Slashdot Mirror
How to Kill Spam Without the State
WaxParadigm writes "The Colorado Freedom Report, an online libertarian publication in Colorado, has an article today about How to Kill Spam Without the State. Will our heavy-handed attempts to stop spam through legislation have the outcome we desire?" The article advocates putting the burden on the end user, saying "We must also take personal responsibility to kill spam. We can't pretend the politicians will do it for us. Their incentive is to develop a cute re-election flyer, not solve the problem. If you're still tempted by the political approach, ask yourself one simple question: who is more technologically savvy, your average spammer or your average politician? There are steps each of us can take to kill spam, and to help foster a culture that encourages spam killing." While this forgets the onus of spam on the ISP and telco companies, it should well be part of a multi-tiered plan against spam.
Spam is revenue for the State, and it isn't a good idea to kill it. Spam has also fetched more revenue for anti-spam s/w firms, than for the purportedly promoted products.
It stands to reason therefore, that the most likely writers of spam are THE SAME ONES WHO PEDDLE ANTI-SPAM WARE.
Thus, to kill spam:
1. Do not trust the State to do anything.
2. Do not buy, solicit or encourage anti-spam software.
3. Use free anti-spam tools wherever possible (this is easier with Linux).
4. Unless spam hogs your bandwidth or disk usage, don't bother.
5. And lastly, or rather firstly, spend money on a CD Writer and media to take backups, rather than on anti-spam s/w.
You will lead a cheerful, richer life.
If you keep throwing chairs, one day you'll break windows....
No matter how technically savvy you are, if your email address is picked up by a spammer you will receive spam. Whether it hits your inbox or not, somewhere along the line someone has had to relay that message to your mail server and the bandwidth is already wasted.
Get a good filter, use whitelists, whatever. Just don't think that you will be able to eradicate spam without governmental help.
I just got a legitimate email returned because spamcop claims that the smtp server of the webhosting provider has an abnormal rate of spam.
The worse thing about spam is that filtering systems create false positives...
My provider requires authentication but everyone knows that you can create spam using a IP address from a well behaved smtp server.
Fear is the mind-killer.
Perhaps it is just Libertarian rhetoric.
But it does have some subtle - if not intentional - points that are very important.
There is the technology available to avoid spam. Spam blacklists, Bayesian filters, and Challenge-Response systems will handle the vast majority of spam, if not all of it.
Shouldn't we just be encouraging the adoption of these technologies rather than empowering the state with more tools with which to persecute people?
If you left your house door open and somebody entered and made a mess in your house (or worse!) then who is to blame? Who is at fault? If you have a lock available to you then you use it. The same thing goes for your emails.
Laws are there to be dodged and abused. Community cooperation and prevention strengthens us.
We should be encouraging ISPs to use and support the technologies available to them to destroy spam rather than lobbying for useless new laws (they'll just send the spam from another country you idiots!).
Free Gamer - Free games list and commentary
I work the abuse desk for a regional cable ISP, and end up suspending several customers accounts per day because they're either sending or relaying spam (mostly the latter, and usually unwittingly). The majority of the complaints we get come from giant ISPs like AOL, but from time to time we get a mail header from some end user, and the ip is looked up in the dhcp log and the customer is suspended just as if AOL or RoadRunner were complaining.
"Who's going to believe a talking head?" - Herbert West
The only solution that I believe is viable is to prohibit companies from purchasing unsolicited advertising from spammers. Spammers don't spam for fun - they get paid to send the millions of mails out. In the end, there are companies and individuals behind them who choose to advertise via email. By making it illegal to do so, the need to stop spammers disappers, as the companies would be 100% liable.
A blog like any other.
We need more than this to stop spam. There's too many idiots about who'll buy spammer's products.
.com/.net, and Nominet is not allowed to be the licensing authority for .uk, and Domicilium is not allowed to be the licensing authority for .im) There can be more than one licensing authority per TLD.
I don't think SMTP itself is fundamentally broken - we just need some improvements to the administration.
In the early days of road transport, drivers were unlicensed - anyone with the money could buy a car and drive it. As traffic built up, eventually this was no longer tenable. As email traffic builds up - lack of licensing for MTA operators is becoming untenable. My server has rejected over 1.2 *gigabytes* of malware in the last week (mostly Swen worms). SpamAssassin kills 80 spam messages a day in my mailbox alone - and still about 15 a day get through. The option of "doing nothing" about email is no longer viable. Schemes like "sender pays" are untenable too (and unfair - why should I pay yet another fee to use bandwidth I'm already paying for once?)
