Slashdot Mirror
SendMail CTO Sounds Off On Spam and FTC
CowboyRobot writes "Eric Allman takes his well-deserved turn in commenting on the state of spam, the dark future, and the need for intervention.
He calls spam an "arms race" where "in the long run everyone loses (except the arms dealers)."
As you might imagine, he's on our side, and he does a good job of clearly describing the current state of spam, and the possible solutions."
of the do not spam registry that they mention in the article. But it seems like a real pipe dream considering how much trouble there has been getting the do-not-call registry up and running.
Also, most telemarketing is done from in-country because of LD charges. Not so with e-mail. It's pretty hard to enforce US laws on a Taiwan spamhaus.
Ah well, every little voice against spam warms me a little at least.
lysergically yours
....the more I realize that no amount of technology or legislation is ever going to completely eradicate spam from our lives. More and more it seems to me that the only way we can get rid of spam is through educating the next generation of Internet users to ignore it.
Spammers spam because they make money. Educate people to ignore spam, and the spammers don't make money. Bingo, no more spam!
I know it sounds like a pipe dream, but what other options are there?
SCREW THE ADS! http://adblock.mozdev.org/ Proud user of teh Fox of Fire - Registered Linux User #289618
I am sorry to tell you that you dont understand the average internet user at all. Installing any such spam filter or tool is well beyond the capability of 95% of the users atleast. Classifying mails as "spam" and "ham" and training the bayes engine and all are good for geeks, but not for the average user.Belive me for this. For him/her, these are just unacceptable solution and spammers exploit this weak point. As long as substantial chunk of users are non-geeks, spammers can flourish.And anti-spam laws are relevent in this context.
http://www.nasirudheen.blogspot/
When 99% of the spam on the internet passes through your product at some time, I'd say you should have an opinion.
Why can't certain specified mail servers be something like the look outs. If a certain percentage of them recieve the same email in a specified amount of time then they can designate it as spam and delete it from all the mail servers. then ISP's could subscribe to the "lookout server" list and delete any messages that have been designated as spam?
http://Lenny.com
Your last paragraph, however, shows that nevertheless you completely don't get it, and, by completely, I mean that you really sound as clueless as can be on the topic of spam.
Let's see how many standard spam-thread replies are required for your two sentences of nonsense at the end.
- SPAM is an arms race - single tools don't work, because eventually they will be beaten, as has happened to ALL tools as yet, including bayesian filters.
- SPAM tools such as you suggest are basically for the 3l337. you are basically saying "spam is not my problem if *I* can avoid it. this is a) antisocial and b) bs, because
...
- your note does not in any way address those billions of dollars of bandwidth wasted before spam gets to your personal box.
- if you stop 99% of spam now, by a rough guesstimate of what the parent article alluded to, you can roughly expect to get 100 times more spam than you currently do in 2.5 years time. ergo, problem not solved.
- you still haven't worked on the issue of spam definition.
In short, any article, post, or message that claims that Product X is an acceptable solution to SPAM just doesn't get it.All you can do is look at the spam industry itself, and ask, "why wouldn't they harvest opt-outs for future spamming?" By opting out, after all, you've just given proof that the email address in question is valuable to you. Why wouldn't they want to take advantage of that piece of information. Do you think spammers suddenly adopt scruples on this point? Given how unscrupulous spammers are in every other aspect of what they do, I think it's absurd to think they treat opt-out lists with any integrity.
That opt-out lists will be abused by spammers is common-sense. I think the burden of proof is on you to show otherwise.
I'm generally "Interesting," "Insightful," and even "Funny" here. What the hell happens to me at parties?
How about the story the other day where they actually interviewed a spammer who said he "loved" unsubscribe emails?
It may well be an "anecdote," but it's an anecdote straight from the pigs mouth.
KFG
Spammer ahoy! Lock up your open relays! Ready your blocklists!
