Slashdot Mirror
How to Kill Spam Without the State
WaxParadigm writes "The Colorado Freedom Report, an online libertarian publication in Colorado, has an article today about How to Kill Spam Without the State. Will our heavy-handed attempts to stop spam through legislation have the outcome we desire?" The article advocates putting the burden on the end user, saying "We must also take personal responsibility to kill spam. We can't pretend the politicians will do it for us. Their incentive is to develop a cute re-election flyer, not solve the problem. If you're still tempted by the political approach, ask yourself one simple question: who is more technologically savvy, your average spammer or your average politician? There are steps each of us can take to kill spam, and to help foster a culture that encourages spam killing." While this forgets the onus of spam on the ISP and telco companies, it should well be part of a multi-tiered plan against spam.
Take personal responsibility. Yeah, right. I don't get any spam. I filter it all out. Does that matter? NO! I'm one person and part of a very thin sliver of the total net population. I actually know what I am doing. The other 95-98% of the people out there do not, and will not. They have trouble getting Outlook Express working and you are going to talk about 'user responsibility'? What a clueless asshole.
Any article with the word 'schlong' in it is suspect, in any event.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Firstly, stop buying things from spam!
My friend once commented on how all he hated getting so much spam the everyday. I myself get maybe one or two pieces a week, so I started to show him the basics of filtering out some of the crap.
So what do you think he says? He doesn't want all his spam automatically deleted he said, because sometimes something interesting comes! He even likes to follow the links two visit the sites.
Fuck I wanted to smack him right in there and then. Actually I'm in a bad mood right now I want to go back and find him and smack him anyway.
"who is more technologically savvy, your average hacker or your average politician?"
ABOLISH ALL LAWS AGAINST HACKING!
it's up to individuals to make sure every single port is secure against someone wanting to cause damage to your computer/company/bank account.
It's obvious what to do about the #1 problem: people who run web pages should stop listing e-mail addresses in readily spammable form.
On my London Blog I don't use any form of obfuscation. The reason for this is I want people to contact me about my writing. I want to know what people think, and any barrier I put in the way will reduce the number of legitimate emails I get. I'm not confident that most of the Internet population would understand that they need to remove the REVOVE.THIS.TO.EMAIL.ME part of my address.
Sure, I drastically increase the number of spams I get, but popfile takes care of them all. The author of this article is still correct in his economic analysis. There is little burden for me using this method, but a much larger burden for my ISP.
Set your inbox to filter all HTML formatted email.. no more spam. Of course this can only work well for personal addresses for correspondence with friends who understand how to configure their mail client. If you want to be able to correspond with lots of people (ie link your addy on your website, on usenet, etc) I don't see an end to receiving spam any time soon.
Here's an idea about spam on the news: Why not make the following a rule for most groups: If a company posts commercial advertising on a group, it thereby gives the right to anyone to post copyrighted material from the said company. This should slow down unwanted ads, shouldn't it ? Would this be legal ?
They really wanted to give it a libertarian twist,
no matter what, didn't they?
99% of the users can't block spam serverside, and just putting the burden on them, will make them pay for the costs, since they have to download it (telephone, burden on bandwidth).
Not putting a brake on the origin will cause even more spam.
There is only one solution: put cost on sending spam AND their ISPs that try to get away with it. Moneywise, or with penalties.
who is more technologically savvy, your average spammer or your average politician?
Who is more technologically savvy--your average bank robber or your average politician? Who is more savvy about poisons and guns--your average murderer or your average politician?
See, by your argument, most laws are useless because they were made by people not as good at committing the crime as the people who actually did commit the crime.
Quick thoughts:
A licensed MTA operator may only send mail to other licensed MTAs
So how does the MTA legally send the email to the target inbox? I think you mean '... or to their own network.'
There are also considerations about how the email system should work (for example, to get the burden to be more on the sender than on the receiver.)
The current system is suboptimal in many ways, and enshrining the current system in law could be counter productive. (Essentially, the international treaties underlying such laws would need to be very well thought out and worded so as to avoid various different implementation details appearing in different states/countries' ratifications. Such good thinking is usually disrupted by the kind of horse trading that goes on with international agreements.)
