Another Whack at Spam

mmoncur writes "Tim Bray just put up an article called Another Whack at Spam that has been getting some attention. It just looks like a variation of the old pay to send idea to me."

Wrong title?

[jkrise]

Should've been "Another Scam at Work"

Re:Wrong title?

No, because it does really work.

How could a pay mail service even work?

[192939495969798999]

I looked at the article, and I still don't see how payments would even work. I have to send a few emails a day -- so I'm paying pennies per day? That's ridiculous. Plus, there's already all this software that sends and receives email for free... it's all going to have to change. It's a herculean effort, and will still result in spam -- regular mail costs a ton in comparison, and I still get junk mail in there. Perhaps filters plus busting bad offenders will eventually make a good difference... just taking my name off of lists has helped me a great deal.

Re:How could a pay mail service even work?

[Kombat]

You don't get it. You wouldn't have to "change your email software" - you'd simply change the SMTP server you're sending your email through. You'd send it through this "pay" server, instead of your normal server. The pay server would recognize you every time you send an email through them, and automatically debit your (pre-arranged, pre-paid, or credit-connected) account. Your email client wouldn't have to do anything. The "pay" part happens on the server.

Re:How could a pay mail service even work?

[Twylite]

The big problem with any pay-per-send idea is spam economics. Somehow everyone believes that paying a poultry sum will scare spammers off, despite ongoing problems with spam calls, snail mail, SMSs, and the like. Charging money won't take away the spam.

Re:How could a pay mail service even work?

[192939495969798999]

Actually, Yes, I do get it. EVERY SMTP server would have to be changed... is that realistic? I don't think that it is... especially since all the spammers I know own SMTP servers. In fact, they report great revenue streams by owning several SMTP boxes and spamming people, hence the reason there is so much spam.

Re:How could a pay mail service even work?

[Twylite]

Just trolling for anonymous chickens ;p

Re:How could a pay mail service even work?

[letxa2000]

I wish people would just stop talking about ideas that are "non-starters." The success of email is that is free. That is, of course, also what leads to spam. But I'm not willing to kill email to kill spam.

The author also complains that his Bayesian filter is no longer working effectively, with a few percent of spamg getting through his each day. If that is the case he has most definitely made a mistake in implementing Bayesian. It is not consistent with Paul Graham's latest report where he cites 99.7% effectiveness, nor is it consistent with my experience with my Bayesian filter which is just this month creeping up to 99.8%.

Spam is a problem. But if I had to choose between spammers and those that would charge for email, I'll take the spammers. At least I can filter them and it'll probably cost me less to do so than pay for email.

Re:How could a pay mail service even work?

[Kombat]

No, "every" SMTP server would NOT have to be changed. You'd simply point your mail client to one of the (huge) new ones that uses this model. As the article noted, they would probably be run by the Post Office, courier services, or maybe even telcos. You'd use one of their giganto-STMP servers, instead of your ISP's piddly local one.

Incoming mail from an SMTP server that is not one of these authenticating-and-billing ones would be subject to the scrutiny of your Bayesian filter, which could have its threshold cranked up from "healthily skeptical" to "downright cynical."

Re:How could a pay mail service even work?

[RetroGeek]

paying a poultry sum

Sure, I can send in a chicken, but will the Post Office accept it for shipment?

Re:How could a pay mail service even work?

[lightspawn]

I have to send a few emails a day -- so I'm paying pennies per day? That's ridiculous. Plus, there's already all this software that sends and receives email for free... it's all going to have to change.

How about this: The recepient indicates whether or not the sender should pay $0.01.

Regular folk will take ages to spend $1 (spiteful receipients, etc), and spammers will have to pay $0.01 for each message.

Re:How could a pay mail service even work?

You obviously did not read the article carefully enough. He said soon some would find a method to bypass the filters and even a few percent would mean a few dozen spam messages for him.

Re:How could a pay mail service even work?

[letxa2000]

I did read the article. He said that a few percent were *already* getting past *HIS* Bayesian filter. My response was that he must have made a mistake when he wrote his Bayesian filter, because Paul Graham's and MY Bayesian filter are just getting more successful by the day. I started at 99.5% effectiveness with my Bayesian, it inched up last month to 99.7%, and so far this month I have 99.8% spam caught. I've seen spams that spammers tried to get through Bayesian filters by inserting random paragraphs or text. Of course, those were filtered with a Bayesian score of 98%, so it didn't really work. :)

The amount of spam I see in my inbox is going DOWN each month even though my spam went from 2171 in April to 6300 in October (projected).

My point being... If spammers are somehow getting past his Bayesian filter, it's not that the spammers are getting smart at getting past Bayesian. The problem is that something is broken in his Bayesian filter.

SPAM filter

The only viable solution to spam using the current infrastructure is learning algorithms such as Bayesian spam filters. (Would be interesting to see if similar techniques could be used to beat such spam filters and get spam through..)

Trying to get everyone to change from SMTP to something else just isn't going to work. There is too much for an instant change. This principle is basically why we're still using IPv4.

Re:SPAM filter

[Sheetrock]

The change from SMTP to something else is probably the only thing that will work, in my opinion. Every other proposed option is a kludgy workaround.

Bayesian filters work pretty well, but there is still a cost being borne by every system that must transfer the mail that's just being thrown away. Pay-to-play e-mail punishes everybody. SPEWS and similar are error prone as SomethingAwful have demonstrated and are reactive, not proactive.

We've got a greater need for SMTPng than IPng. I'm pretty sure that if a solution was available that was interoperable with current mail setups until a cutoff date a year or three in the future and deployed gradually we'd see something implemented that did the trick and cut way down on wasted bandwidth.

Re:SPAM filter

The change from SMTP to something else is probably the only thing that will work, in my opinion. Every other proposed option is a kludgy workaround.

People will just start using IM more and instead of mailing lists IRC and Useneet will flourish. Afterall, there's no spam with any of those right? :-/

Re:SPAM filter

No, spam filtering would actually work very well indeed if most people used it.

If hardly anyone reads the emails then their current business model becomes ineffective. The amount of people that respond to spams is a very small fraction of the recipients as it is now. If most were filtered automatically then it would barely achieve any effect.

All that needs to be done is to get popular ISPs and mail software client manufacturers (such as Microsoft) to include spam filtering modules as standard with the software they distribute (ISPs would include it on the CD you get when you sign up.) Everything which may be spam gets sent to a separate folder on their email client.

The best attack against spammers is an attack on the readership of their products.

Re:SPAM filter

[NearlyHeadless]

Here's my blog reply to Tim Bray:
Tim Bray proposes having people pay 1 cent per email. It's not much, but it would make some many non-profit email lists unworkable. Most other proposals like this charge only for the first email from an unknown sender, and usually a lot more than one cent. This does require the recipient (perhaps at the ISP level) keeping track of who is already authorized to send free mail.

There are actually quite a few workable schemes for preventing spam. Tim Bray is right that any system where sending is both free and anonymous will always be open to spam, but it's not necessary to charge on a per-message basis. One system that is beta-testing right now is Bonded Sender. With this system, the owner of an outgoing mail-sending server puts up money to guarantee that his system won't be sending spam (on the order of $1000 per server, with $500/year renewal). There's a contract that specifies what is spam and a third-party arbitrator for handling disputes. Existing mail-filtering software can easily check the BondedSender status via the DNS system, as they generally already check the DNS status of senders.

There are a couple of drawbacks to this. First, the IP verification won't work with dynamically-assigned addresses. Second, some smaller email senders may not want to spend as much as $1000 on this. Third, it doesn't help you if your ISP is not participating. All of these can be overcome by using a paid relayer, as Tim Bray suggests. It would be up to the relayer to determine how to prevent abuse of its own system.

Other systems work by verifying a digital signature and certificate of the sender, either on a per-message basis (S/MIME or PGP) or on a per connection-basis (using SMTP over TLS). This doesn't require a static IP address to verify identity.

Although it may seem complex and even chaotic, more than one mechanism will exist to prevent spam, even in the long-term. For a variety of legal, political, and financial reasons, no one solution will please everyone. We need to have some sort of meta-email system for allowing these to co-exist effectively.

What I propose is that an independent group be established which will provide a framework for interoperability. What needs to be done?

• A description of anti-spam policies. For example, Tim Bray's proposed SMTP4ALL charges $.01 per message. Or FirstClassEmail may charge $1 per message. BondedSender contractually forbids spam and requires a cash bond up front, as well as identity verification.

  There are a lot of possible policies. It should be up to the recipient to specify what policy is acceptable, but there needs to be a concise list so that the decision can be coded in a program.

• There also needs to be a way for the recipient to find the policy. For certificate-based systems, the policy can be encoded directly into the certificate, but the exact syntax needs to be defined. For other systems, something else needs to be devised.
• A way to describe the properties of an individual sender or message. It may be part of the sender's anti-spam policy that unsolicited mailings are allowed, but that each mail will be labeled with what type of mail it is, e.g. commercial, personal, political, charitable soliciting, etc. Similarly, a system such as Hotmail may want to label each user as to whether they are a verified, paying customer, or an anonymous, free customer.
• Some sort of meta-enforcement scheme. There needs to be a way of knowing if SMTP4ALL is really charging $.01 per message or if it's letting spammers send through at 1/1000 of that price. Is a CA shirking its duties?

  We don't want the chaos of the current RBL system. This is not something that should be c

Re:SPAM filter

Bonded Sender. With this system, the owner of an outgoing mail-sending server puts up money to guarantee that his system won't be sending spam (on the order of $1000 per server, with $500/year renewal).

SO what?!? Spammers will just get together and set up an ISP to send from. $1000 a year is still a small price for, say, 10,000,000,000 spam emails.

Re:SPAM filter

[Anonymous+Spammer]

Absolutely! DO AS THIS PERSON SAYS. Do not in any way try to make changes that would stop spammers from sending spam, just close your eyes to it.

As a professional sender of UCE, I just want to tell you slashdotters to keep on playing with your spam filters. As long as you use spam filters on your e-mail, I can continue to reach my real intended targets, those non-slashdotters who do not know better and will buy my products or click through to my client's websites. Your filters really help cut down on the complaints to the Internet service providers I do business with, and as long as not too many complaints come in their marketing people assure me we can do business. Of course, I still waste your bandwidth and mailbox capacity, but you no longer complain to uce@ftc.gov, my access providers, or anyone else who might cause me problems. My yahoo and hotmail and other accounts for replies are lasting much longer before getting shut down because someone complained to these service providers. And my clients are even reporting that they can start mailing out 800 numbers like 1-800-901-3719 again and they will not have you damn geeks set up your modems to keep autodialing them, since you spend your own time and effort to filter the e-mail and only clueless users who might actually call will see the numbers.

Please don't bother your Congressmen or Senators proposing legislation that might not work 100%. Just keep on filtering the spam I send you, I know you would have never bought from me anyway. That you can filter legitimizes my business and my waste of your bandwidth.

P.S. To be sure of not getting a false positive, be sure to send all filtered mail to a special folder. Waste your storage space storing the mail until you manually go through every piece to be sure you didn't accidentally filter something important. Of course, this will take exactly as much effort as it would have to just check the e-mail when it first came in, not to mention the extra effort spent in setting up the filters and the extra space for storing your incoming spam folder, but what the heck. If you think that you can scan e-mail for false positives faster this way you are just fooling yourselves, if you are scanning faster e-mail that you expect to be all spam, you will miss the very false positives that you think you are looking for. And any false positives that you do catch will have been delayed, perhaps days or more. You geeks enjoy wasting time this way, and I certainly appreciate it. It makes the work of all us spammers much easier. After all, slashdotters like Moderation abuser tell you that Bandwidth is cheap, disk is cheap, CPU is cheap , which is good, because at the rate spammers like me waste it the costs still adds up. I am gald I never pay for it, and I would just as well that everyone else takes the additude that all of the resources I waste are cheap than band together and pass laws against us. No one should care about spam because Bandwidth is cheap, disk is cheap, CPU is cheap and it is your job to filter it.

Think you've seen this before? Don't complain. Just go through lots more work to set up special filers on your computer so that you will not see it again. Crawl into your holes. You should have to do that. It's the true geek solution, and I would really like it if you did.

And don't pay any attention at all to the fact that those anoying telemarketers suddenly stopped calling you days ago, not because you wasted time and money getting caller-id and setting up systems to filter them out, but rather because the do-not-call list became law. You know, the law they said wouldn't work. Heck, in my case, even those annoying calls where someone who hangs up as I answered, which used to happen several times a day, completely stopped. But just recite that laws can't work, the end user must have their bandwidth wasted and go to extra work to filter their spam themselves. How else can spammers count on reaching the sheep who don't filter their mail and will respond to our great offers?

Re:SPAM filter

[The+Evil+Couch]

usenet and IRC are easy to filter. IRC, particularly.

and spambots result in fun articles for me to write. http://www.evilcouch.com/tiki-read_article.php?art icleId=58

Re:SPAM filter

[p2sam]

you son of a bitch ...

+5 insightful though.

Re:SPAM filter

[fmaxwell]

No, spam filtering would actually work very well indeed if most people used it.

But they won't use it. The Internet is ravaged on a regular basis by worms that exploit security flaws on unpatched systems. If you can't get people to even install patches that have been out for months, or even years, how do you think that you will get them to install, configure, and use filtering?

All that needs to be done is to get popular ISPs and mail software client manufacturers (such as Microsoft) to include spam filtering modules as standard with the software they distribute (ISPs would include it on the CD you get when you sign up.) Everything which may be spam gets sent to a separate folder on their email client.

ISPs (other than AOL) are moving away from the software bundle model because they don't want the cost or risk associated with supporting third-party software. Users aren't going to tolerate their familiar e-mail software being replaced by some client-licensed-at-the-lowest-cost off of an ISP's CD. ISPs don't want to be dragged into court because their spam filtering software dumped some important business or personal e-mail into the seldom-read spam folder. I can just see the story now: "Patient Dies From Allergic Reaction to Viagra: E-mails To Doctor Filtered Out As Spam."

All of that said, I strongly oppose the e-mail postage models that are being proposed. I'm sure that the Verisigns, AOLs, and Hotmails of the world are working full time to find some way to profit from such a scheme, but it's not in the interest of the common user. The approach that I favor towards combatting spam is multi-tiered:

1. Strong federal legislation banning the practice, making it a crime, and providing for large fines, civil penalties, and jail time. If some spammer is selling Viagra, then let him worry that his cell mate might be taking it. The legislation should be crafted such that it makes it a crime to "cause unsolicited commercial e-mail to be sent." If you live in New Jersey and hire some Brazillian ISP to send your spam, you've committed a crime.

2. Streamline the process of getting information on a spammer. If you receive spam, you send it to a government office, they investigate, get the subpeonas, fine the spammer and press criminal charges, and then pass the information along to individuals who might wish to press a civil suit. I live in Virginia. We have laws against spam with forged headers. But I could be looking at multiple $150 subpeonas and time off of work to track down a spammer, possibly to find out that they paid the ISP with a stolen credit card and that no one can identify them.

3. Laws that require cooperation from foreign governments in the fight against spam. If the foreign government does not lean on their ISPs to stem the flow of spam, then we start employing some port 25 blocking at our perimeters. If AT&T stops routing the port 25 traffic for some spam-friendly Chinese ISP, then you can bet that the ISP will quickly become cooperative.

4. A legal requirement that ISPs terminate the access of any spammer and turn over the information on the spammer to the government for prosecution under the laws described above.

Please don't reply to tell me that such laws would not stop all spam. I know that. Laws against child molestation, burglary, shoplifting, and jaywalking are less than 100% effective, too. But they serve as a deterrent. I'd rather ruduce spam by 90% than do nothing. I don't care about your "taxes" and how much you think it would cost. Prosecution of crimes and protecting people's rights costs money. But in this case, the savings from the reduced spam, combined with the money collected as fines, would more than offset the cost of prosecution.

Re:SPAM filter

I suggest this: drop all e-mail that comes from a machine not yours and from a domain that the sending manchine is not on.

Re:SPAM filter

[UpnAtom]

Spammers will just get together and set up an ISP to send from.

Should make them easy to block then. Anyone see anything else wrong with this idea?

Re:SPAM filter

[rifter]

If hardly anyone reads the emails then their current business model becomes ineffective. The amount of people that respond to spams is a very small fraction of the recipients as it is now. If most were filtered automatically then it would barely achieve any effect.

Unfortunately you are wrong. The current business model is already ineffective if you are trying to sell something with spam. Fortunately most spammers are not selling products. They sell the service of sending millions of emails to suckers^wcustomers who think it might result in some sales of their product.

More and more, businesses are catching on to the fact that this might not work so well, but that is okay because the product becomes your information. Spammers make money by selling information about their victims to legitemate businesses who are then able to contact you without you knowing they are responsible for the spam, or who simply want marketing information like "how many people responded to product X."

But even if 100% of the respondants filtered out the spam, the spammers would still make money because they would continue to sell the service of sending the spam. And even if all teh spam was filtered, it woudl still result in the bandwidth suckage people are reporting. Like the recent near-outages in .au which were solely caused by spam.

Blocking traffic from spam-friendly networks at the router level is going to be the only solution. That and outlawing spamming in every country we can.

Re:SPAM filter

[SkunkPussy]

3. Laws that require cooperation from foreign governments in the fight against spam. If the foreign government does not lean on their ISPs to stem the flow of spam, then we start employing some port 25 blocking at our perimeters. If AT&T stops routing the port 25 traffic for some spam-friendly Chinese ISP, then you can bet that the ISP will quickly become cooperative.

why do you think any foreign government would respect laws passed in the U.S.!!!!! the laws govern the citizens of the US or something like that.

do you think the U.S. governement respects the laws of any other country? pffff!!

Re:SPAM filter

None of that stuff is a "viable solution".

The only viable solution is to track down some spammers and force them to star in snuff movies, that are then made available on the net, pour encourager les autries.

It raises the cost of sending spam "on average", does not require the entire net to change sofware, and avoids "jurisdictional" issues that prevent legal solutions.

Re:SPAM filter

[fmaxwell]

why do you think any foreign government would respect laws passed in the U.S.!!!!!

Because the laws would require that U.S. service providers to stop routing inbound e-mail from foreign countries who aren't partners in our "war on spam." That's a pretty significant economic hit to those countries.

Why do you think that we have cooperation from foreign government on our anti-terrorist actions, our "war on drugs", and our efforts to stop software and media piracy? They fear the consequences of not cooperating.

Re:SPAM filter

this whole idea just isn't going to work. Here's why....

Most spammers hyjack ordinary people's pc's by installing spam trojans. Lets suppose you sign up with these SMTP relays. Great! Fine and dandy.... now you can send your mail at 1 cents a pop. Now, lets suppose your computer gets infected by a worrm of the likes of Sobig, or some future worm or virus... This is how a large percentage is spam is sent today.

So, your machine gets infected, spammers install a spam trojan on your PC, and starts spamming away (FROM YOUR PC) at a penny a pop.... Guess who's going to get the bill.

Re:SPAM filter

I have a few comments to make on this posting. first off, "last mile" filtering is not going to stop the huge amount of bandwidth being wasted by spammers. It's still going to be floating out there, only to be stopped at the person's pc "last mile".

item 1: Strong laws... Might work, but ONLY if a large number of known spammers are arrested and jailed as deterrant. but the laws have to reach beyond international borders.