In case you didn't bother reading the article, it mentioned that the volume of spam was doubling every 10 weeks. This is nothing short of a threat to the viability of email itself. Would you even bother opening your inbox, if you knew that you would have to delete several thousand irrelevant, unwanted and (in many cases) fraudulent emails just to get to the 10 or 20 useful ones from friends and family? Spammers are intensely selfish - being quite happy to abuse the network infrastructure provided and paid for by others for their own gain.
Your statement about the meaninglessness of the internet shows that you haven't a clue (outside of those spam-rimmed spectacles) what the Internet is about. People do not wish to be deluged with unsolicited junk any more than the likes of Alan Ralsky likes receiving tons of junk snail mail.
Of course, you can try to prove me wrong - post your email and real address and let's see if you can swallow your own medicine.
Well, you can do your own research, but I've both read interviews with and had personal conversations with spammers who do this. You'd need alot more time and bandwidth than I have lying around to scientifically test it, but I know for a fact that some spammers do so. They certainly don't respect the opt-out links, which begs the question [shut the fuck up, anyone who wants to argue with me about what that means]: Why have them at all?
Do it yourself. Find a few unsubscribe links in some of the dodgier spams that include the email address they were sent to in them. Replace that address with a new non-guessable (and disposable!) email address and "unsubscribe", if you suddenly get spam on that account, then you've just disproved your call of "bullshit". Can't argue with evidence you've gathered yourself, can you?
OTOH, I did read an article about a guy who *did* unsubscribe from everything to see what effect it would have, and his spam level did go down. Whether that would still hold or not is another story, but I certainly wouldn't recommend anyone unsubscribe from a spam list.
UNIX? They're not even circumcised! Savages!
OK, at first you were just the usual whinging slashbot, repeating the "Sendmail is BAD" mantra that people who've never run major mailserver like to parrot. (With the usual complaints, which all sound like "Ford cars must be slow, because the Model T was slow, and they must all be broken, because the Ford Motor Co. has had recalls where they fixed cars for free".)
Then you mentioned "MS Exchange developers" in the same breath as Wietse Venema and Dan Berstein, and finished off by calling Allman a "suit".
You must be a troll, then! Or profoundly, phenomenally ignorant.
If you remember this article from the nytimes posted a while back. This guy really seemed to appreciate out of office reply. An anecdote? Yes, but from a self-proclaimed spammer.
Spam may be the most profitable, but far from the most successful. Considering the amount of capital needed to run a spam/scam campaign, it is virtually all profit. Analysts estimate Google has annual revenue of 60M to 100M, and I have never heard of Google spamming. Our 2002 annual revenue was just over 48M, and we have never spammed. Targeted advertising is far more successful than any spam campaign.
Most spam emails I see in my Inbox are scams, bogus prescription drugs, and Web site affiliates violating their related site TOS. Spammers would never be able to generate revenue comparable to the top Internet properties.
Pete Carr Owner Chatmag.com
...because the 'email' economy doesn't have to connect to the real economy, as long as you (or your ISP) sends roughly as many emails as you receive. Which is true of personal emails. Genuine mailing lists would need a free pass, which could be set up when you opt in. ISPs Of course, an ecash mechanism imposes a cost in CPU cycles. But spam prevention doesn't need as strong a mechanism as the real economy: even if the spammer manages to spend each incoming email 100 or even 1000 times, they still can't send enough to make money. Maybe an ecash algorithm can be devised to take advantage of that. The real problem is adoption. Unlike filtering, the above has to be applied to all or most of the email system; people can't adopt it on their own and expect to get any benefit.
He doesn't provide material directly to the combatants (spamers and spam fighters), but is more interested in helping the people on the ground. Think of it as support for NGOs like the Red Cross or Doctors without Borders. His software is used by both sides, but in real wars aid convoys get ambushed routinely.
At worst he'd be a medical or pharmacetuical company selling to the victims.
I think it is clear which side he wants to win, but his efforts are more dedicated to keeping email functioning than fighting spam
It sounds like a good idea on the surface, but it won't work.