John_Chalisque
The US government, for economic reasons, will back up what it perceives to be MS's property rights. In this sense, MS is certainly state sponsored.
(Just as a nation with a hard line fundamentalist government may back up what it sees as fundamental rights of people that e.g. the US calls terrorists.) State sponsorship of various things is heavily engrained in our country, far more than it may seem at first.
Essentially, all property rights are things that are enforced by the government of a given country, and as such are determined by the laws of that country (possibly influenced by treaties.) In this way, any internaitonal trade by companies in country X can give rise to the perception that companies in country X are sponsored by country X.
John_Chalisque
It's obvious what to do about the #1 problem: people who run web pages should stop listing e-mail addresses in readily spammable form. I hereby announce a new policy for the Colorado Freedom Report: I will not post e-mails on the page except in graphic form (or with some other disguise). This creates a mild inconvenience in that users will have to type in the e-mail rather than merely hit the mouse button, but I figure if it kills just one spam, it's worth it.
Um no, if I lose just one business lead because someone can't be bothered to type in the email address then that's worse than all the spam in the world.
> The worse thing about spam is that filtering systems create false positives...
No, that's not the worst thing about spam. Try again?
In order to deal with spammers, we have to analyze their vulnerabilites. Understanding their weaknesses is easy once you answer this question: What do spammers fear the most?
That's easy. Look at spam messages. You'll see forged return addresses, redirections through open relays, spoofed Received lines, etc.
What does this mean? Spammers are most afraid of being tracked and identified.
And they have a good reason to be afraid. When spammers are identified, they get their ISP accounts terminated, and may get stuck paying hundreds of dollars of cleanup fees. They're harrassed, sued, threatened, they quickly earn a terrible reputation. They'll go to extremes to remain anonymous.
The key is to make it difficult or impossible for spammers to forge headers and obfuscate their emails' points of origin. How do we do this? Require cryptographic authentication of all mail going through any MTA. No exceptions, ever. Every time a mail goes through an MTA, it must be signed by that MTA. Any message without a signature or with an invalid signature gets dropped. By requiring crypto signatures, responsible MTAs can be easily tracked, and spamming MTAs can be blocked.
Key creation, distribution and endorsement can be through a central authority, though I prefer a PGP-style web of trust because central authorities can abuse their power. Naturally, any MTA caught distributing spam should immediately get their keys revoked, and the revocation should be distributed to MTAs as widely as possible, causing all emails from that MTA to be blocked in a matter of minutes. If an MTA wants its emails to reach its destinations, it will crack down hard on spammers.
The difficult part is convincing ISPs to require authentication and drop unsigned messages. However, if a large ISP such as AOL or Comcast can be convinced to do this, MTAs will have a strong incentive to start signing messages, and authentication will start to catch on.
Meldroc, Waster of Electrons
So if someone is pissing through our letterbox, the libertarian response is "Get a bucket", rather than stop the person pissing through the letterbox. My that's brilliant! And the way to reduce gun deaths is for people to learn how to dodge bullets matrix-stylee.
"You know you want me baby!" - Crow T Robot
who is more technologically savvy, your average spammer or your average politician?
That is the totally wrong question.
Politicians know that they don't know everything. That is why they have staff and expert advisors.
Politicians, however, have something that we the tech-community do not: Police, jails and option to use them.
Spam won't go away 100%, ever. But if the spam rate were on par with the murder or robbery rates (i.e. I have a single-digit percentage chance of getting one spam during my life), then I'd be satisfied.
What we, the tech-community, can do is help them find the culprits. All we need are bounties high enough to make it worth our time.
Raise your hands, you unemployed geeks who would jump at the chance of becoming paid-for spammer hunters.
Assorted stuff I do sometimes: Lemuria.org
That doesn't really work. Either you would only be able to recieve mails from people whose auth token you already know, say from a key exchange in a personal, real-world meeting (obviously not a good idea for sales@example.com type addresses), or you need a global web of trust that makes sure that everyone that can connect to the internet has one, and only one, signature that can be unambigously traced down to the real person (of course, without harming privacy...). The first way is undesirable, the second one has basically be a dream scince the invention of public key crypto, without anything happening.
