Analysis of Spam, and a Proposed Solution
2bot_or_not_2bot writes "Spam: The Phenomenon is a detailed analysis of spam: products, scams, viruses, obfuscation methods, etc. Failed, and doomed-to-fail, methods of blocking spam are described. A general solution is proposed that does not: invade privacy, perform wide censorship or blacklisting, or involve payment and cooperation with corporations (beyond the transport and storage of data)." Hmmm.
We apply Islamic law.
They steal our time, money, and bandwidth.
We take their hands.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
first post?
seriously though.. the article may be interesting, but the hmmmm link says it all...
there will not be a solution, because like copy protection, everything can be circumvented.
http://www.babysmasher.com
http://www.openingbands.com
I'm glad the author included so many examples of actual spam messages. I was beginning to wonder what spam looked like.
John.
The best way to stop SPAM is to find the person(s) that are sending and post their personal information on the web. Everything: email address, phone numbers, cell phone numbers, home address, business address, dog's name... everything there is... and let vigilante justice take over from there...
I mean come on, if only .5% of the people (s)he sent out spam to call his cell phone and leave a nice voicemail, every day, all day, he will start to know what it is like to be harassed and for it to cost him money out of his pocket and the grief that he caused so many...
"The word "genius" isn't applicable in football. A genius is a guy like Norman Einstein," - Joe Theisman
There's a reason why the spam-fighters are so pessimistic about the possibilities. You can't match all of the below. (In particular, we want to manage our own mailservers, but won't let others because they are incompetent. We want to receive all non-spam email but also want no spam to get through filters. We don't want legislation and bureaucracy to get in the way. We don't want to pay per email because of our high volume mailing lists like lkml. etc etc.)
------
Your post advocates a
( ) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Doing the Right Thing should not be preempted by making a buck.
There's a boycott occurring for Microsoft's Caller ID for E-mail. They're asking for anyone developing a mail client, spam filter or mail transport agent to use a more open protocol, rather than a patented one.
The web page contains lots of images of SPAM that the author has received.
Here is the text of his proposal:
Test 1 2 3 4
John.
Here is another way of looking at it: Spammers exist because there are idiots out there who fall for "vicod1n" or "pen1s enl@rgement" or what have you. We should have users who are purchasing these products pay an additional "spam tax" on it, to compensate for the wasted bandwidth and so on. Sort of like "shipping and handling fee". Actually, it comes close to the Internet tax idea that Congress is punting about, but applied to spams.
This is an interesting page...
æeee!
I don't know about any IT people around here but the biggest problem that I've been facing is getting back control of hijacked computers. The tools out there to fix the problem just don't cut it: 3000 search bars, start page hijacking, related pop-ups, malware, programs that just won't uninstall. It's bad enough that they install in the background but there should be a "law" to make programs uninstall-able. Also make them from hiding their presence.
Spammers are not very hard to track down. The companies that use their 'services' are even easier to track down. Many if not most are in the US or EU.
I've done it myself a couple of times, and have explained the relevant legal code from spamlaws. I have yet to hear back from either the spammers or the authorities I have explained this to.
I would think if law enforcement would do what it is SUPPOSED to do, spamming would be vastly reduced.
Counter Spam Measure: Negative Feedback.
Imagine if all or some very large contingent of email clients allowed you to
"retaliate" against spam messages. Highlight message, select "negative feedback"
option, a daemon is spun that traces back as far as possible the route of the
message and barrages it some fashion. By pings maybe? By directed replies? Imagine
it does this in some scheduled fashion so as to minimize the impact on your local
network. As 1 million disparate sources converge upon the last traceable source of
the route of the offending spammer, some network somewhere will start to feel the
load. Like the spokes of a wheel converging on the hub, the retaliation traffic will
thicken as it closes in on the source. The pain increases. ISPs inundated by
individuals expressing their right to freedom of speech, will feel suddenly inclined
to exercise their right to refuse service to someone.
