Slashdot Mirror
You've Got Spam: AOL Blocks 1/2 Trillion Spam
yohaas writes "Yahoo! News is reporting that AOL blocked more than 500 billion spam messages for its users in 2003. That comes to 40 messages a day per user. The company regularly blocks 75-80% of all incoming mail as spam! The article also lists the top 10 spam phrases for the year, including such come-ons as: 'Viagra online', 'Online pharmacy', 'Get out of debt' and 'Get bigger'."
AOL has been losing email for over a decade now.
(is this another dupe story?)
Is this truly the only Earth I can live on?
It's been suggested in nanae that as a brutal display of the efficacy of spam-fighting and, most importantly, blocklisting, major ISPs all simultaenously turn off their spam defenses for a day to show users just how much UCE spew is clogging the internet every day.
Of course, the idea is repeatedly turned down for its utter lack of pragmatism.
But damn, 500 billion spams, and that's only to AOL.
Just imagine.
The instant clogging of mail-servers around the world and subsequent technological disruption might actually get the general computer-using public to take more of an interest in the fact that around 200 gangs of people are effectively raping and pillaging the Internet right under their eyes.
But then again, what can one do when faced with the Tragedy of the Commons?
Now if they'd only block going outbound too!
I know AOL bashing is a treasured hobby of many Slashdotters, but based on those numbers it seems that they're doing a fairly good job at blocking spam. Especially since they're a huge ISP who has to be conservative with their spam blocking techniques.
. . . to make a crack about the Post Office blocking the shipment of trillions of AOL CDs. I prefer to work for my karma. :)
Instead of sending the mails to the bitbucket AOL should do something about the abuse. They've got the IP addresses of half a trillian zombies and open proxies. Where's the AOL goon squad? They should be kicking down doors, not writing press releases.
if they block 500 billion spam messages if a couple trillion spams are sent around in a year? Despite how large that number sounds, I still see client AOL inboxes stuffed with all sorts of junk, and see this more as a publicity stunt on AOL's part. I read the article, and no where in it does it say how much spam total there was in 2003. 500 billion may sound impressive by itself, but if it's 500 billion blocked out of 50 trillion, it's not such a big deal.
They may block a lot of garbage, but they also refuse to admit that my email to my mother is not spam.
Maybe there is something she's not telling me.
Mom!
If you think deeply enough, you will have no single direction for your outrage.
They bounce back ALL mail to addresses that don't exist, and if some spammer users YOUR domain or YOUR email address, you get all the bounces. They also don't respond when you try to get them to stop. It's incredibly frustrating.
I think the phrase "stop spam now" should be added to the list of top 10 spam phrases.
seriously, I get 5-10 spam email / day telling me how to stop receiving spam emails.
Consensus is good, but informed dictatorship is better
I just took a gander at my logs on my postfix-amavisd-spamassassin front ends for one of my smaller ISP's and after doing the math, it's blocking ~36 spam/user/day on average (with spamassassin only blocking at score 9+). It doesn't surprise me that AOL is getting somewhere around ~40spam/user/day as it is more widely visible and the userbase as a whole is generally a lot more likely to do things that would encourage spammers . . .
It has nothing to offer me since I work from home using my degree (obtained online) in pharmaceuticals. I have a huge cock, am quite rich, get my insurance for free and own my home outright. I do have to use viagra occasionally because it is sometimes hard to get it up for some good Oprah XXX action but I can get it through the pharmacy which I run online.
AOL blocks a lot of legitimate email as well, however. If you prefer to run your own email server (for example, about half of all the Linux broadband users on Slashdot) then you cannot send to an AOL user... same goes for SWBell users too I think. Sure they block a lot of email and I can kinda understand their purpose in blocking "dynamic" or "residential" IPs... but that is collateral damage.
In 2003 Spamprobe blocked just over 12000 on my personal domain, which is low compared to many others.
If tits were wings it'd be flying around.
I'm not sure if it has to do with the new United States anti-spam law or not, but I have received the same amount of spam in 48 hours as I would have in 12 hours in 2003. About 45 emails.
=9,765.6 petabytes [I guessed at the average size of a spam email]
I wonder how much that costs AOL?
iiNet is one of the largest ISPs in Australia (third or fourth now, I think). I got an advisory yesterday saying AOL and RR had both blocked all inbound mail from iinet as 'spam' They can crow about 500 billion mails all they like, but if a lot of it involves turning off mail from whole slabs of legitimate users, then it's not much of a service. The other thing is, if spammers are using trojans to create spam relays, then it's a bit hard to blame a particular ISP if a bunch of their users have been infected with this stuff. iiNet has a policy of advising users when they appear to be infected, they're cluey people too, they run everything on Debian as far as I can tell, and they have local mirrors for many Linux distros etc. I guess what I'm saying is that if you're going to block an ISP's mail you'd start with clueless behemoths who don't give a damn. Anyway, they appear to have a work-around in place, but RR is still blocking. Simon
Hal Spacejock: Science Fiction with Nuts
Note: I did some thinking earlier on spam, and I figured I would post this the next time slashdot does a story on spam... You can find a link to this at:
http://sillygoth.com/journal/21669
This is my writing... I just want some feedback on it from the slashdot crowd.