Programming can be fun again. Film at 11.
Great idea - in fact we could extend it to solve some other problems...
maybe a license to send email?
how about a license to get on the internet in the first place - you have to be able to recognize spyware.
of course we'll have to expand government bureaucracy to deal with the licenses. and the police to track the new criminals.
stay frosty and alert
The author is right in one regard, legislation won't do it. If everyone who is capable of deciphering the email headers to try to track down the originators of SPAM would try to report just one piece of spam to the offender's ISP, it would possibly begin to make a difference. The math is simple -- there are only a certain number of reputable (ie., non spammer-friendly) ISPs. If even 1000 people a day would use the available tools (www.abuse.net for one), and report this junk, eventually spammers will be forced to move to the spam-friendly ISPs. Then it's just a matter of adding the spam-friendly ISP to your favorite black-hole list, and you've just done your little part to stop spam.
This is true. However, there is a downside. Spam blacklists, in practice, block lots of legitimate mail. Bayesian filters need tuning by the individual user, and I seriously doubt its usefulness to the typical investor in asset enhancement solutions. Challenge-Response systems are potentially effective without the cooperation of the users, but the implementation would need to be very robust and the costs should not be underestimated.
To rid ourselves of the spam menace, it is necessary to stop spam being profitable. Catching and fining spammers is one way this might be done. Technologies that stop spam arriving in the mailboxes certainly help those of us who have no interest in the spam's advertised services. They will do nothing to prevent continued stupidity by those who are stupid today.
If not for users, how about 'personal responsibility' for admins?
On a mailing list I help run, we turned on Postfix's DNS checks(not RBLs and the like, just "does connecting host have valid forward DNS? Does it match what they claimed?" etc- postfix can do a half dozen DNS-related checks to make sure you're legit. It was ENORMOUSLY successful, virtually killing off all soam overnight, because so much spam has so many fake headers.
We had zero problems with users with funky setups(ie sending work email from home, their own domains, etc). We had ENORMOUS problems with a dozen ISPs whose freaking mail servers often didn't even have FORWARD DNS! Worse, some claimed, when contacted by their users, that it was a problem with OUR dns.
The problem was mostly with clustered outgoing mail servers, where ISPs didn't give a shit enough to set up proper DNS for each cluster member. Do you think they had reverse DNS? :-)
So, we can take personal responsibility by a)refusing to accept connections from servers which have bad/no DNS and b)fixing our own mail server's DNS. That would be a biiiig step...
Please help metamoderate.
I can't for the life of me find anything bad on the thoughts of spammer rotting in jail.
To think that just those guilty of mass spam are to be the only victims of such law being applied is to think that innocent people don't go to jail. Naive and, frankly, stupid.
Free Gamer - Free games list and commentary
If you left your house door open and somebody entered and made a mess in your house (or worse!) then who is to blame? Who is at fault?
I never get tired of saying this, because it never stops being pertinent:
No matter how big a moron you are, no matter if you leave your front door wide open, then thief who walks in and takes your stuff is still a thief, still guilty in the eyes of the law, and still deserves to be put away.
If you believe otherwise, you're not far off from the "women who wear short skirts have no case if they get raped" school of thought.
My Karma: ran over your Dogma
StrawberryFrog
notice the standard libertarian assumption that, if you (a) aren't a libertarian and/or (b) want gov't action against ________________ [fill in the blank with spammers, in this case], you are a person without a sense of "personal responsibility." notice also, the standard libertarian assumption that, as a libertarian, the author is a cut above the rest of us "schmoes."
the fact is, spammers are thieves, stealing services from bandwidth providers. it's not clear to me why the author of this piece, and libertarians in general, regard this behavior as something that can be stopped if i display "personal responsibility" on the internet. it also is not clear just what that actually means, but never mind. and it is not clear exactly why they are less than eager to legally stop this behavior, but my suspicion is that it is because spamming is a business; and libertarians just can't bring themselves to take serious action against that "entrepeneurial spirit." if you're doing it to make money, a libertarian will bless you for it.
