Spam Bits

Let's mush a few things together into a nice pink rectangular solid: ipandithurts writes "The FTC Chair Timothy Muris doubts the ability of the "CAN SPAM" law to stop SPAM." ElementCDN writes "The Ottawa Citizen has a story on Bernard Balan the King of Spam. Bernard has closed up shop and moved to cottage country near Huntsville, Ontario." CactusMan writes "CTV (among others) is reporting that a Ontario trio has been named in a suit filed by Yahoo under the new CAN-SPAM legislation. Yahoo is claiming that the father and two sons were 'responsible for sending millions of unsolicited messages to users of the company's e-mail service.'" ilsa writes "According to this AP article, as much as 19% of e-mail sent by commercial entities never reaches its destination. 'Promotions and greeting cards were the types of messages most likely to disappear, the study found.' Although this study may have been intended to be alarming, forgive me for thinking this may not be a bad thing." Reader chrisbtoo responds to an earlier spam story: "In today's story about Spam solutions, monstroyer challenged people to crack the Spam Interceptor Captcha. Turns out it was pretty easy." Finally, we can't fail to mention an attempt at making the world's largest spam musubi.

19% of commercial email? At least!

[neiffer]

I run a small publishing firm that relies on email to sent updates to our materials. Every email we send to customers has at least 10% bounce (sometimes as high as 30%); many of which worked a week before or a week after. However, I think the 19% number mimics my personal mail as well: messages allll the time get lost in the shuffle!!

Wow, they requested this?

[Faust7]

e-mail recipients risk losing newsletters and promotions they've requested.

Who with an ounce of sense would request any sort of e-mail promotion, given the tendency those things have to multiply of those accord? Don't answer that.

Re:Wow, they requested this?

[IO+ERROR]

The truth is, SOMEBODY is buying penis enlargers and breast kits, otherwise nobody would bother sending out such spam in the first place.

Re:Wow, they requested this?

[squiggleslash]

Set up an email address for each entity you do business with, and this becomes possible and easy to control. There are some entities I do like to receive newsletters etc from on a regular basis, simply because I buy enough from them for it to matter and they've put a lot of work into making them relevent - Amazon.com is one that springs to mind. People I know subscribe to things like newsletters from airlines that highlight specials, as another example.

You know, if ISPs made it easier to implement this particular solution, rather than requiring we run our own email servers to do it (or even doing what they can to prevent us from running our own incoming email servers - many ISPs block *incoming* port 25) the spam nuisance would end overnight. Businesses would stop selling email addresses because they know that their ability to contact you stops the moment they do, and people wouldn't buy them because they'd know the email addresses are blocked immediately on receiving the first spam.

I note Yahoo! is implementing such a scheme. More power to 'em!

Re:Wow, they requested this?

[schon]

SOMEBODY is buying penis enlargers and breast kits, otherwise nobody would bother sending out such spam in the first place.

OB Simpsons quote:

"That's specious reasoning, dad. That's like saying that this rock keeps tigers away."

"Really? How does it work?"

"It doesn't! It's just a rock! But you don't see any tigers around do you?"

-----
Even if nobody buys it, spam will still exist, because spammers think exactly like you do..

Re:Wow, they requested this?

[Phroggy]

Who with an ounce of sense would request any sort of e-mail promotion, given the tendency those things have to multiply of those accord? Don't answer that.

Each time I sign up for something with a particular company or organization, I create a new e-mail address at my domain, and give them that. That way, if I start receiving spam at that address, I know who sold my address.

What I've found over the few years I've been doing this surprised me a little. The results: legitimate companies do not sell my e-mail address. Never. None of them. There have been times when an e-mail address has gotten listed on a web page in cleartext (e.g. on an eBay auction page) and those get spam because spammers harvest addresses (I believe eBay has stoopped listing e-mail addresses for this reason). The address I actually use as my return address when sending mail to friends gets spam all the time. Once an address is harvested from somewhere, I'm sure it gets sold on CD-ROM or whatever. But the addresses I create for companies and organizations to use (I've got about a hundred of them) simply do not get spam.

Re:Wow, they requested this?

[pla]

Who with an ounce of sense would request any sort of e-mail promotion, given the tendency those things have to multiply of those accord? Don't answer that.

I've answered you not because I disagree, but to add a bit to your point.

You have pointed out what I consider a major flaw in most companies' marketing strategy; namely, assuming I want to know about product updates.

When I want a new product, I search for it on the web. I read a number of independant reviews to find the "best" product to meet my needs, then I use a few price search engines to find the best price on that product, then I buy it from the cheapest place that doesn't have half its users complaining about their service.

So, now, marketing gurus, take note of that process. Notice where mass mailings from your company fit in? Bingo, they do not. Not even a little. In fact, if I find your mass mailings just a tad too spam-like (or if I EVER notice you've sold my address, which I can tell since I use disposeable email addresses), you can guarantee that I will never buy from you again, even if you do have the best price, and will also warn anyone that asks my advice (which for the typical geek means "almost everyone they know") to avoid you as well.

So, my suggestions...