Item 2: Tracking spammers - great idea. we've already got a lot of tools that do this, but spammers are getting trickier all the time. Doing this is very difficult, and only possible of the spammer/hacker fucks up and leaves a trail. usually the trail goes cold in hours, long before an ISP would ever think of taking action.

item 3: could only be done of this issue were brought up at large Economic Summits. Perhaps this might happen of we can elect a president willing to deal with these issues.
The idea of blocking port 25 at the upstream level won't work. For the simple reason that spammers already have thousands of home PC's to spam from, and thousands of IP addresses from many backbone providers.

Item 4 - Very good. However we have to go one step further. Since most spammers use hyjacked home PC's to send spam, we have to prevent these PC's from being hyjacked in the first place. So ISP's have to also crack down on individual home users (DSL and cable modem users). So when an ISP gets a spam report on one of their users, they should cut the connection, then contact the PC owner and require them to dis-infect their machine before being allowed Internet access again. They also should act faster then the time they take now, which is up to 3 weeks, because by that time, it don't matter, the spammer already moved on, but might come back and use that person's machine again in 6 weeks from then. ISP's have to act within HOURS of getting spam reports in order for item 4 to work.

Re:SPAM filter

[UpnAtom]

So, your machine gets infected, spammers install a spam trojan on your PC, and starts spamming away (FROM YOUR PC) at a penny a pop.... Guess who's going to get the bill.

Exactly who should get the bill - the user. And sooner or later, the users will demand secure software. Bingo, problem solved.

Re:SPAM filter

"The only viable solution to spam using the current infrastructure is learning algorithms such as Bayesian spam filters. (Would be interesting to see if similar techniques could be used to beat such spam filters and get spam through..)"

I'm sure that's what we're seeing already. It's very clear that spam has evolved to evade filtering over the period since filters came into widespread use.

"Trying to get everyone to change from SMTP to something else just isn't going to work."

That's not what was suggested. The idea is that people sign up to an authorized SMTP relay. The key point is that people have to pay, a small amount.

I'm an economist, and I have to say it's perfectly obvious to me that this is the only way that spam can be stopped. Of course I don't *like* the idea of paying for sending emails, but I like it better than spam at the level (and rate of increase) that I've seen this year. The vast majority of spam is driven by the economics of (virtually) free transmission, and would simply disappear if a very small charge per mail were levied.

Re:SPAM filter

[zcat_NZ]

Well DUH!

They pay $1000, and get added to the DNS

They send out spam. They can't hide where it came from, because otherwise the system can't tell they're an authorised sender. So almost immediately there are complaints, and less than 24 hours later they're removed from the database for violation of service.

Let's say they're really determined and have an unlimited supply of stolen ID's. They put up another $1000 and are able to spam for another 24 hours before they get shut down.. and so on..

They're not paying $1000 a year. They're paying $365000 a year, or more likely $1000 to spam for one day before getting blacklisted.

possible to forge?

[whitelines]

Wouldn't it be possible to forge the source address as the paid server? Once you've achieved this you can get into everybody's inbox, filtered or not.

Re:possible to forge?

[Xentax]

That wouldn't work, because the author is proposing that the paid relayer sign the message before sending it to you. They can fake the source address easily, but spoofing their certificate is much harder -- not impossible, but impractical to do on any significant scale.

Xentax

Uh.... no!

[TopShelf]

It sends email from anybody to anybody for 1 ($0.01) each. You open an account with them, drop in say $10 and you've bought the rights to send 1,000 emails.

Even though a penny an email sounds innocuous, this just won't fly. For one thing, the infrastructure you'd need to track the financial side of things would probably prevent the figure from being that low. Plus there's the whole loss-of-anonymity that goes along with paying for email rights. The biggest problem is that while this service might appeal to those on the receiving end of email, I can't see a wide market wanting to sign up as senders...

this will never work

[eddiecore]

spammers are some of the slimiest people out there. i can picture millions of people giving their OK to be spammed, sitting at home waiting for a check that will never come. THERE IS NO GOOD WAY TO LOOK AT SPAM. NONE.

another fatal bullow for unprecedented evile?

we don't know how much more real IT those whoreabull georgewellian fuddite southern baptist freemason payper liesense softwar gangster felons can attempt to censor buy use of false advertising, but we're keeping the pateNTdead eyecon0meter online until the last won is cornered/surrenders.

those foulcurrs best get ready to see the light.

consult with/trust in yOUR creator.... see you there.

Any generic word should work the same...

[KarmaPolice]

So the basic idea of the article (I guess I'm not a real hardcore /. reader since I bothered to read the article) is that every mail is sent through a common SMTP relay and everyone that wants to e-mail you, must sign up with that company.

Then you filter all e-mail not sent through that relay...i.e. e-mails not signed by them!

Here's a cheaper idea: I tell everyone I know to start the subject line with "goat" if they want to e-mail me. Then I filter all e-mail without "goat" as the first word in the subject...

Re:Any generic word should work the same...

Then I filter all e-mail without "goat" as the first word in the subject...

As a slashdotter, you should filter all mail with "goatse".

Re:Any generic word should work the same...

[Kombat]

Here's a cheaper idea: I tell everyone I know to start the subject line with "goat" if they want to e-mail me. Then I filter all e-mail without "goat" as the first word in the subject...

Sure, sounds good, but you might want to pick a different word ....

Re:Any generic word should work the same...

[dwsauder]

Here's a cheaper idea: I tell everyone I know to start the subject line with "goat" if they want to e-mail me. Then I filter all e-mail without "goat" as the first word in the subject...

Yes, this is a very simple, and very good idea.

There are many variations on the idea, one of the best being the use of an alias that contains the password. If your email address is john.doe@example.com, then you could use the alias john.doe+goat@example.com. The nice thing about this varation is that the "password" is stored in the address book with the email addresses, without any changes to the address book.

But it would be a simple thing to include an extra field in a web form where you add your email "password." Imagine an e-tailer allowing you to optionally include a password, so that you could reliably filter their email to you. It's a good solution to the whitelisting problem.

In short, using a knowledge proof in order to send email to someone is smart. It works in many situations, like when you want to receive and filter email from friends and family. It would also work for mailing lists. The basic idea is to be a moving target to the spammers.

Re:Any generic word should work the same...

[dspyder]

Scott Adams (of Dilbert fame) currently does this with his aol email address. You have to have the word "Dilbert" in the subject line somewhere. He simply filters that in and dumps everything else. Dilbert is uncommon enough, and not likely to be seen at random.

Pretty simple, but it fails for exactly the same reason pure whitelists fail... I am expecting to receive email I definitely want (mailing list signups, purchase/order receipts, etc.) but don't know the sender and/or the subject. And there's no way to add that sort of to all the applications that are likely to be sending me legitimate email.

Interestingly, Bayes kind of does this suggestion on it's own... assuming the word is fairly uncommon. In my ham for example, the word "AutoX" appears hundreds of times in ham and never once in spam. That's almost like a magic password to get something through to me and people don't even need to know it. Bottom line with Bayes is that stuff that looks like stuff I've seen before will get through. Downside is again on those spammy looking announce lists and bulletins.

Better than a secret word, why not send me a secret "key"? That way not only do I know it's really to me, I'm the only one that can read it. Of course, that has many (several) downsides that we all know about.

--D

Few Flaws

[L-s-L69]

1. Paying 1c/1p for sending an email may still allow some spam to be profitable. 2. I dont want to pay to send email. I just dont, I like the fact its free to anywhere in the world. 3. Limiting the number of emails sent in a day is going to be very restrictive for companies. 4. There is no way everyone in the world in going to use this system. 5. It sounds too much like a single point of failure for email.

On a personal note i just stop spam by removing all html mails, if my friends send me junk in html format i explain carefully and with a pointy stick that I dont want html emails.

Re:Few Flaws

[shut_up_man]

1 - Exactly. Most spammers would gladly pay 1c per email - these guys are (unfortunately) making lots of cash doing what they're doing, so they can easily afford it. Then all this idea does is make something cheap expensive, and the spammers continue on their merry way.

Re:Few Flaws

[Kombat]

I dont want to pay to send email. I just dont

Then learn to live with spam. The bottom line is, as long as it is free, spam will flourish. That's what it really comes down to. That's what every spam-attacking strategy must work with or against. It has to cost something, and these compromises are all about finding a "something" that is insignificant for normal users sending < 1000 emails a month, but prohibitive when it reaches up into the millions of emails per month.

If you are unwilling to compromise on your "zero-cost" requirement, then you will never be rid of spam. It's as simple as that.

Re:Few Flaws

[Kombat]

Most spammers would gladly pay 1c per email

You're wrong. The only reason spam works is because it is free to send. If they send out 5,000,000 emails and get a 0.1% response rate, with a profit of $5 per sale, then they've just earned $25,000. Since it cost them nothing to send those emails, then that is $25,000 of pure profit. Hell, even if they only sold one product through those 5,000,000 emails, then the $5 profit is worth it, because it is more than their cost (which was nothing).

If the emails cost 1 cent to send, then those 5,000,000 spams now cost them $50,000 to send, which obliterates their $25,000 profit, and then some. Suddenly, it's not worth it. And they'll stop doing it.

Re:Few Flaws

the $5 profit is worth it, because it is more than their cost (which was nothing).


You mean spammer don't pay for their 'net connection?
Or electricity?
Or their computer equipment?
Etc?

Re:Few Flaws

[red_gnom]

... If you are unwilling to compromise on your "zero-cost" requirement, then you will never be rid of spam. It's as simple as that.

Even if people pay a penny for each email spammers would still pay nothing for sending those millions of mails. The hacked and trojaned Johny Broadband would pay their bills.

Re:Few Flaws

[lightspawn]

The bottom line is, as long as it is free, spam will flourish.

Only if it's free AND anonymous.

There's two ways to fix it: Either make it non-anonymous, or non-free (at least if the recepient so indicates). Of course a combination is possible (I may want to spend $0.01 on an anonymous email once in a while).

Re:Few Flaws

[eaolson]

If the emails cost 1 cent to send, then those 5,000,000 spams now cost them $50,000 to send, which obliterates their $25,000 profit, and then some. Suddenly, it's not worth it. And they'll stop doing it.

Except many spammers now routinely use fake credit card numbers to get the ISP throwaway accounts they use now. OK, $50,000 is a bit much to put on a credit card, but if the price were a bit lower, it wouldn't be much of a problem.

Re:Few Flaws

[ajs318]

You mean spammer don't pay for their 'net connection?
Or electricity?
Or their computer equipment?
Etc?

No, a lot of them don't pay for such things. They infect vulnerable broadband-equipped home PCs with worms that propagate spam. This not only saves the spammers bandwidth, it also makes it harder to trace the source of the spam.

Re:Few Flaws

[JuggleGeek]

If the emails cost 1 cent to send, then those 5,000,000 spams now cost them $50,000 to send, which obliterates their $25,000 profit, and then some. Suddenly, it's not worth it. And they'll stop doing it.

I don't think so. More likely, they'll find a way to forge the messages so that someone else ends up with the bill. Spammers already forge domain names in their spam, sell items that are clearly illegal, or fraudulently advertise items which simply don't exist. Why would we expect them to suddenly say "I have to play by the rules?". Spam is already sent by way of machines the spammers have hacked. They already run DoS attacks on sites with spam fighting tools, blacklist distributors, etc. Shouldn't we expect the same kind of tactics to continue - or get worse?

I beleive we need a totally new system, but I don't beleive that pay-to-send needs to be a part of it. Most people only think about how that will effect the spammers and the 10-20 emails they send every day or so. (And even then, they don't seem to think it all the way through.)

Imagine the cost to SlashDot. I receive emails from /. every day with the new headlines/stories, to let me know about replies/moderation of messsages I've posted, etc. I'm sure many of you get the same messages. The costs to /. would jump enourmously - or their whole model would have to change, either removing those services or requiring a paid membership, in order to cover the cost. The NYTimes, Reuters, LockerGnome, and many others have similar email lists. Very useful, generally free - and pay-to-send will put an end to all of them.

Are you on any discussion mailing lists? I have several programming related lists which send me 25-50 mails a day. I'd lose those under a pay-to-send system.

Pay-to-send would have an enourmous downside for legitimate emailers, and for the users who receive those emails, while having a fairly small effect on spammers, who will seek to circumvent the system if possible, and who will disrupt the system via DoS attacks if they can't find a way to send their messages without paying.

Bureaucracy: The best solution

[PaneerParantha]

I have posted before that introducing a bit of bureaucracy is the best way to control spam. B'cracy kills any enterprise. (It was modded as funny although that wasn't my intent).

The article linked to above suggests steps in the same direction although baby ones.

Ask people to fill forms in triplicate, deposit a refundable amount with the ISP and only then would you be allowed to send emails. Introduce a bit more red tape with emailing and that will be the end of frivolous emails and spam.

As it is, even at workplace everyone CCs everyone else, you get emails of births, promotions, checkin notices, build notices, resignations, business deals, mailing lists and what not.

We should seriously consider limiting the number of email even ordinarily (i.e. without spam in the picture) and the amount of information thrown our way or failing that attaching an external storage and processing device to our brains.

Re:Bureaucracy: The best solution

[velo_mike]

I think he covered that by suggesting the various postal services could handle this.

2006 ?

[cwernli]

from the problems-that-won't-be-solved-until-2006 dept.

Sounds rather like 3006 to me ...

Re:2006 ?

2006 is the start of the biggest problem of all.... Longhorn!

Convert that .01!

[Angram]

I think the bigger problem is the lack of consideration for currency exchange rates. $0.01 in many third-world nations is more than a family would spend on food for the day. In England, it's only a fraction of a pence. Wouldn't this just drive spammers to wealthy nations and prevent poorer ones from interacting at all?

Re:Convert that .01!

[Kombat]

If a family spends less than a penny on food for the day, then I respectfully suggest that the cost of email is not their primary concern.

People that poor don't have email. They don't even have a computer. They barely even have food, as you just illustrated.

Re:Convert that .01!

[Angram]

Many struggling nations have public computing facilities.

I want more value for my money!

[Walkiry]

It'd be much better if that money could buy me time alone with the spammer that sent me the mail, in a basement. I'll bring my own cane. If they could guarantee I'd get that every time someone spams me I'd pay a buck per mail and not even blink.

Re:I want more value for my money!

Which idiots modded this up? Promotion of violence is not funny. Spammers are people just like everyone else you know. This is the same sort of kneejerk reaction peadophiles get as well.

When will you all realise that violence is not the answer to our problems?

Re:I want more value for my money!

Chillingham Road in Newcastle, UK. Obviously, in self defence I would be forced to beat the crap out of you. Bring it on.

Re:I want more value for my money!

Which flat are you in? And would you prefer I beat your ass with a cricket stick instead?

Looking forward to watching you plead for your life and wetting your pants.

Re:I want more value for my money!

237, it's an upstairs flat just above the Spar.

What time can I expect you round? If you even dare to visit, that is.

Re:I want more value for my money!

[Follis]

Ever watch the simpsons?

If only everybody did something differently...

[winkydink]

...this is a recurring theme in the "how to solve the spam problem".

You will not change every person's behavior. Especially if it changes from doing something for free to paying to do the same thing.

The spam problem will only be solved by changing the underlying technology that is invisible to end users.

That way, you only have to change the behavior of every postmaster. :)

Re:If only everybody did something differently...

[kaoshin]

Or change the underlying technology that is invisible to postmasters :)

It will never work

[Robmonster]

Barring all the previous comments people have made relating to the infrastructure required jsut to set up a scheme like this there is another far more compelling reason this scheme will not work.

People will not agree to pay for something they previously had for free.

Email has been free to send for a great deal of time now. People just wont agree to pay for it.

This whole story sounds a lot like the Urban Legend along the lines of the US government planning to introduce an email tax for each mail sent.

Re:It will never work

[Ripplet]

>People will not agree to pay for something they previously had for free.

As an example to the contrary, I use a Bigfoot email address. It was free for about the first five years, then they started charging for it. I paid up, because it had become too useful to me.

I think people *will* pay for something they previously had for free if one of the following is true:

The service they now have would no longer be available otherwise (

The service would improve considerably (There are probably more cases too.)

I'd say all the above would be true in this case. You probably won't get everybody paying for it sure, but I bet the majority would do.

Re:It will never work

[mad.frog]

>People will not agree to pay for something they previously had for free.

In the US, tapwater from your home faucet is cheap enough to be "free" for our purposes here, but people buy bottled water.

Re:It will never work

Its called tapwater for a reason, that thing you call a faucet. It's a tap.

The protocol is not the problem

[kjba]

Plenty of protocols have been suggested that would all kill spam if used BY EVERYONE. It seems to me that the problem here is not the protocol at all. IPv6 was designed quite some time ago now. Has everyone adopted it? Nope. The problem is that email has become so pervasive that it has become very difficult to change the standard.

Unless several main organisations and companies join forces to introduce a new way of sending mail with massive support, it is not going to happen. Yet another paper about yet another protocol is not going to change that.

Re:The protocol is not the problem

[lurker412]

If a new protocol could really eliminate spam, I would guess that large organizations would be among the first to adopt it. Yes, it's a hassle to change--and some may choose not to. Still, the benefit would be considerable, especially to ISPs and corporations that are spending lots of money on their email infrastructures.

In *Britain*

[Gordonjcp]

It's a fraction of a pence in Scotland, Wales and Ireland too.

Re:Uh.... no!

[kiatoa]

Being responsible for several email lists I'd second those thoughts and add that I don't understand why more people are not using Active Spam Killer. I've been using it for a couple months and love it. No spam, no hassles (once set up admittedly) and no fear of missing a legit. email.

What's the benefit?

[moehoward]

It costs me less than a penny a piece to deal with an individual spam. Hit delete, turn on my filter, etc. Is it really such a nuisance that we have to waste billions of dollars to "solve" it?

This seems to be an ISP solution, not a user-oriented solution. A user-oriented solution would be authentication based. Why not put a system in place to check the validity of the "real" sender and be done with it? What does the penny solution have over this? Both require all SMTP servers to be upgraded.

It is easy to see that there are SOME spammers who would pay. Just like with telemarketing. It costs them. We would just end up with the problem all over again.

No thanks. I already pay for ISP service. Next, they'll want to charge Web hosts for every page they serve up in order to stop pop-up ads. Sounds like a vast left-wing conspiracy! We'll TAX the problem out of existance! Never works.

Re:What's the benefit?

[JuggleGeek]

It costs me less than a penny a piece to deal with an individual spam. Hit delete, turn on my filter, etc. Is it really such a nuisance that we have to waste billions of dollars to "solve" it?

We are *already* wasting billions of dollars on spam. That happens right now, it's getting worse, and it will continue to get worse.

Side notes :
There are additional costs. You're ISP costs are higher, for instance, due to the spam.

I do not believe pay-to-send is the solution.

Re:What's the benefit?

[scrytch]

> It costs me less than a penny a piece to deal with an individual spam. Hit delete, turn on my filter, etc. Is it really such a nuisance that we have to waste billions of dollars to "solve" it?

What is your IT cost for mail storage? Double it. Spam is 50% of all email.

