-mail address to conform to section 508 of the Rehabilitation Act.

However, for people on ad-supported web accounts without a solid form mail script, what solution do you suggest?

hack the spammers?

[ajole]

Why can't malicious hacker-geniouses turn the spotlight towards spammers? it can't be that difficult to piss them off in some way? How about spamm- err... email DOS'ing em??

Re:So if someone is pissing through our letterbox.

[seichert]

So if someone is pissing through our letterbox, the libertarian response is "Get a bucket", rather than stop the person pissing through the letterbox. My that's brilliant!

No the libertarian response to someone urinating in your physical mailbox in front of your house is to call the police so they can come and arrest the individual. Libertarians would also argue that as part of this individual's punishment he must make restitution to the owner of the letterbox. (i.e. he needs to come out and either clean it or replace it with a new one, or pay for someone to do the same). The libertarian response is not to wait for your neighbor to do something about it or to ask a politician to make a new specific law about urinating on letterboxes, it is take responsibility for your own problem and call the police yourself.

The point is that the law and politicians cannot solve all of life's annonyances and problems. Even if you vehemently disagree with the libertarian philosophy you would still be better off figuring out how to deal with spam on your own.

Re:Again [spam]

Just a thought here: most spam has the sender address forged, but include (in the body) a real address for mugs////customers to order their rubbish.
Suppose we write a 'bot which uses known (eg Bayesian) techniques to catch spam, then sends an automated reply to that order address - with a forged sender, naturally. Said reply to be of the form "Bug off, spammer" or the like.
If such a device became widely used, the act of using a spam advertising service would be to launch a DDoS attack against oneself.

Re: Vigilante spam posse wanted

[retroworks]

Ok, how about if several hundred of us actually decide to ORDER the crap in the worst spam (one comes to mind, which I get a dozen times per day, with a woman looking down a laughing guy's beach trunks). But, like, not pay for it, or use bad credit cards, or prank orders from Shirley U. Jest, or actually buy it and then file consumer complaints... something which will actually cost the spam company some real person time. Go after the 20% of companies sending 80% of the spam. No jury would convict us.

Re: Already in progress

[retroworks]

This spam buyer eradication program has already been going on for 6 months. Spam buyers are dropping like flies. Unfortunately, no media attention to date.

Re:Solution: Make forging and obfuscation impossib

[minas-beede]

DO you have any idea how easy it can be to subvert all the cleverness of the spammer in hiding his IP and find it? You can't do this on demand for a particular spammer - but so what? They're all enemies, so action taken against any of them is for the good. Get a few proxypots going and you may be so busy getting accounts closed that you don't care which spammer you hit.

Just run a proxypot. You almost surely will trap spam, much or all of it will have been sent from the spammer's own IP. Ron Guilmette (Google for him, look for posts by him with the word Who's spamming" in the subject in news.admin.net-abuse.email) got over 100 spammers thrown off their ISPs in under 3 months using a network of proxypots to gather the data.

In addition I cannot describe the feeling of power you experience when you trap spam the spamemr thought would be sent through your proxypot. You rule him at that point. When you get back the email from his ISP saying he's ben thrown off you have the satisfaction of knowing you've caused a great deal of trouble for one of the scourges of the internet. Even if he gets a new account he may come back to your proxypot and try again to relay spam. Then you get anther opportunity to hit.

This could go so quickly that you'll pout because all the spammers were killed off before you had enough fun. Remember to nonetheless enjoy that moment when it comes.

Idea for slowing down spammers

[John+Sokol]

If all relays acted like open relays but just too failed relay attempt and deleted them. This would make the search for open relays more difficult for the spammers.

Re:SAVE ME, GOVERNMENT!

[DavidTC]

That is almost exactly the right analogy, but cars are easier.

Seriously. Do you realize how easy it is to break into most cars? I've locked my keys in a car at my house and manufactured a slim jim in 20 minutes, out of crap I had laying around, and was in the car three minutes after that, despite never using one of them before. (The secret is that you're sliding something forward (I think it was forward.) with the slant, not trying to 'hook' something and pull it. Took me two and half minutes to figure that one out. Next time I read the directions.)

