How to Kill Spam Without the State

WaxParadigm writes "The Colorado Freedom Report, an online libertarian publication in Colorado, has an article today about How to Kill Spam Without the State. Will our heavy-handed attempts to stop spam through legislation have the outcome we desire?" The article advocates putting the burden on the end user, saying "We must also take personal responsibility to kill spam. We can't pretend the politicians will do it for us. Their incentive is to develop a cute re-election flyer, not solve the problem. If you're still tempted by the political approach, ask yourself one simple question: who is more technologically savvy, your average spammer or your average politician? There are steps each of us can take to kill spam, and to help foster a culture that encourages spam killing." While this forgets the onus of spam on the ISP and telco companies, it should well be part of a multi-tiered plan against spam.

dumb article

[HBI]

Take personal responsibility. Yeah, right. I don't get any spam. I filter it all out. Does that matter? NO! I'm one person and part of a very thin sliver of the total net population. I actually know what I am doing. The other 95-98% of the people out there do not, and will not. They have trouble getting Outlook Express working and you are going to talk about 'user responsibility'? What a clueless asshole.

Any article with the word 'schlong' in it is suspect, in any event.

Re:dumb article

[TuataraShoes]

The author of the article says he is not a techie. Does that make him clueless? No. He says in the article that he would welcome response from the technical community. Too bad that a certain vocal percentage of techies are so egotistically arrogant that they insult anyone who is less technical than themselves.

So if a non-techie says he is willing to learn, he correctly evaluates the economic reasons that spam continues, he suggests something quite sensible about graphical email addresses on web sites, and asks for further technical input... then why not give him the benefit of your technical knowledge? Or on the other hand, if you have no ideas of your own, you could just insult him.

The thrust of his argument is understanding why spam exists. Until this is understood, the psuedo solutions will fail, because they miss the mark. I thought the article had a valuable point to make. Good on you, Ari.

Onus is on users

[Kanasta]

Firstly, stop buying things from spam!

My friend once commented on how all he hated getting so much spam the everyday. I myself get maybe one or two pieces a week, so I started to show him the basics of filtering out some of the crap.

So what do you think he says? He doesn't want all his spam automatically deleted he said, because sometimes something interesting comes! He even likes to follow the links two visit the sites.

Fuck I wanted to smack him right in there and then. Actually I'm in a bad mood right now I want to go back and find him and smack him anyway.

Re:Onus is on users

[JaredOfEuropa]

He doesn't want all his spam automatically deleted he said, because sometimes something interesting comes!

And that is the crux of the problem I have with the notion that we can cure spam by acting like responsible users. As long as there is the possibility of one single potential customer who might be interested in penis enlargement pills, spammers will continue to inundate the world with their emails.

The solution is indeed to make spam unprofitable, but I do not think that the way to achieve that is to ask everyone to stop buying penis enlargers. Making spam illegal helps a little, but the well-known spammers out there aren't exactly known as law-abiding mr. Squeeky Clean. It should be illegal to advertise through spam. For one, it may give some of the avertisers pause, and in addition these culprits may be a lot easier to find, since they need some address to send their wares from and receive payments.

And yes, they can always move abroad... but more and more countries are considering legislation against spam. And since many countries follow the US' lead when drafting trade and economic legislation, it would be nice if the US would take the lead and implement a decent law for once, against spam and against those hiring spammers.

Re:Onus is on users

[berzerke]

...What I want to know is, why aren't the ISPs doing something about this now? They're the ones with the bandwidth costs, aren't they??

Simple, money. Ever heard of pink contracts? Basically, for something on the order of 2x normal fees (perhaps more), the spammers gets to ignore the TOS. In short, the spammers bribe the ISPs to look the other way. For some ISPs, it is simply more cost effective to look the other way.

In addition, those within the ISP who do want to drop the spammers are often not liked. The salesman who brings in a "new" customer at more than the going rate looks good. The admin that kills that spammer's account is getting rid of a "valuable" paying customer.

And that leds back to a point the article made: Spamming is done because it is profitable. I still favor email filtering upstream (at the ISP level) as the best (long sigh) solution. Give customers notice that the filtering is occuring, and give them the option to opt-out. Those stupid enough to buy from spammers will (a) probably ignore the notice that there is filtering in place, and (b) not be able to figure out how to opt-out.