Now imagine spam unabated.

Ever seen a joe-job?

Spam does real damage.

What's so hard about authentication

[tbase]

Wasn't the post office supposed to start a service to give people some sort of certificate to authenticate people in the virtual world? It seems to me the only viable solution (and a simple one at that) is some form of authentication. Even if certificates are too much hassle, why is it so hard to change the protocol to verify IP addresses before allowing mail in or out? If you couldn't spoof IP's in e-mail, then you could reliably blacklist spam-friendly ISP's and easily track down who sent the spam.

Take it a step further, and tie IP addresses to an organization or individual. Then if you never wanted another e-mail from ZD Net, you could block the organization and it wouldn't allow any mail from any of their IP addresses.

Re:What's so hard about authentication

[ragnar]

I was thinking about this problem this week. When I first heard about the US postal service offering email I thought it was a total waste since the private sector provides this service for nearly free. Now I'm much more interested in some manner of official email, even if it means some added beauracracy. I still hope the private sector can straighten out this mess, but I've been hoping that for years. (for what it is worth, my company even made an effort to build a spam fighting solution that didn't work out)

As for the protocol to verify IP addresses, I think this is a variation on asking the sending relay to verify the authenticity of the sender. I've played with this idea multiple times but I keep coming back to a conclusion that the sender could fake it.

no, the recipient must be the payee

[edwinolson]

Why do people keep inventing new organizations that they want to give money to? Why should I pay some third party so that I can send email from myself to someone else?

No, no. The only thing that makes sense--if you want to consider a pay-for-email scheme-- is to pay the recipient. THEY are the one whose resources are being consumed. They are the one who can determine what price is a suitable deterrent for the spam that they receive. Nobody else can do it-- it's as simple as that.

It's true that the infrastructure to implement this system would probably require a third party financial clearing house, and they'd probably have to get a cut, but fundamentally, the payment must be receiver driven.

So imagine that to send an email, you contact an escrow service which gives you a token for your email: a promise of payment equal to the amount required by the recipient for delivery. The mail gets sent, the receiver can choose to collect payment or not to (friends don't pay friends to read their emails with this system). Obviously there are some technical challenges, but there are a lot of bright people out there.

Just, for god's sake, don't make me read another article where someone invents a company that they want to give money to when the recipient is the party being injured by spam!

Here's to the Scots!

[Angram]

I was providing just one example, mate.

Re:Here's to the Scots!

That's the trouble with you Australians. By the way, "pence" is the plural. The singular is "penny".

Re:Here's to the Scots!

[Angram]

Australian?

Had I said "penny" the point would have been confused (esp. for Americans).

Re:Here's to the Scots!

[popeydotcom]

Bah!

Who invented the term "penny" in the first place?

Re:Here's to the Scots!

It was derived from the Anglo-Saxon word "penig". This is also the origin of the German "pfennig", though of course they don't use that word as frequently now they have moved to Euros.

spammers would still make a profit

[SageBrian]

The spammers would still make a profit... they'd just charge more for their services. Though, charging 1 penny each is not a bad idea. And, you can still keep it 'free' by allowing upto a set number per day. Start at 100 emails a day, then after a set period of time, go up to 500 per day, etc. Businesses that need more than a set number can simply verify themselves as 'valid' senders. Perhaps just allowing mailserver owners to validate their servers/IPs might be enough. If you are running a mailserver, join a 'circle-of-trust', and create certain standards for the circle.

Mebbe learn to write a bayesian filter?

[Nuclear+Elephant]

Tim fails to understand that he's still getting spam only for the reason that his Bayesian filter sucks. Most other Bayesian-style filters (and friends) are up to a 99.9% filter rate and working towards five-nines efficiency. Their learning potential continues to improve as well with new concepts such as inoculation. It's no longer a question of "can we filter spam" it's a question of "how do we stop that one in a thousand spams that get through"...and that's soon going to be one-in-ten thousand. The problem is that only a small number of people have actually done any research in this area and tried Bayesian-style filtering. If they did, they would realize it worked ... very effectively. There are also server-side tools that make it easy for the 95% of non-tech people on the Internet. Bottom line, Tim needs to quit his bichin and go rewrite his spam filter - or install someone else's.

Re:Mebbe learn to write a bayesian filter?

[Liselle]

Perhaps Tim needs to re-write his filter, but I think that Bayesian filters are not the solution to the problem. They are the solution to a symptom of the problem. Hiding spam email under the rug is not going to reduce the overhead incurred in transferring around junk. Those emails do not magically appear in your inbox. This solution of his is flawed in many ways, but it does what filtering doesn't: it attacks the root of the problem, instead of playing defensive hot potato.

Re:Mebbe learn to write a bayesian filter?

[Nuclear+Elephant]

The only thing that keeps spammers in business is their message getting to their recipients. In the long term, filtering _is_ the solution to shut down spammers. If we can prevent the messages from being delivered, spammers will not be able to make any money. As it is now, 100,000 addresses may only generate a few hundred hits. Cutting this supply chain off will no-doubt shut spammers down.

Re:Mebbe learn to write a bayesian filter?

[AndrewRUK]

The problem with Bayesian filters is that, if they are used enough, they will drive spammers to make their spam look less spammy, and then getting those extra 9s of efficiency without getting a bad false-positive rate gets harder.

Re:Mebbe learn to write a bayesian filter?

[Nuclear+Elephant]

This is a good thing; I would rather see future spams say "hi, please look at this web page: [link]" than have to see big porn banners and red text. spammers don't make any money off of the innocent-types of spams because they don't captivate an audience...so by the time this happens the spam industry will have suffered severely.

Re:Mebbe learn to write a bayesian filter?

[ajs]

Keep in mind that 99.9% success on identifying spam is meaningless on its own.

When you talk about succes in spam filtering, you need to talk about several statistics: 1) false positive rate 2) false negative rate 3) both initial and limit values for the above 4) function for rate of change.

That is, you have two (somewhat independant parameters) and they are going to start at a "less acceptable" rate (e.g. perhaps 5-10% false negative and 1-2% false positive) and there will be some function that describes how fast it approaches its "optimal" performance (e.g. perhaps 0.1% false negative and 0.001% false positive).

This is where something like SpamAssassin shines. It comes with a huge database of rules for identifying spam by looking at the text, blacklists, header formatting, received chains, etc, etc. SA's Beysian component is then trained automatically based on the results of the rest of the ruleset. In comparisons with other systems, it seems that this sort of automatic training is significantly more accurate than self-training off of itself (as most Beysian systems do). Over time a user can tune up the Beysian part so that its results are weighed higher than the rest of the rules, thus giving you a more "Beysian" system and less static. Personally, I find that a combination of global checksumming (Razor2) combined with a large number of blacklists and the Beysian part of SA will yield the best results after it has "gotten used to" a user's mail.

SA 2.60 has just come out. Give it a look, you may be impressed!

Re:Mebbe learn to write a bayesian filter?

[Nuclear+Elephant]

> 1) false positive rate

Most filters are down to below 0.03. DSPAM is down to 0.01% and lower with some of our users.

> 2) false negative rate

That's the accuracy I was referring to; 99.9% catch rate.

Re:Mebbe learn to write a bayesian filter?

[Liselle]

What is your reasoning for this? Spam has done nothing but increase in volume since email came about. Spam filtering software and algorithms have accordingly ramped up in complexity just to keep up with the flood.

Where do you see spam dying off? I see the two approaching a point in the future where I'll need to hire armed guards to open my inbox. The silly people who reply to and purchase these products (ie: the people who keep the spammers in business), what do you think the chances are they they are running SpamAssassin? Your theory sounds alright, but is ultimately unrealistic.

Re:Mebbe learn to write a bayesian filter?

[fizbin]

Bayesian filters are the current hot technology on spam-fighting.

They are at the moment effective against most spam out there.

However, I still see stuff get through. I'm even starting to see spam get through at my work, where spam has to evade both spamassassin's (run on the mailservers) and mozilla's (run on my desktop) filters. (And yes, I tell mozilla to mark as spam everything that spamassassin flags, after manually reviewing the subject lines) Single word Bayesian filters are now being evaded by the smartest spammers. As AOL, Earthlink and other large ISPs implement similar systems, the evolutionary pressure on spammers will increase and the proportion of spam that is written to evade Bayesian filters will go up.

Those amazing accuracy rates? They'll go down. Single word Bayesian filters can be defeated; it's just difficult to do at the moment. I understand penicillin also used to kill a very large percentage of harmful bacteria...

Re:Mebbe learn to write a bayesian filter?

[Nuclear+Elephant]

We're working on some new technologies to help pre-train new spams. The inevidible fact is that new spams are going to come out and need to be learned. We're collectively implementing a new standard for inoculating users within a particular group. This standard will allow the different spam tools to talk to one-another and share information. External inoculation is also a new feature I've implemented in DSPAM, which enables you to have the spammers inoculate you before you ever receive their message.

Re:Mebbe learn to write a bayesian filter?

[ajs]

So that's the first two... The others are equally (if not more) important. Your false positive rate is admirable. It took SA a long time to get down into that range, so any other tool that does it meets one of my benchmarks. Still, how long it takes you to get there, and how much pain new users suffer to achieve that is important, especially when new users are probably the ones who need to get zero false positives the most (e.g. students who have just started at a college and are getting somewhat suspicious looking course information via email or new employees at a company). It's a limit thing, and you never achieve 100% of your ideal, you just move toward it, along some sort of function. You need to figure out the integral of that curve over t=0 to t=x where x is some "reasonable" amount of time for a user to come up to speed. Then you can compare the first two values start, limit and integrals to determine how good they are.

DSPAM's author (was that you? I don't know Slashdot IDs, sorry) and I have spoken about this a lot, and he actaully added a number of "pre-processing features" to DSPAM that make it sort of an inside-out SpamAssassin. Where SA has an overall scoring system and uses Bayes as just one of the tests to feed that, DSPAM uses Bayes AS the scoring system, and has some rules (like header analysis and he was going to add some blacklist support last I heard) as Bayes tokens. It was interesting that he chose this route, as I was trying to get him to consider integrating with SA as a replacement for the existing Bayes in SA (Bayes in SA is fairly reasonable speed-wise, but DSPAM is faster). He chose instead to add more "SA-like" features to DSPAM, which is cool too.

In the end, I'm glad there are at least two tools that are taking the "no one solution" approach. I don't buy the idea that any pure-word-analysis approach is going to work, but those who understand that Bayesian analysis is just a statistical tool can make it work far harder for them than that.

Re:Mebbe learn to write a bayesian filter?

[Nuclear+Elephant]

> It took SA a long time to get down into that range,

Not to be picky, but unless this is a change in the new version of SA, most people have been a reporting 0.06% or worse FP rate. I'm very glad though if they finally did make it down to that rate.

> Still, how long it takes you to get there, and how much pain new users suffer to achieve that is important

There are two types of users: users who want out of the box filtering, and users who are willing to sit and train. Merge tools to create seeded dictionaries and perform other types of "prep work" for new users to have instant filtering certainly make the learning situation a lot easier. In either scenario, I believe false positives are unacceptable, and software should make every attempt to avoid these at all costs (including filtering). DSPAM does a good job of this, but some people still run into some FP's during initial training - those folks should be running with a seeded dictionary.

> DSPAM's author (was that you? I don't know Slashdot IDs, sorry)

Yes that was you and me talking a while back. I lost your email address BTW so send me some more mail =)

> In the end, I'm glad there are at least two
> tools that are taking the "no one solution"
> approach. I don't buy the idea that any
> pure-word-analysis approach is going to work,

It's all about that last 1% of spam when it all comes down to it...regardless of your approach, you can achieve 99% filtering on a bad day (that's 1 in 100). To get to 99.999% though is the real trick, and I think a lot of different approaches can help. I am still experimenting with "Tokenized Rules" although I am much more interested in the inoculation thread and development of an inoculation standard amongst filters. I don't think the buzzword 'Bayesian' is going to solve anything (on a side-note we implemented three different algorithms into DSPAM lately including Chi-Square).

Re:Mebbe learn to write a bayesian filter?

[GregWebb]

I'd love to know what I'm doing wrong with my Bayesian filters.

Running Moz1.4. It's collecting from two accounts, one of which can easily hit 70 spam a day so it gets plenty of information to work from. I've got a bunch of keyword matches to catch anyone mentioning viagra, webcams and so on. _All_ misses are getting marked and deleted, all false positives are getting unmarked and dealt with as necessary.

To top it off, I've never been very good at remembering to empty trashcans so I trained it on that too at the start. You can probably account for 5k messages of training in that one batch, and a mixture of spam and ham.

It's never got more than about 1% false positive rate though it doesn't seem to be getting any at the moment. It's only averaging about 70-80% spam detection maximum, though. Mails in non-European character sets get through, mails that are almost identical to ones that get caught get through. I get Viagra, Xenical, 401s, all manner of types of porn spam all missed.

Now, don't get me wrong, keyword filters were down to around 15% catch rates so I'm still delighted with 70-80%. But when I keep hearing about high 90s from other users - how, exactly? I don't get sent much HTML mail or any mail at all on pharmaceuticals, porn, dodgy information on CD and so on that isn't spam. So it's not like it's got an impossible task to judge the content and it's been being trained at over 70 a day average (guessing) since within a week of Moz1.4 launching, plus a big load on historic mail that was manually checked and corrected.

So why the heck am I getting so many more spams through my filter than most users? And why didn't they put a keyboard shortcut in place for marking as spam? Would make my life easier...

(FWIW, I still want to go for a proxy client approach and will as soon as I get the chance. I want to be able to _bounce_ spam - that'll learn 'em.)

Re:Mebbe learn to write a bayesian filter?

[Tony+Hoyle]

Spam changes a *lot*, often to get around bayesean filters, plus the filters vary in effectiveness. For example at work SA catches ~2000 spams a day. With SA 2.55 I had a cron job wiping the bayes database once a week because after that it started to give a lot of false negatives. 2.60 seems to have cured that one (although there's one spammer who seems to score BAYES_00 every time, and I'm damned if I can work out a rule to stop him because he's using servers all over the place, and there's only about a dozen words in the spam).

Since SA 2.60 it seems bayes is about 80% accurate, with the rules catching the rest... unfortunately most spam now comes with 'bayes poisoners' so the bayes effectiveness seems to level off with time (it might start dropping off again, depending on how much poisoned spam we get).

Eventually bayes poisoning will reach the stage that it'll be rendered useless, but hopefully another technology will come along that'll replace it.

I'm not sure I believe the 99% stories... with a carefully constructed corpus anyone can get figures like that, but they're not representitive of the real world.

btw. Never bounce spam... the bounce will simply end up in some poor suckers inbox and the spammer will never hear about it.

Re:Mebbe learn to write a bayesian filter?

[GregWebb]

Bounces - er, yes, I'd more want to bounce cases of people who are sending from legit addresses but just _will_ _not_ unsub me from their lists, which I get a reasonable amount of. The pure spam that's coming through forged addresses is certainly a waste of time to bounce.

Re:Mebbe learn to write a bayesian filter?

[JuggleGeek]

In the long term, filtering _is_ the solution to shut down spammers. If we can prevent the messages from being delivered, spammers will not be able to make any money.

The people who run bayesian filters are, most likely, not the people who respond to spam. The few idiots who support the spammers are, most likely, not going to run any decent filters. And that's where your theory falls apart.

I don't run Bayesian filters, because of the time involved. In order to use them, you have to download the entire message. On dial up, receiving 200+ spams a day, that isn't worth it for me. I use MailWasher, myself. It downloads the headers. Mail from whitelisted sources isn't shown at all in Mailwasher. Everything else (which is mostly spam) is shown. Mailwasher then looks to see if those mails come from sites that are on a DNS blacklist and tags that mail. I sort so that the non-blacklisted emails are at the top, and glance through them. Legitimate mail? Add another whitelist entry. Everything else gets deleted off the server. Only after the junk is gone do I have Eudora download the rest of the mail.

If I run a bayesian filter, I would have to download the text of all 200+ spams, because you can't run the filter until you have the message, and because you're supposed to tell the filter "This is spam" to help it learn. It isn't worth the time to download it - it's junk.

Re:Mebbe learn to write a bayesian filter?

[Nuclear+Elephant]

> The people who run bayesian filters are, most likely, not the people who respond to spam.

This is why more ISPs need to implement server-side solutions.

> In order to use them, you have to download the entire message. On dial up, receiving 200+ spams a day, that isn't worth it for me.

If your ISP ran one on the server, you wouldn't need to download them all except for initial training (which can be easily accelerated with a seeded dictionary).

> sites that are on a DNS blacklist and tags that mail.

Good luck with the whole DNS blacklisting. Just about every single spam our system receives comes from a different IP address.

Re:Mebbe learn to write a bayesian filter?

[ajs]

I lost your email address BTW so send me some more mail

Will do. It was a good conversation.

Not to be picky, but unless this is a change in the new version of SA, most people have been a reporting 0.06% or worse FP rate

I'm not sure what the numbers are in development versions these days, but SA 2.60 was just released, and the tests that are used centrally show 0.02-0.06% FP rate depending on corpus... however, I see a much lower rate in practice. My explanation for that is that the database of spam and non-spam used by SA for evolving the scores is populated by a statistically improbable number of worst-case messages submitted specifically to point out false positive test cases.

So, while SA is nominally only getting around 0.05% success on average, it's really a much rosier picture, and here's the really nice part: SA gets this rate out of the box, before Bayes has a chance to really train up.

I still think that using Bayes instead of a genetic algorithm would be a better way of scoring messages. The genetic algorithm has some serious problems in terms of reacting to changes in score makeup (e.g. a test is removed or a whole class of tests cannot be run) which have been band-aided for now, but the long term solution is to have a more dynamic reaction to changes in rule behavior.

There are also a lot of tokens that are spotted via regular expression that could probably just be turned into message tokens to be handled by Bayes the way you suggest.

I think the perfect arcitecture for spam analysis lies somewhere between SpamAssassin and DSPAM, but I have to admit I've not yet looked into tangential things like inncoculation.

I don't think the buzzword 'Bayesian' is going to solve anything (on a side-note we implemented three different algorithms into DSPAM lately including Chi-Square).

Agreed. I told a co-worker that SpamAssassin was using Bayesian analysis and he groaned, saying that naive Bayes was just the worst case scenario that you apply when you don't understand your data. I had to point out that a) SA uses a variant of Chi-Square not naive Bayes and b) SA uses a whole heck of a lot more analysis tools than just Bayes. Buzzwords don't solve anyone's problems, and I think spam filtering is probably the best place to get that point across to naive users.

Re:Mebbe learn to write a bayesian filter?

[Nuclear+Elephant]

I've heard rumors that SA is heading more in the direction of probability-based filtering rather than score-based filtering; disabling all your negative rules seemed to be quite a step. I still think converting all the rules into a "Tokenized Ruleset" for probability-based filtering would be a better solution...you could have either a separate calculation for content and rules, or you could reserve N slots in your single calculation for rules-based calculations. If you go with standard '15' bayesian filtering, open that up to 30 and allow up to 15 rulesets to get thrown in there. If there aren't enough interesting rules for a message, allow tokens to take an extra slot.

