How to Kill Spam Without the State
WaxParadigm writes "The Colorado Freedom Report, an online libertarian publication in Colorado, has an article today about How to Kill Spam Without the State. Will our heavy-handed attempts to stop spam through legislation have the outcome we desire?" The article advocates putting the burden on the end user, saying "We must also take personal responsibility to kill spam. We can't pretend the politicians will do it for us. Their incentive is to develop a cute re-election flyer, not solve the problem. If you're still tempted by the political approach, ask yourself one simple question: who is more technologically savvy, your average spammer or your average politician? There are steps each of us can take to kill spam, and to help foster a culture that encourages spam killing." While this forgets the onus of spam on the ISP and telco companies, it should well be part of a multi-tiered plan against spam.
No matter how technically savvy you are, if your email address is picked up by a spammer you will receive spam. Whether it hits your inbox or not, somewhere along the line someone has had to relay that message to your mail server and the bandwidth is already wasted.
Get a good filter, use whitelists, whatever. Just don't think that you will be able to eradicate spam without governmental help.
Firstly, stop buying things from spam!
My friend once commented on how he hated getting so much spam every day. I myself get maybe one or two pieces a week, so I started to show him the basics of filtering out some of the crap.
So what do you think he says? He doesn't want all his spam automatically deleted, he said, because sometimes something interesting comes! He even likes to follow the links to visit the sites.
Fuck, I wanted to smack him right there and then. Actually I'm in a bad mood right now; I want to go back and find him and smack him anyway.
It's obvious what to do about the #1 problem: people who run web pages should stop listing e-mail addresses in readily spammable form.
On my London Blog I don't use any form of obfuscation. The reason for this is I want people to contact me about my writing. I want to know what people think, and any barrier I put in the way will reduce the number of legitimate emails I get. I'm not confident that most of the Internet population would understand that they need to remove the REVOVE.THIS.TO.EMAIL.ME part of my address.
Sure, I drastically increase the number of spams I get, but popfile takes care of them all. The author of this article is still correct in his economic analysis. There is little burden for me using this method, but a much larger burden for my ISP.
They really wanted to give it a libertarian twist, no matter what, didn't they?
99% of the users can't block spam server-side, and just putting the burden on them will make them pay for the costs, since they have to download it (telephone, burden on bandwidth).
Not putting a brake on the origin will cause even more spam.
There is only one solution: put cost on sending spam AND their ISPs that try to get away with it. Moneywise, or with penalties.
1) Set up a "trade site" anonymously. Very anonymously.
2) Get your hands on a spammer's mailing lists.
3) Send out several millions of spam with "new better penis enlargement" or some other viagra.
4) Receive all the offers. Even don't bill them, just send out the product. TRICKY PART: Don't send any viagra or other penis enlargers, send out cyanide or some other really lethal poison.
5) Run, wipe all your tracks before your mail reaches its destinations. Leave the "spamming server" with a note on the harddrive for the police to find: "These idiots deserved to die. As long as anyone answers to spam, such 'accidents' will happen. This is not our last action". Take care that it gets to the news.
Fear is a powerful weapon.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
We need more than this to stop spam. There's too many idiots about who'll buy spammer's products.
I don't think SMTP itself is fundamentally broken - we just need some improvements to the administration.
In the early days of road transport, drivers were unlicensed - anyone with the money could buy a car and drive it. As traffic built up, eventually this was no longer tenable. As email traffic builds up - lack of licensing for MTA operators is becoming untenable. My server has rejected over 1.2 *gigabytes* of malware in the last week (mostly Swen worms). SpamAssassin kills 80 spam messages a day in my mailbox alone - and still about 15 a day get through. The option of "doing nothing" about email is no longer viable. Schemes like "sender pays" are untenable too (and unfair - why should I pay yet another fee to use bandwidth I'm already paying for once?)
What is really needed is a licensing scheme for people who operate MTAs, just like there is for amateur radio. In brief, here's an outline of what could be implemented. I know this will probably draw the ire of Slashdotters who think they should be able to just run an MTA on their cable modem connection with no qualifications - but this is *exactly* where the problem stems from: to be sure of not dropping too much 'ham' we have to accept SMTP connections from more or less anyone. And this means we get flooded with over a gigabyte of Swen worm traffic in a week.
This list of requirements is by no means comprehensive - it's just a starting point for discussion.
* If you want to run an MTA, you must be licensed to do so.
* A licensed MTA operator may only relay mail from their own network or from other licensed MTA operators. In the case of a home user, this means they can only relay mail from their LAN. In the case of an ISP, from their own netblocks etc.
* A licensed MTA operator may only receive mail from other licensed MTAs. This means you must reject email from the unlicensed (virus/spam spewing) MTA on adsl-192.14.5.6.pacbell.net.
* A licensed MTA operator may only send mail to other licensed MTAs.
MTA licensing can be based on digital certificates. The MTA oper's signature will appear in the header of the email.
To obtain a license, the MTA operator would have to take an exam. The awarding and administering of licenses will be done by TLD. (A good idea would be that the licensing authority must not be the same company or subsidiary of the company that runs the TLD, so VeriSign is not allowed to be the licensing authority for .com/.net, and Nominet is not allowed to be the licensing authority for .uk, and Domicilium is not allowed to be the licensing authority for .im) There can be more than one licensing authority per TLD.
The upshot of this is that if a licensed MTA operator passes spam or malware, they can have their license suspended or revoked, or fines levied. MTA operators at the ISP level will be *very* careful to ensure they don't harbour spammers because they'll lose their MTA license. They will be *very* careful they configure their system to not allow executable attachments, or at least scan them for malware. Small MTA operators will be *very* careful not to accidentally configure their mail server to be an open relay.
To obtain an MTA license, an exam should be passed not for a specific MTA such as Exim or Sendmail, but general good practise in operating an email server, and general knowledge about internetworking - just like amateur radio licenses don't have exams on a specific model of ICOM radio. Additionally, the MTA operator must provide positive ID when applying for the license - this way, we make sure the MTA oper is accountable for what their MTA emits.
Of course, an actual implemented system like this will be more complex than what's outlined in this posting. Of course, most Slashdotters will hate the idea expressed above - I wouldn't really like to have to take exams to keep running the mail server I already
Oolite: Elite-like game. For Mac, Linux and Windows
There is the technology available to avoid spam. Spam blacklists, Bayesian filters, and Challenge-Response systems will handle the vast majority of spam, if not all of it.
And all of these either have costs, drawbacks, or don't really solve the problem (i.e. Bayesian filters on MUAs don't avoid the traffic etc.), while I can't for the life of me find anything bad in the thought of spammers rotting in jail.
</half joking>
Spam exists because it works; enough people buy products that are advertised through spam that the increased sales more than make up for the cost of spamming.
Companies choose Microsoft solutions because Microsoft provides the most flexible, stable and secure systems, with lower TCO than the competition.
I believe both of these statements are false, but are believed to be true by people making the decisions. Why? Because spammers and (to a much lesser extent) Microsoft salespeople are dirty rotten lying scumbags out to make a buck by cheating whoever they can. On top of that, spammers also sell their service by claiming what they're selling is not spam - it's direct marketing to a targeted opt-in list of interested consumers over the Internet. We all know in reality it's completely untargeted and their definition of "opt-in" includes allowing your e-mail address to appear unobfuscated on any web page, using it to register a domain name or post to a newsgroup, or simply choosing an e-mail address that could be guessed at random. We know that, just like we know Windows almost never has a lower TCO than anything. But the people paying the money don't, because they simply don't know better.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
who is more technologically savvy, your average spammer or your average politician?
Who is more technologically savvy--your average bank robber or your average politician? Who is more savvy about poisons and guns--your average murderer or your average politician?
See, by your argument, most laws are useless because they were made by people not as good at committing the crime as the people who actually did commit the crime.
I just got a legitimate email returned because spamcop claims that the smtp server of the webhosting provider has an abnormal rate of spam.
Your e-mail was returned because whoever runs the mail server you were trying to deliver the message to has chosen to bounce mail from any IP in SpamCop's blacklist, which SpamCop has always recommended against. Complain to the people who made that decision, not SpamCop.
And, the reason the IP is listed in SpamCop's blacklist is probably because the server you're relaying your mail through has also been relaying spam, and people have complained about it (using SpamCop's reporting service). Go here to find out exactly why an IP is listed, along with sample e-mails that users have reported as spam and some statistics about how much spam has been reported from that IP.
The worst thing about spam is that filtering systems create false positives...
SpamCop says this is why their blacklist should not be used to block mail. Their list is entirely automated; it's based on reports from users, and SpamCop does not verify it. Read more on SpamCop's site about exactly how it works.
My provider requires authentication but everyone knows that you can create spam using an IP address from a well behaved smtp server.
SpamCop is really very good about identifying where a message actually came from, not just where it's been relayed through - unless there's something suspicious-looking about the server it's been relayed through (such as, for example, the hostname the server identifies itself as [the Dj line in sendmail.cf] doesn't resolve to the server's IP).
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
In order to deal with spammers, we have to analyze their vulnerabilities. Understanding their weaknesses is easy once you answer this question: What do spammers fear the most?
That's easy. Look at spam messages. You'll see forged return addresses, redirections through open relays, spoofed Received lines, etc.
What does this mean? Spammers are most afraid of being tracked and identified.
And they have a good reason to be afraid. When spammers are identified, they get their ISP accounts terminated, and may get stuck paying hundreds of dollars of cleanup fees. They're harassed, sued, threatened, they quickly earn a terrible reputation. They'll go to extremes to remain anonymous.
The key is to make it difficult or impossible for spammers to forge headers and obfuscate their emails' points of origin. How do we do this? Require cryptographic authentication of all mail going through any MTA. No exceptions, ever. Every time a mail goes through an MTA, it must be signed by that MTA. Any message without a signature or with an invalid signature gets dropped. By requiring crypto signatures, responsible MTAs can be easily tracked, and spamming MTAs can be blocked.
Key creation, distribution and endorsement can be through a central authority, though I prefer a PGP-style web of trust because central authorities can abuse their power. Naturally, any MTA caught distributing spam should immediately get their keys revoked, and the revocation should be distributed to MTAs as widely as possible, causing all emails from that MTA to be blocked in a matter of minutes. If an MTA wants its emails to reach its destinations, it will crack down hard on spammers.
The difficult part is convincing ISPs to require authentication and drop unsigned messages. However, if a large ISP such as AOL or Comcast can be convinced to do this, MTAs will have a strong incentive to start signing messages, and authentication will start to catch on.
Meldroc, Waster of Electrons
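The per-hop signing scheme proposed in the comment above, as an added example that is not part of the original post: each MTA stamps the message, and the receiver drops anything unsigned, invalid or revoked. The hostnames, the key registry and the toy textbook-RSA keys (Mersenne primes, no padding, not usable for real signing) are assumptions made so the sketch runs with the standard library only.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def make_key(p, q):
    """Textbook RSA from two known primes: returns (modulus n, private d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _digest(n, body, chain):
    # A hop signs the body plus every earlier stamp, so a stamp cannot be
    # copied onto another message or have earlier hops swapped out under it.
    h = hashlib.sha256(body)
    for name, sig in chain:
        h.update(f"|{name}:{sig:x}".encode())
    return int.from_bytes(h.digest(), "big") % n

def relay(name, key, body, chain):
    """Append this MTA's (name, signature) stamp to the chain."""
    n, d = key
    return chain + [(name, pow(_digest(n, body, chain), d, n))]

def accept(body, chain, registry, revoked):
    """Receiving MTA's policy: every hop signed, known, valid, not revoked."""
    if not chain:
        return False, "unsigned"
    for i, (name, sig) in enumerate(chain):
        if name in revoked:
            return False, f"revoked key: {name}"
        n = registry.get(name)
        if n is None:
            return False, f"unknown MTA: {name}"
        if pow(sig, E, n) != _digest(n, body, chain[:i]):
            return False, f"bad signature: {name}"
    return True, "ok"

# Constructed keys (hypothetical MTAs) built from Mersenne primes.
M = {k: 2**k - 1 for k in (61, 89, 107, 127, 521, 607)}
KEYS = {
    "mx.example-a.test": make_key(M[89], M[107]),
    "relay.example-b.test": make_key(M[61], M[127]),
    "bulk.example-c.test": make_key(M[521], M[607]),
}
REGISTRY = {name: n for name, (n, _d) in KEYS.items()}  # public halves only

def demo():
    body = b"Subject: hello\r\n\r\nconstructed test message"
    mx, hop, bulk = KEYS
    chain = relay(hop, KEYS[hop], body, relay(mx, KEYS[mx], body, []))
    forged = relay(mx, KEYS[bulk], body, [])  # bulk signs while claiming mx
    return {
        "clean": accept(body, chain, REGISTRY, set()),
        "tampered": accept(body + b"!", chain, REGISTRY, set()),
        "unsigned": accept(body, [], REGISTRY, set()),
        "forged": accept(body, forged, REGISTRY, set()),
        "revoked": accept(body, chain, REGISTRY, {hop}),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

Revoking one relay's key rejects every message that passed through it, which is the lever the comment relies on to make MTAs police their own users.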
So if someone is pissing through our letterbox, the libertarian response is "Get a bucket", rather than stop the person pissing through the letterbox. My that's brilliant! And the way to reduce gun deaths is for people to learn how to dodge bullets matrix-stylee.
"You know you want me baby!" - Crow T Robot
who is more technologically savvy, your average spammer or your average politician?
That is the totally wrong question.
Politicians know that they don't know everything. That is why they have staff and expert advisors.
Politicians, however, have something that we the tech-community do not: Police, jails and option to use them.
Spam won't go away 100%, ever. But if the spam rate were on par with the murder or robbery rates (i.e. I have a single-digit percentage chance of getting one spam during my life), then I'd be satisfied.
What we, the tech-community, can do is help them find the culprits. All we need are bounties high enough to make it worth our time.
Raise your hands, you unemployed geeks who would jump at the chance of becoming paid-for spammer hunters.
Assorted stuff I do sometimes: Lemuria.org
The author of the article says he is not a techie. Does that make him clueless? No. He says in the article that he would welcome response from the technical community. Too bad that a certain vocal percentage of techies are so egotistically arrogant that they insult anyone who is less technical than themselves.
So if a non-techie says he is willing to learn, he correctly evaluates the economic reasons that spam continues, he suggests something quite sensible about graphical email addresses on web sites, and asks for further technical input... then why not give him the benefit of your technical knowledge? Or on the other hand, if you have no ideas of your own, you could just insult him.
The thrust of his argument is understanding why spam exists. Until this is understood, the pseudo solutions will fail, because they miss the mark. I thought the article had a valuable point to make. Good on you, Ari.
Surely in vain the net is spread in the sight of any bird -- Proverbs 1:17
If not for users, how about 'personal responsibility' for admins?
On a mailing list I help run, we turned on Postfix's DNS checks (not RBLs and the like, just "does connecting host have valid forward DNS? Does it match what they claimed?" etc. - Postfix can do a half dozen DNS-related checks to make sure you're legit). It was ENORMOUSLY successful, virtually killing off all spam overnight, because so much spam has so many fake headers.
We had zero problems with users with funky setups (i.e. sending work email from home, their own domains, etc.). We had ENORMOUS problems with a dozen ISPs whose freaking mail servers often didn't even have FORWARD DNS! Worse, some claimed, when contacted by their users, that it was a problem with OUR dns.
The problem was mostly with clustered outgoing mail servers, where ISPs didn't give a shit enough to set up proper DNS for each cluster member. Do you think they had reverse DNS? :-)
So, we can take personal responsibility by a) refusing to accept connections from servers which have bad/no DNS and b) fixing our own mail server's DNS. That would be a biiiig step...
Please help metamoderate.
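The two questions quoted in the comment above ("does connecting host have valid forward DNS? Does it match what they claimed?"), written out as an added Python example; it is not Postfix code or the poster's configuration. The zone data, addresses and the check_client helper are constructed for illustration, and the third sample connection is the ISP cluster member with no forward record that the comment complains about.

```python
import ipaddress

# Constructed forward-DNS data (name -> addresses). It stands in for a live
# resolver so the example runs offline; all names and addresses are made up.
ZONE = {
    "mail.example.org": ["192.0.2.10"],
    "out1.isp.example": ["198.51.100.21"],
    # out2.isp.example is a real cluster member that never got a record
    "mx.bank.example": ["203.0.113.5"],
}

def lookup(name):
    return ZONE.get(name.rstrip(".").lower(), [])

def _ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def check_client(client_ip, helo, resolve=lookup):
    """Return (verdict, reason) for one connection's claimed HELO name."""
    client = ipaddress.ip_address(client_ip)
    helo = helo.strip()
    if helo.startswith("[") and helo.endswith("]"):
        # Address literal, e.g. [192.0.2.10] or [IPv6:2001:db8::1]
        inner = helo[1:-1]
        if inner.lower().startswith("ipv6:"):
            inner = inner[5:]
        if _ip(inner) == client:
            return "accept", "address literal matches client"
        return "reject", "address literal does not match client"
    if _ip(helo) is not None or "." not in helo.rstrip("."):
        return "reject", "HELO is not a fully qualified hostname"
    addrs = {_ip(a) for a in resolve(helo)}
    if not addrs:
        return "reject", "HELO name has no forward DNS"
    if client not in addrs:
        return "reject", "HELO name resolves to a different address"
    return "accept", "forward DNS matches client"

# Constructed sample connections: (connecting IP, name given in HELO).
CONNECTIONS = [
    ("192.0.2.10", "mail.example.org"),     # honest server
    ("198.51.100.77", "mx.bank.example"),   # claims a name it does not own
    ("198.51.100.22", "out2.isp.example"),  # legitimate ISP, missing record
    ("203.0.113.99", "localhost"),          # unqualified name
    ("192.0.2.10", "[192.0.2.10]"),         # address literal
]

def triage(connections=CONNECTIONS):
    return [check_client(ip, helo) for ip, helo in connections]

if __name__ == "__main__":
    for (ip, helo), (verdict, reason) in zip(CONNECTIONS, triage()):
        print(f"{ip:15} {helo:20} {verdict:7} {reason}")
```

The forged name and the misconfigured ISP host are both rejected by the same rule, so a receiver turning this on should expect the second kind of bounce until the sending side fixes its DNS.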
I for one feel comforted by the fact that if, God forbid, the day comes that I can't get it up for my wife, and I feel so bad and depressed, and my mortgage interest rates are so high.....
I feel comforted that everyday, there is veritable kornikovia(sic) of options.
This article was a waste of my time to read.
For those who haven't read it (and I hope you haven't -- don't waste your own time), basically it says this:
End-users should take responsibility for spam, and the best way to prevent spam is to stop putting email addresses in mailto: links on web pages and in unmunged form in posts to Usenet.
However, it really doesn't explain how the author thinks that people can do something to take responsibility for receiving unsolicited (!) email.
The article fails to mention dictionary attacks and worms, both of which have the potential to find millions of addresses which aren't listed on any web page or in any newsgroup.
I'd be truly surprised if there weren't a worm in the works which would not only act as a mail relay, but which would take care to forward mail to every address listed in a person's address book. Rather than worry about maintaining lists of email addresses, spammers could feed their message to the network of worms (possibly through IRC, or maybe even an instant messaging protocol), and the network would feed messages to every address listed on an infected user's hard drive, and probably to several variants of the addresses as well.
What the article fails to address is this: how can the person who never publishes their email address anywhere take responsibility for spam in the face of dictionary attacks, and when they have no control over friends putting the person's address in their address books?
The article says that when fighting spam, you shouldn't look to the politicians, because they have not the technical knowledge to make legislation stick.
In response to that, I suggest that you not look to the article for spam-fighting advice, because the author seems not to have the technical knowledge to actually develop a solution, or even offer suggestions beyond never publishing unmunged headers.
To those of you who read the article, I feel your pain. You will never get those wasted moments back. But did anyone else cringe when he suggested using graphics to display email addresses in Usenet postings?
My thought is that people advocating posting graphics to Usenet with every post probably don't have a spam solution either. In fact, they're suggesting placing a higher load on NNTP servers, in effect doing the same thing to news servers as spammers do to mail servers: clog them with extra, unneeded garbage, reducing their overall capacity with respect to legitimate communication.
Oh, and have a nice day, everyone!
Somebody get that guy an ambulance!
If you left your house door open and somebody entered and made a mess in your house (or worse!) then who is to blame? Who is at fault?
I never get tired of saying this, because it never stops being pertinent:
No matter how big a moron you are, no matter if you leave your front door wide open, the thief who walks in and takes your stuff is still a thief, still guilty in the eyes of the law, and still deserves to be put away.
If you believe otherwise, you're not far off from the "women who wear short skirts have no case if they get raped" school of thought.
My Karma: ran over your Dogma
StrawberryFrog
notice the standard libertarian assumption that, if you (a) aren't a libertarian and/or (b) want gov't action against ________________ [fill in the blank with spammers, in this case], you are a person without a sense of "personal responsibility." notice also, the standard libertarian assumption that, as a libertarian, the author is a cut above the rest of us "schmoes."
the fact is, spammers are thieves, stealing services from bandwidth providers. it's not clear to me why the author of this piece, and libertarians in general, regard this behavior as something that can be stopped if i display "personal responsibility" on the internet. it also is not clear just what that actually means, but never mind. and it is not clear exactly why they are less than eager to legally stop this behavior, but my suspicion is that it is because spamming is a business; and libertarians just can't bring themselves to take serious action against that "entrepreneurial spirit." if you're doing it to make money, a libertarian will bless you for it.
i'm dubious about laws against spammers, because i think they will be ineffectively administered. it's not that the technological means of tracking down spammers don't exist, it's that such a process would be time-consuming and expensive. i think that prosecutors just don't want to invest in it. that may be a necessary decision -- funds for attorneys general are not unlimited, and they have to deal with rapers, murderers and wife beaters, too.
i think a bounty law, that would allow individual citizens to bring spammers to book, would be more effective. imagine forming a company comprised of some technically proficient individuals, lawyers and maybe accountants, who working together could track down big-money spammers and present all the technical, legal and financial information about the spammer to a prosecutor, in exchange for either a state-sponsored reward or a percentage of the seized property.
that would rule.
mp
"The secret to strong security: less reliance on secrets." -- Whitfield Diffie