i'm dubious about laws against spammers, because i think they will be ineffectively administered. it's not that the technological means of tracking down spammers don't exist, it's that such a process would be time-consuming and expensive. i think that prosecutors just don't want to invest in it. that may be a necessary decision -- funds for attorneys general are not unlimited, and they have to deal with rapers, murderers and wife beaters, too.
i think a bounty law, that would allow individual citizens to bring spammers to book, would be more effective. imagine forming a company comprised of some technically proficient individuals, lawyers and maybe accountants, who working together could track down big-money spammers and present all the technical, legal and financial information about the spammer to a prosecutor, in exchange for either a state-sponsored reward or a percentage of the seized property.
that would rule.
mp
"The secret to strong security: less reliance on secrets." -- Whitfield Diffie
Oh man, whaddaya think why I wrote that "half joking" tag? Obviously this whole thing is too complex to deal with in one sentence.
But I'm not willing to invest more in an answer to an article which argues with this "who is more technologically savvy" nonsense.
Remember what you are talking about here. Spam. It isn't people conducting their own affairs in their own house. It's someone shitting all over everyone else annoying mails about porn and penis enlargement.
Denying the need for government like that makes you an anarchist, by the way. Not a libertarian.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Bad moderators, bad, bad, bad moderators.
Strange women lying in ponds distributing swords is no basis for a system of government.
Shifting cost back to the spammer might be possible, but there are two problems:
- Already, spammers often operate using temporary untracable accounts. They are cut off when the ISP gets wise to them, and they simply move on to the next account. In some cases they will use a hacked account of an unsuspected user. So, if they are willing to commit fraud or break into unprotected systems to get their spam out, you can be quite sure that they will find ways to avoid any costs being charged back to them. What we might achieve is that certain ISPs will change their policy of lenient to spammers
- Implementing a charging model will come at a price, both a monetary one and one of added inconvenience. The current model of most ISPs who will sell you an unlimited (or a capped) data volume at a fixed price, works out cheaper both for the ISP and for the customer.
As for the cost of spam in bandwidth: I don't recall the exact figures, but spam is supposed to make up a very significant portion of total traffic. We're not talking 1% or 2% here.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
If someone is urinating on your property, that's an actual initiation of force, and hence a legitimate use of government to solve the problem. It is not easy to argue that spam (and junk snail mail for that matter) represents an initiation of force. That is the root of the issue for Libertarians: the role of government is to protect the citizens against the initiation of force, and nothing more. Why? Because concentrated power is the most dangerous force that exists in the world -- it needs to be strictly limited, not expanded to "solve" every concievable social problem.
The argument is not "shut up and deal with it" as the above post would have you believe. The argument is that spam does not represent a true initiation of force, and thus it is not a legitimate use of government to solve the problem. The analogy presented above is a nothing but a typical, predictable, childish evaluation of the Libertarian argument, one which completely ignores the basic principles which guide the Libertarian philosophy.
This is really the only answer. Currently it's not against the law to send email with forged/spoofed return address. If I started selling stuff over the regular mail using someone else's name/address, I'd be arrested for mail fraud. That's all spam is, after all, and should have the existing laws covering fraud modified to apply.
I agree that the spammers main vulnerability
is their need for anonymity. ( In fact several
of the largest well known spammers have been
harassed and even received death threats. )
I disagree that signatures are needed. Instead
start a compaign. Provide software ( for free )
to people that scans saved mail messages and
1) Checks if the source is an open relay
( generally by checking for particular relay
software ). It then looks up the ISP of the
relay and notifies them.
2) Parse the header and lookup the ISP.
We then need the cooperation of the ISPs,
but most ISPs are being hurt enough by ISPs
that they will be willing. Any ISP that doesn't
cooperate will be blacklisted.
There will be people hurt by this: the idiots
that let their machine get hacked, or install
AnlaogX proxy or some other open relay software.
But these idiots are making a mess of the net
by letting their machines be used by hackers and
spammers. It's time to stop coddling people and
make them pay for their stupidity.
It stands to reason therefore, that the most likely writers of spam are THE SAME ONES WHO PEDDLE ANTI-SPAM WARE.