Anyhow, I think the big problem most people have with Bayesian is that they don't do any research on it...they just look at the surface, maybe read a few flames about it...there is so much work going on in the bayesian field you can't just discount it without a fair examination...especially when you've got things like Chained Tokens (we discussed those before), inoculation, functional groups, merged dictionaries, etc.

anyhow we can pick this up via email ... i'm sure we'll both get "Off topic" troll scores from this.

Re:Mebbe learn to write a bayesian filter?

[JuggleGeek]

I don't understand how "server side" bayesian filtering would work. I can't show it "good mail" and "bad mail" for it to learn from - I'm only going to see what it decides to show me. If it decides to toss mail that I would have wanted, I'll never see it, and therefore, I'll never be able to tell it "This is legitimate mail" so it can do better the next time.

Regardless, most of us don't run our own mail server, and if you don't, you end up with whatever you get. My mail server has Spam Assassain set up, and headers are added to the message saying that it guesses it's spam or not spam, with a list of reasons why. It is wrong quite often (in both directions), so I don't trust it. If it were up to me, they wouldn't run it at all - the SA headers are just more to download, and they do me no good.

DNS Blacklisting doesn't catch every spam - but the vast majority of my spam does come from blacklisted sites. I'm not willing to auto-delete them, though, because I don't want to miss legitimate mail. So I just have it tag them, sort based on that, and look at the headers of the mail that isn't blacklisted first. Out of 200 spams, I'll have 5-10 that aren't blacklisted. I usually take a quick glance through the blacklisted mail, too, but it's so rare to get legitimate mail from them that I don't spend much time on it.

Re:Mebbe learn to write a bayesian filter?

[Nuclear+Elephant]

> I don't understand how "server side" bayesian filtering would work. We use a web-based quarantine box that you can periodically skim over for false positives (you can even set up key words that'll hilight potential false positives in yellow). You can change this behavior, though, if you want it to deliver the messages with a spam header instead or if you wanted some other way to manage them.

Screw payment options

[clambake]

The problem with solutions like this is that it involves money, and thus, is subject to corruption. Spammers would eventually be givien discounts (look at your paper junk mail folks) so that the regulatory company can make an extra buck.

However, there is another solution that would work just as well.

Every email that is to be accepted by an SMTP server must include a digital signature of some root SMTP-signing servers of some kind, otherwise it's automatically rejected. This server will only allow, say, 10,000 signatures per IP address (or per registered user, whatever) per day, maximum. Additionally, it will only sign one message per second per IP addresss, no faster.

There are many variations on this, all of which would work great. For example, have the rate of signing be inversely proportional to the number of messages sent that day. Maybe also have "registered users", meaning people who have an actual credit card number or bank account linked to their name and will be charged $1,000,000 per message after 10,000 have been sent in a day (Sure, there will be spammers using fradulent cards, but in that case spamming has become a real, high-stakes felony).

The point is, as long as you have a few central authorities, just like DNS, where we can go to validate email, then we'll end spam.

Re:Screw payment options

[iapetus]

Of course, that suggestion has a number of drawbacks: say goodbye to mailing lists, for a start - one message a second isn't going to be enough for them.

Re:Screw payment options

[G.+W.+Bush+Junior]

Spamming HAS become a high-stakes felony

corepirate nazis declare kode blew alert

that's right. they're more aFraUD than ever now, that the gnu millennium is kicking in.

there's some growing notion that we can do at least as well/much better with a few less felonious FraUDuleNT billyonerrors.

lookout bullow. the daze of the greed/fear based corepirate nazi payper liesense stock markup FraUD execrable, is WANing into coolapps/the abyss.

consult with/trust in yOUR creator... get ready to see the light.

Why would anyone agree to pay for email?

[hendrix69]

What next, paying per HTTP request?
This will never happen, the second that SMTP transactions cost money people will switch to another, perhaps rogue, protocol that is free and that would be the end of stardardized email.
Whoever came up with this idea lacks some basic understanding of the Internet and information in general.

Dstorted picture with serial number = No money

Why pay monetarly.. it's just a mess. Plus the suggested infrastructure is prone to single point of failure.

Let people type in a serial number from a distorted picture (ocr proof). Which will give access to send email. Bad users get deleted. And mass signup isn't viable.

Any infrastructure should be distrubuted with NO single point of failure. And goverments and corporations easily get corrupted. Don't trust them ever.

Re:Dstorted picture with serial number = No money

[ericspinder]

BTW, that is called an automated Turning test. I've (and I am sure many others) have see this many places on the internet. I know Yahoo and Hotmail both use it to prevent bot from signing up spam accounts. I have heard of anti-spam ideas which use a central "challenge server" and another which the client sends back a response before it will allow the user to see it. Both have thier individual problems and neither allow for proper use of mailing lists (without whitelists). I believe that to reduce spam many solutions will be needed.

We will fight them on the client, We will fight them on the server, and We will fight them at their access.
We must win, We will WIN !!!

Re:Dstorted picture with serial number = No money

Isn't it Turing Test after Alan Turing? And "whitty" is not the same as "witty." You do know that, right?

Re:Dstorted picture with serial number = No money

[ericspinder]

Yes, a Turing Test is named after Alan Turning who had certain theories about AI, an automatic Turning test is becoming a common sight on the internet.

Also, I found another one in my previous message -"thier" is really spelled "their".

Still hurts the honest ones

At my company I'm in charge of our opt-in newsletter which goes out to just under a million people a week. I guarantee it's opt in, we comply with every rule you could think of (such as including the date when you subscribed, and unsub instructions in the newsletter that we really respect). We take the time to get on "white lists" so that we don't piss off ISPs.

I've been told to prepare to scale it to 5 million.

A penny an email would kill us.

Posting anonymously because I'm sure there are slashdotters out there that don't believe that a million person opt-in list is possible, therefore I must be a spammer.

Re:Still hurts the honest ones

I know what you mean - with that sort of logic they also wouldn't believe that a web page could be read millions of times. Fools.

So why post it?

[KDan]

It just looks like a variation of the old pay to send idea to me.

So why'd you bother posting it? Too much free time?

Daniel

Email Classification

[TheSpoom]

Here's an idea. Instead of blacklisting domains that spammers use (because we all know that they have effectively an infinite supply) or going to extreme lengths such as paying for each email sent, why don't we make it so that emails may be classified based on the volume of mail they send, and such classification be mandatory? Hence, we could block certain accounts that were sending, say, more than 10,000 emails per day. If, for example, there were a digital certificate in each email that added one to a remote counter for that email operated by an independant entity, and our emails were configured to only accept emails sent with such a certificate, I think it would be a feasible idea (except perhaps for the bandwidth costs involved in keeping track of said counters, but I don't have the answers to everything).

Re:Email Classification

Instead of blacklisting domains that spammers use (because we all know that they have effectively an infinite supply)...Hence, we could block certain accounts that were sending, say, more than 10,000 emails per day.

But spammers also have an infinite supply of "accounts" (by any definition). They would just send one message per account.

Re:Email Classification

[TheSpoom]

Admittedly, but such classification would also allow us to see when an account started sending messages. Hence, we could block messages from accounts that have, say, never sent a message before yours. Might make Hotmail a little annoyed, but meh. ;^)

that's it?

payperview web pages. that's just duckIE.

then, you'll only get spam from the FraUDsters you pay to get it from. a corepirate nazi marketeer's dream.

funnIE how everIE fauxking "solution" (to everything) offered buy the /.puppets, involves paying the known thieves/felons/sponsors, even more of what's left of yOUR monIE?

Re:that's it?

I don't know who you are or where you come from, but I love you.

Please continue to post like this for ever, as it warms the cockles of my heart.

Thank you.

Re:that's it?

[Zeriel]

I think he must be some kinda prophet.

Either that, or Slashdot itself has somehow gained sentience.

Another option...

[r1ch]

Another interesting option would be to use deposits rather than payments - you'd lose your deposit if the mail was unsolicited. That way sending mail is free unless it shouldn't have been sent, and if the deposit was of a big enough size spamming would no longer be profitable. I started a discussion about this a few days ago here

The best answer is not guaranteed to be easy

1. Paying 1c/1p for sending an email may still allow some spam to be profitable.

Certainly there will be leakage in any solution, but the major problem with spam is its preponderance. Eliminating all but "some" spam produces a more than proportional benefit.

2. I don't want to pay to send email. I just don't, I like the fact its free to anywhere in the world.

I wish I did not have to get a driver's license, but the fact that everybody does it protects me.

On a personal note i just stop spam by removing all html mails,

I use that technique too, but I understand that I am still paying (because my ISP is still paying) for their receipt.

Re:The best answer is not guaranteed to be easy

[letxa2000]

Eliminating all but "some" spam produces a more than proportional benefit.

And using Bayesian to accomplish it does it for free and with no changes to the cost or anonymity of email.

Someone else: 2. I don't want to pay to send email. I just don't, I like the fact its free to anywhere in the world.
You: I wish I did not have to get a driver's license, but the fact that everybody does it protects me.

It protects you? From what? People still drive without a license, with an expired license. Many others get licenses even though it can honestly be argued they don't know how to drive, especially in rain or snow.

I use that technique too, but I understand that I am still paying (because my ISP is still paying) for their receipt.

And I understand that while receiving spam and paying for the bandwidth is a real cost, it is insignificant compared to the cost of my time to deal with them. If I don't have spam in my inbox, I've just addressed 95% of the cost of spam to me. If everyone uses Bayesian filters then we've just addressed 95% of the cost to society. Sure, it'd be nice to get 100%--but if everyone used Bayesian filters then the remaining 5% would just dry up and die anyway.

I've got the solution...

[nathanh]

The problem with all these spam preventing ideas is that they don't get to the root of the problem; the spammers. I have a foolproof solution.

Capital punishment.

Simply kill the spammers. Send spam? Instant death. No jury. No judge. Maybe the spammers can be the first to appreciate the benefits of "Real Cheap Life Insurance" when they're frying on the electric chair.

Don't moderate me funny. I'm not joking.

oh great, junk mail, here we come!

[martin-boundary]

I really don't see what possible benefit a paying scheme could have for email.

If I get this right, the idea is to lose the one clear advantage email has over regular mail, namely no cost (let's ignore actual ISP costs, those are together paid by the sum total of all internet subscribers in the world).

By artificially making each email cost something, the economics of the email system become identical to the economics of postal email, except it's faster. That's the idea, unless I'm missing something.

Now in the real world, we already have an example of a system with such economic properties, namely the postal system. Unfortunately, in the real world, we also have an example of the way spammers have adapted to that economic system. It's called junk mail, and I get tons of it in the physical mailbox.

So maybe the companies pay for their junk mail to be delivered to my physical mailbox. Guess what? I still don't want it. But they paid for it, so I guess it'ts allright....not.

Thanks but no thanks. I'll take my chances with a personal junk filter.

p.s. I accept that ISPs have a huge problem, but this way is only going to legitimize spammers who are willing to pay.

Re:oh great, junk mail, here we come!

[lightspawn]

By artificially making each email cost something, the economics of the email system become identical to the economics of postal email, except it's faster. That's the idea, unless I'm missing something.

Again: The sender is only billed $0.01 if the receipient so chooses.

Re:oh great, junk mail, here we come!

[martin-boundary]

I guess I missed the optional aspect of the cost in the article. Can we call this a "statistical discount"? ISP to junk mailer: it costs 0.01 per email, but 47% of our recipients tend to be lazy or clueless and won't charge you for it. Therefore your average cost over several spam runs is 0.053 per email. Our competitor has only 42% clueless subscribers, so you're better off with us.

They'd get shut down pretty quickly

[AtariAmarok]

If they ever got off the ground, they'd be shut down in short order due to the trouble they would be in for being a spam-cannon.

Waiting for the day

[floydman]

when i find am email in in my inbox saying :

__C __T___G____R_____O_____S___
__l __o___e____i_____F_____P___
__i ______T____D_____F_____A___
__c _______________________M___
__k ___________________________

This email has been sent upon your request, click here so we can send you more.

or better yet

[AnEmbodiedMind]

Just auto respond to everyone who is not in your email white-list with a challenge/response. If someone I don't know wants to contact me they can take the five seconds it will take to respond. Spammers wont have time to make this work on bulk.

Re:or better yet

[smack_attack]

This is what I predict will become standard. It's like automating caller-id, and it's so simple in concept.

Re:or better yet

[gaijin99]

Just auto respond to everyone who is not in your email white-list with a challenge/response. If someone I don't know wants to contact me they can take the five seconds it will take to respond.

A good enough idea, for those techie enough to comprehend the responsibility. The responsibility, of course, is that when you sign up for automated email of any sort you must whitelist the automated mail server yourself. Otherwise the yahoo group, or whatever, will quickly find itself faced with a barage of mail...

The other problem with whitelists is that some addresses simply must be put onto the list to avoid clogging systems, and otherwise causing problems. If the all mail deamons aren't universally whitelisted than you'll never get a bounce notice if you send mail to the wrong address. The hassle with universarally whitelisting mail deamons is that the spammers will simply take to forging their headers so they look like they come from the mail deamon (actually, I've already gotten spam designed to look like a bounced message).

I'm not saying that whitelists are a bad idea, I'm just saying that they aren't a universal cure all. I tend to think that the only real solution is a mixture of several techno-fixes. Along with education to try and let people know that buying from spammers is a very bad idea. You'd be surprised how many non-geeks have no problem buying from spammers.

Re:or better yet

[esj+at+harvee]

any good challenge response system will try to identify mailing lists so they won't send out a challenge. This is a relatively safe behavior because at worst, if a spammer tries to mimic a mailing list, they won't get a challenge and their e-mail will sit in the spamtrap.

As for Mailer demons messages, I will argue for making them generate postage as well. That way, you do not need to white list them. Of course, this assumes you are using a proof of work postage system which doesn't need any centralized infrastructure. See hashcash.org/camram.org

You are also quite right that it will take a series of fixes which is analogous to the drug cocktail approach that medical sciences using against drug-resistant diseases. Camram currently incorporates automatic white listing based on traffic and a Bayesian style filter with user settable thresholds in addition to the postage stamp and a handicapped user-friendly postage due notice mechanisms.

Re:or better yet

[letxa2000]

Just auto respond to everyone who is not in your email white-list with a challenge/response.

Ah, yes, challenge/response. The spammy solution to spam.

Challenge/response is a broken approach because it requires that for every spam you receive you send out a "spam" back (the challenge). If the reply-to address is forged (normally is) then you just spammed some innocent person so you can be spam-free. While sending email to the wrong person by mistake is not spam, an entire anti-spam system that is built on the premise asis that you will send challenges to addresses you you will be forged is a broken system.

Micropayments Still Suck

[David+Gerard]

The problem with this idea is:

1. Micropayments still suck.

2. Why the hell should I trust this company, particularly when Verisign buy all successful competitors - as they did for digital certificates?

3. Most importantly: there is no natural reason for the cost.

Now, if there was an easy way to pay me one penny to receive each email, with free channels set up on a case-by-case basis ... that would work wonderfully. All we need then is a workable mechanism for single-penny transactions to be workable for almost everyone ...

Another problem

[Duhavid]

Remember the days when ATM's were bright shiny new? Then came some interoperability, and some token fees. What happened to the fee's then? They went up. Revenue. Not many companies ignore a revenue source. And many know one when they see it.

My point? Simply this. That penny fee will go up, after some period of time.

Netscape filter that works for me

[Chatmag]

My Netscape email has some settings that I can do that filters emails.

In the email program, it says, "match any of the following", so I typed in abcdefghijklmnopqrstuvwxyx and chose "move to trash" It must work great because I don't get any more spam.

Re:Netscape filter that works for me

In the email program, it says, "match any of the following", so I typed in abcdefghijklmnopqrstuvwxyx and chose "move to trash" It must work great because I don't get any more spam.

wrogn. you still get it, you just don't see it. but it fills your mailbox at your isp, you have to get it to your pc, and basically your, your isp's and your isp's upstreams' resources are being wasted.
(apologies if some or all apostrophes are wrgnly placed).

Re:Netscape filter that works for me

[Chatmag]

It's a joke.

An honest one

[AtariAmarok]

It is good that you go the extra mile and actually document when someone opts in.

Thanks to the spammers, the term "opt-in" has no meaning at all: I've gotten hundreds of spams claiming that I opted in and never did at all.

This whole idea is a joke. It would be treated as something to be worked around.

Misguided

[mishehu]

This concept is nice and dreamy, but the reality is this - most spammers are pretty much on the low end of the internet evolutionary chart, and don't have many morals to begin with. Trying to change the business model on those whose business for those who already crack other organization's systems to spit out millions of emails is simply not going to happen - they'll just find some way to get around this as well. What should happen is either an extension to SMTP or a completely new protocol for MTA's. Perhaps one that would use some sort of SSL certification to authentificate itself as the MX of a domain would be more effective? (At least it *might* put an end to all the forged emails.)

right on

[RMH101]

monitor spam. report to ISP. if they ignore your complaint, blacklist them. if they continue to ignore you, blacklist their whole IP block.
go after the people whose products they're advertising. with a big stick.

Mailing lists

[thorrbjorn]

"That means that some formerly-free list subscriptions are now going to cost you a penny a message. Deal with it; it's the price of killing spam."

I'm on quite a few mailing lists, due to my wide range of interests. I can receive 400-600 messages a day from these lists. So I should spend $4-$6 a day to fight spam, eh? The largest estimate of the cost to ISPs for dealing with spam has me paying about $8 a month.

Its a nice idea, but it just won't fly. Try again.

This sounds like it might actually work.

Re:Mailing lists

[scrytch]

> This [habeas.com] sounds like it might actually work.

Oh please. Haiku? I suggest a solution that might have some chance of actually working because the trusted sender pays up first instead of some goofy legal posturing. Run an aggressive filter, and let anything through with a bond, so you don't have to worry about those FP's. Locksmiths already have to post a big bond. Why shouldn't marketers be the same if they want our trust?

Just won't work

[rf0]

Its human nature why should I pay you for something that is already free. Unless there was a massive simaltenous move then its just not going to work

Rus

nailing the bastards

[tarzan353]

It's not that hard to take down a spammer who causes you problems beyond just sending you unwanted email... I had one friend who had a spammer run a couple hundred thousand emails thru his system (a bug had made it into an open relay). It took one stern call to the ISP hosting the advertised websites to get his hosting and DNS cut off at the knees.

This is more than just sending off a single email to a scantly watched abuse email.. This means getting hold of a real person and explaining, realistisay, what sort of legal liabilities they might be open to if they continue to support the spammer's actions. (Hacking laws, aiding and abetting, Trademark infringement and vicarious liability) often fit in there.

If more people would do this, life would get a lot harder for spammers.

Re:nailing the bastards

[Ripplet]

>to get his hosting and DNS cut off at the knees. Yeah right, for all of half a day while he sets up a new one. >This means getting hold of a real person... >If more people would do this... Unfortunately, these two statements are contradictory. Most people can't be bothered. Hey I'm not knocking you, just being realistic. It was great what your friend did, but it sounds like he must have been fairly computer savvy to sort it out. Most people aren't, and wouldn't know what to do about spam if it bit them on the ass, even if they *could* be bothered to do something!