I got hit by a spammer last week who was changing his host names every couple of messages. And not just on the envelope - he was changing 'em in DNS because he had his own nameserver! He got shut down by the mid-level carrier after about 12 hours, during which my servers received thousands of messages that I had to block by IP. Today, though, I am getting the same stuff, now coming from a cracked cable-modem user.
Hundreds of the spams that hit here every day are sent from cracked systems connected to Comcast, RoadRunner, and Verizon DSL.
If you allow anyone to send mail, regardless of how that mail is encrypted or secured, the spammers will find a way to illegally take advantage of that legitimate mailserver and send their trash.
This is because they are criminals. Not "legitimate businessmen" and not "entrepreneurs exercising their freedom of speech". Criminals who purchase accounts with stolen credit card numbers and move on as soon as an ISP shuts them down.
That already exists.
It's called the Distributed Checksum Clearinghouse (http://www.rhyolite.com/dcc). I use the DCC as part of my SpamAssassin configuration (sitewide, called by Exim) and around 85% of spam I receive is already listed in the DCC. The latest version (2.60) of SpamAssassin, plus the SBL plus the DCC works as a very effective shield. My JE (link in the sig) describes my recent experience with SA 2.60.
Oolite: Elite-like game. For Mac, Linux and Windows
If the government would enforce the laws against fraud, deceptive advertising and some of the outwardly criminal schemes advertised via spam by following the money trail, it should put a big dent in the spamming business, perhaps enough that the trailer-court spam king seen on Slashdot lately would have to figure out something else to do.
I do not believe that a "do not spam" law would work; at worst, the law of unintended consequences guarantees we'll end up having to give John Ashcroft a sperm sample to get a license to run a mail server due to the slippery slope of regulation. At best, we'll have an empty law that punishes no one.
Instead we've got Ashcroft forming an American Schutzstuffel to protect us from ourselves, and his big anti-crime initiative is to go after people that make bongs. Gee, I feel safer already.
As long as people willing to commit fraud or other "entrepenuers" feel they can lie, cheat and steal via email with no consequences they will, and someone will be willing to deliver the message for them. Get the seller via the money trail and you stop the spam, and can probably nail the spammer as an accessory as well.
The first question was, "What is spam?" This is much harder to answer than it at first sounds. For example, some people define spam as "any e-mail I don't want to get," even if the mail is for a list that they really did sign up for. As one panelist pointed out, some people really do want to receive pornography. Most people agreed that getting a newsletter that the recipient has actually requested is not spam. My personal take on the only "reasonable" definition comes down to consent: If you request that you receive something, it's by definition not spam. However, reselling such a list may or may not result in spam, and not everything unsolicited is spam.
It occurs to me that spam is better defined by the sender's intent rather than by the victim's lack of interest or want of it. I'd define spam to be randomly targeted bulk e-mail, similar to junk snail-mail. A blanket coverage message. The sender intends to sell the reader something, be it a product, idea, etc. I get bills in the mail all the time that I don't want, but they're different than junk mail in that they require attention, and are specifically targeted.
The spam problem has to do with the whole future of person to person communication, as well as the whole future of adverticement. Whichever way it will be solved, a very likely outcome is that in 10 years it will no longer be possible in any way to get in touch with someone you don't already know from outside the Internet, and the first decade of Internet will be looked back upon with nostalgia as the only decade of totally free communication. This is because the real problem lies in the initial contact.
You might argue that we can still communicate via boards, chat channels and similar things, where you can give out crypt-keys to those you wish to continue communicating with, but remember that these will be the next target for adverticing after open email collapses. I'm sure adverticers will even write AI's to simulate people so that they can lure the crypt-keys from innocents.
OK: here's a year-old ComputerWorld article documenting a study that did exactly that. Its title? Unsubscribing from spam counterproductive.
The best anecdote/example/statistic?So this study found that unsubscribing made spam volumes more than double.
Feeling better now?