Maybe you're right in some cases, but I take serious offence to that comment. I have spent countless hours perfecting and anti-spam solution. I offer it for free with a very reasonable costing upgrade option. And now someone comes along and says something like this?! Thanks for kicking me in the balls...
ender-iii
The best possible means of controlling spam is to run one's own mail system(s). However, doing so correctly takes decent levels of skill in Unix-type OS's, TCP/IP networking, firewall setup and security basics.
I don't think it's at all reasonable to expect that all end users of E-mail have those skills. It takes considerable time, effort, and outside help, even for someone with lots of prior network and computing background (it took me about a year and a half), to become what could probably be considered a 'competent' SysAdmin.
Even assuming the right skills are present, one still needs an ISP that will (1), provide one or more static IP addresses on a broadband connection, and (2), allow their customers to be self-hosted. Such ISPs are, in my experience, rare at best.
It's well within the realm of possibility for ISP's, the big backbone providers, and domain registrars, to put a very serious dent in spamming right here and now. Some things they could all do include:
(1) For domain registrars: Be absolutely scrupulous about requiring accurate contact info in ANY domain registration. We're talking valid address, phone number, and contact name and E-mail addresses. VERIFY that information BEFORE issuing a domain registration. Considering that most spammers want to remain anonymous, this simple change alone would throw a huge wrench into spammers' gears.
(2) For ISP's: Stop hosting spammers NO MATTER HOW MUCH THEY'RE WILLING TO PAY!!! This is a big problem, as spammers are willing to pay serious $$ for ISP's to ignore their own Terms of Service.
There should be a universal policy of suspending an account at the first hint of a spam complaint regarding it. Once said complaint is investigated, the account should be immediately terminated, AND a substantial clean-up fee charged, if there is clear proof that the account was involved with spamming. If not, simply lift the suspension.
(3) For the big backbone providers (and they're the ones who could really help if only they weren't as indifferent as the former Bell System): ENFORCE your own Terms of Service! If one of the downstream ISP's they're supplying bandwidth to is infested with spammers, and does not seem interested in controlling the problem, cut that ISP's pipe fercryinoutloud! Tell them that the pipe remains cut until they dump ALL their spammy customers, permanently! If SpewSpewNet (aka UUNet) did this with even ONE of their big spam havens, I think it'd make a huge difference in the Internet's 'Quality of Life' as it were.
If the ISP in question goes out of business as a result, well, they have no one but themselves to blame for hosting network abusers and criminals.
Regrettably, I doubt we'll see any of the above taking place. Too much greed vs. too much common sense, and greed usually wins.
Bruce Lane, KC7GR,
Blue Feather Technologies
Is not anti-spam vendors, or people who make money on the few hits garnerned by replies (other than Symantec and Learning Tree, but that's a story for another time)
Rather, the majority of spam comes from suckers who bought into get-money-quick and be-your-own-boss internet marketing schemes. These poor schmoes in the US and Asia buy these kits, which may even come with rented rackspace out of the US to mailbomb from and proceed to splatter their wares to these double-opt-in lists in the hopes of making a return on their investment.
Of course, no one is dumb enough to buy any significant amount from one person. They'll keep hammering that list, getting more desperate, trying to "build a customer base" until finally they default on their hosting contract or whatever.
Meanwhile those marketing "gurus" walk away laughing all the way to the bank.
They get joe-credit-card-debt-schmoe to do the dirty work for them.
They don't have to spam or advertise. They just need good placement in google, which isn't too hard to come by these days. The lazy, the "entrepeneurs" will find them, and a fool and his money are soon parted.
And everybody else has to suffer.
It's not as simple as just ignore it, or don't buy the stuff.
Sleazeball marketing gurus will sell you the Brooklyn Bridge and promise you the moon, a 50% response rate if you just use THEIR NEW, IMPROVED SYSTEM
THAT'S THE PROBLEM!!!
And if anyone knows how to fix this, they get the Nobel Peace Prize, I swear to fucking god.
Fuck Beta. Fuck Dice
That's the origins of a good idea, really...
We're used to thinking of spam as noise, with the legitimate email being the signal.
If you consider spam the signal (as the spammers do), what if you increased the noise level?
Interesting.