Slashdot Mirror


SendMail CTO Sounds Off On Spam and FTC

CowboyRobot writes "Eric Allman takes his well-deserved turn in commenting on the state of spam, the dark future, and the need for intervention. He calls spam an "arms race" where "in the long run everyone loses (except the arms dealers)." As you might imagine, he's on our side, and he does a good job of clearly describing the current state of spam, and the possible solutions."

15 of 233 comments

  1. The more I think about it...... by The+One+KEA · · Score: 4, Interesting

    ....the more I realize that no amount of technology or legislation is ever going to completely eradicate spam from our lives. More and more it seems to me that the only way we can get rid of spam is through educating the next generation of Internet users to ignore it.

    Spammers spam because they make money. Educate people to ignore spam, and the spammers don't make money. Bingo, no more spam!

    I know it sounds like a pipe dream, but what other options are there?

    --
    SCREW THE ADS! http://adblock.mozdev.org/ Proud user of teh Fox of Fire - Registered Linux User #289618
    1. Re:The more I think about it...... by pirhana · · Score: 2, Interesting

      I beg to differ with you. Regardless of any level of education, there will be fools who will fall into this fraud. I admit they are a microscopic minority. But that doesn't matter and spammers can keep moving with that as the per capita expense of spam is near to zero. It has been reported that even the manager of a 6 billion dollar mutual fund had placed orders for "penis enlargement pills" (http://www.wired.com/news/business/0,1367,59907,00.html).

  2. Re:I like the idea by Nuclear+Elephant · · Score: 2, Interesting

    The do-not-spam registry will not work primarily because A. spammers are already breaking the law to spam, and B. it's easy to set up an offshore spam factory outside the US to send spams. Unlike telemarketing, where making phone calls to other countries is too expensive, it's fairly cheap to bypass legislation and spam outside the US...not to mention a do-not-spam registry is stupid in the sole fact that it gives spammers a huge list of millions of VALID email addresses - doing their job FOR them.

  3. Re:Spam is bad...mmmkay? by Nuclear+Elephant · · Score: 1, Interesting

    Bogofilter may not be for everyone, but DSPAM implements server-side...which means it's the sysadmins for the ISPs who install it and allow their users to opt-in or opt-out of spam filtering. All the average user has to do is forward messages they deem as 'spam' to an email address. Pretty brain-dead easy.

  4. why can't mail servers talk to each other? by LennyDotCom · · Score: 3, Interesting

    Why can't certain specified mail servers be something like the lookouts? If a certain percentage of them receive the same email in a specified amount of time then they can designate it as spam and delete it from all the mail servers. Then ISPs could subscribe to the "lookout server" list and delete any messages that have been designated as spam?

    --
    http://Lenny.com
    1. Re:why can't mail servers talk to each other? by clifyt · · Score: 2, Interesting

      "If a certain percentage of them receive the same email in a specified amount of time then they can designate it as spam and delete it from all the mail servers."

      Mailing Lists...

      That's the big problem. I run a few mailing lists and I'm on a few others. I was on a spam filter just like this.

      You get idiots that don't know how to subscribe, so they just press THIS IS SPAM button and then it filters its headers and otherwise out to everyone else on this service telling them it's spam, and then after a while that list is just blocked.

      This sort of thing was easy for me to fix...I'm a geek. I would periodically (like every few hours...kinda mitigating the idea of a spam filter) check my deleted messages and click the THIS IS NOT SPAM button and I would get it again.

      BUT every so often, folks would start complaining on the mailing lists...they might be good musicians or great psychologists (depending on which list I was admining), but piss poor geeks (which is why I'm around). I'd look and they'd be getting the messages. I'd throw in an hour or two of free support only to find out they are running a spam filter their wife / husband / son / secretary / whomever installed...and it was categorizing this stuff as spam.

      It's a good idea, but until we can moderate the idiots that continually click on anything they don't want to deal with as Spam, then we will have a problem.
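
The "lookout server" scheme proposed in comment 4, and the mailing-list false positive raised in the reply to it, as an added Python sketch that is not from either poster or from the article. The class, the server names, the thresholds and the `List-Id` exemption are assumptions made for illustration.

```python
import hashlib
import re
from collections import defaultdict


def fingerprint(body):
    """Hash the body with case and whitespace normalised, so re-wrapped
    copies of one bulk message collapse to the same key."""
    canon = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class LookoutList:
    """Shared list fed by lookout servers (all names here are hypothetical)."""

    def __init__(self, lookouts, fraction=0.5, window=600, exempt_list_ids=()):
        self.lookouts = set(lookouts)
        self.fraction = fraction          # share of lookouts that must agree
        self.window = window              # seconds in which sightings count
        self.exempt = set(exempt_list_ids)
        self.sightings = defaultdict(dict)  # fingerprint -> {lookout: time}
        self.listed = set()

    def report(self, lookout, body, now, list_id=None):
        """Record one sighting; return True once the message is listed."""
        if lookout not in self.lookouts:
            raise ValueError("report from unknown lookout")
        if list_id is not None and list_id in self.exempt:
            return False                  # known mailing list: never counted
        fp = fingerprint(body)
        self.sightings[fp][lookout] = now
        recent = [t for t in self.sightings[fp].values() if now - t <= self.window]
        if len(recent) / len(self.lookouts) >= self.fraction:
            self.listed.add(fp)
        return fp in self.listed


if __name__ == "__main__":
    servers = ["mx-a", "mx-b", "mx-c", "mx-d"]        # constructed sample data
    digest = "Weekly digest for the band list"        # constructed sample data
    naive = LookoutList(servers)
    print([naive.report(s, digest, now=i * 60) for i, s in enumerate(servers)])
    aware = LookoutList(servers, exempt_list_ids={"band.lists.example.org"})
    print([aware.report(s, digest, now=i * 60, list_id="band.lists.example.org")
           for i, s in enumerate(servers)])
```

Without the exemption, a legitimate list digest is listed as soon as half the lookouts have seen it, which is the failure the reply describes. A `List-Id` value is chosen by the sender, so a real exemption would have to be tied to something a bulk sender cannot simply copy.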

  5. Re:Spam is advertising! by Analysis+Paralysis · · Score: 3, Interesting

    Spammer ahoy! Lock up your open relays! Ready your blocklists!

    In case you didn't bother reading the article, it mentioned that the volume of spam was doubling every 10 weeks. This is nothing short of a threat to the viability of email itself. Would you even bother opening your inbox, if you knew that you would have to delete several thousand irrelevant, unwanted and (in many cases) fraudulent emails just to get to the 10 or 20 useful ones from friends and family? Spammers are intensely selfish - being quite happy to abuse the network infrastructure provided and paid for by others for their own gain.

    Your statement about the meaninglessness of the internet shows that you haven't a clue (outside of those spam-rimmed spectacles) what the Internet is about. People do not wish to be deluged with unsolicited junk any more than the likes of Alan Ralsky likes receiving tons of junk snail mail.

    Of course, you can try to prove me wrong - post your email and real address and let's see if you can swallow your own medicine.

  6. Secure email protocols won't help. by Anonymous Coward · · Score: 4, Interesting

    It sounds like a good idea on the surface, but it won't work.

    I got hit by a spammer last week who was changing his host names every couple of messages. And not just on the envelope - he was changing 'em in DNS because he had his own nameserver! He got shut down by the mid-level carrier after about 12 hours, during which my servers received thousands of messages that I had to block by IP. Today, though, I am getting the same stuff, now coming from a cracked cable-modem user.

    Hundreds of the spams that hit here every day are sent from cracked systems connected to Comcast, RoadRunner, and Verizon DSL.

    If you allow anyone to send mail, regardless of how that mail is encrypted or secured, the spammers will find a way to illegally take advantage of that legitimate mailserver and send their trash.

    This is because they are criminals. Not "legitimate businessmen" and not "entrepreneurs exercising their freedom of speech". Criminals who purchase accounts with stolen credit card numbers and move on as soon as an ISP shuts them down.

  7. Person to person communication in the future by Filik · · Score: 5, Interesting

    Darn, article got slashdotted before I could read it, so this reply is just general musings.

    The spam problem has to do with the whole future of person to person communication, as well as the whole future of advertisement. Whichever way it will be solved, a very likely outcome is that in 10 years it will no longer be possible in any way to get in touch with someone you don't already know from outside the Internet, and the first decade of Internet will be looked back upon with nostalgia as the only decade of totally free communication. This is because the real problem lies in the initial contact.

    You might argue that we can still communicate via boards, chat channels and similar things, where you can give out crypt-keys to those you wish to continue communicating with, but remember that these will be the next target for advertising after open email collapses. I'm sure advertisers will even write AIs to simulate people so that they can lure the crypt-keys from innocents.

  8. Re:I like the idea by Transient0 · · Score: 2, Interesting

    Seriously though. The bulk of spam originates in America.

    Personally, I don't buy that that is true, but it's completely irrelevant to my point. Even if most spam does currently originate in America, if the U.S. somehow passes and enforces an effective anti-spam law, there is effectively zero cost involved in these spammers moving their business out of the States and still spamming Americans.

    The same is true for any country that illegalizes unsolicited e-mail.

    This is one reason (among many), why spam is much harder to control than telemarketing, the fact that telemarketing from another country is expensive.

  9. Re:I like the idea by aborchers · · Score: 5, Interesting

    Even if most spam does currently originate in America, if the U.S. somehow passes and enforces an effective anti-spam law, there is effectively zero cost involved in these spammers moving their business out of the States and still spamming Americans.

    As much as I find balkanizing the network to be philosophically repugnant, there is a second step that is not often discussed in the context of US legislation against spam.

    Once spam is banned in the US, we (the network operators) have to block traffic from netblocks assigned to countries that are friendly to spam. The legitimate business and communications needs of those countries will then drive them to enact their own anti-spam policies to get off the block lists. If their only need for the network is to send spam, then they will soon find themselves isolated and ineffective.

    I don't like it, but to me it looks more and more like the lesser of evils...

    --
    Trouble making decisions? Just flip for it.
  10. Re:Spam is advertising! by Anonymous Coward · · Score: 1, Interesting

    True. If spam doubles every 10 (or even 100) weeks, we only have a short time left before SMTP email is rendered unusable and port 25 itself needs to be blocked upstream (spam rates of multiple megabytes per second are really a DoS attack, no matter what they claim).

    There are two solutions:

    1) A new protocol to replace SMTP, that _somehow_ provides non-mobile authentication (i.e. a credential that is tied to an identifiable person, not something as malleable as an IP address or even as cloneable as a MAC address)

    or

    2) A protocol on top of SMTP (e.g. CAMRAM, TMDA, etc) that severely limits the ability of any two previously-unconnected persons to send each other email, and preferably does so as close to the originator as possible.

    Personally, #1 sounds way harsh (you'd have to fingerprint (or worse) every ISP subscriber). Therefore, #2 is the only way left.

    That's why I see the future as something like CAMRAM (one of whose layers uses CRM114 as a backstop Bayesian filter before it decides whether to invoke the "Prove You Love Me" protocol. This layering provides some advantages over other protocols).

    Perhaps it's time to ask ICANN for a new SMTP port that is only used with CAMRAM or other authenticated email protocols. Then users can shut off port 25 upstream and that will end the DoS issue. Port 465 (smtps) is just SMTP over SSL; a good start, but not what we want here.

  11. Re:I like the idea by stilwebm · · Score: 2, Interesting

    The do-not-spam registry will not work primarily because A. spammers are already breaking the law to spam, and B. it's easy to set up an offshore spam factory outside the US to send spams.

    If the do not spam registry, as proposed by at least some lawmakers, penalizes the beneficiaries of the spam, then the true source will still be subject to the regulations. Sure, some offshore businesses will continue to spam, and some big guys may move off shore, but it really will nullify many of the cost advantages of spam. Few people are going to refinance their mortgage with some stranger in Costa Rica (then again, I never thought people would do that with a stranger who randomly spammed them either).

    not to mention a do-not-spam registry is stupid in the sole fact that it gives spammers a huge list of millions of VALID email addresses - doing their job FOR them

    This is the hard part. How can you make it a crime to traffic or abuse a list of email addresses? I don't think it would hold up well in court. If it did, the validity of the lists would become problematic - how do you prove the citizenship or residency of someone just by an email address? This is where it completely falls apart. If there were a DNS (do not spam) list, I think I would first sign up with a fresh new email address, say dnc@mydomain.com, just to see how it worked. I'd be surprised if it did not result in more spam.

  12. Email Marketing Works, Spam Doesn't by johnnyb · · Score: 2, Interesting

    I think the thing that will kill spam is the success of email marketing. I work at a company that does email marketing - i.e. - VERY targeted campaigns (usually under 1,000 recipients, most of whom have some sort of business relationship with the client), easy ways to unsubscribe, always a valid reply-to address, etc. The results are great - we usually get about 80% opens and 10-30% click-throughs. We have one list/service that has 1,000 emails and gets 500 click-throughs when we send to it!

    I get frustrated when I hear about ClickZ calling an email campaign to 800,000 people, where many people got the email up to six times, and they got a 4% open rate with a 4% click-through rate OF THE OPENS (i.e. - a 0.16% click-through rate), and called it a great success. Email marketing is a great tool, but spam really hurts it.

    For example, I _love_ getting my email at half.com telling me that a book I want is available at the price I was looking for it. It doesn't even seem like marketing. It's cheap, trackable, targeted, and they can load it with whatever other marketing message they want, too.

    Anyway, one thing that annoys me about slashdot is that everyone seems to think that all email-marketing is spam, when there are at least some of us that are trying to do the right thing.

    We actually have customers that we tell them _not_ to use our service because they don't have a legitimate list. We tell them to start right now and get everyone's email address they can - have places on every form for people to get their email address, have a "newsletter sign-up" link on their website, etc., and then call us in a year with the list they put together and we'll help them with a campaign.

  13. slightly OT: uce@ftc.gov = disk full by Anonymous Coward · · Score: 1, Interesting

    Today, when forwarding the usual spam in my inbox to uce@ftc.gov, this is what I got back:

    ----- The following addresses had permanent fatal errors -----
    uce@lhasa.ftc.gov
    (reason: 554 Transaction failed, No space left on device)
    (expanded from: <uce@ftc.gov>)

    ----- Transcript of session follows -----
    ... while talking to localhost.ftc.gov.:
    >>> DATA
    554 5.0.0 Service unavailable

    ...at least now I know, they didn't send it automatically to /dev/null.

    :-)
    ms