This will reduce the number of ads seen by the stupid user, who therefore won't send money to the spammer. Spammer's profits go down, and if the go down far enough, spammer goes out of business.

Just posted this elsewhere...

[CGP314]

It's obvious what to do about the #1 problem: people who run web pages should stop listing e-mail addresses in readily spammable form.

On my London Blog I don't use any form of obfuscation. The reason for this is I want people to contact me about my writing. I want to know what people think, and any barrier I put in the way will reduce the number of legitimate emails I get. I'm not confident that most of the Internet population would understand that they need to remove the REVOVE.THIS.TO.EMAIL.ME part of my address.

Sure, I drastically increase the number of spams I get, but popfile takes care of them all. The author of this article is still correct in his economic analysis. There is little burden for me using this method, but a much larger burden for my ISP.

Makes me pay for my spam

[marcovje]

They really wanted to give it a libertarian twist,
no matter what, didn't they?

99% of the users can't block spam serverside, and just putting the burden on them, will make them pay for the costs, since they have to download it (telephone, burden on bandwidth).

Not putting a brake on the origin will cause even more spam.

There is only one solution: put cost on sending spam AND their ISPs that try to get away with it. Moneywise, or with penalties.

who is more savvy?

[penguin7of9]

who is more technologically savvy, your average spammer or your average politician?

Who is more technologically savvy--your average bank robber or your average politician? Who is more savvy about poisons and guns--your average murderer or your average politician?

See, by your argument, most laws are useless because they were made by people not as good at committing the crime as the people who actually did commit the crime.

Solution: Make forging and obfuscation impossible.

[meldroc]

In order to deal with spammers, we have to analyze their vulnerabilites. Understanding their weaknesses is easy once you answer this question: What do spammers fear the most?

That's easy. Look at spam messages. You'll see forged return addresses, redirections through open relays, spoofed Received lines, etc.

What does this mean? Spammers are most afraid of being tracked and identified.

And they have a good reason to be afraid. When spammers are identified, they get their ISP accounts terminated, and may get stuck paying hundreds of dollars of cleanup fees. They're harrassed, sued, threatened, they quickly earn a terrible reputation. They'll go to extremes to remain anonymous.

The key is to make it difficult or impossible for spammers to forge headers and obfuscate their emails' points of origin. How do we do this? Require cryptographic authentication of all mail going through any MTA. No exceptions, ever. Every time a mail goes through an MTA, it must be signed by that MTA. Any message without a signature or with an invalid signature gets dropped. By requiring crypto signatures, responsible MTAs can be easily tracked, and spamming MTAs can be blocked.

Key creation, distribution and endorsement can be through a central authority, though I prefer a PGP-style web of trust because central authorities can abuse their power. Naturally, any MTA caught distributing spam should immediately get their keys revoked, and the revocation should be distributed to MTAs as widely as possible, causing all emails from that MTA to be blocked in a matter of minutes. If an MTA wants its emails to reach its destinations, it will crack down hard on spammers.

The difficult part is convincing ISPs to require authentication and drop unsigned messages. However, if a large ISP such as AOL or Comcast can be convinced to do this, MTAs will have a strong incentive to start signing messages, and authentication will start to catch on.

So if someone is pissing through our letterbox....

[Dj]

So if someone is pissing through our letterbox, the libertarian response is "Get a bucket", rather than stop the person pissing through the letterbox. My that's brilliant! And the way to reduce gun deaths is for people to learn how to dodge bullets matrix-stylee.

wrong question

[Tom]

who is more technologically savvy, your average spammer or your average politician?

That is the totally wrong question.

Politicians know that they don't know everything. That is why they have staff and expert advisors.

Politicians, however, have something that we the tech-community do not: Police, jails and option to use them.
Spam won't go away 100%, ever. But if the spam rate were on par with the murder or robbery rates (i.e. I have a single-digit percentage chance of getting one spam during my life), then I'd be satisfied.

What we, the tech-community, can do is help them find the culprits. All we need are bounties high enough to make it worth our time.

Raise your hands, you unemployed geeks who would jump at the chance of becoming paid-for spammer hunters.