Re:nailing the bastards

[Ripplet]

(Sorry, repost with better formatting, must remember to actually *look* at the preview next time)...

>to get his hosting and DNS cut off at the knees.
Yeah right, for all of half a day while he sets up a new one.

>This means getting hold of a real person...
>If more people would do this...
Unfortunately, these two statements are contradictory. Most people can't be bothered.

Hey I'm not knocking you, just being realistic. It was great what your friend did, but it sounds like he must have been fairly computer savvy to sort it out. Most people aren't, and wouldn't know what to do about spam if it bit them on the ass, even if they *could* be bothered to do something!

Fake costs won't work

[doodleboy]

When you send snail mail there is some actual, legitimate cost involved in transporting the letter for A to B. But email can be zapped to any net.connected machine pretty much instantly and for a vanishingly small cost. Layering on some expensive infrastructure will never work, for exactly the same reason that charging big bucks for easily reproducible media won't: everyone will use a cheaper way, and the expensive way will be ignored.

In the article Tim Bray says the problem with the current email system is no cost coupled with relative anonymity. Ok then, lets pull back on the anonymity a bit. Let's find a way to identify and block hosts that are sending millions of mail per day. Anything is better than enabling some massive new bureaucracy, which will inevitably put the screws to us the same way Verisign has.

I mean Jesus, haven't we learned anything?

Re:Fake costs won't work

[Tony+Hoyle]

Fake costs work for eg. the telephone network (network maintenence is fairly fixed-cost so charging by the minute is pretty bogus.. half the traffic goes over IP anyway)... it's all about market forces in the end - if you can convince people that paying is 'better' they'll pay (you can bet MS will try something like that soon).

Pay to whom?...

[SolitaryMan]

This won't eliminate spam, though it will reduce the amount of it. And this can allow web services providers to make more money, but who will pay me? The enduser, who still will be reading that crap...

Yet another idea

[NibbleAbit]

I have had this idea floating around for some time now. Anyone seriously interested is invited to look at my journal

but how would I get email from...

[howhardcanitbetocrea]

strangers who I want to contact me e.g. from business card or that I've given my email adress to?

Pay for send will never work

Most people will never agree to even paying one cent per message. They would rather continue to pay with their time eliminating spam. I know I would. I hardly get any spam at all after my filters are done with it. If you mean to pass the cost to the ISPs, well they wouldn't want to take the gamble of pissing of their consumers either I would think

downside

[Ubi_NL]

With the recent connection of Sobig to a spam network, what if:
* Grandma has a box that got hax0red
* box is used to send 100.000 emails

Who is going to pay?
* Grandma?
* OS manufacturer for making lousy OS
* Spamming company

I'd prefer the latter but it required having to trace the company through complicated follow-the-money-go-overseas-FBI-CIA type of actions. So in reality they'll make grandma pay

No thanks

Re:downside

[NearlyHeadless]

With the recent connection of Sobig to a spam network, what if:
* Grandma has a box that got hax0red
* box is used to send 100.000 emails

Who is going to pay?
* Grandma?
* OS manufacturer for making lousy OS
* Spamming company

Tim Bray is proposing people would prepay say, $10, ahead of time. At 1 cent per email, the relay would cut off after 1000 emails.

So, yeah, Grandma would lose $10, but that's a good thing; it'll teach her to switch to Linux :-).

Right now, hacked systems just keep sending and sending and sending. Tim Bray's system looks like a plus to me.

Re:downside

[kawika]

When the infection rate of SoBig-style spamming worms is into the millions, having a limit of 1000 emails isn't much of an impediment to a spammer. There is a limitless supply of clueless users who can be fooled into running them.

If you try to force Grandma into paying the $10, she will just get the AARP to lobby for a law that protects people from paying in cases of "fraud". (For a template, see the rules on credit card purchases.) The ISPs will raise the rates from 1 cent to 2 or 3 or 4 cents to cover the money lost through fraud.

In other words, only clueful people will end up paying for email, and they will pay a lot to cover the mistakes of the clueless.

Re:downside

[lightspawn]

With the recent connection of Sobig to a spam network, what if:
* Grandma has a box that got hax0red
* box is used to send 100.000 emails


Again: If the sender only pays $0.01 when the recepient indicates they should, $1 will probably last people a year, so there's no point ever having more than $5 in your email deposit. If somebody hacks into Grandma's box, they can send 500 emails, or $5 worth of emails. Hardly seems worth it.

Re:downside

[Styros]

If this happened, then wouldn't it necessarily make that act a crime, because, there is now a real financial damage? Whereas before, people just theorized that spam costs $X billions, now you can actually calculate it. If you can calculate the damage, you have an legitimate reason to prosecute for fraud.

Re:downside

[Flunitrazepam]

God dammit Grandma!!!

Too late now....

[Chanc_Gorkon]

It's just too late now. The REAL problem with spam is that addresses get forged, and e-mail as it stands now is too insecure to be totally fixed. We'd need a new replacement for e-mail and I think that instant messaging could replace e-mail. Instant messaging can be set from the get go (easily) to ask permission before you get on the list. Once your added, you can send mail. If someone pisses you off too much, you yourself can ban em.

Re:Too late now....

[KarmaOverDogma]

Umm.... MSN Hotmail on the "Exclusive" setting is already here.

.

Re:Too late now....

[Chanc_Gorkon]

Which is exclusive and proprietary (not that MSN Messenger isn't). Most folks don't use Hotmail for anything but a spam dump.

Ok, ok...

[Gordonjcp]

... smartarse. Utterly offtopic but amusing nonetheless:

One of my friends is the Production Manager for a small touring theatre company. They had a tour in the Republic of Ireland just as the Euro was coming into use. So, some of the receipts for the tour were in Pounds sterling, some were in Punnts, and some were in Euros. The accountant just about shat himself when he was presented with them.

A bit crude; here's a variation I prefer

[isdnip]

Using a pay-to-send relay agent is crude, but it doesn't really address all the issues. Who runs the relays, and who decides if the relay is valid, or is a spammer's? Who decides the price of relaying? What about mailing lists?

I prefer a system of micropostage, in which there is no single postage-issuing authority, but the mail receiver maintains a whitelist of acceptable ones. (If one becomes compromised by spammers, then it gets deleted from the whitelist, a quick anc clean form of RBL.) Micropostage is only needed when the mail comes from a stranger; users can put their friends, correspondents, cow-orkers (whole domains) and mailing lists onto a whitelist. Postage is only checked at the receiving end, where something that arrives without a valid stamp and is not from someone on a whitelist will be rejected.

In this micropostage scheme, micropostage is very cheap (fractions of a cent). It takes the form of one-time digital signatures. The recipient has to query every stampette-bearing email against its issuing micropostage authority, which determines if it isboth valid and has not already been used. The micropostage authority recovers its costs via the sale of stampettes. And if it sets its price low enough for spammers, then its stampettes don't get whitelisted. If it sets its price too high, a competitors' stampettes get used instead.

End users should get allotments of stampettes from their ISPs. If they're compromised by a virus, the allotment will run out, and the ISP will demand virus removal before giving them more.

Let's face it; SMTP sucks, was never intended for a big public network, and needs major replacement. But the insistence that email be "free as in beer" will doom any alternative. Cheap, yes but when a million mails to strangers cost nearly zero (especially with spammers stealing service as they do), it's too tempting to spam. Some tiny cost is needed.

Here's the problem...

This system still needs somekind of authentication system for its users. Obviously, it has to know what mails are coming from you and only you in order to charge you appropriately (and prevent people from costing you money by faking mails from your account). Hence it either needs more infrastructure on top of the current system, or you somehow have to digitally sign your mails. But if we're already signing our mails, what's the point of this system? Filter out the guys you don't want, keep the ones you do, without the added cost, and more inportantly without getting the government involved... Once they know they can tax email, well, $0.01 will be a cheap email.

BTW, you can get free email certificates for digitally signing / encrypting email. For example...

https://www.thawte.com/html/COMMUNITY/personal/ind ex.html

-AC

Since when is Free Anonymous Email a right?

[KarmaOverDogma]

I personally think pay-to-send is only a matter of time, once enough people get pissed off (read as: big corporations losing enough money because of this increasing problem). Five cents per email would cut way down on my most hated form of spam, the illicit/illegal kind.

Yes, yes. I know, there are ways to defeat any pay-to-send system, but under a pay-to-send system the spammers would be easier to trace, and the presumed burden would fall under spammers.

I can't think of *any* other communication system in the world where you can send as much mail you want to as many people as you want for as little cash as you want (often less than $20 USD/ month) while still remaining anonymous for all practical purposes.

Who do you think pays for all of this wasted bandwith of spam now? The answer is Joe User.
.

Legal Dell Sponsored Racketeering.

[Dragoon]

I've Said it before, I"ll say it again.

Spam is that its -Very- big money. Next only to porn. If you spam about porn.. wow :)

Spammers will do -anything- to get around what ever you're doing. A spam company that I used to work for, would sell anti-spam programs which promised to get rid of spam, per a monlty subscription.

If you wanted to get out of thise "service", and you wern't inclined to read your TOS, you neglected to notice the fact that you would be subscriped to all of their lists upon termination of the contract.

This is basically racketeering.

This isn't new, this type of service has been avaiable since the dawn of time. A "Protection" service.

Aka "thats a Nice e-mail account you have there, pitty if it got spammed to hell".

Except guy's Named Guido whose breath smells like mozzarella, you have guy's named Steve who smell like pimpel creme.

And as I state below, in my employment term there, I was responsible for some spam "atrocities" as well.

For example, taking very legit open source software, used for anti-spam filtering, and re-wrote a section of it, so that we could run "copy" through it to be able to 'proof' all our outgoing mail. This way, nothing would be marked as spam, via the world's spam filters.

Spam is a filthy business, but its very profitable. Most of our greatest minds are unemployed, and desperate for work in the industry ( I was ). What's to stop them from taking a big fat pay cheque from an evil company? At least then you're working, and fed. And driving a bmw.

Hell, even dell is in on the action, check out http://www.ironport.com. Look at the C60 and the A60..

The IronPort C60: Powering and Protecting Business Email

The IronPort C60: Powering and Protecting Business Email

aka, what was given with the right hand, shall be taken away with the left.

Legal big-business sponsored racketeering.

Spam isn't going away, it's not possible.


Speaking as the former network admin for a "Direct Marketing" aka "Opt-in Mailing" company, the industry is evil.

I've dealt with the hosting in China for the purposes of sending mail, changing ip's daily, thousands of domains, and the use of OpenSource anti-spam software in some very questionalable situations. (Using an anti-spam filter to 'review copy' to make sure its not going to be picked up)

And from all my experience, There's only one thing I can say. The mailers will get around what ever you do, be it state or personal. If you have an email account, regardless of the fact if you give it out, it -will- be mailed to. E-Mail addresses are a super-hot commodity.

Especially if you can get them with the opt-in information attached.

Think of it this way. You opt-in to company A, company A sells your address to Company B. You opt-out to company A. Company B doesnt care. Company B could have already sold your info to Company C, D and E.

Opt-out's are funny, they basically just prove that you're a real live person using that computer.. true spammers love to buy listings that contain those addresses, they dont give a crap if you opt-ed out, they just want live email addresses.

So in short, you want a spam free email account? good luck, do what most people do, create a hotmail account for a spam account, and have a real account that you use for real email.

I've seen databases of 35 million mailable e-mail addresses, and trust me, thats a highly profitable database (and no, I dont have a copy, so dont ask, heh.)

What about virii?

[screwdriver]

Do you think charging innocent people to send legitimate mail will stop spammers? What happens when they install a virus/trojan/worm onto your computer and use that to send their spam. Then YOU get the bill! It's already been done but not for that purpose (yet).

I hate spam as much as anyone but I would not be willing to pay money to stop it. The spammers are the ones who would find a way around payment.

I'd hate to see

[Locky]

The poor sap who gets a bill from his ISP at the end of month, discovering the latest MS vulnerability left his machine to send off 150,000 spam emails.

How exactly would this scheme work? Would you need verification of every email you send? What if the above scenario occurs and no verification is in place?

An orther "pay-me-for-no-spam" business

[NoSuchGuy]

I don't want to pay to recive normal mail, I want the spammer to pay me to recive their mail!

NoSuchGuy

Not addressing the problem...

Spam is bad. It's really bad. It also exists because there are idiots that respond to the messages.

If the problem is getting bad enough that it's starting to adversely affect the communicatios infrastructure, why not address the root of the problem: the idiots that respond to the messages.

Make it a misdemeanor to respond to UCE. Charge $50 an incident, publicize the law and that a certain fraction of the spam will now be "idiot stings" whereby the spam will come from law enforcement...

If the rate of return on spam mail drops 90%, it's no longer attractive as a medium, and the fines can go to initiatives that increase bandwidth or developing more advanced approaches to getting rid of spam or possible new e-mail technologies.

Re:Not addressing the problem...

[SpacePunk]

That's as idiotic as responding to spam.

But, perhaps it would be a new revenue stream for law enforcement. They could also charge $50 to those that are mugged on the street, and $1000 to those who's car is stolen. Yeah, that's the ticket! Charge the victim!

Pay to send works (sort-of)

[e-gold]

(I can't believe the old linked article mentions my ancient Flying Rat project! That failed, and...) A disclaimer: I'm self-interested (obviously) and I think the media have done a poor job covering it, but...

There are a number of Get Paid To Read email programs which use e-gold for small efficient payments to lots of individuals (*willing* individuals!) all over the world. These explain the huge number of tiny spends at http://stats.e-gold.com and a few of them are quite popular it seems.

It's not a perfect solution, but this does absorb resources which would otherwise almost-certainly go to spammers, IMO. I wish the media would cover this voluntary solution to a tiny part of the problem, but so far they haven't.
JMR

(I speak ONLY for myself!)

easy as dell to FUDge up a bunch of phonIE monIE

A telling glimpse into the relationship between Wall Street and corporate America during the technology stock boom has emerged from e-mail exchanges introduced as evidence late last week in the federal trial of Frank P. Quattrone, the former star technology banker at Credit Suisse First Boston.
Advertisement

While not exposing anything illegal on its face, the e-mail exchanges in summer 2000 between Mr. Quattrone and Michael S. Dell, the founder and chairman of Dell Computer, offer a look at the quid pro quo arrangements that were believed to have been made between investment bankers and corporate executives during the technology stock boom that ended in 2000. During that period, bankers often tried to attract new business by offering corporate executives access to hot initial public offerings, while executives held out the possibility of giving the bankers business in exchange for the shares.

During cross-examination of Mr. Quattrone, federal prosecutors introduced into evidence Government Exhibit No. 1060, a July 2000 e-mail exchange discussing the chance to reserve shares in the initial public offering of Corvis, an optical networking company. Under such an allocation arrangement, the recipient would be able to buy the shares at the initial offering price, while most other investors would have to wait until after actual trading began - often missing out on early gains.

"My team has gotten word to me that you are personally interested in having Dell Ventures receive a meaningful allocation of the I.P.O. of Corvis," Mr. Quattrone wrote to Mr. Dell. "Given the intense interest in this space we anticipate this will be a complete zoo, so I wanted to check if your interest was really there." Dell Ventures is the company's investment arm.

Mr. Quattrone also asked if Mr. Dell would be available to be the keynote speaker at Credit Suisse First Boston's technology conference, an annual gathering for technology chiefs in Scottsdale, Ariz.

And then, in the same message, the supposed wall between investment banking and research was breached. Mr. Quattrone asked Mr. Dell whether First Boston should hire a certain research analyst to cover computing, noting, "We are still trying to finalize our selection of a PC analyst (slim pickings.)'' Dell is the largest maker of PCs.

Mr. Dell's reply was no less direct. "We would like 250k shares of Corvis," Mr. Dell wrote. "I know there have been efforts on both sides to build the relationship and an offering like this would certainly help." He also said he would be available to speak at the technology conference, but only "if our I.R. team wants me to go," he said referring to his investor relations staff. He added, "They may be waiting to see who your PC analyst is."

Mr. Dell made it clear that the proposed analyst candidate would not do, saying he had consulted Dell's senior vice president for business development and strategy, Tom Meredith, who had been dismissive. "I would tend to agree,'' Mr. Dell wrote. "Not sure he has credibility anymore with the street. You might be better off with a fresh new talent."

Repeated telephone calls over the weekend seeking comment from Mr. Dell or Dell Computer were not returned. A spokesman for Mr. Quattrone and his legal team declined to comment.

The e-mail transcript was introduced as evidence Friday afternoon by federal prosecutors who are trying to prove that Mr. Quattrone obstructed a government investigation into Credit Suisse First Boston's procedures for handling initial public stock offerings. Reporters did not receive copies of the messages until after the trial was recessed late Friday afternoon.

The e-mail exchange between Mr. Quattrone and Mr. Dell took place on July 26, two days before the public offering of Corvis's shares. People who received the pretrading allocations would have been able to buy them at the offering price of $36. The stock immediately jumped to $95 as the market opened on July 28, and rose as high as $98, before closing that day at $84.68

Bonded Senders

[Nijika]

Don't know if anybody's mentioned this, but I came across this from Road Runner's site after they blocked a bunch of ISPs (filtering gone awry, I'm afraid, and corrected now).

http://www.bondedsender.com/

Essentially a whitelist of senders, rather than a blacklist. There's been lots of whitelist talk, but I don't think anyone's taking it seriously because it would be difficult to get everyone to fall into line with this concept. Imagine how much mail your clients -wouldn't- get if it was to be implemented. But now, it's gotten to the point where the community HAS to do something, I mean really now. So I propose admins that are reading this hop onboard and sign up to see what they have to offer.

What I'd like to see is a community run list, like a polar-opposite RBL, that would do an open relay test, a reverse IP test, and would be open to human scrutiny. We could give ourselves 365 days to get the word out and implement it, that should be a good amount of time.

Hmm, gotta break out the pen..

Re:Bonded Senders

[Tony+Hoyle]

bonded sender is talking about $1000 per server... There is *no way* I can afford that kind of money to run my mailserver (the hardware didn't even cost one tenth of that). We have three at work here - that would cost us $3000 for zero benefit (yeah, I can really see that one get past the bean counters).

If it was $20 it might be worth it. At $1000 maybe big ISPs might bother (but they're the source of most of the spam anyway... I get shedloads from rr.com, btw.).

Re:Bonded Senders

[pentalive]

There was a guy on CNET radio named Desmod Crisis who setup his own email with a whitelist, if you sent him an email and you weren't on the whitelist, the program would automatically send a reply back explianing you weren't on his white list and what to do to get on his white list if you wanted to.

Re:Uh.... no!

[david.given]

Even though a penny an email sounds innocuous, this just won't fly. For one thing, the infrastructure you'd need to track the financial side of things would probably prevent the figure from being that low. Plus there's the whole loss-of-anonymity that goes along with paying for email rights. The biggest problem is that while this service might appeal to those on the receiving end of email, I can't see a wide market wanting to sign up as senders...

Agree.

My pet idea is that the general principle is sound --- i.e., introduce some obligatory cost when sending email --- but it shouldn't be monetary. Instead, just introduce a, say, ten second delay every time the SMTP server accepts email.