Back in the '80s, all sorts of open forwarding were great ideas. Do you remember having to put someone%domain@att.com because AT&T seemed to have better routing abilities than your local box?
Root access always was a hack, but it is a quick and easy way to get around file permissions. Back before pop/imap when everyone read directly from $MAIL, you needed a way to restrict mail to the user and the sendmail program. Who bothered with complicated groups just for that?
I agree that these justifications have gone the way of the dodo, but anyone who's been around understands where they came from.
I'm not trying to defend how sendmail works today, just to explain why those features are present. Personally, I prefer the old "trust everyone" model for mail than the insanity that we have today, but that isn't realistic. DJB's paranoia is useful thing in these modern times.
- doug
By what I've seen, you are not removed. For those of us that have shell access to our mail files (/var/mail/whatever):
vi your mail file and take a look at some of the 'opt-out' links. Many, many times, they're dead, non-functioning links, that are a) not remotely related to any other link within the email or b) malformed so as to return an error. I look at my mail file this way every day and run into this pretty consistently.
One of the things mumblestheclown is pointing out is that the fact that you personally are currently managing to filter out your spam is *not* sufficent evidence to prove that the software you are using will be an effective long-term solution.
The software you're using (however clever it is, however hard it tries to "learn" new types of spam), has easily exploitable flaws. The spammers haven't gotten around to exploiting them because it probably hasn't seemed worth their while--probably not enough people are using the same type of filter yet. But they will, eventually. At which point filters that take a fundamentally new approach will be required. Which the spammers will eventually figure out a way around. Etcetera.
Most spam filters are designed with the goal of filtering out spam that is similar to currently circulating spam; they make no attempt to resist an intelligent person who has spent some time thinking about how to circumvent the filter.
Bayesian filters are no exception here.
--Bruce Fields
> They harvest verified email addresses and track them seperatly (and in addition to) ones they harvest from un-verifed sources like lists they buy from other spammers, the web, or usenet.
Look, I'm going to type this very, very slowly to make it easy for you.
And. Then. They. Do. What. With. Them?
If you were blocking sigs, you wouldn't have to read this.
"If everyone would just ..."
I hear those words about spam and proposed solutions all the time. But the fact is, and will always remain so, that you cannot get absolutely everyone to do so (whatever that might be).
Consider the first possibility: "if everyone would just stop sending spam". Most of the spam comes from about 200 or so different spam gangs. Most of the rest comes from a few thousand naive victims that try it once or twice, get cut off, and never do it again (and thus losing their investment into the spamware and "list of millions" they paid some spamgang for). Already, 99.999% of internet users do not send spam. A solution that requires getting so close to a percet 100% just isn't possible.
Now for the second possibility: "if everyone would just stop reading the spam and buying from spammers". Spam works because the costs to spam senders is so utterly low, that even sending to every internet user is a lower cost than trying to trim the list down to those few people that really want what the spammers are peddling. This goes along with "just press delete". But it doesn't take much in response for the spammers to actually make a profit from their spam runs. And spammer's for hire are making money even if their clients lose money, so as long as there is a supply of naive vendors who are willing to part with their money to get a spam run in their name, spammers profit. Again, this is a case where closing the gap between 99.99% of people who don't even read the spam and the 100% needed to make spammers and their clients go away, is just not going to happen.
But there is a third possibility: "if everyone would stop using ISPs that permit spam". If even so much as 50% of users who are using ISPs that permit spamming were to cancel and switch to a better ISP that doesn't, that would definitely have a substantial effect on that ISP. I bet even 10% would get noticed, although I think a bit more, like 25%, might be needed to get some of the worst ISPs to act. Of course many people do whine about things like "there is only one ISP here" (not anywhere near 50% face this problem) and "it costs me money to switch" (it costs the victims of spammers even more money for you to continue to support an ISP that is able to give you a discount by accepting pink money from spammers). If we were to simply identify the top 10 worst ISPs for permitting spam to come from or through their network, and get a whopping 25% to 50% of their customers to leave (preferring to go to the top 10 best ISPs for not permitting any spam in or out), this would make a substantial impact and cause some CFOs to panic. And this doesn't require anywhere near 99% to be a successful anti-spam campaign.