Okay...
One of the things that I've been tired of recently is dealing with lots and lots of spam in my inbox. I've become even more tired of hearing about how there's a lack of solutions for dealing with it. It's one of the things that slashdot has been endlessly parading about.
To me, the primarily problem with spam is that emails are too easily spoofable. Solve this, and spam will become *much* more managable.
So, what technology is there right now that deals with certifying legitimacy?
Digital Certificates!
When you go to a site that's protected with https, the owners of the site usually have to get a certificate from a trusted source (Verisign, Thawte, etc) signifying that the site is legitimate (so that you don't end up giving credit card information to someone fronting for that company).
You actually *can* get a digital certificate for your email, but it costs money. Plus, to make something like that mandatory, each user would have to set up a certificate individually. Evil.
Why not move authentication to the domain itself? When accounts are setup on a user's machine, create an RSA public / private key per account. Simple enough.
When a user sends an email, force this user to relay the email through the mail server rather than directly from his/her computer. Force the user to authenticate their email / password to send the message. Some servers already force this, I believe.
When the user authenticates him/herself, encode a confirmation id using some elements of the email (first xx characters of message, subject, date, etc) using the RSA private key and attach it to the message.
Here's what should change with the receiving server... When a mail server receives the message, the mail server should initiate a separate connection that looks up the domain's MX server, and communicates with it.
This MX server should then provide the RSA public key for the account listed. The public key will then be used to decrypt the stamp that the MX server included with the message. If the stamp is legitimate, deliver the message to the inbox.
If a stamp is not legitimate, or there's no stamp, simply don't deliver the message. Simple enough.
This method has its series of strengths:
There would be absolutely no point in spammers taking over people's machines with viruses in order to send email if email must be sent through a qualified mail server. It's possible that worms could be written to auto-send messages through these relays, but at least then the mail server could detect it and shut the person out.
If mail sent is authenticated from a domain, people would then have the option to blacklist domains that aren't responsible for keeping tabs on its users.
Mail *will* come from where it says it's coming from. If not from the exact user on the domain, it'll come from that particular machine.
Of course, there are possible weaknesses to this strategy too.
If the mail server is hacked, hackers would be able to still send mail from it using the private key. Fortunately, they would only be able to send from email addresses listed under domains they own.
Spam software like SpamCop / Spamassassin / etc would be able to keep tabs on servers that exhibit hacked behavior, and temporarily blacklist these servers until resolved.
This doesn't necessarily stop users with legitimate email addresses from sending spam. Someone with a legitimate email address can still be spammed.
But at least when you block their email address or domain, it'll be a real email address, and a real domain name.
This method is not 100% in eliminating spam. But it's a damn good start.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Whitelisting makes sense--trusting certain mailservers more and not bothering with intense heuristics on mail coming from them. But blacklisting anyone you don't know makes none. The Internet is too vast to really implement something like this without huge costs and huge losses; I think solutions like this likely do far more to Balkanize the Internet than to protect it.
The solution mentioned in a previous Slashdot article a few days ago of making SMTP servers run a small computation per e-mail makes much more sense. This allows you to impose restrictions on non-whitelisted servers without completly ignoring them, either.
But when you talk about the anonymity preferred by the spammers, you ignore the fact that they are, in fact, selling a product. Forget the spammers. Track down their clients, the ones paying for the ads. Problem solved.
Do you think that a bunch of poor people in China are all of a sudden picking up laptops and peddling viagra? It's not the Chinese, it's the same people who have always sent spam. They are just buying their hosting/bandwidth from companies overseas, where regulations are non-existant.
...why AOL users have such small penises and breasts.
they simply want everyone to use AOL. if you cant email your friend on AOL, its your fault, and you gotta use AOL to fix it. maybe one day they will block mail from any non-AOL members. i could see it happening.
http://ipod.fresh27.net/
if you couldn't send anonymous snail mail.
Or anonymous e-mail. That's where this "signed" e-mail crap is going.
Imagine every message you send being tracible right back to you.
But hey, what's the trashing of rights in the name of convienience.
If you can send e-mails without being traced, so can spammers.
If spammers can't send e-mails without being traced, neither can you.
"Spammers are most afraid of being tracked and identified. "
Yeah, and nobody has a legitimate reason to not want to be traced.
I spent all of 2 hours modifying RinetD to do proper logging in between senders and my mail server. I spent another 3 hours writting a simple program to parse that log pulling out who a message is from, who it's going to, the subject line and what links it contains and the domains of those links.
Any entry "to" entry that isn't one of my e-mail addresses is deleted. The remaining are then examined for spam domains by looking at the froms and subject lines and the domains themselves.
A short list:
If expression both matches "*imgehost.com*" Delete ""
If expression both matches "*mydailyoffer.com*" Delete ""
If expression both matches "*topofferz.net*" Delete ""
If expression both matches "*adweawen.biz*" Delete ""
If expression both matches "*divineprice.com*" Delete ""
If expression both matches "*stamps.com*" Delete ""
And poof, no more ads from those companies and nobody's right to privacy is infringed. If they happen to have multiple domains for the same campaign I'll catch them as they come.