This delay is short enough that most people won't notice it, particularly if their mail software has an outgoing queue. But it means you can only send about 8500 messages a day through the SMTP server. If you also introduced widespread blocking of port 25 by ISPs, it means that the only way to send email is via the delayed SMTP server --- which means the network can't be used to send spam.

(Before anyone asks, yes, this would affect mailing lists. But mailing lists are special, and any self-respecting ISP could easily set up a properly authenticating mailing list server that's not subject to the delay.)

Of course, this will never be adopted --- because it prevents an ISPs own customers from sending spam, rather than preventing the customers from being spammed from another ISP, there's no incentive. But it's cheap and easy to implement, involves no cultural or technological changes, no nasty financial penalties, and would probably actually work...

Re:Uh.... no!

[gidds]

Plus there's the whole loss-of-anonymity

But isn't that a necessity? If you can send messages while remaining completely anonymous, cheaply, and expect them to be seen, then you can send spam. I can't see any way around that. All the proposed solutions I've seen have involved breaking one of those parts: either the anonymity directly (e.g. authentication), the cheapness (e.g. charging, which breaks the anonymity indirectly), or the expectation of being seen (e.g. challenge/response, which needs a semi-permanent address and risks anonymity that way). All end up losing anonymity somehow.

better: let recipient choose when to charge

[DulcetTone]

I think a better model is to enregister senders so that they can be charged, but not to charge to send emails as a matter of course. Rather, email clients can sport buttons which, when pushed, charge the email sender $0.25 for what the RECIPIENT determines is unwelcome email.

In such a model, we would be free to send good email, and the fear of the likely costs of widely disseminating unwelcome email would do "the right thing".

Re:better: let recipient choose when to charge

[Tony+Hoyle]

So what happens is 'Joe Greedy' signs up for 100 email lists, and pushes the 'charge' button for every single email he receives.

Nice little 'earner :) $250 for pressing a button 1000 times.

Re:better: let recipient choose when to charge

[DulcetTone]

I didn't mean that you give the money to the button-presser: send it to a charity and/or use some to defray costs of the charging infrastructure itself.

Drugs and Spam

[thales]

The same mistakes from the war on drugs are being proposed for the war on Spam. Going after the "dealers". As long as there are people who are willing to purchase drugs, there will be someone who is willing to take legal risks to sell them. As long as there are businesses who are willing to pay a spammer, there will be people willing to find ways to evade any laws or costs to send it for these sleezy busunesses.

Unlike Spammers who try to hide, the business/con artist has to have a means of contact for the victim to get ahold of them. This is the weak link in the spam chain. Make it illegal to hire a spammer AND to send it out on your own, then start nailing the SOBs.

Punish the Advertisers

If they would just punish the advertisers, this would go away in a hurry. Remember, the only good piece of contact info on a piece of spam is the seller's contact info. They are profiting from it, stick it to them!

(Why is this so hard?)

Just use the mechanism, not the money

[ajb44]

It shouldn't be necessary for people to actually pay 1 cent per email in order to stop spam. You can use the same mechanism (ecash, or rather tokens) without connecting it to the real economy:

Each person (or rather, their email program) sets a 'price' in tokens for incoming mail, depending on how many mails they need to send. They then use the tokens they recieve to 'pay' for their outgoing mail. Everyone refuses to pay more than a certain amount.

For mailing lists you *want*, you simply configure your mail program to accept it without paying.

It may be much less costly to build such a system than to connect to the real economy, because:

1) there are various checks required by the regulators for currencies connected to the real economy

2) real cash can only by double spent by some percentage before the economy collapses. email tokens could be 'double' spent 100 or 1000 times and still spammers would not be able to send enough out. Maybe crypto experts can devise cheaper ecash mechanisms which take advantage of this.

Punish the companies paying spammer.

[NWprobe]

A spam email usually gives you an option to BUY something.

If 0.1% of those of us recieving spam mail placed a false order (or 100 000), the companies advertising through spam would get no value out of it. It would costs them money. Their customer and order systems would get spammed.

If it was impossible to make money from sending out spam, then the spam will stop.

The only way to stop spammers is SABOTAGE!

Re:Punish the companies paying spammer.

That brings me to my Perl script. I have repeatedly received spams advertising this awayoutofdebtfast.com domain. After filing numerous SpamCop reports to no effect, I decided to do just what you suggest here. Here is the Perl script that pciks a random interval between 1 and 10 seconds and fills in their request form with random data. I let it run in bouts of 5000 false submissions. Take it and run with it.

-----ATTACK AWAYOUTOFDEBTFAST.COM SCRIPT-----
#!/usr/bin/perl

use HTTP::Request::Common qw(POST HEAD);
use HTTP::Headers;
use LWP::UserAgent;
@secinterval = (1..10);
srand;
@statearray = qw(AK AL AR AZ CU CT DC DE FL GA HI IA ID IL IN KS KY
LA MA MD ME MN MO MS MT NC ND NE NH NJ NM NV OH OK
OR PA PR RI SC SD TN TX UT VA VT WA WI WV WY);
@unsecdebt = ("\$10,000 - \$20,000","\$5,000 - \$10,000","\$20,000 - \$40,000","\$40,000 - \$60,000","\$60,000 - \$80,000","\$80,000 - \$100,000","Over \$100,000");
@creditors = ("AAFES/Military Star/DPP/NEX","American Express","Aspire","ATT Universal","Bank of America","Bank One","Beneficial","Capital One","Card Service Center","Chase","Citibank","Credit Union","Cross Country Bank","Direct Merchants","Discover","FCNB","First North American Bank","First Premier","First USA","Fleet","GM Card","Household","MBNA","Merrick Bank","Orchard Bank","Providian","Verizon","Wells Fargo","WFNNB","Credit Cards: Other","Best Buy/ Circuit City","Bloomingdales","Dillards","Home Depot/ Lowes","JC Penney","Radio Shack","Office Depot/ Office Max/ Staples","Sears","Wal-mart/ Target","Store cards: Other","Collections","Dell/ Gateway","Gas cards","Judgments","Lawyer bills","Medical bills","Repossession","Unsecured Loans","Utilities","Miscellaneous: Other");

for ($i=1; $i new();
$thecookie = random_cookie();
my $req = POST 'http://www.awayoutofdebtfast.com/index.asp',
Dat e => HTTP::Date::time2str(time),
Referer => 'http://www.awayoutofdebtfast.com/index.asp',
Hos t => 'www.awayoutofdebtfast.com',
User_Agent => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030911",
Cookie => 'ASPSESSIONIDSSDDRBQS=' . $thecookie . '; HitTracked=1',
Content =>
[ affid => '21015',
action => 'log',
FirstName => &gen_rand_string,
LastName => &gen_rand_string,
Address => gen_rand_number(3) . " " . &gen_rand_string,
City => &gen_rand_string,
State => $statearray[rand(@statearray)],
ZipCode => gen_rand_number(5),
AreaCode => gen_rand_number(3),
First3digitsofHomephonenumber => gen_rand_number(3),
Last4digitsofHomephonenumber => gen_rand_number(4),
WorkAreaCode => gen_rand_number(3),
First3digitsofWorkphonenumber => gen_rand_number(3),
Last4digitsofWorkphonenumber => gen_rand_number(4),
TotalAmountofUnsecuredDebt => $unsecdebt[rand(@unsecdebt)],
Email => $tempemail,
CreditorName1 => $creditors[rand(@creditors)],
CreditorBalance1 => gen_rand_number(5),
select3 => $creditors[rand(@creditors)],
CreditorBalance2 => gen_rand_number(5),
button1 => 'Submit'
];
$content = $ua->request($req)->as_string;
#print $req->as_string;
#print $content;
if($content =~ /Thank you for contacting us/) {
print "Request $reqcount succeeded!\n";
}
else {
print "Request $reqcount failed!\n";
}
system("sleep $sleeptime");
}

sub random_cookie() {
my $index=0;
my $element,$thecookie = "";
my @letter = (A..Z);
for ($t=1; $t25; $t++) {
$index = rand @letter;
$element = $letter[$index];
$thecookie .= $element;
}
return ($thecookie);
}

sub gen_rand_string {
my @char_array = (a..z,A..Z,1..10);
my @tempcount = (1..10);
my $count = $tempcount[rand(@tem

It's a matter of degree

[gidds]

It costs me less than a penny a piece to deal with an individual spam.

Okay, that works for you, fine. But I'm guessing you don't get very much spam. Imagine if you got over a thousand spam messages a day (as someone I know has been doing). That's an average of one every 86 seconds. Wouldn't you find it more of a nuisance then? Wouldn't you be considering drastic measures, or even payment, to avoid that?

I'm not saying that this proposed solution is a good one; I don't think that it is. But please don't assume that everyone's experience of spam is the same as yours, because as a problem it varies very widely.

Re:It's a matter of degree

[moehoward]

I get several hundred per day. The ones that get through the spam filter (like 15) are easily selected all together in the swipe of a mouse and then deleted. I empty the junk folder once a day. I'd say that it consumes 5 seconds of my day plus about .001% of my total bandwidth. Darn. It's such a nuisance. I don't pay for my spam filter separately, it's built into my email program.

If the ISPs don't like it, they can start banning these jerks instead of colluding with them by selling them services. Don't drag me into your spam mess. It's not my problem. Go bitch at the people who pay the spammers to advertise. Go bitch at the jerks who actually buy the spammers junk. Go bitch at legislatures who go out of their way to ignore the problem. Change your email address. How many people actually need your address? How hard is it to change every now and then? Sheesh. Have you ever actually tried calling spammers on the phone? I have. Guess what? It works to harass them. Are you involved or just whining?

Re:It's a matter of degree

[halr9000]

if you got over a thousand spam messages a day (as someone I know has been doing).

Jesus Christ! I'd say it's time to change your username, pal!

Re: It's a matter of degree

[gidds]

Not me, luckily. I only see about 10 a day, and my mail client's Bayesian filter identifies most of those. Admittedly, my ISP is running BrightMail, which stops another hundred or so each day before they get near me. Still, very manageable. But I sympathise with those who have it far worse.

What about international spammers?

First off, I'm totally against the whole pay per email thing, it just won't work. But what about international spammers? I watch my mail logs all the time and I see many attempts to use my server as a relay, all coming from china or taiwan. Who is going to police spam coming from countries where its legal, where its even encouraged? The people who will be affected by this will be everyday people who abide by laws, we'll pay per email but still receive hundreds in our inboxes from other countries. I have one email account that I use for buying things online and for newsletters and such. It gets like 800 spams a day, that's just life. McAffee spamfilter takes care of most of them for me so I don't have to look at them. I have many other email accounts that I just use for correspondence and its a rarity to even get 1 spam in a day.

Spam.. it's just like junk mail (physical)

[mcdade]

We all put up with a certian amount of junkmail, it's a given, we already get it with our daily snailmail, in newspapers and with products we buy.. we do tolerate a certian amount of this stuff.

I think one of the biggest things we can do is to cut down the number of open relays (this will help) also have a global ban list of ISP's that allow large scale spammers. I have pretty much banned entire contry codes and class A networks because all that comes out of them is spam. But also all the ISP (in the world, not just the US) need to define dsl or modem connections, these are the worst, i have spammers coming from open dsl connections all the time. They have to define in the reverse lookup that the connect ins a dsl user, like xxx.detr.dsl.comcast.com I need to filter those ip's based on the "DSL" or "cable" portion, right now i can only ban based on city codes they use, as I would love to ban all of "comcast", "t-dial.de" and a few other spam sending ISP's.

I know that my ISP, Sympatico.ca, won't allow me to send out email directly anymore which cuts down on spammers, but allows all dsl users to relay thru their mail server (which does annoy me cause I could run an smtp server I wanted too but I like which relevies me from getting any spam from the domain)

my thoughts..

-b

Re:Spam.. it's just like junk mail (physical)

[gl4ss]

hey, don't do that.

right now i'm pretty sure one of the reasons i DON'T get any spam(to any measurable degree, that means that i get maybe 3 'spam'category mails per month that i actually had somehow managed to subscribe) is that my mail address(that's on clear text on my homepage, linked from my sig, with all kinds of crawlers coming through it) has ".adsl." in it.

eh.. so, i guess my point is that dialup and dsl' lines that change their ip addresses should be banned(but not perm. ip).

Re:Spam.. it's just like junk mail (physical)

[InvisiBill]

I have to disagree. I worked for a small company whose only connection option was a cable modem. We had a "business" account, with static IPs and servers specifically allowed by the ToS. I set up a Linux (E-smith to be exact) mail & web server/gateway. Not an open relay (authenticated SMTP for remote users).

We were put on some DNS blacklists just because the IP addresses were assigned by DHCP. Didn't matter that it was a business acount, with static IPs ("reserved DHCP"), running secure server software. Simply the fact that we were on a cable modem in the ISP's DHCP range got us on a couple blacklists. As far as I know, they're still on at least one of those.

That's the problem with server blacklists. Unless you manually verify each one, you're going to get collateral damage where innocent servers are blocked. Nobody seems to care about this until they're the innocent server.

Remember that we don't need to totally stop the transmission of all spam emails for spam to become ineffective. If everyone deleted every spam they got, spam would no longer generate any revenue. Actually, you'd only have to get rid of every spam going to everyone who actually buys the spamvertised goods. Once nobody is buying anything, the tiny cost of sending email (electricity, ISP, labor, etc.) will outweigh the advantages. The spammers who understand simple math will realize they're losing money overall by spamming, and will choose to stop.

So go install a good, easy to use spam filter for someone you think might actually buy something spamvertised. Once we stop all their spam, all spam will stop.

Pay for Spam?

[Walrus99]

OK, I suggested this a few months ago, right here on Slashdot. I proposed charging or taxing e-mail, even at .1 cents a pop (pun intended). According to the DCMA this is prior art so: "All your e-mail charges is belong to us." I expect a check in the mail shortly.

--The Walrus

Trusted Ring?

There are several problems that I see:

1) There is nothing in place to prevent someone from having multiple accounts, and thus, thwarting the daily limit. (multiple hotmail accounts even).

2) a delay of account activation won't prevent spammers from doing anything. A little bit of forthought will thwart this measure. They'd just have a queue of accounts.

3) The fee is indeed a killer. I know of a MUD that charges an equally insignificant fee just to keep people off of it. Most people are lazy (more than they are cheap). They probably won't go through the trouble. Also, hotmail and the like would no longer be free (although, hotmail could cover the costs)

It seems to me that it would be better for all of the ISPs, buisnesses, etc to have a "trusted ring." That is, they authenticate every message between every machine in the ring. If a spammer gets an account on one of the trusted systems, another admin (of a another system) could notify them when they become aware of the problem. The account is then deactivated. If it isn't, the system is booted out of the trusted ring until they are more cooperative.

This sounds a lot like the system above, but there are some important differences:

1) no fee for the user. The cost of this is a savings when compared to dealing with spam currently. Thus, ISPs, etc, would be happy to fork over the cash

2) There is no "buisness" that might have conflicted interests (*cough* verisign). This is more like a real-time blackhole. But, the odds of suing a consortium of ISPs, buisnesses, etc into the ground are slim to none. AOL and the like have deeper pockets than any spammer. So, frivilous lawsuits (that brought down the RTBHs) are not a problem.

3) You can add an option that allows the user to accept mail from outside the ring (handling the whole fight for freedom in [insert facist country here] thing). But this would be opt-in, not opt-out

Too Easy to Attack

[kmilani2134]

In the las couple of months spammers have managed to use DoS attacks on most of the RBL lists and many of the RBL lists have now gone out of business. The ability of spammers to conduct DDoS attacks using hundreds of thousands of zombie Windows machines against select targets would easily break any system such as the proposed which has a single point of failure. If you do a DoS attack on the mail relay, then nobody's mail gets through. If there are only a handful of relays, then it would be simple to stop all mail using those relays. If you greatly increased the relays and made it easy to set up the relays, then spammers would be back just about to where they are now as it would become much more difficult to figure out the good relays from the bad relays. And if you shut down a good relay that you thought was a bad relay...

Re:Too Easy to Attack

[bmalia]

I was thinking the same thing. Spammers/crackers retaliate and bring down the SMTP4All.com causing a worldwide e-mail outage.

I for one, would rather let a few spams slip through my spam filter than pay for sending e-mail anyway. There's got to be a better approach than putting postage on e-mails. (However it would be nice to be the one who makes money on every email sent) And theres got to be a better way than baysian filtering.

This may not solve the worlds problems, but I think that the FROM address should be required to be correct, NO MORE ANONYMOUS E-MAILS. Sure, you have the IP of the sender, but you can't reply back saying "Stop sending me this crap!" to an IP. You have to go through hastle to report it, which 99.9% of the people don't. I'd like to see a new SMTP be implemented, where the FROM address is authenticated by the ISP before sending.

I wish I had some mod points...

[metamatic]

You'd be getting 'em all right now.

paying to send email is a good thing

[j0hndoe]

but the payment should be non-monetary. It should be something that most people think of as free: time and CPU cycles. There have been various schemes to this effect proposed, but most people still seem to be unaware of it. It requires no money, and no centralization, and doesn't interfere with the anonyminity of email. The basic idea is, that if your SMTP server tries to send me an email, and you are not on my whitelist, my server responds with a challenge of a "moderately" hard problem. Something like factoring the product of two 50 digit primes. Once this is done, you can send me the email.

This system could be put in place at most ISPs transparently, users who send a few emails a day won't notice the difference, but suddenly the spammers can't just sit in their bedroom with a 486 and spew millions of spams a day anymore.

Re:poop

Not really, but do you?

Re:poop

eat it! eat my poop!!

Re:poop

n00b!!!!!1

Content filtering doesn't work ...

[Skapare]

Content filtering doesn't work if you don't have the content, yet. And by the time you do have the content, you already have most of the impact of the spam. You might as well just press delete, since at this point all that content filtering is doing for you is an automatic delete (unless, of course, you're silly enough to set up a spam folder for it all to be put into, which means you'll end up sifting through it for something important, anyway).

There is hope that spammers will just stop spamming if everyone just deletes the mail (even if automatically). But that is a false hope because it only takes a few dumb souls to respond, and the spammers succeed at their goals. Then they will keep on spamming, and they will keep on doing it on the cheap which means they won't clean their lists (because cleaning them costs more than just mass mailing to everyone).

This issue comes down to objective. What is it we are trying to accomplish? Are we trying to take spammers out of existance? Or are we trying to shed the costs that spammers are imposing on us? Adding on things like Bayesian filtering are increasing our costs, not just in the processing it takes, but also in the fact that we have to accept the data stream of every message to do that.

one small modification i'd like to see

[escowles]

is a subscription to this service (with a reasonable number of messages per month free) being a standard part of the ISP package. that solve the main problem is see with this approach -- home users wouldn't have to go through the hassle of setting up a separate account.

of course, i would bet that any large organization could negotiate a better deal than 1c per message -- as long as they kept their spam rate down.

-esme

Get paid to receive spam

If we just extend the idea, so that every system that passes mail to another system pays 1 cent per email. Then people who receive mail will actually make money. Receiving 100 spams a day would net you $30/month. People would start setting up email accounts just so they can receive spam.

Most people receive about as much legitimate mail as they send. So they wouldn't have to pay for their email. It would net to about zero. If they send a little more than they recieve, it might cost them a little. 100 unrequited emails a month would cost $12/year.