1) Stop bothering us with mail, immediately. You waste your time, our time, bandwidth, and may well incur our "squirrely wrath".

2) List yourself on every price search engine you can find. At the very least, list yourself in Pricegrabber, NexTag, and shopper.com. And If you sell PC hardware and don't list through Pricewatch, consider yourself as good as nonexistant to me. Seriously, if any marketing folks read this and only remember one point, re-read this one. List with price search sites, or vanish.

3) Don't piss off your customers. If you list a product at a given price, you'd better actually have it, and have it for the listed price (or better, I won't fault any company for that). If you make me wait an obscenely long time to get it, I will cancel my order after the third day it doesn't ship. If you give me the runaround because I don't want your crappy accessories and extended warranties, not only will I cancel my order, I will report you for bait-and-switch; additionally, if you ship via US mail, you commit felony mail fraud (which I will also report you for) by taking longer than two weeks to ship (regardless of whether or not you try to avoid this by some cheesy "6 to 8 weeks" disclaimer). Overall though, if you run a legit operation, none of that will apply. Just list what you have, honor your prices, and don't treat your customers like sheep (even though most of them probably act like it, and will buy anything you tell them to, enough people will get pissed to provide plenty of negative feedback for me to find).

Re:Wow, they requested this?

[squiggleslash]

Unfortunately for the most part they still allow you to email username@isp.com, so anyone reselling email addresses need only remove the +box@... bit and the floodgates are open.

CAN Spam stupid

[broothal]

I hang out in various anti-spam communities (news.admin.net-abuse.email and some IRC channesl) and most of us (tinu) agrees that (I) Can Spam is pretty clueless. Now, I'd like to hear comments from someone who's not an anti-spam zealot. Is there anyone who thinks Can Spam is worth the paper it's written on? (Anyone not associated with Direct Marketing).

Return Path numbers are low

[attaboy]

The AP/ReturnPath story is interesting, in that the actual number of messages that never see their intended recipients is probably even higher than 19%.

The study was based on a snapshot of messages sent by 100 Return Path customers. Return Path set up test mailboxes with 18 major Internet service providers and monitored about one-fourth of the 120,000 marketing campaigns from those customers.

This wouldn't even begin to account for the number of messages filtered by larger companies, universities, and other entities that maintain their own spam-filtering and spam-blocking systems. It also wouldn't account for the growing number of individual end-users who are installing and using commercial or free spam-blocking software on their local machines. Anti-spam software isn't just for geeks anymore. According to download.com, the top 25 results for a search on "anti-spam" have been downloaded 2,493,051 times, in aggregate.

Well isn't that a good thing?

If you are an end user, and missing a message doesn't matter that much to you, then no. If you are a company using E-mail to communicate with your customers, but you aren't sending anything critical, then no.

If you miss the electronic notification from your bank, credit-card, or student loan company that your last payment is late, or the notification from your airline that your flight was cancelled, then it does matter.

And if your one of the,"oh, it can't be more than five or ten", companies in the world that is using E-mail as part of your business processes, whether for sales, marketing, customer service, CRM, purchase or account notifications, etc... well then, hell yeah it matters.

Things are probably going to get worse before they get better, but E-mail for business has so much potential that I can't but hope that we will solve this problem.

Re:Return Path numbers are low

[tanguyr]

And if your one of the,"oh, it can't be more than five or ten", companies in the world that is using E-mail as part of your business processes, whether for sales, marketing, customer service, CRM, purchase or account notifications, etc... well then, hell yeah it matters.

Well, if you are using e-mail as a *critical* part of your business process then you must have a back up plan: like it or not e-mails get lost, there is no guaranteed delivery (e-fedEx?) ,no standardized way of handling return receipts, not to mention the whole grey area of whether emails represent legally binding documents. Check out those disclaimers in your inbox. Any e-commerce site sends you email notifications on your order's status, but they're also available on your account page - ssl encrypted, password authenticated. And you can call customer support for the same info. /t

from Dictionary.com

No entry found for rectagonal.
Did you mean octagonal?

Vigilante justice

[FattMattP]

...has closed up shop and moved to cottage country near Huntsville, Ontario

Come on boys! Saddle up and let's ride on to Huntsville! Don't forget the noose and yer rifle! Yeehaa!

Yet another "King of Spam"

[AndroidCat]

So Bernard Balan claims to be the (ex) king of spam and "one of the best programmers around"? Oh wait, spammer rule #1.

Dutch supreme court rules that ISP may forbid spam

[MathFox]

The Dutch supreme court (Hoge Raad) ruled today (March 12) that an ISP can forbid a spammer to make use of their machines. (press release in Dutch). "XS4ALL has exclusive rights on its computer capacity" and "Freedom of expression doesn't allow infringement on the rights of others".

Summary of the verdict: An ISP can demand that a spammer stops (ab)using the computer systems of the ISP for sending unsollicited email to its customers. If he continues after that, the spammer is infringing the ISP's rights.

Shifting of spammers to entertainment

[Dark+Paladin]

The yesterday, I recieved what had to be the greatest piece of spam mail I've ever seen.