I will not support a means to subvert my right to privacy over some stupid ads.
How much are your rights worth to you? Not much apparently.
Terrorists blow up buildings and we get the patriot act. "terrorists" flood inboxes and you demand tracable e-mail.
Get bent.
Ben
Work Safe Porn
No, the regulations are non-existent, and not just overseas, either. Regulations - in the sense of laws, that is - are nearly non-existent in the USA, Canada, and Europe as well. Spammers spam with near-impunity in all those places. The worst thing that can happen - unless they have the bad luck of being in a state that has a spam law with teeth and an attorney general to match - is they get their service disconnected. In a day or two or three, they've bought another connection somewhere else.
/21 bought from some other upstream, and after some digging it became obvious that this entire network provider was nothing but a front for providing bandwidth to spammers.
I used to work for a large, well-known hosting company whose name is taken from a book of the Bible. They didn't have to many spammers or pr0n sites in their space when things were booming, but now they're among the worst for hosting spammers.
There are network providers all over the country that are as bad or worse. I recently ran across one that had a
A lot of spam is sent through China by contract with network providers there, and through South Korea because it's the open proxy capitol of the world, and there is a very large and well organized spam ring operating in eastern Europe as well, and it seems soundly connected to US spammers. The spam business has gone international in a big way.
In none of those places, including the US and Canada, generally, is spam illegal, so it's never necessary to bribe any government official into looking the other way. It's just easier to pay off the ISP to look the other way in some countries, but again, that's pretty easy in a lot of places in North America too. When the economy goes down, pink contracts go up. Many companies and individuals will do just about anything to survive, and network providers are certainly no exception. For every one that will cut a spammer's connection as soon as they notice, there's another that will happily sell the spammer as much bandwidth and IP space as he wants. Then they pass that space on to some other unsuspecting customer, who finds that she can't send mail to a lot of places because that netblock is in every RBL - good, bad, or ugly - in the world.
As much as we rightly despise spammers, those who sheeld them and knowingly sell them bandwidth and colo space are just as bad.
Every now and then we'll wake up to find one or more of our servers blocked by aol, you can test it quickly by telnetting to port 25 on one of their MX's and it'll tell you right away if you're blocked.
Call, stay on hold 45 minutes, and you get "white listed" for 30 days and they ask you to setup a special email to send you spam complaints to if that IP becomes a problem again in the future. Sounds good right? I mean we host nearly 13,000 web sites for over 6000 customers, we DO get some spam sent through us once in a while (open formmail.php is the worst) and we handle it the second it's noticed.
HOWEVER we have YET to recieve ONE, and I mean that as in a SINGLE complaint from AOL for ANY of our ips. Yet 7 times now we've been blocked. Luckily it hasn't happened in a few weeks.
Do you know how annoying it is when 13,000 web sites become unable to talk to aol? Jesus christ.
Here's the funny part, often times it's only 1 or 2 of the (best I can tell) 4 main MX servers blocking us, so much for keeping those in sync.
I applaud them for trying to curb the incoming spam but goddamnit make it POSSIBLE to work with and if you block someone TELL THEM WHY and maybe a little warning please! If I'm notified of a problem I'll GLADLY nuke the spammers ass, or if it's just an open script, we can help the customer secure it, but if we're not informed what can we do? At least spamcop sends us emails with headers of the spam so we can take care of it.
So I gotta wonder how many of that half trillion is REALLY spam and how much is erroneous blocking.
--- www.f-theocean.com
every time slashdot has a story about spam, i again wonder to myself why the world hasn't turned to the obvious solution: a new email standard. i read a comment recently to the effect of "if a given protocol allows cheating, it's a bad protocol". it should be clear to everybody that this technical problem can not be solved with legislation (not that it shouldn't be illegal anyway, but it's folly to expect laws to have any real impact). the world needs an email protocol which is encrypted and authenticated, traceable and secure, and easily combined with whitelist or pay-to-deliver filters.
Now, if only they could do something about the pop-ups, crashes, dropped connections, high prices, incessant self-promotion, etc, they might have a good product.
One time, when my usual ISP was down, I needed internet. Desparate, (back when I ran Winders) I threw on an AOL CD to use some of the 1045 hours of free access, planning to cancel when my regular ISP was back online. Cancelling AOL is interesting, first off, the person who answers the calls has been brainwashed to think AOL is the greatest THING ever, and will first ask you why you want to cancel, then argue with your reasoning. Once you go through all that, they will offer you two free months of service while you reconsider. DON'T FALL FOR THIS. I did, and forgot, and the bastards charged my credit card three months later. I was mad as hell and had to go through the Movementarian "You're free to leave anytime you want, but tell us why you're leaving" grilling on the phone all over again. Of course, they offered me two free months again, so apparently you can stay on AOL for free indefinitely this way (But why would you want to?).
Kaolin may be the only English word with "aol" as a substring.
Unknown host pong.