Newsletters, legitimate mailing lists, etc. would incur costs. So they might have to charge 1 penny per issue. Ah, go nuts and charge 5 pennies! Then a daily newsletter would cost a whopping $3-15/year. You might opt for the weekly digest edition for $0.52-$2.50/year. If the newsletter isn't worth a penny, it probably is spam.

A spammer generating 2 million emails a day would have to pay an extra $20,000 each day ($600,000 each month). Some spammers might still be profitable. But I wouldn't mind getting spam so much if it paid for lunch once a week.

What might work is

[kalidasa]

a "pay to send, get paid to receive" model. Think of it this way: you get a particular quota of outgoing and incoming email bandwidth per month. For each email you send, you pay $0.001 per recipient copy. For each you receive, you receive $0.001. For non-commercial users, the cost would cancel out. For commercial users, it would be part of the cost of doing business, and would still be cheaper than direct mail (1/370th the cost to send, and no paper, envelope costs, and far less labor). The only people it would really kill would be spammers.

Re:What might work is

[Styros]

Who's going to pay me when the sender's computer was hacked? Or the sender's IP was spoofed?

Re:What might work is

[kalidasa]

Good point. You'd have to track down the culprit and fine him; and you'd probably have to have some kind of insurance system to resolve that. But yeah, a good counterargument to the feasibility of a nano-payment system.

Spammers business model

[slashhax0r]

Has anyone really looked at a spammer's business model? In the article he says that they cannot afford 1c per email, however is that claim substantiated by any research, has anyone done any research on the topic?

1-800-Caning-For-Spam

[Channard]

Which idiots modded this up? Promotion of violence is not funny.

Promoting violence? It sounded like he was trying to buy the Spammer's service, assuming the spammer operates some sort of dungeon facility..

Re:Uh.... no!

[pentalive]

If we all as recievers sign up only for pay mail, then the spammers will have to sign up too if they want to send mail to us.

What if it was say 10 cents to send a mail, but when the reciever got it they could "do somthing" to indicate that they "accepted" the mail and the 10 cent charge would be
dropped. Your friend sends you email, you read it and accept it. Jim the realator down the street sends you email, but because you are thinking of buying a house you accept that email too - jim sends for free. Mike in the big city spammer send out mail, at 10 cents a whack that no one is interested in (get rich quick) and mostly pays for it because no one accepts it.

There's a loophole

[weshart]

Even if you accept the author's premise (I don't), there's still a flaw in his relayer scheme.

The trouble is that it would be awfully complicated and expensive to get digital-signing machinery out there to everybody, and they shouldn't have to put up with the fuss and bother; most people would rather not and that includes me.

The solution is straightforward: create a new kind of business, a relayer.

If Joe User is too lazy or stupid to sign his emails, then how does the relayer verify his identity before charging him his penny?

If the relayer accepts unsigned mail, spammers are just going to forge From: addressess to get their sleaze sent out. And if folks are willing to sign their mail to the relayer, then why do we need a relayer in the first place?

Spamcop

[d_lesage]

Pick this one apart, people.

I've been thinking about the problem for a while, and here's what I got. You forward an email to spamcop (or paste it on their web site), and it analyses the headers for you to figure out where the email originally came from.

Now, what prevents SMTP servers from running a similar check when receiving emails? Walk the IP list in the headers, see where it originally came from, check whether is matches the domain on the "From:" line, and bounce it if the results differ.

Time/Bandwidth overhead? Mailing lists? Anonymous mailers?

Why?

[snakecoder]

For the life of me, I do not understand why this is a debate still. There is an easy client side authentication scheme that works very well. You send me an e-mail, but you are not in my address book. My client automatically sends a request to you to prove you are human (in nice words). Your e-mail sits in a pending folder until authenticate yourself.

How your authenticate yourself can easily be changed and for once, the onus of work is on the spammers to beat the system.
I am using a paid system that uses this method. I will not mention their name because they are involved in a SW patent suit over their solution and that pisses me off, so no free advertising. Anyway, this service helps me filter my hotmail account which gets over 200 spams a week.

And how does it do? It works. Out of 4,500 e-mails, 4 charity spams got through because the e-mailer took the time to respond to the authentication letter. That's good enough for me.

I've heard arguments about businesses not being able to afford losing contacts because of this method etc. This is where the final improvement needs to take place. You could place a reverse baysian filter on your pending folder to pull out e-mail that has a likely hood of being real. Problem solved.

I am convinced that this solution needs to be implemented in a universal, easy to install, and easy to operate way. The system I use is pretty straight forward, and it works. Anyway, I believe the final solution to spam is out there, but no one is noticing. Very frustrating.

Re:Uh.... no!

[cableshaft]

This is actually a working solution to brute-force hacking. By introducing a delay before verification, it's practically unnoticeable to the common user who knows their user/pass, but it deters (and maybe even defeats) the common brute force hacker. Sure, given enough time they'll be able to overcome this obstacle, but it aggravates most from attempting it.

ISPs should charge each other for email delivery

[DanielRavenNest]

ISPs should charge each other for transporting
email. AOL provides Earthlink a service by
delivering Earthlink customer's emails to the
recipient using AOL's equipment. So they are
justified in charging Earthlink for that service.

Now if traffic flow is balanced, no actual money
is exchanged. How you affect spammers is when
traffic flow is imbalanced. An Isp sending more
email than it receives ends up paying the other
Isps. Then the spammer who creates the excess
email will be billed by his Isp, and the Isp
on the receiving end has a new source of revenue
to defray it's costs, leading hopefully to lower
charges for normal customers.

It would take a handful of the larger Isps to
agree among each other to do this, and to
declare that after a certain date they will
no longer accept traffic from senders who do
not agree to the deal.

Daniel

I cringe every time I hear this

[Kakurenbo+Shogun]

Every time I hear someone suggest a pay-to-send strategy for email, I cringe. As the owner of a small business that operates primarily online and generates a fair amount of LEGITIMATE email to people who've SIGNED UP with me, this would be a crushing blow. I would shut my sites down and look for a job with The Man. And when I think of that, I cringe again.

Here are my thoughts:
1) If you're willing to pay a penny a message to send, wouldn't you be willing to pay a little for filtering that kept your spam level low enough that it wasn't a problem?

2) If dealing with SPAM is a variable cost based on how much email you send, rather than a fixed cost, you're going to send less email. This will cut into your business. Every message that goes out is going to require an economic decision. At a penny a piece, you're not going to have to submit an email sending permission request for each one, but you're going to have a little nagging voice in your head saying "isn't there something you can do to avoid sending yet another email?" Is the added effort and stress over deciding whether to send email or find another method worth the time saving from not having to filter or delete spam?

3) You're going to force your customers either to pay to receive emails (probably not directly--you'll just raise your prices) or you're going to force THEM to jump through hoops to get information from you in ways that don't require you to send email. And guess what! People who you get email from are going to require the same of you! You'll either pay more for the privilege of receiving email from them, or you're going to have to go through the inconvenience of some other method of receiving information from them...cancelling out the time you saved by not having to delete spam.

Of course there ARE methods available for shifting some information distribution from email to non-spammable methods. For example, a company could put info they used to email out into an RSS feed which their customers could subscribe to. Since not everybody has an RSS reader, they could give customers the choice of whether to receive email or use RSS. Given that you wouldn't have to give out an email address or any other information to subscribe to the RSS feed, people with privacy concerns would likely jump on that method. In case some of the info to be distributed is personalized, the URL of the feed could even contain some sort of identifier--a customer number and password or something--and the feed could have personal items added to it dynamically. I'm sure there are other technologies that could also help. Maybe what we need to do is work on gradually shifting things that can be handled by non-email methods away from email.

Finally, I would much rather go to a white-list system than pay to send emails. For example, if a message comes from someone not on the white-list, they get a message saying "please do such and such to get on my whitelist". Once they do, they're on a tentative white-list. The recipient then periodically either approves the address on the tentative list or moves them to a black-list, in case a spammer actually bothered to get on the tentative list.

The final, and perhaps most important point I'd like to make is that if every person on the internet is going to switch from the current system to something new in order to solve this or any problem, let's all switch to a system that doesn't throw out the benefits of the internet as it is today. Let's not add artificial costs to the system. Let's not make the system less convenient. Even if we can only find partial solutions that are free and easy, I think that's preferable to jumping wholesale onto a solution that creates a new set of problems or negates the benefits we currently enjoy.

Traffic volume still a problem, solve by signing

[porttikivi]

Bayesian filtering works great, yes (I use SpamBayes). But the the traffic volume remains a problem, both personally and globally. For example on my VPN link to my company it takes half an hour to download and filter all the 500 spam & virus messages I get daily now. And I refuse to give in and disable or completely hide my old and well-known mail address.

I don't have the links handy, but there was a suggestion, and now f.ex. PGP Corp. has the product, which makes the company mail relay sign all outgoing mail by the company private key (S/MIME or PGP). I think it is realistic to make this the norm: all organizational mail relays will sign all outgoing mail automatically. SMTP relays will only accept messages with valid and trusted signatures for further processing.

The beauty is, that the users don't have to do anything.

Of course you can still spam, but not very anonymously. Getting your keys trusted will require some well-known signers, and they will require a contract preventing spamming. Removing trust from the few that manage to cheat the system will be easy.

Nail on the head

[tilrman]

Sounds pretty innovative to me. Maybe we can get Verisign to host the new SMTP server.

Will you STUF about SomethingAwful?

I sware you fanboys try to find something to bring up SA's being listed by SPEWS. Just get over the fact that they chose to host their site with the cheapest provider, only to find out that their provider is a dump.

Besides, considering what the trolling site claims about SPEWS I what they claim Like say this one: "Network admins who use the SPEWS.ORG blocklist are thirty eight times more likely to attempt to hot glue a realistic latex vagina to a skateboard and call it by their mother's first name while having intercourse with it than those who either use no blocklist or one of many less draconian SPEWS alternatives."

So, is this a good example of what are they trying to "demonstrate" here? I also question the "serious" manner in which they address this issue. This site even belives some k00k page about how SPEWS is linked to spammers and the FUD anti-SPEWS sites. But SPEWS is the least of their worries.

They told their retared viewers to spam a anti-spam newgroup and got SA perminitly black listed by some admins. Unlike SPEWS, they will never get out of this blacklist. I doubt most of them care, SA's ISP is a dump and home to a lot of spammers. People are not going to accept mail from you if majority of stuff that comes from your IP range is spam.

Pay plus whitelisting ought to work...

[UtilityFog]

How about whitelists, nicely managed by your mail client, plus pay relays to receive mail from new people? You could set the cost threshold yourself, rather than having one flat rate. Most emailing would still be free (and most legitimate introductions could be made by mutual acquaintances). So you could afford to set the pay rate to, say, $0.30/letter or the like.

What's more, just set the system up so that the recipient gets half the fee. I'll be happy to read anything anyone wants to send if they pay me...

... easy

[Artful+Codger]

I could see alot of reasons why big ISPs or mail networks (eg AOL, HotMail, Yahoo) would consider offering such a facility as part of their service.

Imagine the marketing power of being able to say that all your clients' addresses can be authenticated... that any mail from your domain can be verified.

an idea for possible spamicides...

There are two routes that spammers can take to flood the net with emails.

1) to subscribe to an ISP, and use their smtp server to send emails.
2) to buy their own server, co-locate it somewhere and use it to send emails.

With option 1, the ISP can detect when someone sends spam, by taking statistics of email usage, identify the culprit and kick them out. They can enable user authentication on the smtp server to stop access to non-subscribers, and to identify the user.

For option 2, its up to the mail relay servers. They could conceivably detect if a higher than usual emails are being sent from a single source, and automatically route them all to /dev/null. Spam killed almost at source. Of course, this depends on how easy it is to forge header information details on emails.... presummably quite easy which is why spam is such a difficult problem to solve...

Realistic look at the problem

[mabu]

Estimates are now that 70% of all traffic is spam. As another poster mentioned, ISPs, especially the top-level backbone providers are stuck with a conflict-of-interest, as they profit on the sale of bandwidth, and therefore are not motivated to contain the overwhelming amount of unwanted noise clogging the Internet.

Imagine if you picked up your telephone and 70 percent of the time it was already in use?

Imagine if 70% of the time on the DVD you just purchased was filled with commercials?

Imagine if you had to put 233% more gasoline in your car than is necessary to get from one point to another?

This is the Spamedemic we are faced with, with a bunch of idiots in power who are either clueless or uninterested in addressing the problem. If this level of inefficiency were present in any other system, it would not be tolerated.

Mabu's solution to the Spamedemic:

1. Form a new enforcement agency that is dedicated to cyber crime. Populate the agency with well-trained IT people who know the laws and the nature of the problem. This agency does not need to encroach into areas covered by US Customs or the FTC (i.e. not be concerned with the content of spam, but merely focus on computer/network-tampering/exploitation. The FBI is not adequately equipped to fight cybercrime. A new agency separate from the other law enforcement organizations should be created.

2. ENFORCE CRIMINAL PENALTIES for computer exploitation: mail-relay-hijacking, trojan horse, worm, virus and vulnerability exploitation. There are already laws on the books criminalizing these activities, but since Americans like laws and have a short attention span, it wouldn't hurt to pass a new law which exclusively, specifically addresses the issue of computer/network/communications exploitation by third parties, and levies very initimidating CRIMINAL penalties. There should be no threshold of monetary damage before criminality is triggered: that only punishes diligent admins to catch attacks before extreme damage is done, or further encourage spammers to employ larger numbers of smaller, distributed attacks.

I think 1 & 2 would essentially cut spam traffic immediately after a few spammers were made example of.

Now.. to deal with the international/jurisdictional aspect of spamming and network exploitation:

3. Establish a formally-sanctioned SMTP IP whitelist database.

If you want to send mail on the Internet, you have to "register" your IP with a centralized, sanctioned database, not unlike what you have to do to register a domain. Other SMTP servers have the choice of only accepting mail from whitelisted IPs.

Whitelisting the relays makes a lot of sense. It would require less resources than blacklisting IPs on the Internet proper. It would also DRAMATICALLY reduce the ability for worms and viruses to propagate via e-mail (most worms now turn the client IP into an unauthorized SMTP server -- the SMTP IP whitelist could have halted the spread of many of the worms making the rounds)

How do you pay for this? I think that users would be happy to pay an extra $5 or so for each domain registration/renewal to fund a program of this type.

I think it would work. It would also give people the ability to find out definitively where there mail is coming from, as each person who relays mail would effectively require a "license" in order to operate. Since the ratio of users-to-smtp relays maybe on the order of 1:1000+, it wouldn't be difficult at all for ISPs to quickly and conveniently register.

Obviously anyone could artibrarily start an smtp whitelisting service but the reason why this needs to be formally-sanctioned is for the same reason the DNS root servers need to be sanctioned: to create some organization and authority. This is something ICANN could potentially have the authority of implementing but that organization is devoid of any common sense, so I recommend the United States, which controls the majority of Internet resources, take the initiative and imple

Make money receiving spam

[MeddlesomeKids]

I sort of like the pay-to-mail system, but I don't like sending the money to a big company/government.

You know who should get the 1 cent? The recipient!

If I send you a mail, I pay a penny, you get one. If you reply, you spend a penny, and I'm up. So most "conversations" will cost at most one penny total.

And, if you do something noteworthy in the world, like the Star Wars Kid, and people send you thousands of emails to "congratulate" you, guess what: windfall!

Re: A middle road?

[WuphonsReach]

There is a middle road...

Add metadata to the system that allows a destination SMTP server to determine wether a piece of inbound e-mail is authenticated, anonymous or forged.

Right now, a destination SMTP server has no (reliable) way to tell whether the FROM: domain is forged, the entire FROM: address is forged.

A first step would be to give domain admins the control over which hosts are allowed to send e-mail out on behalf of their domain. (Eliminate joe jobs.) This is what the reverse MX proposals attempt to do (DMP, DRIP, SMTP+SPF, RMX). It answers (2) basic questions: Has the domain admin locked their domain down to a limited number of hosts that are allowed to send e-mail on behalf of that domain. Is the host that is currently trying to talk to my mail server on that list? Poorly administered domains will have loose/missing RMX information, and your server may choose to delay/reject/question e-mail from a domain like that. (Nice part is that reverse-MX is opt-in and puts control in the hands of the local admins.) You can still be anonymous under this system.

Second step is authenticated sender stuff. Where you have to present credentials to the outbound SMTP server and your e-mail gets signed with your credentials. Implementation costs are a good bit higher and you get into the issue of key security, biometrics, etc... That's not to say that it's impossible to be anonymous under this system, there will still be domains that don't authenticate their senders.

A big problem in today's spam fight is that real spam is forged 6 ways from Sunday. If we can at least tell that e-mail is forged, it makes it easier to fight.

Nobody wants Chicken-Flavored Spam?

[billstewart]

You're missing the economics point - the reason big spammers spam is to make money, and the reason little spammers spam is that they think they can M4k3 M0n3y F4$$T using spamware than the big boys sell them. (By definition, big spammers make money or they wouldn't stay big....) The reason they make money is that the cost of spam is so low that the probability that an individual email hooks a customer can be very very low and they'll still make a profit. If one message per million gets you a $100 V14gr4 sale, that's a return of $0.0001 per message, so if it costs you $0.00001 to send a message, PR0F1T!, and if it costs you $0.001 to send a message, you lose money.

So if you could actually get the public to be willing to use penny-per-message email, the big spammers would die, because they wouldn't be able to make a profit, and there'd be fewer of them selling spamware to amateur spammers, and it'd be easier to find and kill the amateurs. The problem, of course, is that nobody really wants to pay for sending email, so businesses aren't going to set up their email that way because it annoys their customers, and home users aren't going to set up their email that way because it annoys their friends. But you could do it today if you wanted to - just set up a Paypal front end, or Peppercoin or something.

The simple solution to spam

We would not have spam if email programs just blocked all mail with email addresses not contained in your contact list. If a person was not on your list and emailed you... that person would be sent an automatic email containing a form to be filled out... name, etc. if the person still fills out that form... or simply just clicks on a link... they can be allowed to send email.

Different levels of authentication can be created. An appoval process can be added so that the email gets sent back to the recipient and asks if he or she would like to receive email from such and such a person. What spam company is going to 1. get the email back in the first place, and 2. actually fill out the form to be sent back.

Same idea, different day, same results

[87C751]

If you charge actual money to use email, the Unwashed Masses will stop using email, which may or may not be a good thing. You will also require a huge bureaucracy to administer the system, which will cost more than the original "postage", so the system will sink under its own weight.

Now, what might work is to criminalize the use of spam as an advertising medium, assign responsibility to the party who profits (that being the party on whose behalf the spam is advertising) and assign half the penalties back to the people who received and reported the spam.

1. Pass this idea into law
2. :0
   * ^X-Spam-Tag: YES
   ! reporting.authority.com
3. Profit!!!

It's a dull rehash of the same idea

[billstewart]

Bray appears to be going over the same territory that's been explored before, without the benefit of reading the previous analysis, so he's reinventing the hexagonal wheel when other people have already figured out that round wheels with axles work better. There are a variety of ways to build services like this, ranging from central-planners imposing artificial costs on senders to recipients charging for their attention using popular payment services. Bray's closer to the central-planning end of the spectrum.

