SendMail CTO Sounds Off On Spam and FTC
CowboyRobot writes "Eric Allman takes his well-deserved turn in commenting on the state of spam, the dark future, and the need for intervention.
He calls spam an "arms race" where "in the long run everyone loses (except the arms dealers)."
As you might imagine, he's on our side, and he does a good job of clearly describing the current state of spam, and the possible solutions."
Isn't he one of them?
Forget thrust, drag, lift and weight. Airplanes fly because of money.
of the do not spam registry that they mention in the article. But it seems like a real pipe dream considering how much trouble there has been getting the do-not-call registry up and running.
Also, most telemarketing is done from in-country because of LD charges. Not so with e-mail. It's pretty hard to enforce US laws on a Taiwan spamhaus.
Ah well, every little voice against spam warms me a little at least.
lysergically yours
Spam is the most successful way to use the Internet for the eBusiness sector. Without spam a highly profitable way to earn money will be gone and the internet rendered meaningless for further investment decisions.
Don't cut your own throat by sabotaging spam. Everyone needs to earn money. Money makes the Internet go round.
Less SPAM, more Vienna Sausages!
Is this really necessary to post a different article every day of someone in our field who agrees spam is bad? It's like there's a template for every article on slashdot about spam:
CEO of [NAME] reported today that SPAM is [GOOD|BAD] and recommends [LEGISLATION|CRACKING DOWN|PRODUCT].
There are enough freely available working solutions out there now that work with Mr. Allman's product (such as DSPAM and BogoFilter) where we really have gotten to the point where we can quit complaining about spam and actually succeed in the high 99% at stopping it. If everyone quit whining and installed one of these tools, nobody would get spam, and the spammers would be out of business.
....the more I realize that no amount of technology or legislation is ever going to completely eradicate spam from our lives. More and more it seems to me that the only way we can get rid of spam is through educating the next generation of Internet users to ignore it.
Spammers spam because they make money. Educate people to ignore spam, and the spammers don't make money. Bingo, no more spam!
I know it sounds like a pipe dream, but what other options are there?
SCREW THE ADS! http://adblock.mozdev.org/ Proud user of teh Fox of Fire - Registered Linux User #289618
>The seventh is opt-out with an unsubscribe link that actually confirms your address as belonging to a live account.
The author doesn't say whether he believes this happens, but he implies so by adding another similar case: "The unsubscribe link removes you from the list in question, but it also adds your address to another list."
I'm calling bullshit on both of them. I challenge anyone here to cite any quantitative evidence that replying to spam has resulted in them receiving so much as one extra message.
No, anecdotes don't cut it. Neither does common sense, or "Well, it stands to reason" arguments. Neither does the availability of "verified" address lists. I can create a billion pseudo-random addresses, call them "verified" and slap whatever price tag I like on them. It doesn't make it so, and remember what sort of people we're dealing with here. You don't think they'd screw each other over for a few bucks?
As far as I'm concerned, spam is so untargeted that replying to an unsubscribe cannot possibly make it worse. It's vanishingly unlikely to make it better, but how, exactly, does it make it worse?
Examples, statistics please. No more anecdotes, no more gut feelings.
If you were blocking sigs, you wouldn't have to read this.
You have a point. In the early days of spam, I'm certain that replying to spam would definitely get your address marked as alive. Nowadays, though, spammers have so many addresses and are sending so much spam that I highly doubt that they could deal with any replies to the crap they send out. And even if they do get a reply, they have so many other addresses to cycle through that they probably at best ignore it, and at worst might actually mark it as valid.
I agree with you. Does anybody have linkage to a Web site that actually explores this?
SCREW THE ADS! http://adblock.mozdev.org/ Proud user of teh Fox of Fire - Registered Linux User #289618
When 99% of the spam on the internet passes through your product at some time, I'd say you should have an opinion.
In Soviet Russia, the current state of spam is 0 ..
Politicians are all the same, they promise to build a bridge even when there is no river.
Sendmail, promiscuous relay for all, Sendmail, providing remote root access since Day 1 on the Internet, Sendmail, of the indecipherable rules file, is on "our side"? Are they even relevant except for inertia?
Let's talk to DJB, to Wietse Venema, to the MS Exchange developers first, before giving soapbox time to some suit.
I want to delete my account but Slashdot doesn't allow it.
Why can't certain specified mail servers be something like the lookouts? If a certain percentage of them receive the same email in a specified amount of time, then they can designate it as spam and delete it from all the mail servers. Then ISPs could subscribe to the "lookout server" list and delete any messages that have been designated as spam.
http://Lenny.com
All you can do is look at the spam industry itself, and ask, "why wouldn't they harvest opt-outs for future spamming?" By opting out, after all, you've just given proof that the email address in question is valuable to you. Why wouldn't they want to take advantage of that piece of information? Do you think spammers suddenly adopt scruples on this point? Given how unscrupulous spammers are in every other aspect of what they do, I think it's absurd to think they treat opt-out lists with any integrity.
That opt-out lists will be abused by spammers is common-sense. I think the burden of proof is on you to show otherwise.
I'm generally "Interesting," "Insightful," and even "Funny" here. What the hell happens to me at parties?
Spam - and what defines spam - isn't the pertinent question. The important fact is that spammers exploiting SMTP make 'opting out' impossible.
There is too much assumed honesty in SMTP.
Yes, it was a key factor in getting everything going, and yes, its beauty is in its simplicity.
However, much like open relays, this assumed honesty has outlived its usefulness. It is being corrupted to a degree unforeseeable by the original protocol architects, and it is time for something new.
I don't pretend to know the specifics to building a secure, unexploitable system. And it would almost certainly be a messy conversion. That shouldn't mean that it isn't worth doing.
Let each user and ISP decide for themselves what spam is. But we need a secure email system so that when Spam is identified, that particular sender can be effectively blocked.
// "Can't clowns and pirates just -try- to get along?"
--
Male contraceptive '100% effective'
Part of the treatment is given by injection Scientists have developed a male contraceptive which was 100% effective and side-effect free in trials.
The hormonal treatment is a combination of an implant under the skin and injections - meaning men do not have to remember to take a pill every day.
Researchers from the Anzac Research Institute, Sydney, Australia, gave the treatment to a relatively small sample of 55 men for a year - and none of their partners became pregnant.
However, it will be some time before the treatment is widely available.
The treatment is a combination of an implant containing the male sex hormone testosterone, which was replaced every four months, and a three-monthly injection of a progestin, a hormone used in female contraceptive pills.
The reversible treatment works by making use of the body's own natural system which is involved in initiating puberty.
The combination of the two hormones temporarily turns off the normal signals from the brain that stimulate sperm production.
But the process also turns off the man's own testosterone production - so he needs to be given extra doses of the hormone to keep him healthy and maintain his sex drive.
In the study, none of the couples used any other form of contraception, and no serious side effects were seen.
Once the treatment was stopped, normal fertility levels returned within a few months.
'IT WAS MY TURN'
Chris Hains, a Sydney policeman, is now the proud father of baby Connor. But before he and his wife decided to start a family, they took part in the trial of the male contraceptive. He said: "My wife Nicole was having problems on the female contraceptive pill so the doctor suggested she came off all contraceptive medication. "It was an opportunity for me to take part in the trial, and take on the burden of contraception." Around seven months after Chris stopped having the contraceptive injections, Mrs Hains became pregnant with their son Connor, who is now four months old.
Professor David Handelsman, who led the research, said: "This is the first time a reversible male contraceptive that will suppress sperm production reliably and reversibly has been fully tested by couples.
"This shows the way for a final product to be a single injection containing testosterone and a progestin which will easily be given by local doctors on a three-four monthly basis and still maintain male sexual health."
He said it was now up to pharmaceutical companies to develop their research into a usable drug.
Longer and larger trials were also needed, he said.
Previous attempts to develop an effective and convenient male contraceptive have encountered problems over reliability and side effects, such as mood swings and a lowered sex drive.
Dr Richard Anderson, a specialist in reproductive medicine at the Medical Research Unit Human Reproduction Sciences Unit in Edinburgh, said: "It's a very significant step forward.
"Nobody else has done real efficacy studies for a long time - and at the end of the day, that's what you need to do."
"How soon it is available depends on how much the pharmaceutical companies are going to become involved.
"Once they start developing a product, it could be available in just a few years."
Liz Davies, of Marie Stopes International, told the BBC: "We welcome any advance in contraception, and particularly those that broaden the options for men to take responsibility."
She said women were likely to feel able to trust their partners to have infrequent injections.
"Whether they would have confidence in a man having a pill every day is another thing."
The research is published in the Journal of Clinical Endocrinology and Metabolism.
As the subject says. Eric is the creator of sendmail.
http://www.sendmail.org/~eric/
...because the 'email' economy doesn't have to connect to the real economy, as long as you (or your ISP) sends roughly as many emails as you receive. Which is true of personal emails. Genuine mailing lists would need a free pass, which could be set up when you opt in. ISPs Of course, an ecash mechanism imposes a cost in CPU cycles. But spam prevention doesn't need as strong a mechanism as the real economy: even if the spammer manages to spend each incoming email 100 or even 1000 times, they still can't send enough to make money. Maybe an ecash algorithm can be devised to take advantage of that. The real problem is adoption. Unlike filtering, the above has to be applied to all or most of the email system; people can't adopt it on their own and expect to get any benefit.
He doesn't provide material directly to the combatants (spammers and spam fighters), but is more interested in helping the people on the ground. Think of it as support for NGOs like the Red Cross or Doctors without Borders. His software is used by both sides, but in real wars aid convoys get ambushed routinely.
At worst he'd be a medical or pharmaceutical company selling to the victims.
I think it is clear which side he wants to win, but his efforts are more dedicated to keeping email functioning than fighting spam.
It sounds like a good idea on the surface, but it won't work.
I got hit by a spammer last week who was changing his host names every couple of messages. And not just on the envelope - he was changing 'em in DNS because he had his own nameserver! He got shut down by the mid-level carrier after about 12 hours, during which my servers received thousands of messages that I had to block by IP. Today, though, I am getting the same stuff, now coming from a cracked cable-modem user.
Hundreds of the spams that hit here every day are sent from cracked systems connected to Comcast, RoadRunner, and Verizon DSL.
If you allow anyone to send mail, regardless of how that mail is encrypted or secured, the spammers will find a way to illegally take advantage of that legitimate mailserver and send their trash.
This is because they are criminals. Not "legitimate businessmen" and not "entrepreneurs exercising their freedom of speech". Criminals who purchase accounts with stolen credit card numbers and move on as soon as an ISP shuts them down.
That already exists.
It's called the Distributed Checksum Clearinghouse (http://www.rhyolite.com/dcc). I use the DCC as part of my SpamAssassin configuration (sitewide, called by Exim) and around 85% of spam I receive is already listed in the DCC. The latest version (2.60) of SpamAssassin, plus the SBL plus the DCC works as a very effective shield. My JE (link in the sig) describes my recent experience with SA 2.60.
Oolite: Elite-like game. For Mac, Linux and Windows
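The "lookout server" proposal from earlier in the thread, which the reply above says the DCC already provides, sketched as an added example that is not DCC's protocol or code. It assumes an exact SHA-256 over a case- and whitespace-normalized body, and the class name, server names, window and threshold are all hypothetical.

```python
import hashlib
import re
from collections import defaultdict

WINDOW = 3600     # assumed: seconds within which sightings are counted together
THRESHOLD = 0.5   # assumed: fraction of lookout servers that must see the message


def body_checksum(body: str) -> str:
    """Checksum of the body with case and runs of whitespace normalized."""
    normalized = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


class Clearinghouse:
    """Counts how many distinct lookout servers saw the same body recently."""

    def __init__(self, lookouts, threshold=THRESHOLD, window=WINDOW):
        self.lookouts = frozenset(lookouts)
        self.threshold = threshold
        self.window = window
        # checksum -> {lookout name: time of its most recent sighting}
        self.sightings = defaultdict(dict)

    def report(self, lookout: str, body: str, now: int) -> None:
        # Only registered lookouts may vote; otherwise anyone could
        # get a message marked as bulk by inventing reporter names.
        if lookout not in self.lookouts:
            raise ValueError(f"unknown lookout: {lookout}")
        self.sightings[body_checksum(body)][lookout] = now

    def reporters(self, body: str, now: int) -> set:
        seen = self.sightings.get(body_checksum(body), {})
        return {name for name, t in seen.items() if now - t <= self.window}

    def is_bulk(self, body: str, now: int) -> bool:
        # Distinct servers are counted, so one server reporting the same
        # message many times still contributes a single vote.
        share = len(self.reporters(body, now)) / len(self.lookouts)
        return share >= self.threshold

    def purge(self, now: int) -> None:
        """Forget sightings that have fallen out of the window."""
        for checksum in list(self.sightings):
            fresh = {n: t for n, t in self.sightings[checksum].items()
                     if now - t <= self.window}
            if fresh:
                self.sightings[checksum] = fresh
            else:
                del self.sightings[checksum]


def demo():
    # Constructed sample data: four lookouts and one repeated message body.
    ch = Clearinghouse(["mx1", "mx2", "mx3", "mx4"])
    body = "Buy  NOW\n\nlimited offer"
    for t in range(50):                 # one server, fifty sightings
        ch.report("mx1", body, t)
    alone = ch.is_bulk(body, 50)        # 1 of 4 servers
    ch.report("mx2", "buy now limited offer", 100)
    together = ch.is_bulk(body, 100)    # 2 of 4 servers
    later = ch.is_bulk(body, 3700)      # mx1's sightings have aged out
    return [alone, together, later]


if __name__ == "__main__":
    print(demo())
```

A count like this measures "bulk", not "unsolicited": a mailing list the recipient signed up for would cross the threshold too and needs a whitelist entry. An exact hash also only matches bodies that are identical after normalization.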
I had to kill one of the employee accounts a few weeks ago because she had clicked on an unsubscribe. I do all I can [spamassassin on webhost, mercury32, popfile, and my eyes] but that one got thru.
A while back I ran across a site that had been putting together who owns/sells/buys what. The jpg prints on 40" X 105" which is bigger than our HP755C [36"] and guess what the center blocks are comprised of only about 5-6 people.
The current regs/laws say if I "unsubscribe" that business can not send mail but says nothing about giving the "validated" info to all its child orgs and then passing it on.
You're another here suffering from TWHUA [talking with head up ass].
If the government would enforce the laws against fraud, deceptive advertising and some of the outwardly criminal schemes advertised via spam by following the money trail, it should put a big dent in the spamming business, perhaps enough that the trailer-court spam king seen on Slashdot lately would have to figure out something else to do.
I do not believe that a "do not spam" law would work; at worst, the law of unintended consequences guarantees we'll end up having to give John Ashcroft a sperm sample to get a license to run a mail server due to the slippery slope of regulation. At best, we'll have an empty law that punishes no one.
Instead we've got Ashcroft forming an American Schutzstaffel to protect us from ourselves, and his big anti-crime initiative is to go after people that make bongs. Gee, I feel safer already.
As long as people willing to commit fraud or other "entrepreneurs" feel they can lie, cheat and steal via email with no consequences they will, and someone will be willing to deliver the message for them. Get the seller via the money trail and you stop the spam, and can probably nail the spammer as an accessory as well.
The first question was, "What is spam?" This is much harder to answer than it at first sounds. For example, some people define spam as "any e-mail I don't want to get," even if the mail is for a list that they really did sign up for. As one panelist pointed out, some people really do want to receive pornography. Most people agreed that getting a newsletter that the recipient has actually requested is not spam. My personal take on the only "reasonable" definition comes down to consent: If you request that you receive something, it's by definition not spam. However, reselling such a list may or may not result in spam, and not everything unsolicited is spam.
It occurs to me that spam is better defined by the sender's intent rather than by the victim's lack of interest or want of it. I'd define spam to be randomly targeted bulk e-mail, similar to junk snail-mail. A blanket coverage message. The sender intends to sell the reader something, be it a product, idea, etc. I get bills in the mail all the time that I don't want, but they're different than junk mail in that they require attention, and are specifically targeted.
The spam problem has to do with the whole future of person to person communication, as well as the whole future of advertisement. Whichever way it will be solved, a very likely outcome is that in 10 years it will no longer be possible in any way to get in touch with someone you don't already know from outside the Internet, and the first decade of Internet will be looked back upon with nostalgia as the only decade of totally free communication. This is because the real problem lies in the initial contact.
You might argue that we can still communicate via boards, chat channels and similar things, where you can give out crypt-keys to those you wish to continue communicating with, but remember that these will be the next target for advertising after open email collapses. I'm sure advertisers will even write AIs to simulate people so that they can lure the crypt-keys from innocents.
I think such a product already exists. Lemme remember the name of the company that makes it... soft-something? Ah, there I remember: Softmicro!
So, using an unsubscribe link could work with those. Not sure however, whether typing ' or ''=' into the unsubscribe box would work: even the dumbest spammers have backups, unfortunately.
I just installed a spam filter for the first time, SpamPal. However, of the 50-70 spam messages I get per day (and perhaps 10-15 non-spam), it flags non-spam around 1% of the time, and lets spam through about the same percent. I can handle a few spams a week.
So my question really is, is the state of spam-filtering still improving, or have we reached a plateau where the spammers will just find more and more ways of defeating them? Much of the spam I receive contains characters like: Viagra so the filtering is a bit harder.
He who fights with monsters should see to it that he does not become a monster in the process. --Nietzsche
Why doesn't Slashdot mirror articles? The slashdot effect, while being somewhat charming, is frustrating. As long as slashdot would respect the "Disallow: /archives" robots.txt tag this should be ok, no?
I assume I am not the first person suggesting this, but anyway...
White listing may be the only way to go. Have a list of people that are allowed to send you messages in your mail client, which would drop mail from them straight to your inbox. Anybody not on the list gets dropped to the Junk folder, which you could sort through and add the people you wanted.
I honestly don't understand the logic of spammers. I've been contacted by a spamming service before (they spammed me offering their services), and it just blew my mind.
At this point, I think there is a mass-marketing laziness about the entire thing. In order to get the spam email through all the filters, you have to have a fake email address. You also have to keep changing email addresses, as the filters will pick up on your email address and you'll only get to use it once or twice at best.
And yet, with all this in mind, I still have received more than one spam talking about how wonderful spamming is as a marketing tool. Reach hundreds of millions, they advertise!
And in reality, get ignored by them.
Robert B. Marks
Author, Demonsbane in Diablo Archive
Personally, I don't buy that that is true, but it's completely irrelevant to my point. Even if most spam does currently originate in America, if the U.S. somehow passes and enforces an effective anti-spam law, there is effectively zero cost involved in these spammers moving their business out of the States and still spamming Americans.
;-)
This is only half of it. Apparently much of the spam received outside the US originates from Florida. I can't see this changing, even if the US passes an anti-spam bill since it will presumably only apply to spamming Americans.
What it needs is a multi-lateral agreement. Perhaps it could be done through the UN.
Laws are only effective if the punishment is strong enough deterrence. It is what keeps the chaotic neutral in check (I being one of them). A do not spam list will only give the disreputable a list of good targets, hoping to catch that 1 in a million, drunk, at the pc, with a Visa card. I believe legislation only works when it has teeth.
/.end pipe dream./
And as for educating lUsers, don't waste your time. Unless it is with a spam campaign?? Or perhaps threatening lUsers with hostile military action??
Die spammers Die
An email should be registered. Older email addresses could be more trusted than super new ones.
"If everyone would just ..."
I hear those words about spam and proposed solutions all the time. But the fact is, and will always remain so, that you cannot get absolutely everyone to do so (whatever that might be).
Consider the first possibility: "if everyone would just stop sending spam". Most of the spam comes from about 200 or so different spam gangs. Most of the rest comes from a few thousand naive victims that try it once or twice, get cut off, and never do it again (and thus losing their investment into the spamware and "list of millions" they paid some spamgang for). Already, 99.999% of internet users do not send spam. A solution that requires getting so close to a perfect 100% just isn't possible.
Now for the second possibility: "if everyone would just stop reading the spam and buying from spammers". Spam works because the cost to spam senders is so utterly low, that even sending to every internet user is a lower cost than trying to trim the list down to those few people that really want what the spammers are peddling. This goes along with "just press delete". But it doesn't take much in response for the spammers to actually make a profit from their spam runs. And spammers for hire are making money even if their clients lose money, so as long as there is a supply of naive vendors who are willing to part with their money to get a spam run in their name, spammers profit. Again, this is a case where closing the gap between 99.99% of people who don't even read the spam and the 100% needed to make spammers and their clients go away, is just not going to happen.
But there is a third possibility: "if everyone would stop using ISPs that permit spam". If even so much as 50% of users who are using ISPs that permit spamming were to cancel and switch to a better ISP that doesn't, that would definitely have a substantial effect on that ISP. I bet even 10% would get noticed, although I think a bit more, like 25%, might be needed to get some of the worst ISPs to act. Of course many people do whine about things like "there is only one ISP here" (not anywhere near 50% face this problem) and "it costs me money to switch" (it costs the victims of spammers even more money for you to continue to support an ISP that is able to give you a discount by accepting pink money from spammers). If we were to simply identify the top 10 worst ISPs for permitting spam to come from or through their network, and get a whopping 25% to 50% of their customers to leave (preferring to go to the top 10 best ISPs for not permitting any spam in or out), this would make a substantial impact and cause some CFOs to panic. And this doesn't require anywhere near 99% to be a successful anti-spam campaign.
The above campaign can also be pushed harder if many of us refused to accept email from those ISPs (and thus anyone in their network) as a sort of boycott against spam support. Of course there will be whiners here, too, saying "You have no right to block my email since I don't send spam" (but if they are supporting a spammer anyway, guess what).
My whole point is that we need to avoid any "solutions" that make it necessary for absolutely everyone to do something. There will be plenty of people that won't. Instead, the solutions we need are the ones which only require a practical number of people to take that action. If you don't like the ones I propose, then propose your own and say how many people would have to act to make it work.
now we need to go OSS in diesel cars
I doubt there will ever be an effective defense against spam, just like its predecessors we really haven't solved the overall issue of identifying it or making it unattractive to the sender.
Some random points to ponder:
1) What is spam, one man's spam is another man's ham, so there is NO universal measure (although some good approximations).
2) We've never managed to shut down the telemarketers' cold calling. They're not too much of a nuisance (depending on your definition of nuisance - why do they always call at meal times?) as they have to pay a significant cost per call, and automation is largely unsuccessful.
3) Junk mail is also costly to send, compared to email, and I still get lots of that.
I suspect the real answer, much like with junk mail, is to move house occasionally. It feels rather like giving in to me though.
Luckily this is easier with email than real life, but still a royal pain. Meanwhile Bayesian filtering is the best I've found so far.
I think the thing that will kill spam is the success of email marketing. I work at a company that does email marketing - i.e. - VERY targeted campaigns (usually under 1,000 recipients, most of whom have some sort of business relationship with the client), easy ways to unsubscribe, always a valid reply-to address, etc. The results are great - we usually get about 80% opens and 10-30% click-throughs. We have one list/service that has 1,000 emails and gets 500 click-throughs when we send to it!
I get frustrated when I hear about ClickZ calling an email campaign to 800,000 people, where many people got the email up to six times, and they got a 4% open rate with a 4% click-through rate OF THE OPENS (i.e. - a 0.16% click-through rate), and called it a great success. Email marketing is a great tool, but spam really hurts it.
For example, I _love_ getting my email at half.com telling me that a book I want is available at the price I was looking for it. It doesn't even seem like marketing. It's cheap, trackable, targeted, and they can load it with whatever other marketing message they want, too.
Anyway, one thing that annoys me about slashdot is that everyone seems to think that all email-marketing is spam, when there are at least some of us that are trying to do the right thing.
We actually have customers that we tell them _not_ to use our service because they don't have a legitimate list. We tell them to start right now and get everyone's email address they can - have places on every form for people to get their email address, have a "newsletter sign-up" link on their website, etc., and then call us in a year with the list they put together and we'll help them with a campaign.
Engineering and the Ultimate
why is this a troll again?
i sincerely do not understand 90% of slashdot moderations.
The easy solution to spam is to make the identity of the spammer known to all.
Do their neighbors know that they live next door to a spammer?
When a customer walks into your store, do you know if they are a spammer?
When someone hits on you at a bar, do you know if it's a spammer who is hitting on you?
When you're on highway patrol and catch someone speeding, do you know if it is the spammer that is speeding?
When you walk down the sidewalk and pass by a car parked on the street, do you know if it is the spammer's car?
When your kids go to school, do they know the spammer's kids?
When you are delivering (paper) mail, do you know if it is the spammer's mail?
When you are serving food to someone, do you know if you're serving food to a spammer?
When you receive a call to 911/poison control, do you know if this is a spammer calling 911/poison control?
Spam is a community problem, and the community is the one best able to deal with it.
All the community needs is information.
The problem will solve itself.
In their configuration management department - until they laid off 40% of the work force. It was a nice place to work. That was my last permanent position. Nothing but short term contract jobs since then.
Eric, if you're reading this, I could sure use a job.
-- Will program for bandwidth
Try www.paulgraham.com instead. The .org address is a photographer in Glasgow :-)
No, at best, we'll rather have a law that means jail time at least for recidivist spammers.
They need some drastic illustration of the harm their "business" can do.
The proverbial one night with Bubba in Cell Block 3 should finally teach them to never ever try and sell penis enlargements again. Oh, and by the way, please webcast close-up video account of their experience to that lovely town of Spam Haven (somewhere in Florida IIRC).
Make your lawmakers make laws... Call your congresscritter now!
The solution there is fairly simple. Spammers have a product they want to sell. That product will usually originate in the country where the spam recipient lives (ie: U.S.A.), so even if the spammer hides behind foreign remailers you can still identify one of the parties that are within U.S. jurisdiction. The government can therefore lay a charge of "conspiracy to deliver spam" against John Doe and the U.S.-based company that contracted the spammer.
The key is not to whitelist, blacklist, etc. The key is to make mass emails impossible.
The answer should be obvious. What do you care if your email to your Aunt Millie takes 20 seconds to send?
All sendmail or other mailers should demand a pain-toll before allowing you to pass. The toll should be plug-in, so that while there's always the first (common) one to fall back on and so new ways to get approval (such as $-based, blacklists, whitelists, etc.) can be added.
But at core, the common one should be a painful calculation -- a large public/private key handshake, for example. If the spammer has to buy a Cray to send out 10000 emails, then WE WIN.
The problem with this is that it demands a sendmail replacement. Everybody needs to have the sending component to get email to those with a pain-toll-based receive version.
But the advantage is huge. Imagine a world where you can decide to allow all emails in for either:
a. A 10 cent donation to UNICEF
b. Those with a public key in your database (known friends/whitelist)
c. Those willing to do a 10000 byte key encrypt/decrypt function (one which goes fast on YOUR end).
SPAM as we know it simply GOES AWAY.
I would hasten to add that actual $-based systems can be added but are entirely optional.
As you might imagine, he's on our side, and he does a good job of clearly describing the current state of spam, and the possible solutions."
I'm a spammer, you inconsiderate clod!
Then I can't become rich by helping out the family of a deceased Nigerian warlord? WHY are u people SO selfish??
Come on Taco, help him out with a direct link to the FAQ!
I must say I am frustrated this morning at not being able to read the article. Acmqueue seems to be complete toast.
Read Epic the first RPG novel.
All I get is:
Fatal error: Call to undefined function: message_die() in db/db.php on line 88
When I try to access the link. I really want to read this, can anyone help?
HashCash has some limitations that make it unworkable in the wild. The one I noted is that it is necessary for the recipient (e.g. the one who is trying to cut back on the costs imposed by spammers) to keep track of the stamps that have been spent, up to the expiration period. Further, the costs imposed by spammers are still imposed anyway, if the server is not the one verifying the stamps (and thus also keeping a database of spent stamps for every user it serves).
HashCash would also be a burden on legitimate mailing lists. Of course, to solve that problem, whitelisting of the mailing list would be used. But it tends to be inconvenient to whitelist during subscription. This could be solved by using the HashCash only on the initial signup confirmation, and whitelist thereafter for the bulk mailings. But this still has a problem. I get lots of spam already that mimics mailing lists I am on, using the mailing list itself as the sender, and my tagged email which I signed up with as the recipient. So having whitelisted it lets the spam in, and spammers will make more use of this technique by including such details in their spam lists.
If HashCash could be modified to also include information only the real sender can prove she has, without revealing it in the ability to verify it (e.g. PKC), that might help.
now we need to go OSS in diesel cars
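The spent-stamp bookkeeping raised in the HashCash comment above, and the "slow for the sender, fast on your end" toll from the earlier pain-toll comment, as an added example that is not part of either comment. It is a simplified Hashcash-style scheme: the stamp field layout, SHA-256, `BITS` and `VALID_DAYS` are assumptions of this sketch, not the real Hashcash format.

```python
import hashlib
import secrets
from datetime import date, timedelta

BITS = 12        # work factor, kept small so the example runs quickly
VALID_DAYS = 2   # acceptance window; also how long spent stamps are remembered


def zero_bits(stamp: str) -> int:
    """Number of leading zero bits in SHA-256(stamp)."""
    digest = hashlib.sha256(stamp.encode()).digest()
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(recipient: str, day: date, bits: int = BITS) -> str:
    """Sender: brute-force a counter (about 2**bits hashes on average)."""
    prefix = f"1:{bits}:{day:%y%m%d}:{recipient}::{secrets.token_hex(8)}:"
    counter = 0
    while zero_bits(prefix + format(counter, "x")) < bits:
        counter += 1
    return prefix + format(counter, "x")


class StampVerifier:
    """Receiver: one hash per check, plus the spent-stamp ledger."""

    def __init__(self, recipient: str):
        self.recipient = recipient
        self.spent = {}  # stamp -> last day it would still be accepted

    def check(self, stamp: str, today: date) -> str:
        # Stamps past the window fail the date test, so they can be forgotten.
        self.spent = {s: d for s, d in self.spent.items() if d >= today}
        try:
            _ver, bits, ymd, rcpt, _ext, _rand, _ctr = stamp.split(":")
            minted = date(2000 + int(ymd[:2]), int(ymd[2:4]), int(ymd[4:6]))
            claimed = int(bits)
        except ValueError:
            return "malformed"
        if rcpt != self.recipient:
            return "wrong-recipient"
        if claimed < BITS or zero_bits(stamp) < claimed:
            return "insufficient-work"
        if not timedelta(0) <= today - minted <= timedelta(days=VALID_DAYS):
            return "outside-window"
        if stamp in self.spent:
            return "replayed"
        self.spent[stamp] = minted + timedelta(days=VALID_DAYS)
        return "ok"
```

The ledger only ever holds stamps from the last `VALID_DAYS` days, which bounds the storage cost the comment describes but does not remove it.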
Here's a spam-fighting idea - I haven't read of ideas similar to this one.
Not all spam wants you to spend money using a credit card (CC). But for those that do, allow a CC transaction to be labeled as "Spam".
This CC transaction is essentially contested by the customer contacting the CC company, providing a copy of the e-mail and details about the transaction. The CC tells the vendor that the customer really didn't want the item, instead the customer wanted to "tell" on the vendor -- that the vendor is sending spam.
Vendors with too many transactions labeled as "spam" have their accounts terminated.
Yes, there are holes in this: people angry at a company could tag transactions with that company as "Spam". Spammers could advertise for vendors that have no idea that customers are being led there via spam. It can be a pain to go through the entire buying process. Most sites these days require the CC's matching billing address be provided. The item could have been delivered by the time the vendor is notified.
(hmm... maybe it needs some work)
State and federal laws will not eliminate spam. It is nice to have these guys on our side but spam is bigger than the federal or state governments. The bad guys will just move off shore to avoid the laws if they are enacted.
Like it or not, the internet is anarchistic in nature and it allows both good and bad things to happen because of that nature. Spam to me is like pollution, it will take the cooperation of many nations to bring it under control and it is doubtful that even if that cooperation happens that it will be eliminated.
I don't think that the internet is ready to have a real but virtual government, although a set of virtual laws regulating spam and other criminal behavior that could be enforced across international boundaries would be nice; it would also be restrictive. The politics would ruin the potential of the internet and it would be a nightmare to make fair for everyone.
For the time being, yes we should have local, state, and federal laws passed that regulate spam but some of the responsibility should be put on the user's end. The laws could require ISPs to filter UCE and they could require tools be built into email clients that would allow recipients to submit (report) the UCE that they receive to a central repository that the ISPs could draw their filter info from. This would be analogous to the requirements put on automakers to prevent pollution. As motorists, we are required to purchase unleaded gas and to have catalytic converters.
----- The following addresses had permanent fatal errors -----
... while talking to localhost.ftc.gov.:
uce@lhasa.ftc.gov
(reason: 554 Transaction failed, No space left on device)
(expanded from: <uce@ftc.gov>)
----- Transcript of session follows -----
>>> DATA
554 5.0.0 Service unavailable
ms
That's a rather cogent observation... sorry I don't have mod points today.
I'm coming to the conclusion that what is necessary is to attack the "making money" part of spam. One way that might work is similar to the "release gadzillions of sterile loathsome parasites" method that eradicated the screwworm fly in the U.S.
Or, spam them back.
If the spammers get hundreds of thousands of bogus requests for more information or signups on their web page (signing up other spammers, of course) for every legitimate one, they could never find the dollar bills buried in all the crap.
What it would take would be an Eliza-like program to convert a spam into a request for more information, and (more complicated) a program to download a web page, find the form, and fill it in with data that looks legit enough that it will take a human followup attempt to determine its bogosity.
Yes, this would result in more network traffic wasted in the short run. In the long run, if it were to make spam uneconomical, it might be a net gain.
If people would be willing to fundamentally change the protocol used for email, there would be a pretty simple solution for Spam, and untraceable email in general - sender-hosted email.
The fundamental problem is that email is sent to a receiving server immediately, which receives it without much in the way of caring where it comes from. The sender might be illegitimate, or even gone by the time the receiver checks the email. The receiver pays for the storage resources - this is receiver-hosted email.
The solution is a protocol that doesn't send email - rather, only a header is sent, and the message itself is stored for retrieval on a host that the sender runs, or pays for. The header contains the reference to the waiting message which is retrieved when the receiver wants to read it (and marked as read so the sender can automatically delete it).
What this means for spam - the spammers pay for their own email servers - no free rides. The mail is absolutely traceable - it must be on the specified server to retrieve it. And if the spammer account goes away for abuse, so does the email - spammers can no longer shotgun a million messages from a sacrificial account.
Security issues would be more of a problem, but are fairly easily solvable.
Alas, I have no time to pursue this idea. Too bad, 'cause I'm on the verge of just giving up email entirely.
Spammers will exist as long as somebody pays them to send unwanted messages. Any legal or economic remedy has to allow for the punishment of companies that use spam for advertising, in addition to the delivery service. Kill off the customers, and the business of spamming will become much more difficult.
Focus on opt-in vs opt-out solutions is also half-baked. You probably don't know whether you've ever opted in to an agreement containing fine print that says "this agreement establishes a transferable, ongoing business relationship". If you have, then you're toast regardless of any existing or proposed law, since there's no real control over what the European Union's privacy framework calls "onward transfer" of information unless what's given once can later be taken away.
Do-not-spam lists will not work effectively unless they contain provisions to retroactively revoke any previous permissions. Requiring annual renewal of any opt-in permissions is probably going to be necessary.
Taxation without representation is tyranny! Statehood for DC, Puerto Rico, Virgin Islands & Pacific Territories!
"The first, double opt-in, requires that a subscriber e-mail two messages to get on a list. The first message requests addition of thus-and-such address (this first message can be done via a Web form, e-mail, or even scanned badges at a conference). The list owner then sends a confirmation ("challenge") message saying, "If you really want to subscribe, reply to this message"--usually with some random number in the subject to prevent guessing. Only when that reply is received is the address added to the list."
This is not "double opt-in", this is "confirmed opt-in". Accept no substitutes.
The second is confirmed opt-in. It works exactly like double opt-in, except that the confirmation message says, "You have been added; do this if you want to unsubscribe."
A more accurate name for this would be "confirmed opt-out".
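The two list behaviours contrasted in the comment above, as an added example that is not part of the comment or the quoted article. The `MailingList` class, its method names and the message wording are hypothetical; it shows what happens when a third party submits someone else's address under each scheme.

```python
import hmac
import secrets


class MailingList:
    def __init__(self, add_before_confirmation: bool):
        # False: address joins only after the challenge is answered.
        # True:  address joins at once and must act to get off the list.
        self.add_before_confirmation = add_before_confirmation
        self.members = set()
        self.pending = {}   # address -> random token sent in the subject
        self.outbox = []    # (recipient, subject) pairs the list has "sent"

    def request(self, address: str) -> None:
        """Anyone can submit any address: web form, e-mail, scanned badge."""
        token = secrets.token_urlsafe(16)  # unguessable, per the quoted text
        self.pending[address] = token
        if self.add_before_confirmation:
            self.members.add(address)
            subject = f"You have been added; to unsubscribe reply with {token}"
        else:
            subject = f"If you really want to subscribe, reply with {token}"
        self.outbox.append((address, subject))

    def reply(self, address: str, token: str) -> bool:
        """Handle a reply to the challenge; only the mailbox owner has the token."""
        expected = self.pending.get(address)
        if expected is None or not hmac.compare_digest(
            expected.encode(), token.encode()
        ):
            return False
        del self.pending[address]
        if self.add_before_confirmation:
            self.members.discard(address)
        else:
            self.members.add(address)
        return True
```

With `add_before_confirmation=True`, a forged request leaves the victim on the list until they take action, which is the behaviour the commenter calls "confirmed opt-out".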
After all, the one main reason we get spam is that spamming is profitable. If people stop ordering Viagra and cable descramblers from strangers who email them, there will be no point in keeping it up. Maybe we should make it easier for ppl to have anonymous access to sleaze, which seems to be the major selling point of spam.