What is really needed is a licensing scheme for people who operate MTAs, just like there is for amateur radio. In brief, here's an outline of what could be implemented. I know this will probably draw the ire of Slashdotters who think they should be able to just run an MTA on their cable modem connection with no qualifications - but this is *exactly* where the problem stems from: to be sure of not dropping too much 'ham' we have to accept SMTP connections from more or less anyone. And this means we get flooded with over a gigabyte of Swen worm traffic in a week.
This list of requirements is by no means comprehensive - it's just a starting point for discussion.
* If you want to run an MTA, you must be licensed to do so.
* A licensed MTA operator may only relay mail from their own network or from other licensed MTA operators. In the case of a home user, this means they can only relay mail from their LAN. In the case of an ISP, from their own netblocks etc.
* A licensed MTA operator may only receive mail from other licensed MTAs. This means you must reject email from the unlicensed (virus/spam spewing) MTA on adsl-192.14.5.6.pacbell.net.
* A licensed MTA operator may only send mail to other licensed MTAs.
MTA licensing can be based on digital certificates. The MTA oper's signature will appear in the header of the email.
To obtain a license, the MTA operator would have to take an exam. The awarding and administering of licenses will be done by TLD. (A good idea would be that the licensing authority must not be the same company or subsidiary of the company that runs the TLD, so VeriSign is not allowed to be the licensing authority for
The upshot of this is that if a licensed MTA operator passes spam or malware, they can have their license suspended or revoked, or fines levied. MTA operators at the ISP level will be *very* careful to ensure they don't harbour spammers because they'll lose their MTA license. They will be *very* careful they configure their system to not allow executable attachments, or at least scan them for malware. Small MTA operators will be *very* careful not to accidentally configure their mail server to be an open relay.
To obtain an MTA license, an exam should be passed not for a specific MTA such as Exim or Sendmail, but general good practise in operating an email server, and general knowledge about internetworking - just like amateur radio licenses don't have exams on a specific model of ICOM radio. Additionally, the MTA operator must provide positive ID when applying for the license - this way, we make sure the MTA oper is accountable for what their MTA emits.
Of course, an actual implemented system like this will be more complex than what's outlined in this posting. Of course, most Slashdotters will hate the idea expressed above - I wouldn't really like to have to take exams to keep running the mail server I already
Oolite: Elite-like game. For Mac, Linux and Windows
Spam exists because it works; enough people buy products that are advertised through spam that the increased sales more than make up for the cost of spamming.
Companies choose Microsoft solutions because Microsoft provides the most flexible, stable and secure systems, with lower TCO than the competition.
I believe both of these statements are false, but are believed to be true by people making the decisions. Why? Because spammers and (to a much lesser extent) Microsoft salespeople are dirty rotten lying scumbags out to make a buck by cheating whoever they can. On top of that, spammers also sell their service by claiming what they're selling is not spam - it's direct marketing to a targeted opt-in list of interested consumers over the Internet. We all know in reality it's completely untargetted and their definition of "opt-in" includes allowing your e-mail address to appear unobfuscated on any web page, using it to register a domain name or post to a newsgroup, or simply choosing an e-mail address that could be guessed at random. We know that, just like we know Windows almost never has a lower TCO than anything. But the people paying the money don't, because they simply don't know better.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
No, this isn't a a daft claim like the one that do-not-call lists breach freedom of speech. I agree with the article that it's just not the place of the state, or even infrastructure providers like ISPs or Hotmail, to filter our private mail based on content.
Even if you think that governments might be technically competent to fight spam, should they be given licence to read (even in an automated way) and analyze all private correspondence just in order to stop some junk mail? [1] I'm not so concerned about blacklisting known spammers, etc., but
Spam is really, really annoying, but when does the cure become worse than the disease?
[1] (Obviously they're going to do this anyway, but we don't need to condone this or make it acceptable.)Run SMTP over SSL and make all connections that are not listed in DNS MX records login with local username and password. Then, have the server sign the message of a logged-in user with server's key, which is registered with a certificate authority. If enough ISPs adopt that and there are cheap mail-only services, people will have an option to only accept signed messages or at least move unsigned ones to a separate folder.
Then, once all e-mail (that gets read) is tracable to a particular person/company, outlaw spam. No need for a no-spam list, because nobody wants spam. People can always sign up for whatever mailing lists interest them. No need to harvest e-mail addresses given for totally unrelated purposes.
