The Battle Against Junk Mail and Spyware
wildfrontiersman writes "A New York Times editorial by Brent Staples, The Battle Against Junk Mail and Spyware on the Web, laments 'The story of technology is the story of noble aspirations overtaken by a hard-core huckster reality. This process is on vivid display in the debate about electronic junk mail, which makes up more than half of all the e-mail that travels on the Internet.' He criticizes the new spam law, the lack of attention to spyware and how it threatens our beloved internet."
Try this link. However, for what it's worth, the editorial can be summarised to "Congress' new law won't work. Won't somebody think of the children!"
for the tin-foil hat crowd, posted AC to avoid Karma-whoring, here.
Is this the black activist Brent Staples? The guy who wrote "Parallel Time"? If it is, then he seems to really be branching out in terms of subject matter. He's not a regular for the NYT, is he?
A year ago, spyware wasn't nearly as bad as it is now. I was at a friend's house trying to show him some stuff from my gallery on his P4 2.0ghz, and it choked by starting Internet Explorer. 3 toolbars over each other, hard drive spinning like hell because all the ram is eaten up by spyware...
Had to run Spybot, ad-aware, spybot, ad-aware over and over for like 2 hours while rebooting to get rid of everything...
At least the latest Norton Antivirus scans some of it and so does Network Associate's antivirus. I wish Trend Micro's would do it too, it probably will soon...
Even though spyware may be annoying, it's the price that must be paid to allow for a more user-friendly computer. The more we automate our PC's, the less control we have over what runs on them. Or, one could buy a Mac and forget about it entirely...
------- "A true friend stabs you in the front." -Eliot
I was expecting goatse. Nice touch on the subtlety.
The new spam law does nothing about the invisible programs that invade our computers as we move from one Web site to the next. These insidious programs -- variously known as adware, spyware and snoopware -- can cause computers to call up aggressive ads or can actually track a user's movements through the Internet for use by marketers later on. The most sinister programs can record everything the user does, whether offline or surfing the Net.
And what the article does not discuss at any length is that we have Microsoft security (or lack thereof) to blame for most of the spyware problems. If Windows had better security, then most of these problems would not be there to the same degree as they currently are.
Visit Jonesblog and say hello.
In most other forms of media, it seems that advertising has had its day. Television is no longer able to subject us to ads and is threatened, Radio ads in internet radio are able to be skipped. So we only have to deal with the advertisements that arrive in our inbox.
There are a variety of ways of dealing with this detritus, the easiest one is make it a social stigma to admit to buying anything from spam.
Have any enlargements or pharmaceuticals ever been sold using this method? Has anyone ever received one of these messages and replied and then eagerly waited for their postie to drop by with their delivery of "Hot Teens"?
Turn Spam purchasing into the Venereal Disease of the new century and it will cost these folks more to send the messages than is returned in sales.
Legislation is pointless in an area where geography is no longer a method of control.
I for one have 3 email accounts: a personal one, one for my work and another one where I receive my lists and all the junk, and I do get A LOT OF JUNK. Even though I don't really have any problems with viruses or spyware, the spam over email is a real pain in the neck and even though there are many initiatives to strike it, it is (at least for now) still getting the better of us. If it continues like this I really can't even think what will become of us all (in terms of virtual lives and technology)
Both problems, the spammer and the salesman, can be solved with the use of a good 12-gauge shotgun.
Trespassers will be shot. Survivors will be shot again.
Mea navis aericumbens anguillis abundat
I was visiting my parents when they got their Dell and out of the box it required over 20Mb of security fixes and had a virus scanner (McAfee) that was set to explode after 90 days if they didn't subscribe and the firewall off by default. Oh and of course their account that they set up with the instructions made them an administrator. We got that patched up and hardened quickly but your average Joe who buys a system and plugs it in is just a sitting duck and he has no clue. It's pathetic that companies like Dell can't harden the things a little before shipping them out.
Given what it's costing companies to reduce spam, and what they're paying in network bandwidth, wouldn't it be more economical to just hire people to track down the major spammers and then just post 10 million dollar international bounties on each head? I bet it'd cut the spam level a lot more effectively for a lot less money.
As for spyware, maybe it's just me, but how about say, not letting files download onto your local disk and set up with executable permissions? You'd think that maybe a modern OS would have some kind of setting to disable this kind of thing? Maybe even just lock out c:\program files\ from being able to create new directories? Yeah I didn't think so. I'm sure the new "security focused" development has better things to secure than the filesystem from malicious executables, because we all know this is a new and infrequent problem right?
One of these days I'll run into someone who gives you these "free offers to improve your life" and talks about how beneficial they are. Then I'll give them some nice therapeutic blows to the face to increase the supply of oxygen giving blood to the skin. Look, it works! I can see it turning purple with extra blood now. You should thank me for preemptively solving a case of skin irritation from lack of bloodflow. How about I remove some of those teeth so you're protected from dangerous cavities too?
Introducing the new Occam Fusion! Now with sqrt(-1) fewer blades!
author also notes there is a terrible conspiracy for the sun to rise in the east and set in the west! When will the madness end!!! The problem of spam is lately being overshadowed by the subject of spam saturating the media.
This is an obvious troll, but how is it a non-issue if one in 5 people gets hundreds of spam messages a day and have to wade through all that to find their legitimate mail?
I run a Windows XP machine for music editing and I use it online plenty too, and to date I have yet to worry about spyware, or worms. I don't have some ultra fancy shmancy set on the Win machine because I don't care that much about it. Now... I do contracting work at a mid sized Uni from time to time (I work at an ISP), and whenever at the Uni, I would see students' machine flooded with tons of spyware, viruses, you name it they had it. After fixing things for some of these kids while there, a call would come in an hour later, ONE HOUR, same kid, same viruses, same spyware.
See what happens is, people who are using Windows are using it mainly because of ease of use, at least that's my take on it, and it's easy to trick many Windows users to open up stupid mail, get horny guys to open up "Bratney Spears nude!" emails, as well as leechers to swap files a-la kazaa. ... Sorry to say I have no pity on most Windows users. Me I have everything from sparcs to ultras to i386's, and I've NEVER, NEVER, let me repeat, NEVER have gotten spyware, nor a virus. And no... I don't use antivirus software because my home gateway (NetBSD) filters garbage out before it comes in.
MoFscker
[Internet Service Providers] understand that keeping users online and happy will require a vastly improved fly swatter: a technical fix that allows people to screen out more junk mail and to protect themselves from covert programs that shadow them on the Net.
I guess the author has never heard of the Mozilla project?
From article:
The story of technology is the story of noble aspirations overtaken by a hard-core huckster reality.
I think that's a little too narrow of a generalization to make about all of technology. But it is a symptom of a larger truth about technology. The story of technology is the story of technical progress outpacing social progress. We have not, as a society, come to a consensus on privacy, security, information as property, and who should regulate these matters. Similar, perhaps tougher, problems in biotech. This characteristic of technology driving questions about social morality is something I don't think was ever seen before the 20th century.
And oh... 20% on one extreme, 50-60% on the other extreme leaves 20-30% in the middle. Not really "hardly anyone" is it?
Yes it is an obvious troll. I think that the fact that his nickname includes "gnaa" should be a strong indication. (Every Slashdot reader has come across GNAA, among other troll posts I am afraid)
Slashdot Sig. version 0.1alpha. Use at your own risk.
this is stupid - this doesn't threaten the internet, the only thing it threatens is windows users.
is any of this a problem on any platform?
i thought so.
I do tech support for ~10,000+ clients. When Windows 98 was common, the biggest problems were stability and trying to keep it that way.
Now that win2k (and winxp) is out, the stability issue has been resolved. Now the most common thing I see is tons of spyware slowing the PC down to a crawl (obligatory slashdot humor: The difference between a PC infested with spyware that crawls, and Windows XP hogging all the resources making the PC crawl, is sometimes hard to discern.)
And of course lovely viruses from that oh-so-wonderful default-installed e.mail program, Outlook Express.
Most (nearly all) the *major* spyware issues stem from PEBKAC, a little knowledge (on the end-user's part) would go a long way, but much of the spyware out there cloaks itself in "official" looking popups, all happily Verisigned, which can sometimes even trip up sys admins.
The next version of windows is rumored to fix this (to what extent is unknown) but undoubtedly will introduce a ton of new spyware.
Now isn't it nice that we BeOS and *nix users are immune to all that crap? I know I'm glad I use BeOS.
So rise up, all ye lost ones, as one, we'll claw the clouds.
But the Solution to Spyware is fairly simple. Make the sender pay, like normal post. That is why I don't get hundreds of posts in my physical mailbox. (and the fact I don't participate in competitions every chance I get) Simply put, for somebody to send me email they have to perform a task. Say calculate the first five primes that end in five. For one person's computer this will be trivial. But for somebody mailing out millions of posts it becomes impossible. In fact I can increase the computation difficulty depending on what I want to filter out. I might not mind some major retailers who are happy to spend money sending out mailouts, so they have to do their home work, and target me from my opt in options and stuff. They end up with a computation that will cost them 50c per post. I guess the algorithm for the computation should have some method showing how much it will cost the mailer to be fair. All is fair, and the fat lady can start her song. Giorgis. PS: Hmm, I think there is only one prime that ends in 5
BATTLE SPAM!
Most acts detrimental to the free state, such as murder, can be solved to within an acceptable degree by simply illegalizing it. Deterrence acts on would-be offenders, and the number of murders in the country is small enough that it generally does not disrupt life for most of us.
Spam works by entirely different rules. It is not enough to deter MOST spammers. It takes only a sufficiently capable handful to bring the mail systems of the entire country to their knees. The economies don't work in the same way: a typical murderer affects the lives of anywhere between one and a hundred people; a spammer affects between one and a hundred MILLION every week.
So relying on a citizen to be rational -- to realize that it's not in his best interest to spam, given the consequences -- will not work. There are more irrational actors than it takes for spamming to remain alive and well. There must be some sort of technological barrier in place -- with the support of the law, I believe -- to ensure that even these irrational actors are incapable of spamming.
What are some examples? Require by law that all ISPs -- be they mom and pop shops, tremendous corporations, or colleges and universities -- provide information in an email sufficient to identify the sender. Then prosecute the ISP harshly if it allows a user to spam; hopefully, ISPs can be deterred more consistently than individuals. Overseas ISPs are obviously beyond this jurisdiction, but the FCC might take it upon itself to publish a list of overseas ISPs that comply, and recommend blocking all that don't.
Alternatively, institute a microcharge on email -- be it monetary or computational -- to disrupt the economies of scale. When a user receives an email from an address not on his whitelist, his computer (or the ISP's) responds with an NP-hard computation problem that the sender's computer must solve before the email is delivered. Solving one -- or one hundred -- such problems would be no problem for a user's computer, but solving one to one hundred million would be much harder. Spamming would require computation like Japan's Earth Simulator to pull off, and the amount of computation might scale each year according to Moore's Law.
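The computational microcharge proposed in the two comments above (make the sender perform a task; challenge any sender not on the whitelist), sketched as an added example that is not part of the thread. It substitutes a hashcash-style partial-hash puzzle for the NP-hard problem the comment mentions; the `Receiver` class, the challenge format and the addresses are assumptions made for illustration.

```python
import hashlib
import itertools
import secrets


def verify(challenge: str, counter: int) -> bool:
    """Receiver side: a single SHA-256 call, however hard the puzzle is."""
    bits = int(challenge.split(":", 1)[0])
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    # Valid when the top `bits` bits of the 256-bit digest are all zero.
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def solve(challenge: str) -> tuple[int, int]:
    """Sender side: brute force. Returns (smallest valid counter, hashes tried)."""
    for counter in itertools.count():
        if verify(challenge, counter):
            return counter, counter + 1


def expected_work(bits: int, messages: int) -> int:
    """Average number of hashes a sender needs for `messages` challenged mails."""
    return messages * 2 ** bits


class Receiver:
    """Hypothetical receiving mail server with a whitelist and a puzzle gate."""

    def __init__(self, address: str, whitelist: set[str], bits: int = 12):
        # Assumption: the sender address has been authenticated elsewhere.
        # Plain SMTP sender addresses are forgeable, so an unauthenticated
        # whitelist would let a spammer skip the puzzle entirely.
        self.address = address
        self.whitelist = set(whitelist)
        self.bits = bits
        self.pending: dict[str, str] = {}  # challenge -> sender it was issued to

    def greet(self, sender: str):
        """Return None for whitelisted senders, otherwise a fresh challenge."""
        if sender in self.whitelist:
            return None
        # Binding recipient, sender and a random nonce into the challenge means
        # one solution cannot be reused for other recipients or precomputed.
        challenge = f"{self.bits}:{self.address}:{sender}:{secrets.token_hex(8)}"
        self.pending[challenge] = sender
        return challenge

    def deliver(self, sender: str, challenge=None, counter=None) -> bool:
        """Accept the message only with a valid, unused solution."""
        if sender in self.whitelist:
            return True
        if self.pending.get(challenge) != sender:
            return False  # unknown challenge, or issued to someone else
        if not isinstance(counter, int) or not verify(challenge, counter):
            return False
        del self.pending[challenge]  # single use: a replayed solution is refused
        return True


if __name__ == "__main__":
    rx = Receiver("alice@example.org", {"bob@example.org"}, bits=16)
    ch = rx.greet("stranger@example.net")  # constructed sample sender
    counter, tried = solve(ch)
    print(f"solved after {tried} hashes; delivered:",
          rx.deliver("stranger@example.net", ch, counter))
    print("replayed:", rx.deliver("stranger@example.net", ch, counter))
    print("hashes for 100 million mails:", expected_work(16, 100_000_000))
```

The difficulty is one parameter (`bits`), which is how a receiver would raise the price over time as hardware gets faster.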
how will you shoot these spammers? bullet over ip?
Maybe I don't remember the law very well, but wasn't there some type of law back like 20 or more years that made it illegal to steal computer time. This applied mainly to mainframes. Couldn't this be applied to spyware, adware, and snoopware, stealing computer time on PCs?
Ok, I understand if you're a network provider you might have a legit beef with spammers and spyware makers, but end users are just being lazy jerks.
Computers are no different than cars. If you drive a car recklessly sooner or later you wreck the car. Everyone accepts they have to learn the controls of their car, drive at safe speeds, and pay attention, and that to do otherwise is to take their chances. The computer is no different: you should take the time to disable ActiveX and set the other security settings related to cookies and stuff appropriately. You should look at the subjects and the senders before opening those e-mails, especially those with attachments. Read that SSL cert before selecting always trust XXXXX. Think about where you are posting your e-mail address. Ask questions like "who made this CD?" before you put it in the drive and let autoplay do its thing. You should consider running a more secure operating system. The list goes on. I take just the most basic precaution and care and I do just fine without shelling out big bucks for anti-spam/spyware/virus. For anyone who has taken the time to read the docs, follow the recommendations and is basically careful, this stuff is not a problem. It's the Lusers that have all the trouble, and it's their own damn fault. All of this type of stuff is no different than the bag of nails in the road which fell off the truck: slow down, watch what you're doing and go around it.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
This is an obvious troll, but how is it a non-issue if one in 5 people gets hundreds of spam messages a day and have to wade through all that to find their legitimate mail?
It isn't a non-issue. The nature of the troll is that the trolling bit about it being a non-issue is in the sig and when people object to it, the poster changes the sig and demands to know what they're talking about. It's rather similar to the ones he does where he switches the linked to contents between goatse and something else.
It's fascinating to watch really, the behaviour depends on the 'troll' not being merely stupid as such, but on a sort of vacancy of any normal thought process at all. It's really quite extraordinary.
It doesn't help that spyware databases software databases have gotten so undiscriminating. You run a spyware scanner, and even the best ones raise red flags over stuff that has some of the features of spyware, but simply isn't. These include customer support tools like backweb. Yes, these can be abused, but ultimately anything you install in your system can be abused. It's simply a question of whether you trust whoever provided the software. Gator and Alexa have used up our trust. Backweb and the CS orgs that use it have not.
There's also the cookie issue. Yes, cookies are a grave threat to privacy. But the solution is in your browser: configure it to use a good privacy policy, or if you totally hate cookies, not to accept them at all. Scanning the cookie database is a waste of time. Yet all adware scanners insist on doing it.
I still remember the stories of my grandfather, who worked at the federal post office, about how the amount of advertisement letters rose with the introduction of railway post transport.
Before that, messengers on horses or coaches had to be used. This had the effect that letters were relatively expensive and traveled very slowly (4 months from east to west coast). And it was insecure due to hostile natives.
However all this changed with railway post transport. And so the amount of advertisement letters increased greatly. It even delayed the transport of legit letters, so that the post office had to use special (more expensive) rates for advertisement transport to keep the flood under control. Note that hiding advertisement letters as normal ones didn't work: the post office clerks were allowed to open every letter and check, which they really did regularly.
Over 90 years and counting !
It would work better to go after the sellers than the buyers. DDoS them, harass them, whatever. This would require a little investigation, i.e. who exactly is trying to sell me this organ enlarger, but it wouldn't be too long before the e-stores got the message.
A blog about stuff.
If you know what you're doing with email, and use a statistical filter such as spamprobe (or SA/other bayesian) from procmail, consider joining the community wpbl experiment. This is essentially an IP blocklist built automatically, in real-time, from many statistical filters (no manual user action). IPs from mail are automatically extracted, classified as spam or good by your bayesian filter, then reported to the central server 24 hours a day. This is not like spamcop.
It's seldom that a well reasoned analysis of the spam debacle makes it to the pages of the mainstream press, but the discussed article is well reasoned and quite to the point in emphasizing that this issue (unwanted advertising) is nothing new.
As for how widespread the spam problem is, I cannot really opine as to whether the problem deserves the kind of attention that it is getting, as I have had the same email address for well over three years, it is visible on several mailing lists and usenet, and I have yet to receive the floods of spam that I so often see described here on /.
I'm not claiming to get no spam, as I do receive two to three unsolicited commercial email adverts per month at my account, sometimes a few more (I once received six in one week), and this leads me to believe that there is probably something about one's user habits that either does or does not attract spam.
I'm also sure that one's email provider has an effect on how attractive that address is to spammers. I'm sure that GMX's anti-spam measures do make their users less attractive to spammers (If you were a spammer, would you put much energy into spamming a domain of email users if you were certain that the domain admins were likely to adjust their filters before your ad run was complete? or would you concentrate on those domains that left it up to their users to face the onslaught alone?)
Email providers would take common sense measures to protect their users from the most obvious spam with poorly forged headers, email originating from unsecured proxies and open relays, large numbers of identical messages targeting alphabet blocks of obviously generated addresses, and emails originating from known spam source IPs (not netblocks), as well as applying "learning" filters (Bayesian and/or whatever), allowing users to submit examples, but apparently few providers do this.
Why do people continue to use their services?
Has anyone here abandoned an email address after it became such a spam magnet as to be nearly unusable?
Read, L
I think the way to go in fighting SPAM is to make the person sending a message perform some task which is easy for humans and is hard for computers. The approaches (like 10 secs CPU intensive task proposed by Microsoft Research) or micropayment system do not distinguish between humans and computers. An example of such an approach would be to modify the SMTP protocol in a way that during the process of sending e-mail the mail server would show you some image and await a response from the mail client of the same thing typed as text.
I think the key to fight SPAM is to distinguish messages sent by humans and generated automatically.
If there is spyware sending out packets, one could presumably see what IP address they are going to and maybe even reverse engineer their data format. Then someone could write a program which sends their servers spy packets containing meaningless or misleading information, thereby screwing up whatever market research they are trying to do. Maybe we can create some fake correlations between unrelated items, after all, unlikely correlations come up often enough in real life, like diapers and beer, that they may not catch on until long after their databases are completely cluttered with meaningless crap.
Unknown host pong.
As much as I hate to admit it, that's a kinda clever trick. I've changed my preferences to show the "signature dash"
It's amazing how much effort these loser trolls will go through just to have their message out there for a short time before it gets modded down to -1
The irony is that at the end of the NYT article, if one inspects the source code, there is this little gem of javascript code from:
http://www.nytimes.com/js/s_code_remote_sampling.js
This fetches a few pieces of data and sends it back to 2o7.net in the form of a URL for a 1x1 gif.
Anyone care to reverse engineer this code and see what it's reporting back?
It's been a few years since I've used BeOS, but I recall that packages would install files wherever the package maintainer wanted to, and were installed by you just clicking on the package without any kind of dialog. It seemed like a serious lack of security with the only saving grace being that nobody ran BeOS so nobody would waste their time writing trojans for it.
Why do you say you are immune? Ever hear of installing a program as a user, in your home directory?
Sure, it won't affect other users directly, but it will still slow down the machine and waste bandwidth...
Sure, *nix users aren't targeted yet so we are safe for now. But we can't *just* sit back and laugh...
---- Booth was a patriot ----
I assume that spam is one of the last places where people believe that an ad driven business model will survive. In most other forms of media, it seems that advertising has had its day.
What world are you living in? In the one that I inhabit, advertising is a multi-billion dollar industry. All of that brain sapping drivel pushed out on network television every night creates a captive audience to push sodas, alcohol, cars, and everything else that makes the (Western) world go round.
The fact that you and your friends use Tivo or listen to internet radio stations is only slightly more important than the fact that you use Linux at home. The rest of the world still uses M$ products and buys things because a commercial told them it will get them more pu$$y.
As for e-mail advertising, this is the latest (not even latest, but relatively recent) intrusion of advertising into communications mediums. Until people are willing to PAY for things (e.g. HBO) instead of being cheap greedy hypocrites, advertising will continue to infiltrate all communication and entertainment mediums.
Even when people are willing to pay for things, the advertisements will become more subtle and embedded, with product placements as perfectly nailed in the movie The Truman Show.
And the reason advertising continues to happen in e-mail is that the costs to advertise are getting less and less to the point that now if 1/10000 people buys Herbal Viagra or whatever crap is being sold, then it becomes worthwhile. So good luck convincing 100% of the people to stop buying stuff. Let's come up with realistic solutions.
Buy a Mac.
I'm not trolling, nor am I evangelizing, but the truth of the matter is, out of the box, Macs are FAR less prone to be susceptible to any of these nefarious internet annoyances.
Spyware: practically non-existent for Macs, and any application needs to be manually copied or installed w/a password verification, so nothing gets by without you knowing it (assuming you trust every user of your computer).
Spam: Mac OS X's built in Mail client has an excellent and easy to use spam filter built in, and in the 2.5 years I've had my .Mac email addy, I haven't had a bit of spam come thru at all.
PopUps - Not only can you block pop ups in the default browser Safari, most of the pop up ads are themed to look like Windows dialog boxes, so they're easy to spot as advertisements and whisk away with a single click.
Just my 2
Gotta mention that again here. Fascinating essay.
Google it
Bob-
The Ludwig von Mises Institute. The reasoning individuals economics
I'm not sure how it didn't happen earlier, the guy who runs it barely even seems to know HTML.
Of course they haven't. They still haven't forgiven Franklin Delano Roosevelt for being so uncouth as to die in office.
NYT writers are well known for making things up, so I'm sure that any word about software that would indeed make things better would be considered obviously false and get the writer fired. One must not be quite so obvious about the fraud, so as to get awards rather than fired.
Bob-
The Ludwig von Mises Institute. The reasoning individuals economics
Because spyware and junkmail isn't a crime committed upon us by little criminals. Microsoft includes spyware in their products. The government passed a codicil excusing the junkmail they spew. O'Reilly pages are loaded with links to doubleclick. And Barnes&Noble sells your electronic soul to akamai.
Is there a correlation between spam and spyware?
Does any spyware collect email addresses from address books?
Does any spyware submit the user's address with its data?
Do people whose machines are or have been infected with spyware get more spam?
Just wondering.
It seems that spyware that tracks a user's web viewing habits would be a no brainer as a data feed for a targeted spam operation.
Read, L
what a prize!
Most apps that install spyware usually have something in their license that says "we have the right to install whatever we want on your system". When a license says something like that I usually back away and not install it. There is a certain sense of apathy where people no longer read the End User License Agreement, but with freedom, and freedom from spyware, you must read the EULA and make sure a phrase like this is not present.
Granted EULAs are usually long and cumbersome and rightfully so, that is what makes most end user just click 'accept' right away. Also if you search the program you want to install on the web you may come up with a review or someone else stating that spyware is installed with it.
A majority of spyware programs are installed with legally questionable software, file sharing. To minimize your chances of installing spyware do not install any "legally" questionable software and read the EULA!
Make me your friend. All my friends get +1 modifier and I need friends :)
Wow, I'm gonna have to reformat my hard drive and install Linux again so I can stop getting spam emails!
But then you would filter out emails coming from Bugtraq, confirmation emails from online retailers, opt-in email that you want to receive, not to mention creating a huge pain in the ass for people that just send a lot of email.
;-)
You have to look at this from an abstract viewpoint to realize why nothing works so far (except bayesian filtering - to a limited extent).
You own server X. Out on the internet are servers A, B, C, D, and E. You know that you don't want any mail from D and E because they're spammers. You *might* want mail from C, sometimes but not all the time (a retailer, let's say). Messages from B you'd like to let through because that's your buddy's ISP, but A is a server used by both your friends and spammers (for example, AOL).
Now then, give us a simple algorithm to make sure that you always block D and E as long as they're sending spam, sometimes/never from C, allow from B, and block some mail from A depending on whether or not it's spam.
If that sounds too hard, then just come up with a simple algorithm to determine whether or not an email is spam.
See why it's still a problem
"It is seldom that liberty of any kind is lost all at once." -David Hume
here
Help fight continental drift.
wow, i didn't know that half of all email is just anti-spammers discussing how to torch spam. jeez, talk about collateral damage ;) hehe
"You never want a serious crisis to go to waste." - Rahm Emanuel
The boycott you propose has already been around for a long time. It's called the "Boulder Pledge". Unfortunately, it doesn't work.
The people who advertise through spam are fly-by-night operations. They typically hope to make a quick buck by shoving a message at a million people and getting a 0.0001% conversion rate. (Do the math.) Often they aren't even the ones with products to sell; rather, they're "basement operations" with little in the way of resources or business sense hawking merchandise on behalf of the less-reputable amongst affiliate programs.
The people who make the real money off spam don't make the money selling stuff through spam. Instead, they get paid by aforementioned fly-by-nights to send the spam. They are the few fat sleazeballs sitting at the top of the pyramid being supported by everybody else. Just ask Alan Ralsky (if you can get a letter through to him under the massive number of catalogues he receives).
This convoluted chain of middlemen is the reason why normal market forces haven't stamped out spam, even though spam is net unprofitable. Losers pour money into the spam system and are dealt out of the game with a high turnover rate; but there are always enough new losers coming in to keep the system afloat. Meanwhile, professional scam artists know every trick in the book to squeeze money out of an activity that truthfully causes a net loss for everybody else involved.
From the fly-by-nighters lured in by the promise of easy riches and duped into paying hard cash for spam advertising to the victimized ISPs and end users who have server, bandwidth, and support costs shifted to them, everybody else comes out in the red anyway. So how, exactly, is a boycott supposed to work?
Microsoft Windows is, fittingly, the official Desktop OS of Olig
Automated messages from BugTraq (or banking statement notification) are not a big deal, because I already know where they are coming from and it is very easy to whitelist such messages. This is what most people do anyway before passing e-mail to filters such as SpamAssassin.
The problem arises specifically with messages from random people. You can not whitelist them, and a blacklist solution, as it was discussed many times on slashdot, would never work well.
I think that proposed solution: whitelist for automatically generated messages and requiring to perform "can be done only by human" task would solve most of SPAM problem.
She can suck a better cock then you...wait...maybe not.
I used to run my own mail server on my home computer. In early summer I stopped. A couple days ago I started up tcpdump to gather up IP addresses to block because I am getting ready to fire my mail server up again. In 24 hours, I got attempted delivery of >24,000 emails from 377 separate sources. If any congress critters are interested in seeing it, I still have the raw file to prove my assertion. Since when does someone else's right of free speech require that I be denied lawful use of a mail server? Spam is nothing more than graffiti that denies me the right I have to enjoy the fruits of my labors. It is destruction of my property the same as if a garbage truck dumped its load on the front lawn of every congressman who failed to fight spam when they had the chance.
... now look at it ... sold to the highest bidder by traitors in office.
Out of 377 URLs, one -just one- of the sources was legitimate.
The new anti-spam law was moronic. It's time to vote those ancient bastards who cannot keep up with events around them out of office. This was once a country of / by / for the people
Image recognition (OCR) is just an example. There exist many other tasks which can be done only by humans:
Show a picture and ask a question: whether this is a man or a woman.
Image recognition is just an example, there are many problems which are easy for humans and hard for computers. To have human=computer you should have artificial intelligence.
mod parent down!
Spammers need images to get past word filters and to make an ad "stand out." Images can't be sent with the e-mail so src tags are used. href tags are also used for links they expect people to click on. "http://" is a unique identifier that absolutely cannot be obfuscated or it will not work. You can add a lot of junk before an @ symbol but eventually the real link must be there. Simply block that link and poof, no more spam from spammers advertising using that domain. You can block countless spammers by blocking a single 100% unique URL that no legitimate e-mail will ever contain.
The full write up of my take on what I see as horribly flawed ways to combat spam and source code for the custom programs I use to strip links out of e-mails.
I have an example of spam posted there where everything is just a mess in the e-mail. The headers are forged, the text is all obfuscated. But there, clear as day is an "HTTP://"
Poof, killed the spam domain. And there's no way to circumvent my method except by not having links of any form in the e-mail. If you put a link in a spam, I will find it and I will block it.
Ben
Work Safe Porn
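The link-harvesting approach described in the comment above, as an added sketch (this is not the commenter's own program): it decodes each MIME text part, collects `http://` links and `href`/`src` values, reduces each to the host that is really contacted (dropping any junk before an `@`), and checks it against a hand-maintained blocklist. The domain names, the sample message and all function names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed blocklist: a human reviews the harvested hosts and decides
# which registrable domains belong here.
BLOCKED_DOMAINS = {"pills-example.test"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample body: obfuscated text, but the links must stay usable.
SAMPLE_HTML = """<html><body><p>V 1 a g r a</p>
<img src="HTTP://www.bank.example:80@pills-example.test/i.gif">
<a href="http://cdn.%70ills-example.test/buy">click</a>
<a href="http://news.example.org/story">unrelated story</a>
</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect URL-bearing attribute values from an HTML body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "background", "action") and value:
                self.urls.append(value)


def real_host(url):
    """Return the host a client would contact for this URL, or None."""
    try:
        # .hostname discards "user:pass@" decoration and the port.
        host = urlsplit(url.strip()).hostname
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    if not host:
        return None
    # Undo percent-encoding, drop a trailing root dot, normalise case.
    return unquote(host).rstrip(".").lower()


def harvest_hosts(raw_message):
    """Return the set of hosts linked from any text part of the message."""
    msg = message_from_string(raw_message, policy=policy.default)
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            body = part.get_content()  # undoes base64 / quoted-printable
        except (LookupError, UnicodeError):
            continue  # unknown or broken charset
        urls = URL_RE.findall(body)
        if part.get_content_subtype() == "html":
            collector = _LinkCollector()
            collector.feed(body)
            urls += collector.urls
        for url in urls:
            host = real_host(url)
            if host:
                hosts.add(host)
    return hosts


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if the host is a blocked domain or any subdomain of one."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def verdict(raw_message, blocked=BLOCKED_DOMAINS):
    """Return ("reject", blocked hosts) or ("accept", all harvested hosts)."""
    hosts = harvest_hosts(raw_message)
    hits = sorted(h for h in hosts if is_blocked(h, blocked))
    return ("reject", hits) if hits else ("accept", sorted(hosts))


def build_sample():
    """Constructed spam sample whose HTML part is base64-encoded on the wire."""
    msg = EmailMessage()
    msg["From"] = "forged@example.invalid"
    msg["Subject"] = "hello"
    msg.set_content("No links in the plain part.\n")
    msg.add_alternative(SAMPLE_HTML, subtype="html", cte="base64")
    return msg.as_string()


if __name__ == "__main__":
    print(verdict(build_sample()))
```

Hosts that come back under "accept" are the review queue for the manual step: nothing is blocked until someone adds its domain to the list.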
Really, many things together contribute to this problem. In no particular order:
A rabid consumerist/capitalist economy. Everyone wants you to buy something. Everyone NEEDS you to buy something or the whole thing unravels.
As a result, advertising in general has become a tragedy of the commons. It's so pervasive that it's becoming ineffective. Nearly everywhere you turn, there's an ad for something. Most advertising doesn't even improve sales, it just keeps them from slipping. The culture of advertising has gotten so embedded in business that few have realized that superbowl ads are usually a net loss. Perhaps the crassness of spam would turn off the 1/10th of a percent who buy if all other advertising wasn't so crass.
A general acceptance of legalese. If products carrying a EULA over three paragraphs (normal paragraphs) long or using words that have not otherwise been in use for 3 centuries were simply rejected, there would be none. With EULAs cut short, there'd be no fine print on page 123 to hide the spyware disclosure in.
Another way to accomplish that would be for the legal system to admit that it's just not practical (or even financially possible) to hire a lawyer every time someone shoves a document at you. Further, it should recognize that a contract must be understandable to an average person with an average amount available to devote to such things. Anything not meeting that criterion is null and void. Fine print on page 123 does NOT constitute disclosure.
Loosened community ties have opened the door to scam artists like never before. In a worldwide community where the number of people you actually know is vanishingly small, social shame is not very effective.
Society is well behind the growth of technology. When it becomes more socially acceptable to proclaim that you sell drugs to 8 year olds than to admit you're a spammer, much of it will stop (OK, they may not be that bad, but it's close).
We need for it to be socially and legally acceptable to spit on a spammer's shoes in disgust. It's good that we as a society are (slowly) learning to accept diversity, but at the same time, some things are NOT relative. An obnoxious ass who deliberately annoys millions of people a week does NOT deserve understanding, he deserves contempt. Never mind jail, ostracise them.
Law enforcement. If you or I produced the very same spyware that's out there with the very same barely existent (or non-existent) disclosures, we'd be up on charges. Just because it's incorporated doesn't make it OK!
</soapbox>
True - which end are you relying on to do the authentication? If it is the receiving end then you run into language barriers, problems with understanding etc.; if it is the sending end then the spammer will use their own server without authentication. These tests also need to be written. If you make a standard set then the spammers will obtain these and write applications which recognise them; if you rely on ISPs/server admins then many will not bother or will use simple character strings.
Even simpler example. Just imagine: all e-mails you receive marked by a flag "sent by human" or "generated automatically". This way most people would have NO SPAM PROBLEM.
Read messages from humans every hour and automatically generated messages from unknown sources (such as online retailers) either when you expect such message or once a month.
Even more. Some people (me) would even agree to receive ONLY messages from humans on main e-mail account.
Spam might not be a problem on your platform, but who wants to run Commodore 64s?
$5 / month hosted VPS on linux = awesome!
I can personally attest to this. I've been doing on-site PC service for a local company for the last couple months, and our #1 call by far is for problems that end up being spyware/ad-ware related.
In my experience, SpyBot works extremely well, but it has a few quirks in its interface that lead people to not get everything cleaned up that it can clean up.
Most importantly, when it finds spyware that it tells you requires a reboot to remove, you'll notice that it rescans everything during the system restart. The thing is, though, it isn't *removing* everything during this stage. It's only setting itself up so it *can* remove what it finds successfully, if you click to "fix problems" on its console window after everything finishes and the Windows desktop comes back up!
Also, I'm seeing more and more virii/trojan horse type infections that are smart enough to kill processes of any known virus scanner. These wouldn't have the chance to infect a PC in the first place if people kept their virus scanner running and updated, but many people don't. Then when someone like myself comes in and tries putting an updated one on the PC, the install won't even complete successfully. (This also manifests itself as a scanner that shows itself as "disabled" in the system tray, but which won't ever stay enabled when you try to toggle it back on.)
I'm at a loss as to why Symantec, McAfee, AVG, and the other popular scanners don't allow doing a "reboot and scan/remove virii before system startup", so the virus code can't get a jump on the scanner??
Thereby denying blind users the ability to e-mail you.
Not only is the FTC now required to study a do-not-email list, there's even talk of the DMA's worst fear - a do-not-mail list for paper mail. Bills have already been introduced in New York and Massachusetts.
This is the year to go for a do-not-email list with teeth as sharp as the do-not-call list. It worked for fax. It worked for phones. It can work for e-mail. And it's an election year. Keep pushing on your elected officials and the FTC. Push the FTC to implement a do-not-email list. Insist that it include domain-wide opt-out.
And yes, it will work if the law goes after where the money goes. Any competent cop and prosecutor can find out where those Viagra orders get fulfilled and who collects the money. It just takes some routine police work and a few court orders.
Alternatively, institute a microcharge on email -- be it monetary or computational -- to disrupt the economies of scale.
Spam is coming from zombied hosts these days, computational charges will be distributed to the point that they are useless. Monetary charges will destroy mailing lists like the numerous developer lists I subscribe to.
I believe there is a way to stop spam without any government intervention. We can make it so that spamming only costs the spammer money. I believe the widespread use of encryption would eliminate spam completely.
For the sake of argument consider that everyone does use encryption with all of their email messages. Now, instead of worrying about where the email came from, all people like Brightmail and Spamcop have to worry about is who the email came from. Receive spam and report it for blacklisting. Send spam, have your public key blacklisted. Get blacklisted and anyone who decides to trust their list filters your message straight to the trash.
In this scenario, if you receive an unsigned message, it is probably spam. Anyone respectable will sign, and everyone in your address book can be filtered to the 'good' inbox whether they sign or not. Unsigned spam won't be read. Spammers, knowing this, are going to be left trying to generate disposable keys. A small charge by the folks who certify the keys would then force them to reuse their keys, because generating the hundreds of thousands of keys needed to give each message a signature with a disposable key would be far too expensive for them. The speed at which we could blacklist keys in combination with the per key charge would reach a point where the 'economics of scale' no longer apply. Spam would disappear because it would no longer be profitable. Locating the spammer for prosecution would be easier too, since we could trace the payment for the keys.
And of course, this all would have the added benefit of keeping all of our private email guarded by a warm fuzzy blanket of strong encryption.
Would anyone here like to tear down my theory? If so, please avoid the obvious. The obvious being that not everybody uses encryption, Joe Sixpack could never figure out encryption, etc. Those are usability problems. What I would like to know is if I am overlooking a problem with the solution itself.
I am a full time Linux user, however I am always drafted to work on my family's trashed Windows computers. Anyway after a long hard search I found good freeware solutions for detecting & removing Keyloggers and Spyware.
These are also good if you want to safely use a strange machine. These are the programs:
SpyBot S&D safer-networking.org
Pest Scan pestscan.org
Keylogger Hunter http://www.styopkin.com/keylogger_hunter.html
Patent: from Latin patere, to be open
The worst part about all of this is that they had a technology there that could be used effectively and to the benefit of both companies and consumers. Advertising on the Internet is a given, and unless somebody figures out a better way to make a profit on otherwise "free" Internet sites, it's here to stay.
Personally, I don't see a problem with the idea that if I have to see advertising it would at least be tailored to my interests. If that means that an anonymous profile is put together on my Internet habits and that information is used to custom direct an ad towards me, then hey, why not.
What I do have is a problem with the way the industry has chosen to approach this. Instead of asking me whether or not I want to have my Internet movement tracked, they do it covertly. They either use cookies which I didn't expressly give them permission to use, or worse hidden in software which at best asks my "permission" by hiding the true nature of the software deep in the fine print of the EULA.
For me, this has ultimately removed any sense of credibility and consumer confidence I might have in the industry. Between spam (which I don't want), pop-up ads (which are annoying to the point of being a major distraction), and Internet tracking spy-ware (where it is assumed that I want it unless I take great lengths to remove it), I've come to the conclusion that legitimate businesses simply don't advertise on the Internet.
Unobtrusive advertising, like a simple non-flashing or beeping generic banner ad is one thing. Hey, somebody who runs a website giving you content for "free" needs to pay the bills. But when it gets deeper--running software on my computer that I didn't want it to run or collecting personal information I don't want it to have--then it's reaching the point of being unacceptable.
If advertisers want to turn the industry around, they'd have to follow a few simple rules.
1: Ask my permission first. Make it abundantly clear, not hidden away somewhere. "We are going to track what websites you go to, in order to have custom tailored ads delivered on your page", or "We are going to send you e-mail about our products and services . . is that OK?". Always have 'no' selected by default. Make it so I have to go out of my way to get your advertising.
2: Make it easy for it to stop. If I have your software which reports back on my web usage on my computer and I don't want it there anymore, make it simple to uninstall it. Hiding parts of your software in different parts of the computer so it's nearly impossible to get rid of it is something virus writers do, not companies I want to do business with. If I tell you to take me off your e-mail list, that means stop right away.
There probably are companies dealing in Internet advertisement that follow those simple rules, but the problem is enough of them don't that it has made the entire Industry suspect, and at the present time I want nothing to do with them.
The Internet is generally stupid
In ye old days, AV scanners would not only scan for malware that wasn't strictly a virus, but would invariably include an "inoculate" feature which would create checksums for executables and libraries, and the on-access scanner would refuse to run altered or non-checksummed executables. The latter is handy to protect against users installing or running malware. Windows XP includes this, but in a very, very cumbersome manner (Software Restriction Policies) but which at least can check certificates so Windows updates will work.
Anyone know of any free checksum-checkers-on-execute, preferably with some sort of centralized checksum database, for Windows?
SCO employee? Check out the bounty
Spammers can't get away with e-mailing millions of messages if they're too large.
It would take 10 months or more to e-mail a message with a 20KB image 25 million times on a typical high speed connection. By referencing images off of hosts they can send the same number of messages in a week and the hosts can serve up the bandwidth required in half the time it takes to send the e-mails.
Ben
Work Safe Porn
sheesh... come on people.
options:
1) EGRESS filters! hello!
if all the big ISPs did this, spam would probably disappear, but they are too busy getting PAID to carry spam!
2) black, white, and unblocked lists on a global scale
that's all for now.
Just got done switching the wife's machine over to Xandros 2.0. She doesn't play games but she can do everything else. Check her mail, keep a calendar, set reminders, surf, chat, play music, DVD's or movies. And all that right out of the box. I did zero configuration. Zero. Just plugged in one disc, answered a few questions and away it goes. It detected the network card, found the network and Internet connections, configured the three-button mouse properly, detected all my hardware, let me configure a network printer, set up users and set the administrator password. Not just as easy as Windows, it was easier. And it comes bundled with CrossOver so I was able to get Photoshop working in no time. What a nice distro.
Yeah, yeah I know it's paint-by-numbers Linux, but it sure made my life easier. The wife can get around with it, even for burning CD's and she thought having Photoshop back was totally cool. It's a lot more intuitive for Windows users than SUSE. No more worries about the virus-of-the-day and cleaning off spyware crap.
Windows is crapware. The longer I use Linux, the more I despise Windows. It's...dirty.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Now, Windows is well-entrenched because it's what the current user base is used to. We can't get them to budge because we can't persuade them that the change is worth the effort. But if millions of college students are getting a thorough education in how totally insecure Windows is....
If you happen to live in Spain, you can see milk, juice and other brand products embedded in tv shows. The most prevalent one being the "Puleva 3 milk". It's only a matter of time before this catches on in the U.S.
I've had enough of holding the hands of those who are not willing to protect themselves. If these "people," usually grown adults, can't avoid a "Get Kool Mouse Pointerz Here" link, that's their problem. I'll happily charge them by the hour to fix the problems (and I do), but I'm not going to wring my hands here or anywhere else over how to solve the problem at its root. For friends and family, I've got everything locked down, but I'm not about to waste my time bothering with all others, especially when the warnings are ignored constantly.
Those of us who are Internet old-timers have long chanted the "don't trust anyone you don't know" mantra that keeps these problems at bay, and, unsurprisingly, nobody has listened. So, to hell with them. I made a few hundred bucks last month alone from a "will remove viruses and spyware" ad in the local paper, so let them keep it up, and I'll soon have my school tuition for this semester paid.
Spam and spyware are both hilariously easy to eliminate in one step -- stop being so gullible. Since that will never, ever happen, I'm happy to keep taking their money and patting their soft little heads.
-
Inventor of the term 'pardon my French'.
But that's too late. You need to DDos / harass them BEFORE they spam. You need to stop being reactive and start being proactive. What's your IP address? :-)
Everyone is complaining that no solution works against the spam problem. True, there is no single magic bullet. But instead of throwing up our hands and yelling that we are screwed and let the bastards overrun us, we need to break the problem down into workable chunks.
Do you remember how much Norton Antivirus spam you used to get? It's all but gone now. People complained to Symantec and Symantec went hunting. It's one less profitable avenue for spammers to go down. (Now we just need to get Pfizer/Viagra to get a clue.)
There is a lot out there. Don't burn yourself out on it. Just pick your favorite pet peeve and go after it. Report it to the people who will care the most.
Forward your spam about:
- Norton to spamwatch@symantec.com
- 419/Nigerian scam to 419.fcd@usss.treas.gov
- Ebay account scam to spoof@ebay.com
If anybody has any more let me know.
I make a point of forwarding any spam that has made it past my filters to my spam cop account www.spamcop.net
I set up a distribution list that forwards to both this account and to the FTC: uce@ftc.gov
Also fun is the FDA's over the counter fraud e-mail address: otcfraud@cder.fda.gov (I know I have more penis pumps than I could ever use).
Are you running Java already? This takes no effort!
www.astrobastards/uc runs a client on your PC that works with a team of spam fighters by filling in the forms for all those "mortgage loan" spams with believable junk. This is not a DOS attack. Since we have been invited to fill out their contact forms we go ahead and do so. Now when all those insurance & mortgage firms pay the spammers $20 per lead they will get pissed that they paid for garbage. Suddenly prices per address will drop from $20 to $10 to $5 to .05. Eventually it will make it unprofitable to collect contacts this way. We don't fill in credit card information so we don't do anything illegal.
Do you get a spam with an 800 number? Call it & tell them you are pissed. It's their dime.
The only toolbar plugin I've ever installed was Yahoo!'s but a few weeks ago I had to do a clean reinstall of Windoze and I decided not to reinstall it though I might reinstall Yahoo! Messenger. It's the only IM client I've used.
Should there be a Law?
This is an excellent idea. I think you explained it better on your website than here.
It would be cool to see how well your solution works up against progs like SpamAssassin. After all, they fight a moving target, whereas spam domains are a bit slower.
However, it is also true that spammers typically buy 100 domains for some cheap monthly rate plans, and as domains are thrown out of Google or otherwise become worthless, they just move to the next one.
I would definitely like to see this idea developed more fully.
You can forget about a lot entirely if you go that route. Not saying Mac is unusable, but computers are general purpose machines, and the more general, the more attractive they are.
That's a common misconception people have about Macs, that they don't run as many programs as Windoze does. Many of the makers of big programs for Windoze also release them for Macs. For those Windoze programs that don't have Mac releases then you can run Windoze on the Mac. On top of that with OSX many *nix programs can be run as well.
Simply, Macs with OSX run more programs than any other OS.
Should there be a Law?
I think the devil, as always, would be in the details. How would one get a public key? I think this might only lead to the rise of disposable keys: a spammer would fire off a day's worth of spam, and then throw out the soon-to-be-useless key just as it starts hitting the blacklists. But I really don't know much about the state of encryption today, so I may well be overlooking something obvious.
Spam is coming from zombied hosts these days, computational charges will be distributed to the point that they are useless.
Computation microcharges, according to my calculations, couldn't be distributed among zombies. Choose a constant X: this is the number of seconds that a reasonably fast computer takes to pay its computational microcharge. A spammer who tries to send 30 million emails to people who haven't whitelisted him will need 347.2X days of computation. If X is set to five, he'll need approximately 4.75 years' worth of CPU cycles. That much processing power is a valuable commodity; if it's lying on the net waiting to be stolen, it will be snapped up by any number of interests that do not involve spamming. Moreover, the value of X will be up to the user; if you have a problem with spam, set it higher. Or disable it entirely if spam is not an issue.
It need not affect mailing list owners, since the charge is only levied against senders who are not whitelisted. Presumably, the receiver of the email would issue a challenge and it would be up to the sender to respond. If a mailing list owner gets such a challenge, he needs only discard it; it's not his problem if a subscriber did not whitelist the mailing list.
Just thinking out loud.
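The challenge-and-response microcharge from the comment above, as an added sketch rather than anything the commenter posted. The comment does not say what the computation is; a SHA-256 partial-preimage puzzle is assumed here, and the class, function names and addresses are constructed for illustration.

```python
import hashlib
import itertools
import os

SECONDS_PER_DAY = 86_400


def campaign_cost_days(messages, x_seconds):
    """CPU-days needed to pay X seconds of work for every message."""
    return messages * x_seconds / SECONDS_PER_DAY


def leading_zero_bits(digest):
    """Number of zero bits at the front of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _digest(challenge, nonce):
    return hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()


def solve(challenge, bits):
    """Sender side: brute-force a nonce; about 2**bits hashes on average."""
    for nonce in itertools.count():
        if leading_zero_bits(_digest(challenge, nonce)) >= bits:
            return nonce


def verify(challenge, nonce, bits):
    """Receiver side: a single hash, however long the search took."""
    return leading_zero_bits(_digest(challenge, nonce)) >= bits


class Receiver:
    """Mailbox that charges unknown senders and waves whitelisted ones through."""

    def __init__(self, address, whitelist, bits):
        self.address = address
        self.whitelist = set(whitelist)
        self.bits = bits      # the user's own price; raising it raises X
        self.pending = {}     # sender -> outstanding challenge

    def receive(self, sender, proof=None):
        """Return (status, challenge); challenge is set only when one is issued."""
        if sender in self.whitelist:
            return ("deliver", None)  # mailing lists and friends pay nothing
        challenge = self.pending.get(sender)
        if proof is not None and challenge is not None:
            if verify(challenge, proof, self.bits):
                del self.pending[sender]  # single use: a replayed proof is worthless
                return ("deliver", None)
            return ("reject", None)
        # Bind the puzzle to this sender, this mailbox and a fresh random value
        # so work cannot be precomputed or reused against another recipient.
        challenge = f"{sender}:{self.address}:{os.urandom(8).hex()}"
        self.pending[sender] = challenge
        return ("challenge", challenge)


if __name__ == "__main__":
    print(round(campaign_cost_days(30_000_000, 1), 1))           # days per unit of X
    print(round(campaign_cost_days(30_000_000, 5) / 365.25, 2))  # years at X = 5
    rx = Receiver("me@example.org", {"list@example.net"}, bits=16)
    _, challenge = rx.receive("stranger@example.com")
    print(rx.receive("stranger@example.com", solve(challenge, 16)))
```

Each extra bit of difficulty doubles the sender's expected work while the receiver's check stays at one hash, which is what lets the recipient choose X freely.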
The problem of spam is lately being overshadowed by the subject of spam saturating the media.
Think of the media business model. Media lives on paid advertisements and subscriptions. Spam doesn't grease their pockets. Of course advertising directly to the public is a bad idea.
The truth shall set you free!
Might try: The story of America is the story of noble aspirations overtaken by a hard-core huckster reality.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Three words:
Feds Hate Encryption!
Why?
They consider encryption to be a weapon/munition and subject to onerous, labyrinthine regulations when used in products that leave the USA/Canada....
It appears encryption is tolerated now thanks to pioneers like PRZ/PGP because the majority of network traffic is still unencrypted, in the clear, and eminently collectable and analyzable....
If most/all worldwide network traffic goes encrypted, the Feds (or any country's system of government for that matter) will $#!+ bricks, outlaw/criminalize *ALL* non-approved use of encryption (even rot13), and quite possibly pull the plug on the Internet to prevent unauthorized encryption use. Then it's back to the nostalgically inefficient days of dial-in BBSes....
Do you want a future like that?
I don't.
There has to be a way to stop email spam without using encryption....
whereas spam domains are a bit slower
Actually, if you have a look at the Spamcop inprogress stats you'll notice that the spamvertised domains change pretty quickly. I use this exact type of filtering at work and I have to stay on my toes to harvest the newest domains. On the other hand, it seems to have VASTLY cut down on the amount of spam my users receive.
The problem here comes back to capitalism, in my view. If money is the motivation, people are going to do sleazy shit to have money. You will submit because you want to be in the system, with its health care and fast cars and enema porn. But is there a greater value than money and material comfort?
Dynamic ;-)
A blog about stuff.
I have an ancient version of NAV on my WinME box, that scans during the DOS bootup and Windows startup. So it's not like scanning/cleaning during startup hasn't been or can't be done.
This ability to simply turn off those meddling virus scanners is yet another reason why I still use FProt for DOS, and do my AV scans manually. (Well, via a simple batch file -- so I merely navigate to the desired directory, open a prompt, and type "FPA".)
~REZ~ #43301. Who'd fake being me anyway?
a) Do not use Internet Explorer;
b) Do not use Outlook;
c) Do not use MSN messenger;
d) If you use Windows xxx make sure you use it behind a good firewall or proxy server;
e) Whatever browser you use:
1) Disable Javascript;
2) Disable Java;
3) Disable CSS
Individuals or firms who require such tools to distribute information have way overengineered their sites. They are going for bells and whistles rather than reliability and trust relationships. (There may be exceptions to such assertions but they are few and far between. I can read /., the NY Times, the BBC and a host of other sites without problems. Reuters insists on telling me that they will not support my browser and I've told them that I thumb my nose in their general direction.)
I've followed these policies fairly closely for the last 3-4 years and have not had any problems. Sure I still get SPAM but I heavily filter it using both spambouncer and spamprobe and I read it entirely in PINE using CRT (a telnet application) to the Linux server that receives the mail. I.e. there is no HTML or other attachment processing etc. that takes place on the email that is being read on the Windows 2K machine. And I *don't* require virus/spy/ad ware scanners.
Robert
It would be easy to set up an OS so that 1) there is no "admin" for the user to be, and so that installed programs can't do things like scan your hard drive, report crap back to the master server, etc.
Basically, you set up ACLs for both users and programs. Then you deny the program all rights that it doesn't need. You don't even allow programs to automatically request certain privileges (like hooking the keyboard, extracting URLs, or any other data from any other program). Users would need to use the security manager to do that themselves.
You might be able to set up something like this using SELinux, but I don't know. Certainly no OS in existence is really set up to do something like that, but I hope that all future OSs will be, esp. Windows and MacOS.
autopr0n is like, down and stuff.
Okay, I hope Slashdot's anonymizer thing actually works...
Ahem. In any event. A good way to prevent people from buying spam is by spamming for some great product. Say a $10 DVD player, Porn DVDs, narcotics, whatever. And then rather than sending them the product, you send them a mail bomb.
The media hype would probably scare enough people away from spamvertized products to kill it entirely, in the US anyway.
autopr0n is like, down and stuff.
I guess it would have helped if I'd hit "Post Anonymously" Oh well. Not that I'd ever do such a thing, of course.
Well, like any spam solution, this isn't good on its own. I'm pretty sure I've sent people e-mails with the string 'http://' in them, letting them know about a website I've found. Or created.
It also seems like a Bayesian filter would pick up on this by itself. Why write a specific system to block out 'http://'.
And while images will make a spam stand out, so will getting past most spam filters. That's why a lot of the spam I've been getting doesn't even register on the Bayesian filter I use, and appears to be a regular email even after reading it (like 'hey man what's up? .... check out this website ... talk to you later' the only clue that it wasn't for me was that I didn't know the sender).
autopr0n is like, down and stuff.
For the Norwegians here, the relevant laws are personopplysningsloven and straffeloven.
People say I'm crazy, I got diamonds on the soles of my shoes...
Would anyone here like to tear down my theory? If so, please avoid the obvious. The obvious being that not everybody uses encryption, Joe Sixpack could never figure out encryption, etc.
Awwwwww! No fun.
But seriously, if that can't be mentioned, let me first make another point. If the major problem with spam these days is open hosts, and we are ignoring issues of usability and general public acceptance, then it seems to me that the first thing we should do is put an end to zombied machines by getting everybody to secure their machines such that them being usable for spammers (and any other virus, worm, etc that floats around the 'Net) is a statistically non-existent issue. But I certainly digress.
Is there a problem with your theory? One potential problem I see--and I admit I am a novice in both the areas of spam and encryption--is the assumption of security if a valid key exists. I kind of liked the fee base, even if it might not be practical for general acceptance, but once a key exists and is verified, it is assumed to be valid and non-spam email?
1) What is to stop these zombied machines from simply examining a system and making use of the email encryption scheme available? If a spammer got hold of somebody else's valid key and used it maliciously, the email would be accepted as valid. Also, how can the victim of such misuse prove it was a malicious spyware-type program or worm that sent itself to the world rather than them sitting at a computer?
2) If a service such as SpamCop is used to report keys that should be blacklisted, how long would wide public support exist if they had to prove themselves innocent if something went wrong? Remember, this isn't like an email address where I could get a new one for free and with fairly minimal hassle; this is something I paid money for, money that while it may be small, is still my money and I wouldn't take kindly to having it taken away from me. Especially if I really didn't do anything wrong.
Assuming everything worked great, might it not also work too great? What about legitimate businesses with opt-in email listing? How could they not be marked as spam in the system? And how do we feel about things we agree to even if we don't like? I am reminded of comments previous about spyware and how most of the time they basically say they're going to install it in your EULA. What if a spam clause is put in instead? Is this spam or not?
All in all I like the system. And hey, even if there is a gaping hole somewhere we're both missing (even if I'm right about the issues I raise I consider them relatively minor), we do, as you say, have that extra security blanket of encryption. I've never been much of a tin foil hat person, but lately Ashcroft has been scaring the hell out of me!
It might work, if we avoid the obvious. It's unfortunate that we really can't, though. Still, I've begun encrypting my IM's and plan to check more deeply into doing so with my emails. Couldn't hurt to try... or at least help secure my little corner of the world.
I don't know about anyone else but I've seen a dramatic drop in the amount of spam I get at my hotmail account in the last couple of weeks. It's gone from an average of 50 a day to 1 a day. The reduction happened around the same time that the interface changed. Has Microsoft actually put in an effective filter or is there another reason for it?
If I hadn't seen such riches, I could live with being poor.
ad-aware - http://www.lavasoftusa.com
Got me out of trouble more than once.
It's now fun to try out all sorts of downloads and see ad-aware clean up afterwards...
It doesn't block "http://"
It searches for "http://" to gather links.
Which domains end up actually being filtered out is handled manually.
How often do you send friends links to domains dedicated to spam?
And Bayesian filtering picks up all the words. It's sloppy, inefficient and error prone.
Ben
Work Safe Porn
Well, yes, this is true -- but you're talking about DOS based operating systems. The problem is, people running Windows 2000 or XP typically have an NTFS file system on their boot drive nowadays, so modern scanners need to deal with this.
Symantec Anti-Virus 2004 allows booting from the installation CD so you can scan a boot drive without even starting the OS up at all - but again, they're still only supporting DOS filesystems.
A few years ago, I could not access a website and when I checked with my ISP, they said they had blocked the entire domain that hosted the website for hosting spammers. Assuming that can still be done, wouldn't it make sense for reputable ISPs to simply block all traffic from/to domains or networks that host spammers or the websites of spamvertizing advertisers?
Ignorance is curable, stupid is forever.
in my life God comes first.... but Linux is pretty high after that
Francis Smit
The majority are fly-by-night conmen. But not all. For instance, I received spam email from T-Mobile recently. I complained, and received more spam a couple of days later.
My main point is that some otherwise legitimate companies do send spam. My secondary point is that if you are spending money on T-Mobile based cellular service, you are supporting a spammer.
If most/all worldwide network traffic goes encrypted, the Feds (or any country's system of government for that matter) will $#!+ bricks, outlaw/criminalize *ALL* non-approved use of encryption (even rot13), and quite possibly pull the plug on the Internet to prevent unauthorized encryption use.
A right you are afraid to exercise is no right at all :-) Besides, I don't see that there would be a whole lot they could do about it. Trying to outlaw encryption didn't work too well the first time around. It was the US Government's Napster. They tried to crush it like a bug, but it crushed like a packet of ketchup. They need to get their brain wrapped around the fact that if they can look at it, so can the bad guys (whether that be other governments, organized crime, Terrorists(TM), or other equally 'bad' people).
There has to be a way to stop email spam without using encryption....
I take it that means you think the plan will work?
I think the devil, as always, would be in the details. How would one get a public key?
You would generate it on your own machine. You can't trust a key pair that you don't generate yourself. From there, the public key is sent to a Certificate Authority (CA). The CA receives your Certificate Signing Request (CSR), and performs some test to validate your identity (small charge, validating the address you provide against the card company's billing address for instance).
I think this might only lead to the rise of disposable keys: a spammer would fire off a day's worth of spam, and then throw out the soon-to-be-useless key just as it starts hitting the blacklists.
But there's the rub, as soon as the key hits the blacklist, all spam sent under that key is disposed of for everyone receiving it. Spam in the morning, key blacklisted shortly thereafter, everyone checking email at lunch is spam free. When I say disposable keys I'm thinking said spammer generates 100000 keys for 100000 email messages. This is the 'perfect' defense against the blacklist. But generating 100000 keys takes a good deal of horsepower, and with a small monetary charge, some deep pockets. Key reuse will be forced on them. The 'economies of scale' collapse. And again, since they are being charged a small fee, finding them should be easier. They could use a stolen credit card number, but that's wire fraud. Spamming may be legal in plenty of places around the world, but I don't know of many locales that look too kindly on wire fraud :-)
Computation microcharges, according to my calculations, couldn't be distributed among zombies.
Have you ever looked at Seti@home's numbers? There are mountains of wasted cycles out there. All you need is one worm.
Presumably, the receiver of the email would issue a challenge and it would be up to the sender to respond.
What happens should the sender be unable to respond. Example, I'm up futzing with a computer problem until I'm exhausted and give up. I send a message to customer service at 3am. I disconnect, go to bed and customer service gets my message at 8am. I'm asleep, the computer is off, and customer service bounces me as spam because I'm not online. Scenario two. I'm a retail salesman and being a good salesman I collect the email addresses of my clients that would like to hear about big sales. Well, three days after the sale started, client number 800 finally gets his notification, because 1-799 didn't whitelist me. And that assumes that my message didn't get bounced because of some built in timeout, give up trying to validate sender after 2 days? Sounds reasonable. IMHO, microcharges seem fraught with major flaws and would be easily circumvented by the spammers they are meant to inconvenience. Encryption does none of that. If you don't spam, you buy one key and never worry about it again. All messages are received, and it is up to the client to sort them out with the help of the blacklists.
Spyware on news.google.com?? Or was there a particular link you had in mind?
the first thing we should do is put an end to zombied machines by getting everybody to secure their machines such that them being usable for spammers
Kinda hard to do when most people are running Windows and design decisions, rather than bugs, are what leave Windows users most vulnerable.
once a key exists and is verified, it is assumed to be valid and non-spam email?
Once a message is verified by the email client software as having been signed by the attached public key, it then checks the blacklist to see if that key belongs to a spammer. If it is blacklisted, it gets marked as spam and dealt with accordingly.
1) What is to stop these zombied machines from simply examining a system and making use of the email encryption scheme available? If a spammer got hold of somebody else's valid key and used it maliciously, the email would be accepted as valid. Also, how can the victim of such misuse prove it was a malicious spyware-type program or worm that sent itself to the world rather than them sitting at a computer?
Stolen private keys would be something I would classify as a usability problem. It has always been a potential risk when using public key encryption. To put the question into perspective though, I think OS X 10.3 would handle this quite gracefully. On OS X you have a keychain. You can decide what applications are allowed to access specific keys. When set up correctly, your private email key resides on your keychain and is only accessible by your keychain aware email client software (Mail.app). Trying to access it with any other software fails. So if along comes the worm du jour, the only way it is going to sign messages with your key is through Mail.app. Surely when you see Mail.app launch itself and begin sending ten thousand emails an hour, you will know something is up. Require a password before accessing the key and no message gets sent unless the spammer can beat that. Barrier after barrier exists to stop a determined spammer. If a spammer beats that kind of redundancy, you've got bigger problems than a blacklisted key that might cost a couple of bucks to replace.
2) If a service such as SpamCop is used to report keys that should be blacklisted, how long would wide public support exist if they had to prove themselves innocent if something went wrong? Remember, this isn't like an email address where I could get a new one for free and with fairly minimal hassle; this is something I paid money for, money that while it may be small, is still my money and I wouldn't take kindly to having it taken away from me. Especially if I really didn't do anything wrong.
In many cases, we know who the spammers are already. Blocking their spam is so extremely hard though because we are trying to block based on where, rather than who. Again though, this is a usability problem. It isn't something that is unsolvable. If Microsoft would put money into making their s/mime simple and bulletproof and widely used instead of blowing it on computational schemes... besides, if my key was compromised, I would worry more about who could now read my private messages.
Assuming everything worked great, might it not also work too great? What about legitimate businesses with opt-in email listing? How could they not be marked as spam in the system?
If I opted-in, why would I report it as spam? The blacklist would be fed by end users, and validated by the people who manage it.
And how do we feel about things we agree to even if we don't like? I am reminded of comments previous about spyware and how most of the time they basically say they're going to install it in your EULA. What if a spam clause is put in instead? Is this spam or not?
If it walks like a duck and talks like a duck... :-) But you do bring up a good point. Assuming section 5c on page 163 of the EULA holds up in court... List managers have no idea what t
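The verify-then-blacklist flow this comment describes, together with the point made earlier in the thread that one listing disposes of every message signed under a reused key, as an added example that is not part of the original thread. The toy unpadded RSA keys built from fixed Mersenne primes, the fingerprint format and all function names are assumptions for illustration; a real client would rely on S/MIME or OpenPGP signatures.

```python
import hashlib

E = 65537  # public exponent shared by the toy keys

def make_key(p, q):
    """Toy unpadded RSA key from two known primes (assumption: illustration only)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def fingerprint(n):
    """Key identifier that the blacklist stores (hypothetical format)."""
    return hashlib.sha256(str(n).encode()).hexdigest()[:16]

def _digest(body, n):
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % n

def sign(body, key):
    """Sender: attach the signature and the public modulus to the message."""
    sig = pow(_digest(body, key["n"]), key["d"], key["n"])
    return {"body": body, "n": key["n"], "sig": sig}

def classify(msg, blacklist):
    """Receiver: verify the signature first, then look the key up in the blacklist."""
    if "sig" not in msg or "n" not in msg:
        return "unsigned"
    if pow(msg["sig"], E, msg["n"]) != _digest(msg["body"], msg["n"]):
        return "bad-signature"
    if fingerprint(msg["n"]) in blacklist:
        return "spam"
    return "accept"

# Constructed keys: fixed Mersenne primes, so no key generation is needed.
ALICE = make_key(2**89 - 1, 2**107 - 1)
BULK = make_key(2**61 - 1, 2**127 - 1)

def demo():
    """Classify a constructed inbox before and after one key is reported."""
    inbox = [sign("Lunch on Friday?", ALICE),
             sign("Cheap pills", BULK),
             sign("Cheap pills, second batch", BULK),
             {"body": "no signature at all"},
             # Body altered after signing, so verification must fail.
             dict(sign("Invoice attached", ALICE), body="Invoice attached, pay here")]
    before = [classify(m, set()) for m in inbox]
    # One report lists the bulk key; every message signed with it is now caught.
    after = [classify(m, {fingerprint(BULK["n"])}) for m in inbox]
    return before, after

if __name__ == "__main__":
    print(demo())
```

The blacklist never sees message bodies or addresses, only key fingerprints, which is why key reuse is what makes the listing effective.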
How will that help? All that means is that users will get used to typing in their root password every time they install something. And they'll type it in just as happily for EvilWare PrivacyInvader Pro as they do for Fluffysoft Bunnies(tm).
Argh, I wish I hadn't just posted; I have mod points, and this should be modded up. (Insightful AND funny...)
I don't think this would work. If blacklists are that fast, why can't we just run a blacklist on individual email addresses right now? Seems to me that the email takes just about as much time to reach the target servers as the blacklist update does. And spammers DO use disposable email addresses, so something isn't working.
What happens should the sender be unable to respond.
Then, like now, your email would bounce. The thing is, this would all be done on the ISP's side. If I send an email to joebloe@earthlink.net, and all of earthlink.net's mail servers are offline, then the email bounces. So the servers don't go offline at 3:00 AM. At least, this is all how I think it works. I might be wrong.
Is there some quirk of NTFS that makes it inaccessible at that level?
~REZ~ #43301. Who'd fake being me anyway?