The above campaign can also be pushed harder if many of us refused to accept email from those ISPs (and thus anyone in their network) as a sort of boycott against spam support. Of course there will be whiners here, too saying "You have no right to block my email since I don't send spam" (but if they are supporting a spammer anyway, guess what).
My whole point is that we need to avoid any "solutions" that make it necessary for absolutely everyone to do something. There will be plenty of people that won't. Instead, the solutions we need are the ones which only require a practical number of people to take that action. If you don't like the ones I propose, then propose your own and say how many people would have to act to make it work.
now we need to go OSS in diesel cars
I think the thing that will kill spam is the success of email marketing. I work at a company that does email marketing - i.e. - VERY targetted campaigns (usually under 1,000 recipients, most of whom have some sort of business relationship with the client), easy ways to unsubscribe, always a valid reply-to address, etc. The results are great - we usually get about 80% opens and 10-30% click-throughs. We have one list/service that has 1,000 emails and gets 500 click-throughs when we send to it!
I get frustrated when I hear about ClickZ calling an email campaign to 800,000 people, where many people got the email up to six times, and they got a 4% open rate with a 4% click-through rate OF THE OPENS (i.e. - a 0.16% click-through rate), and called it a great success. Email marketing is a great tool, but spam really hurts it.
For example, I _love_ getting my email at half.com telling me that a book I want is available at the price I was looking for it. It doesn't even seem like marketing. It's cheap, trackable, targetted, and they can load it with whatever other marketing message they want, too.
Anyway, one thing that annoys me about slashdot is that everyone seems to think that all email-marketing is spam, when there are at least some of us that are trying to do the right thing.
We actually have customers that we tell them _not_ to use our service because they don't have a legitimate list. We tell them to start right now and get everyone's email address they can - have places on every form for people to get their email address, have a "newsletter sign-up" link on their website, etc., and then call us in a year with the list they put together and we'll help them with a campaign.
Engineering and the Ultimate
I have replied and 'unsubscribed' to a spam that was delivered to an alias I set up. The mail came to the account "info" at mydomain, and I replied with "myname1964" at mydomain, which I have never used or given out. That was about a year ago,
I began receiving spam to myname1964 at mydomain about 6 months ago.
There's some proof that yes, replying is bad.
All you have to do is follow one of the unsubscribe links, one of the ones that go to a page you tye in your email address, not the ones that encode it. And then type an email address, one that gets no spam.
As I have access to mail server logs, I typed in a non-existence address, a random string of letters.
The address gets about 30 rejects a day.
This not only shows spammers not only ignore unsubscribe requests, but they completely ignore the fact said addresses don't even exist.
And, no, I'm not providing logs. This is an easy enough test to run, and I'm deliberately never exposing that address in any forum ever again as an experiment. It's not dictionary attackable, and it's all from that single unsubscribe.
If corporations are people, aren't stockholders guilty of slavery?
The easy solution to spam is to make the identity of the spammer known to all.
Do their neighbors know that they live next door to a spammer?
When a customer walks into your store, do you know if they are a spammer?
When someone hits on you at a bar, do you know if it's a spammer who is hitting on you?
When you're on highway patrol and catch someone speeding, do you know if is the spammer that is speeding?
When you walk down the sidewalk and pass by a car parked on the street, do you know if it is the spammer's car?
When your kids go to school, do they know the spammer's kids?
When you are delivering (paper) mail, do you know if it is the spammer's mail?
When you are serving food to someone, do you know if you're serving food to a spammer?
When you receive a call to 911/poison control, do you know if this is a spammer calling 911/poison control?
Spam is a community problem, and the community is the one best able to deal with it.
All the community needs is information.
The problem will solve itself.