Will it get rid of all unwanted e-mail? By no means. But its irresponsible to just complain or try to pass laws without making simple changes to the software first and seeing how well it works. You don't install a UNIX system with an empty root password and then whine about intruders, do you?
Nice, but it doesn't need to be lethal - just make it bad enough that it makes the news. TRICKY PART: get the media to point the finger at spam in general, not just your actions.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Is there an online bayesian filtering service, that keeps an individual spam profile? I delete most of my spam without downloading it using a webmail service, I'd really like to enhance this to use bayesian filtering but I don't want to download all that spam. I also would like to do this from work (as I do now), and then just download the remaining email over my modem at home. I might even be persuaded to pay for this service.
who is more tech savvy?
what does that have to do with legislating on spam? i'm sure a lot of murderers know more about killing people then most politicians (excluding bush of course, he was getting rather good at it in texas but he's really shining now that he has a military to order around), but we're ok with politicians passing laws about murder. i'm also sure ceo's and financial people know more about illegal stock trades then most politicians (damn, bush is an exception there too), but we want them passing laws to keep our pensions safe. actually, we still want that to happen. the same points apply to healh care, job creation and education (though the parenthetical comments about bush don't apply on those topics)
i guess my point is that politicians pass laws on a wide variety of issues that concern the people they represent. to do that they have to consult experts in various fields - and that's the skill politicians need: the skill of asking for help and sifting through bullshit. and that's how they can best serve their people.
and obviously the other point is that bush knows an awful lot more than people give him credit for. too bad ken lay didn't get some business advice - maybe harvard could have bailed ken lay out too.
US Citizen living abroad? Register to vote!
This article was a waste of my time to read.
For those who haven't read it (and I hope you haven't -- don't waste your own time), basically it says this:
End-users should take responsibility for spam, and the best way to prevent spam is to stop putting email addresses in mailto: links on web pages and in unmunged form in posts to Usenet.
However, it really doesn't explain how the author thinks that people can do something to take responsibility for receiving unsolicited (!) email.
The article fails to mention dictionary attacks and worms, both of which have the potential to find millions of addresses which aren't listed on any web page or in any newsgroup.
I'd be truly surprised if there weren't a worm in the works which would not only act as a mail relay, but which would take care to forward mail to every address listed in a person's address book. Rather than worry about maintaining lists of email addresses, spammers could feed their message to the network of worms (possibly through IRC, or maybe even an instant messaging protocol), and the network would feed messages to every address listed on an infected user's hard drive, and probably to several variants of the addresses as well.
What the article fails to address is this: how can the person who never publishes their email address anywhere take responsibility for spam in the face of dictionary attacks, and when they have no control over friends putting the person's address in their address books?
The article says that when fighting spam, you shouldn't look to the politicians, because they have not the technical knowledge to make legislation stick.
In response to that, I suggest that you not look to the article for spam-fighting advice, because the author seems not to have the technical knowledge to actually develop a solution, or even offer suggestions beyond never publishing unmunged headers.
To those of you who read the article, I feel your pain. You will never get those wasted moments back. But did anyone else cringe when he suggested using graphics to display email addresses in Usenet postings?
My thought is that people advocating posting graphics to Usenet with every post probably don't have a spam solution either. In fact, they're suggesting placing a higher load on NNTP servers, in effect doing the same thing to news servers as spammers do to mail servers: clog them with extra, unneeded garbage, reducing their overall capacity with respect to legitimate communication.
Oh, and have a nice day, everyone!
Somebody get that guy an ambulance!
Good subject line.
... Libertarians give Libertarianism a bad name. They don't want a solution, they want a sort of quasi secular/quasi religious vindication for everything. (Side note: said leader also ststed in his monthly newsletter that if it would have been the "old days, before gov't intrusion, we'd have settled it with pistols! .... say WHAT???)
Libertarians in my area (Greenville SC) are nothing but whacko anarchists. Their leader is often engaged in vigilante justice.
A few months back he COMPLETELY "ruined the peace and progress" of an anti flag rally by pushing a black guy out of line. (Anti flag = no civil war flag/ACLU/Jesse Jackson issue)
This "leader" of the Libertarians has also sued my business over service - he bought a computer from me - then tried to hook a Parallel printer into the SCSI port - fried the computer - then wanted me to replace it under warranty. He later came on the 6 o clock news stating that it was black judge that handed the decision out because of his "push" and took no consideration of the facts. So, I agree
Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
Don't vote either, eh?