Re:The broken-ness of email

[Fat+Cow]

Great idea - in fact we could extend it to solve some other problems...

maybe a license to send email?

how about a license to get on the internet in the first place - you have to be able to recognize spyware.

of course we'll have to expand government bureaucracy to deal with the licenses. and the police to track the new criminals.

Everyone must pitch in

[flakac]

The author is right in one regard, legislation won't do it. If everyone who is capable of deciphering the email headers to try to track down the originators of SPAM would try to report just one piece of spam to the offender's ISP, it would possibly begin to make a difference. The math is simple -- there are only a certain number of reputable (ie., non spammer-friendly) ISPs. If even 1000 people a day would use the available tools (www.abuse.net for one), and report this junk, eventually spammers will be forced to move to the spam-friendly ISPs. Then it's just a matter of adding the spam-friendly ISP to your favorite black-hole list, and you've just done your little part to stop spam.

"personal responsibility"

[SuperBanana]

Take personal responsibility. Yeah, right.

If not for users, how about 'personal responsibility' for admins?

On a mailing list I help run, we turned on Postfix's DNS checks(not RBLs and the like, just "does connecting host have valid forward DNS? Does it match what they claimed?" etc- postfix can do a half dozen DNS-related checks to make sure you're legit. It was ENORMOUSLY successful, virtually killing off all soam overnight, because so much spam has so many fake headers.

We had zero problems with users with funky setups(ie sending work email from home, their own domains, etc). We had ENORMOUS problems with a dozen ISPs whose freaking mail servers often didn't even have FORWARD DNS! Worse, some claimed, when contacted by their users, that it was a problem with OUR dns.

The problem was mostly with clustered outgoing mail servers, where ISPs didn't give a shit enough to set up proper DNS for each cluster member. Do you think they had reverse DNS? :-)

So, we can take personal responsibility by a)refusing to accept connections from servers which have bad/no DNS and b)fixing our own mail server's DNS. That would be a biiiig step...

Re:Again

[StrawberryFrog]

If you left your house door open and somebody entered and made a mess in your house (or worse!) then who is to blame? Who is at fault?

I never get tired of saying this, because it never stops being pertinent:

No matter how big a moron you are, no matter if you leave your front door wide open, then thief who walks in and takes your stuff is still a thief, still guilty in the eyes of the law, and still deserves to be put away.

If you believe otherwise, you're not far off from the "women who wear short skirts have no case if they get raped" school of thought.

Libertarian Fantasy ... Again

[looie]

this is the standard libertarian fantasy, that the world would become just wonderful ... if everybody became a libertarian. and, as usual, there's no follow-through as to what it actually would be like to live in a world in which "i'm alright jack, screw you" was the dominant social theorem.

notice the standard libertarian assumption that, if you (a) aren't a libertarian and/or (b) want gov't action against ________________ [fill in the blank with spammers, in this case], you are a person without a sense of "personal responsibility." notice also, the standard libertarian assumption that, as a libertarian, the author is a cut above the rest of us "schmoes."

the fact is, spammers are thieves, stealing services from bandwidth providers. it's not clear to me why the author of this piece, and libertarians in general, regard this behavior as something that can be stopped if i display "personal responsibility" on the internet. it also is not clear just what that actually means, but never mind. and it is not clear exactly why they are less than eager to legally stop this behavior, but my suspicion is that it is because spamming is a business; and libertarians just can't bring themselves to take serious action against that "entrepeneurial spirit." if you're doing it to make money, a libertarian will bless you for it.

i'm dubious about laws against spammers, because i think they will be ineffectively administered. it's not that the technological means of tracking down spammers don't exist, it's that such a process would be time-consuming and expensive. i think that prosecutors just don't want to invest in it. that may be a necessary decision -- funds for attorneys general are not unlimited, and they have to deal with rapers, murderers and wife beaters, too.

i think a bounty law, that would allow individual citizens to bring spammers to book, would be more effective. imagine forming a company comprised of some technically proficient individuals, lawyers and maybe accountants, who working together could track down big-money spammers and present all the technical, legal and financial information about the spammer to a prosecutor, in exchange for either a state-sponsored reward or a percentage of the seized property.

that would rule.

mp