It had to have been 20 pages long from someone calling himself "Lawrence Jesus Christ", and went on about how they were coming back, and specifically mentioned that the document wasn't spam until the Can-Spam act, how keeping this email from people would allow the sender to sue the company for $7000, a bounce-back would invite a lawsuit for denial of service attack, on and on.

Funniest damned thing I've seen in some time. And I've been wondering if that's the deal with the other spam I've been seeing like how "I had a 36 hour erection with v-i.g.r.@ - click here" or "Bob crossed the room to find the school girls getting rich quick".

No, I'm not making that up. Well, a little - but it seems like spammers are now trying to use humor to get their messages through.

As for Lawrence Jesus Christ or whatever, I deleted it anyway. I'm still waiting for my lawsuit.

Some things are unstoppable

[superpulpsicle]

1.) SPAM

2.) P2P

3.) Pop ups

4.) Virus

Just when US companies think they have it figured out, some kid in a bedroom will figure out a new way to distribute smarter ones.

Spam Interceptor CAPTCHA

[chrisbtoo]

Sorry monstroyer, didn't realise it was your system that you were challenging people on. Guess you'll have some work to do tonight, eh?!

I'd recommend throwing some extra noise in there, and possibly varying the relative darknesses of the background and foreground. If you can distort the characters too it might make it harder to beat.

Monstroyer says congrats!

[monstroyer]

Wow, my challenge has been answered. Seeing is believing. For the record, someone else beat it using JAVA. Here's the email i got:

Hi Simon, I just accepted the challenge that (presumably) you laid on a recent Slashdot
thread to create an automatic registration agent for (again, presumably) your Spam
Interceptor software.

This is the result. If you can see the log of registered email addresses you will note
that some few hundreds of addresses have been added for of the form
"AutoGenerated_@i.am.spamming.you.com".

You are welcome to review the code that I used, although there really isn't
much to it... some 300 lines of java. The approach that I used should be adequate
simple variations of your defence, but would be readily defeated by simply
improving the algorithm that you use to generate the random background noise
in your image.

Feel free to email me at: [removed]@recalldesign.com

As a user, here's hoping a fix to make the image more complex is on the way. Thanks for the insight.

Re:Monstroyer says congrats!

[interiot]

There are some simple steps they can take:

• warp the letters so programs have to actually use OCR techniques instead of simple byte-matching (currently all "A"s have the exact same shape which is trivial to detect due to the small number of hard-edged pixels)
• alpha-blend the background... currently you can easily remove the background because it's the same color all the way across and all the way down (roughly speaking; you have to skip pixels on the horizontal, but it's still trivial)
• don't make the letters be the same color all the way across, contiguous pixel areas are too easy to recognize (better yet, apply randomness to the whole image)
• don't use a clearly different set of colors for the background vs. the text

Was this actually a challenge by the authors? It was trivial to break, and just about every other site on the internet that uses munged letters uses the above methods.

Captcha!

[doublebackslash]

We have been depending on the difficulty computers have recognzing the shapes of obfustacated letters.
Why not make the try to identify things, objects.
There are a substantial number of warping effects that can be applied to a picture, and so long as the users language is known, and they are reasonably congnent, they cold recognize a barn, a duck, etc even if it was warped, twisted, or miscolored to some extent.
(example: there is a picture of a barn in the forground, the question is what is the color of the object in the picture, or what is the object, many questions based on one picture=)
I feel that this is the next generation of captchas. Personaly I like a picture scheme better, it could be easier to decipher than some of theose HORRIBLY degraded captchas I've seen. Plus it relies on a deeper ability to recognize shapes and patterns and colors and resolve them into a recognizeable image in our minds, and computers now cannot hope to recognize a warped human face from a barn.
I feel that this sort of authentication could also be the key to blocking spam all together.
A user could add E-mails to their trused list, and certain sites (ebay, hotmail, etc) could be on there by default, all others will have their message bounced with a captcha included, and an explination of what is happening. When they prove themselves human, they can get added automagically. Put the work on the senders end. If you send an email to someone, add them to the trused list, etc, for ease of use on users.
I feel that computers and spammers will have a hard time with any scheme that does not involve standardized things, like letters.

Holy Shit!

[Mullen]

Bernard Balan, branded as one of the world's worst hard line spammers, has retired to a quiet Muskoka retreat far removed from his bulk e-mail empire that, at its peak, had him sending 30 million unsolicited messages a day, raking in up to $140,000 U.S. a week.

Is this a joke? You can make that much money being a spammer?
No offense people, I but I'm seriously looking at switching careers! I make half that in a year!
I could work less than a single single year and retire. Amazing!

300 lines of Java?

[Wee]

You are welcome to review the code that I used, although there really isn't much to it... some 300 lines of java.

So that's like, what? 25 lines of Perl?

I kid because I love.

-B

Re:19% of commercial email? At least!

[jrumney]

When do they come back? I wouldn't want to keep checking a website just in case there was something new there this week. If I an genuinely interested in something, then I don't mind signing up to hear that there is an update. Maybe you college students have time to go looking for new things every day, but I don't.