Some of these solutions require changing your email sender client, some require changing your email receiving client, some require changing the sender's or receiver's mail transfer agent, some just require using different options (e.g. unique email addresses per sender-recipient pair to manage accounts), some require middlemen, some require digital signatures, etc. Almost all of them want to charge you something like $0.001 to 0.01 in cash or CPU time to send a message, making it cheap enough that it's not too annoying but expensive enough that 99% of spammers give up because they know they can't make money, and the other 1% who are stupid enough to try anyway lose some money before they give up.

Almost all of the proposed mechanisms require senders to get an account with either a mail forwarding service or a micropayment service if you want to send mail to a recipient who uses them, and either require you to include the account number in your message or a micropayment token in your message (which could require simple client changes) or to digitally sign your message or recognize you based on some login process or your IP address or something else that's out-of-band from your client. In some versions, if the recipient thinks your message wasn't spam, he keeps the money, and if he thinks it was spam (or more generally, thinks it wasn't worth his time to read it), he keeps the money. Most versions include some whitelisting mechanism so that legitimate mailing lists can continue to work for free.

A less radical alternative to paid messages is the auto-responder that requires an unknown sender to confirm that she really exists, either by replying to a "Please confirm" message or clicking a website, and often including some Turing Test such as typing in a number from an attached picture or answering some word puzzle, which prevents spammers from using forged From addresses to reach their recipients. That doesn't cut down on the amount of spam your mailbox receives, but it cuts down on the amount that you see.

All of these technical alternatives can be built in a decentralized fashion - either directly by the recipient, or by businesses that think they can get customers and sell mailboxes to people who don't want to receive spam. The catch is whether enough recipients are willing to annoy people who they want to get mail from in return for not getting spam. So far, the answer is "Not Yet", or you'd be getting a lot more confirm-you're-human requests. But maybe that's just because none of the version out there are friendly enough to become popular, and maybe YOU can write the next one. Most email-provider ISPs offer filtering or blacklisting services of various sorts, because from their perspective, they not only want to attract or retain customers, they want to cut down on the huge volume of relay-abuse spam and dictionary-attack spam because it costs them money, and it's harder to do that without changing the infrastructure.

Corporate Spam

[Detritus]

I'd like to see this implemented for corporate email as well. Many employees get deluged with so much "legitimate" email that it turns into an enormous time sink. Do you want to tell the entire corporation that Joe Frobnitz is the new deputy assistant vice president for efficiency studies? Cough up some cash!

Why do people SPAM?

[witcomb]

I understand why there are telemarketers, at times maybe I do want my windows cleaned. However, the SPAM that I get, there is not a chance that I would ever want to order anything or even open the email under most circumstances. So, those who do SPAM what do they get out of it other than the pleasure of anoying millions of people?

Spammers: My eyeballs are for rent

[mmkay76]

Here's an idea: let's assume it's possible to block out 95% of spam, and everyone can easily set this software up on their computer. What if some of those spammers being blocked were notified that I would be willing to read (glance) at their message for a quarter (or what ever price the user wanted to charge)? They would respond to some automated reply (challenge-response) and the spam would be delivered to my inbox. They could detect that I read their message with a hidden image in the message that connects to their server. The system could be set up so that you only saw messages that matched your interests. Just a thought.

The problem for the spammers is that they're catching on to the filters and just throwing more at them. There's more money right now in getting past the filters than creating better ones. We have Spamassassin here at work, and those picture-only emails are still slipping through from time to time. But there's too much effort on both sides being wasted in this vicious cycle. Let's call a truce on the filter wars, and let spammers pay us to read their stupid emails.

Two major problems: profit and price.

[The+Panther!]

The major problems, as I see it, with the pay-to-send method is there's no incentive for people to read the mail they receive. I, for one, don't care a bit if I receive spam or valid email--if I am being paid to do so.

If the sender pays money to send an email, I should collect it, not some impossible 3rd party that happens to run a relay service and handle micropayments. It's simplistic to expect SMTP (or any other protocol) should connect directly from end users machines to a central server and forward mail directly to other end users machines. The reason for having many mail servers and lots of routing is for connection redundancy and bandwidth control--any inexpensive (non-monthly charge) system would be DDOSed out of existence.

My second issue with the idea is $0.01 is far too little to charge. Instead, make it $1 or $5 per email, so people think a bit before sending one. Each email would have a button that the receiver could click to redeem their money, and it would be common courtesy to not click the button from friends or strangers with legitimatge business. Or you could redeem it and turn around and send them a thank you note, so that you return the sender's money to them. If someone sends you a nasty letter, or spams you, you mutter 'fuck it' under your breath and keep their money.

Suddenly email becomes friendlier, and you now have a way to transfer cash to relatives without bank charges (assuming you can raise the cost of an email arbitrarily).

The only problem is that any decent server that accepts micropayments would want to require a digital certificate for a user to modify their account, so it really doesn't simplify the matter much, except that they (the micropayment service) could issue the certificates and link it to banking information.

An alternative

[Tjp($)pjT]

Assumming (and its a big assumption) you could get people to switch to a different email mechanism than the free one currently in use, I'd suggest the following.

Every email sent results in a "email debit" of $.20 and every email read (as in placed in a email inbox and not filtered by the ISP) results in an "email credit" of $.20. At the end of the month and positive balance is reset to zero. Any negative balance is billed to the sender. Normal business or personal email (as opposed to SPAM) would tend to balance out (or be cost competitive with postal rates), and spammers sending millions of SPAM a month (is SPAM its own plural?) would soon find it not paletable due to cost. Take the money gathered and allocate 10% to the local postal system (this gives the government an interest in collecting, and since they have the "guns" so to speak, the SPAMmers would be more inclined to pay if they play), take the other 90% and split it amongst the sending ISP, the recieving ISP and the consummers who receive the email. Thus the ISPs involved get paid, the SPAM recievers get paid, and the governmental agency doing postal service gets paid. If you want to complicate the system then set the fee and credit at the local first class postage level for in country (by destination IP) email and international rate for other email.

While the above would be a fairer system, it would still be woefully inadequate for "moms" or "aunts" or mailing list operators who send more than they receive and are public service oriented or family interest related. So ...

It would seem to be best to fine the cr*p out of the SPAMmers where possible, and in the meantime increase the filtering tech and for the love of FLCL please don't allow automatic robots to resend virus laden payloads to the poor b*stards who get their email address put into spoofed headers. Really, how hard is it to make the simple check that the originating email address is in a CIDR associated with the domain of the sender. It is not like you'd need to do it for all email messages, just the bounces to be very effective.

Ranting off, sorry, 300 plus and rising SPAM a day now get past the filters, over 500 get killed by them. Lots of that is because I pre-filter all postmaster and administrative addresses since people quote spam in legitimate complaints and these rules lead to holes for the SPAM to follow.

BTW Anyone else started getting ads that look like complaints but aren't from legitimate users. This is right up there with the SCUM (tm) (Spammers Causing Untold Mayhem) using fake virus problem reports for the Sheep to respond to and install the viruses manually. Dog I love Apple since most all (actually all to date) have been Windoze oriented using that tactic.

Ranting off for real this time.

Paying cash for mails is a stupid idea

[Chokma]

It amazes me how often people come up with such crappy ideas and even dare to voice them aloud...

The following reasons are cited for turning free email into something we should pay for:

1. There is too much spam.
Learn to filter. Eg, SpamAssassin (which is free...) is a great tool for this, as well as others. If you think your time is too valuable to install such software, you can still pay for a spam-free mail account. But at least others, who are more clueful or have less cash will be free to implement other solutions.

2. Spam causes hidden costs to your ISP. It is better to pay for each mail than to pay for it via your monthly rate!
So... a 1500 spam mails / month are less than 10Mbyte my, my, this is incredible. How big is the Linux distroy you downloaded yesterday? How many hits does the website your ISP hosts for you get in the same time? The cost of email including spam is still so small that I see no advantage in creating a layer of beaurocracy above it.

3. If mail is no longer free, spam will cease.
Think about it: telemarketers are living people, paid to blab into one person's ear at a time. Let me guess, for the cost of one of those, you can harrass tens of thousands of email users by paying the paltry sum of 1 cent / mail.
Or think about a commercials - for the price of one, you can probably spam 100k people. And of course you only pay for delivered mails...
Paying for mail will be the end of free mailing lists like 'full disclosure' and open source software development lists (linux kernel?). A small price to pay? Bill Gates would think so.

4. But real mail costs money too. Why should you not pay for email?
This is not an argument, it is a trick question. Oxygen in gas tanks costs money. Why don't you pay for breathing?

5. There is no loss of anonymity.
Hm, so instead of sending mail from my pc to someone else, I will have to use a specific mail server where I need to be a registered and paying customer and this in no way will put my personal information about my mail traffic in the hands of yet another agency? Suuure.

Things most of the cash-for-mail people also do not understand:
- they create new bottlenecks and points of failure.
- they hurt free speech and the free flow of information (Where better to suppress unwnated opinions and information than at the central mail gateway? The chinese firewall will pale in comparison to those new super-email-relayers; and best: you can track each and every mail because it is digitally signed or paid for...)
- they think that a new system for mail can simply replace the old system.
- they fail to see why other solutions (filtering, hanging spammers) may be also viable.
- they want the victims to pay as well as the spammers ("A thief uses this road. Quick, install a toll booth!" "Criminals watch PayTV. Quick, make all customers wear special glasses and adjust the programm so that you can only view TV with them!")
- they create yet another barrier for poor countries who wish to use the internet for something else than 419-Scams.
- they cannot conceive of someone hacking this new system. Think about a spammer sending one million emails, each for 1 cent from your account...

Another whack, huh?

[L0neW0lf]

At first I thought this article must somehow correlate to all those single Slashdotters and the rise in pr0n spam. Whack...whack...whack...

dSpam/dt dDisk/dt

[OsamaBinLogin]

> Spam is a problem. But if I had to choose between spammers
> and those that would charge for email, I'll take the spammers.
> At least I can filter them and it'll probably cost me less to
> do so than pay for email.

This is the same thinking that got us into this mess.

"This month, the spam level is 1 spam per month, no problem, I can ignore it!".

"This month, the spam level is 1 spam per day, no problem, I can delete it!".

"This month, the spam level is 1 spam per hour, no problem, my filter can delete 99% of them!".

What brilliant ideas do you have for a few years from now, when it's one spam per second? Whatever they are, we have to get them in place NOW. THinking that the spam density will stay the same is just stupid.

OK, so my vision of the future is this: everybody has two or three layers of spam filters, because when you turn off all but one layer of spam filter, the firehose of spam that comes through cloggs up your disk faster than you can deal with it. Spam volume is increasing faster than disk capacity. It's SKYROCKETING. Pay attention! We have to do something.

One of the biggest problems is this stupid attitude "I don't want to pay money for anything". Guess what. When water is free, some pig hogs it all and belches out pollutants. When trees are free, some pig cuts them all down. When books are free at a library, people steal them, and cut pages out of them. When bathrooms are free, people trash them and walk away. When software is free, somebody wraps it up and charges money for it, at a bigger margin than the for-sale software.

Every single 'commons' that is free, gets abused eventually. And we're in the computer age, so it's all happening faster than yesterday. Every day.

my 2c - gimme a second

[OsamaBinLogin]

> I have to send a few emails a day -- so I'm paying pennies
> per day? That's ridiculous.

Let's see, people around here maybe go for $60/hour? Good order of magnitude. That's $1/minute. That's 1.7c per second.

How much time does it take you to compose an email? Maybe 15 seconds, up to maybe 2 hours for a long diatribe. That's 25c to $120.oo. OK so that means the price of sending email goes up anywhere from 4% to like 0.0083%. Gee that sounds prohibitively expensive. not.

How much time do you spend messing around with your Baysian Filter? I'm sure it's a fun toy, so say half price = $30/hour. I'm sure you've spent at least an hour. Probably days but let's say an hour. That's the cost of 3000 emails.

How much time do you spend looking at a spam, going, waydaminit, Don :Plunkett, don't I know a Don Plunkett? Should I open that? No its spam, forget it. No, Don Plunkett, isn't he the guy... What do you think, 5c or 10c worth of time?

How much time am I spending writing this? Gotta go, this is getting too expensive.

2525

[OsamaBinLogin]

> The change from SMTP to something else is probably
> the only thing that will work, in my opinion.
> Every other proposed option is a kludgy workaround.

I agree. The reason why IP6 hasn't caught on is cuz IP4 works plenty well enough. (doesn't it?)

How about 1c per email, Paid by the sender, Received by the recipient? Horror upon horrors, some MONEY might get EXCHANGED!! OH NO!!!

But if you converse with a friend, it'll all average out between you.

Why not use SMTP on just a different port number? Say, port 2525. Nobody will allow any SMTP servers to connect to them on port 2525 without setting up a proper micropay account. Doesn't even matter what the rules are on this, it'll all work itself out. You know why I know that for sure? CUZ IT'S WORTH MONEY. The SMTP:2525 server has to pay money in order to deliver all those emails, so it'll make sure it collects up front.

Someone SMTP2525's ten thousand emails to your server, that's $100 they owe you, and you'll be damn sure they'll pay up. Some spammer connects to ANY server, and dumps 10 million spams, that's $100,000, which will pay for a lot of lawyers. Any security holes, any way to cheat, will be fixed ASAP. You know it's going to stop the spam avalance.

The existing port 25 email system remains intact, as it is now. So if you refuse to pay a penny an email, go ahead. When you get sick of the spam firehose, you'll join the 2525 crowd.

Bayesian filters degrade fast

[Dr.Ruud]

because spammers react on them. An other alternative (SMTP-with-a-delay)
greylisting

A way not discussed that would fix this

Being a postmaster and running mail servers this is my biggest enemy. I do agree with some points but I must point out some areas where your idea won't float.

First digital signing is a good way to stop spam. My suggestion had always been "Everyone use PGP and sign your emails." This is still free with keys servers maintained my MIT and other sources. Even PGP key servers can be easily set up in a corporate environment. You did mention that people just don't want to fool with it. True, but isn't the set up worth it over paying for email? Its still free. One problem is I know how Microsoft and Versign forces their key structure which isn't compatible to any open source or free platform on the public and doesn't want anyone to know about "free software". PGP is kept in the dark because it is free.

Your idea about the post offices handling is completely full of holes. Talk about Spam I don't know how you mail is but I could build a house if I had the wood in boards from the trees that where turned into paper to fill my box with spam addressed to Resident, and Resident doesn't live here. I can't get my real mail for all the trash in the box. Now think about the post office running things. No matter how much I beg and cry for them to stop putting things addressed to Resident in my box. They can't! THE CUSTOMER PAID FOR IT TO BE DELIVERED! Now isn't it easy to believe that if the post office took over email that soon your box would be full of spam that was paid to be delivered? I sure see it that way. Then it would come under federal laws that would keep you from filtering and rejecting the spam. Now you would HAVE to accept! Snail mail is not reliable these days why? Paper Spam it clogs the system!

You also suggested the larger Telco companies. NO!!!!!!!!! they are some of the biggest promoters of spam. Just one example out of thousands. I called Pacbell one time about one of their customers. After over an hour of wait time I then went through 4 different people trying to get to their security department. They say send an email to abuse@pacbell.com I told them I had and had only gotten auto responses. The traffic hadn't stopped. I wanted to talk to a real person in charge. They told me that there wasn't a phone in that office!!!!! Now do they really expect me to believe that a whole office in the phone company doesn't have a phone? Our solution, we shut down Los Angeles. When people called from LA wanting access to the companies we support that were using PacBell we told them to either change providers or have them call us. They never called and the people with problems changed providers. A hit in PacBell's pocket. Think about what if all smaller ISPs did this soon they would do something when they start to lose money.

And lets not even talk about MCI the owners of UUNET!

The best way to stop this mess I think is strong laws with teeth. Big nasty sharp teeth much like the drug laws we have. If you spam you go to jail directly to jail and fined to the point you are penniless. How to stop the offshore sites? Block the IP ranges going to countries that won't do anything about it. As much as financial organizations depend on the Internet is all traffic was blocked then thing would change. We do that here. Not only is your mail block but ALL traffic is blocked coming into the network. Then if you want in at all you must call. If our records show trash traffic we will turn you back on BUT you should see our charges for that! For $5000.00US we will turn you back on until you spam again and then you get shut off again.

There are organizations in place that could do something about this IF they would get off their dead asses and do something. IP ranges are leased through IANA if IANA would revolk their lease for spamming then they could send! This is the way that the big boys get away with this. They lease 1000s of ranges themselves so ISPs have no power over them. They just set up their own ISP and hide. It would also help clear up

Force me to PAY to GET mail, but not to SEND it???

[mulp]

"How can a pay mail service even work?"

Simple, the current system requires that you PAY TO GET SPAM along with the mail you want.

Your ISP provides email service and bundles the cost into the ISP monthly fee you PAY.

If you're ISP merely provides a connection, then you PAY for the bandwidth required to deliver the SPAM to your mail relay, and you PAY the computer and storage to process the SPAM and PAY for electric power.

Even if you run the best filter in the world, you have to pay for the hardware that runs the filter and you have to PAY for the bandwidth to deliver the SPAM to be discarded and PAY for the power to run the filter.

And those free mail boxes offered by the many "free" mail services make you PAY to use them because MUST agree to PAY for the bandwidth to deliver PAID advertisement delivered along with your mail.

Make no mistake, you PAY FOR EMAIL.

The only question is "WHO should pay"?

The current system is victim pays, not free email

[mulp]

Please explain how you manage to get truely free email?

How do you not pay for an email account
AND
not pay for transporting email
AND
not pay for storing the email
AND
not pay for filtering email
AND
not spend your own time reading email?

Re:The current system is victim pays, not free ema

[87C751]

Please explain how you manage to get truely free email?

I don't. And you should have that knee looked at.

Ok, so we agree that you have to pay to use email

[mulp]

So the only real question is, which is better, the sender pays or the current the victim, errr, receipient, pays.

I've preferred email for most of the past two decades, but in the last couple of years, the best way to get in touch with me is to see me in person.

Email has become just too expensive in terms of my personal time. Once or twice a week I'll check email, but until a way of making the cost to the sender at least as high as it is for me, I can no longer recommend email to anyone.

Btw, if we assume that my ISP is spending $1 a month to provide bundled email, then I'm paying at least $.10 per message I send, and that's on a good month, other months I'm paying $1 a message.

Yep, TANSTAAFL

[87C751]

Honestly, victim-pays. The biggest problem with email postage is, what happens if no one will sell you a stamp? The usual argument is that postage makes spamming a bad business model, but the logical extension is not to sell stamps to known spammers. That's the thin end of the wedge.

The only practical way to do email postage is with some huge beauracracy (USPS comes to mind, though it's US-centric), and would require a digital certificate to associate the stamp with the message. (spam prevention, remember?) That certificate could easily be extended into your Internet Driver's License, complete with procedures for revoking it. See where this can very easily lead?

No, thanks. SpamAssassin and procmail are no hassle. RedHat installs them by default. I'd much rather spend a few of my CPU cycles than have to pay for someone else's permission to send email.