Actually, I do. But my personal action has no effect on this problem in particular. The system is only as effective as its weakest link, and since that body includes QVC obsessed housewives and American football fans, I don't think there is much hope.
I pick on these demographic segements because they will buy almost anything.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
That's another advantage to my proposal that the laws should be focused, not on spamming per se, but on the use of filter-circumvention techniques (which should be prohibited just as other forms of computer cracking are prohibited).
The distinction between spamming and normal e-mail is sufficiently fuzzy at the edges (e.g. what constitutes "bulk"?) to give your position a grain of plausibility. However, a mailing that is tailored to get past spam filtering (e.g. forged headers, munging of "spammy" words) is equivalent to lock-picking one's way onto other people's property, and as such is a clearcut initiation of force.
/. If the government wants us to respect the law, it should set a better example.
Speaking as the former network admin for a "Direct Marketing" aka "Opt-in Mailing" company, the industry is evil.
I've dealt with the hosting in China for the purposes of sending mail, changing ip's daily, thousands of domains, and the use of OpenSource anti-spam software in some very questionalable situations. (Using an anti-spam filter to 'review copy' to make sure its not going to be picked up)
And from all my experience, There's only one thing I can say. The mailers will get around what ever you do, be it state or personal. If you have an email account, regardless of the fact if you give it out, it -will- be mailed to. E-Mail addresses are a super-hot commodity.
Especially if you can get them with the opt-in information attached.
Think of it this way. You opt-in to company A, company A sells your address to Company B. You opt-out to company A. Company B doesnt care. Company B could have already sold your info to Company C, D and E.
Opt-out's are funny, they basically just prove that you're a real live person using that computer.. true spammers love to buy listings that contain those addresses, they dont give a crap if you opt-ed out, they just want live email addresses.
So in short, you want a spam free email account? good luck, do what most people do, create a hotmail account for a spam account, and have a real account that you use for real email.
I've seen databases of 35 million mailable e-mail addresses, and trust me, thats a highly profitable database (and no, i dont have a copy, so dont ask, heh.)
Welcome to the End
This is really bizarre. There are almost 300 comments on this item and no one has even mentioned Paul Graham's proposal for Filters That Fight Back:
The idea is to raise the costs of spam to the spammers, if not at the spam sending side, then at the spamwebsite side. Most spam solicits visits to a website. If a relatively small percentage of Net users were to employ Bayesian filters and/or other techniques to identify and segregate spam, then to accept the explicit invitation in each spam to visit one or more URLs provided, and maybe even download the entire sites a few times, the cost of running a spamwebsite server for the tiny numbers of orders they get would rise sharply.
I don't have it completely automated yet. I'm still using filters in my email client, but they are good enough that no spam gets through to my New Mail folder, and a whitelist ensures that there are no false positives in any mail from anyone I already know I wish to hear from. What goes to my spam folder contains a few false positives of people who have never written to me before, but mostly those whose email contains garbage like HTML.
Once a day or so I simply save the cleaned spam folder to a file and ftp it to one of my servers. There, scripts take over and faithfully accept the explicit invitations in the spam to visit their websites.
As more people do this, the traffic will dramatically increase at the spamwebsites, but orders will not increase. At some level or other, either in their server farm or to their upstream provider, those sites pay for bandwidth. As they get bumped up into higher bandwidth pricing tiers, their margins on the small numbers of orders they get from complete nitwits will drop.
Think of it as a servo system: If the level of spam annoys you, set your filter to fighting back. As more people do that, spam will level off and drop. As it drops to a level at which fewer people bother to set their filters to fighting back, an equilibrium will be achieved. There will still be spam, but a whole lot less than there is now. Think mosquitos and birds. Birds control mosquito populations. There are still mosquitos, but a lot less than there would be if there were no birds. Be a bird -- eat spamwebsites.
The weak point in Graham's proposal is that it really needs a universal whitelist to prevent spammers or other malicious third parties from causing massive traffic to innocent websites by sending out spam that provides URLs that are not the spammer's. It's not clear how such a whitelist would work, who would run it, how sites would get onto it (or off, if they turn bad), or whether someone will come up with a neat P2P solution.
It is clear, though, that anyone receiving 20-100 spams a day can easily review the filtered spams or the extracted URLs and simply delete those that appear innocent. Then scripts do the rest.
Look at the bright side: there's always seppuku.