And while I've never tried to hotwire a car, I can't imagine it can be more than an order of magnitude harder. Stealing a car is easy, and 'Gone in 60 Seconds' isn't just the title of a movie.

The main thing that stops cars from being stolen is, basically, laws. Laws against car theft, laws making theft harder, and laws making the results harder to sell.

And, by and by, car theft is not a problem. Sure, cars are stolen, but you do not normally expect to come back and find your car stolen, or really consider it a likely possiblity.

Pretending we shouldn't have laws against car theft because, after all, we have keys, and Lo-Jack, and car alarms, is stupid.

I think I have a real solution!

1) Give convicted serial killers e-mail accounts for a couple of months, but force them to use MSN or Yahoo.

2) Give these same serial killers a list of 20 known spammers' home or business addresses and set them free.

3) ????

4) We all profit.

Re:So if someone is pissing through our letterbox.

[Dj]

"Call the police"... So the police aren't government? And what happens when the police tell you they can't do anything because pissing throught the letterbox isn't illegal?

Re:Solution: Make forging and obfuscation impossib

[yerricde]

SpamCop.net Reporting Service can do much of what you ask.

Make buying from spam illegal

[Angram]

Actually, perhaps the only legal solution worth pursuing would be making PURCHASING from an email advertisement illegal (from companies you do not have an established business relationship with).

Then set your little trap, and prosecute/fine anyone who responds.

The cost shouldn't be on people who don't want spam, or ISPs whose bandwidth is abused, or the companies using it (it's a legitamate, if annoying, business practice), especially considering how easy it would be to destroy competitors by advertising for them. Put the cost on those actually creating the demand and revenue for the system.

When a spammer is located, serve him with a court order demanding he turn over all records of people who have purchased from him (so long as they have these laws, might as well use them constructively - if the RIAA can, why shouldn't the FBI?). Send fake spam (it'll cost in bandwidth for a while, but once people start dropping like flies, the need for it will decrease significantly).

If it's bulk mail

[yerricde]

Aside from the fact that unsolicited commerical email is content based discrimination (being commerical -- unless you think it should be illegal for there to be ANY unsolicited mailing, such a friend mailing you without being invited to)

How about banning unsolicited bulk e-mail? Would this be considered content-based or content-blind?

Re:If it's bulk mail

[cpt+kangarooski]

Yeah, that would be content-neutral. However, there still has to be some content-neutral reason for banning all unsolicited bulk email. And incidentally, how much is bulk, and how unsolicited is unsolicited?

Personally, I think that would be a very bad thing to do though, and it might not survive a challenge. It would be _very_ burdensome on speech, and so far the main reason people seem to dislike spam is because it's annoying. I don't see that the tradeoff would be appropriate in our society that values speech so highly.

Self-employment

[yerricde]

speech is something that humans do, not companies. "commercial speech" is a contradiction.

Not necessarily. Some people are self-employed. Thus, an individual can produce "commercial speech" without going through a partnership or corporation.

Simple. Use a flashlight on the cockroaches

[TaranRampersad]

The Spam Blog Of Shame.

Ah, Paraquat

...and waging chemical warfare on your own citizens.

Web of Trust

[Morosoph]

or you need a global web of trust that makes sure that everyone that can connect to the internet has one, and only one, signature that can be unambigously traced down to the real person (of course, without harming privacy...).

For this to happen, PGP/GPG needs to be trivial to use, and integrated into mail. Defaults such as adding someone to your address book gives a basic level of trust (overrideable) would be good. Once this happens automatically, a web of trust would be able to grow rapidly; one could even develop trust databases (which would have to be secure in turn, and would rate one another).

Trust should be two-dimensional. Lack of knowledge needs to be distinguished from knowledge of untrustworthiness, as the most-trusted route could include "mugs", or those who have not yet been conned by someone.

The real power to the people spam solution

[ministeroforder]

Check out www.cloudmark.com. Community action is the foundation of this soluiton to spam. Individual end users do a much better job of saying what spam is and filtering it from their collective in-boxes than any politician will ever do!