The "negative feedback" could be dosed in a coordinated fashion if there were some
P2P means of establishing how many individuals had received a particular spam. If a
spammer hits only a hundred people, the dose of retaliatory traffic would have to be
increased to be felt. If the spam hit a million, it would require only a modest
retaliation to utterly swamp the source.
Just thinking out loud. Could this be made to work? No one's free speech is
curtailed, spam is dealt a serious blow.
fight fire with fire.
This dude has a decent idea, I guess. I've found a method that has been foolproof for the past three years. I only give out my email address to people I directly know. I've had a Hotmail address that's been spam free since 2001, not even a drop in the bulk bucket. Once or twice a year I'll get a Hotmail Services thing, but that doesn't matter to me. I keep a junk address at Yahoo when filling out online forms, posting, etc. It works for me and it works for my friends. My ISP email address has _never_ received any spam.
I also reply below your current threshold.
I have always wondered if the following solution would work: Say you wanted to send an email to your friend Sam. You would then put the word Sam as the very first word in the subject line. When the email is sent, Sam's email program verifies that the first word in the subject is Sam (or any other word Sam chooses). If this is not the case, the email is blocked. Since 90% of the time, you are sending an email to someone whose first name you know, this might work. As for company email addresses, maybe just the company name or some special name would work. Since only the first word in the subject would be checked, spammers would have a very slim chance to guess the right name and get the email through.
Is it just me, or has recent spam flavor included random sentences (not just random word lists) that are meant to sound like a plausible person is on the other end?
Then, embedding some link to spam inside, in an attempt to get the S/N filters to let it pass?
"Provided by the management for your protection."
You know, if government really focused on penalizing the bottom end product creator for spam, I'm sure it'd be minimized drastically. For example Viagra, made by Pfizer, if they penalized Pfizer for spam and not controlling the methods of their advertising, I'm sure many companies would think twice about their methods to deliver content.
Sure it would need some tweaking, but to go after Joe Blow unsuspecting user whose machine is probably loaded with trojans is moronic. Even a good enough trial lawyer for the most blatant spammer could probably convince a jury that the culprit's machine was infected if they tried. It's obvious CAN-SPAM and other moronic laws aren't working so why not take it to the next level?
Pentagon Plane Crash of 2000
MoFscker
Trying to put an end to spam seems to me like software companies trying to end piracy.
People always seem to find new ways around things.
As bad as it sounds I don't think there will ever be an end to spam without white listing.
I hope I am wrong.
It should be self-evident that this solution is not workable. Anything that requires this massive type of retooling of the whole method of using e-mail is doomed to failure.
Any proposed solution cannot cause this type of massive interruption of normal e-mail usage.
Someone is WRONG on the Internet!
Next!
This article links to an interesting piece of Internet history: Richard Stallman ca. 1978 defending DEC's use of email to advertise, his words quoted from http://www.templetons.com/brad/spamreact.html
"Would a dating service for people on the net be "frowned upon" by DCA? I hope not. But even if it is, don't let that stop you from notifying me via net mail if you start one. "
Personally I really liked D. J. Bernstein's (qmail, djbdns, daemontools) idea for a new mail protocol. The big difference between it and mail we have now is that only the notification of mail is sent, not the mail itself. The mail sits on the sender's mailserver, waiting to be picked up, and if you want to retrieve it, your mail client does so from his server. Think about it - No more anonymous spam, since you KNOW where messages are coming from if you have to retrieve them. Therefore, if spam is illegal, we can punish them... and there is no more faking of where it's coming from.
The other cool concept to that is mailing lists vs bandwidth. In old mailing list styles, a message would go out to the list, bouncing back from all people whose boxes are gone or full, with a lot of traffic. In DJ's new way, there is only notification of the message sent, and then only those who really want the message download it.
The more you think about it, the better of an idea it becomes. In the world of terrifying ideas like "postage for emails" or "really super-mega-expensive domain names for mail only" Bernstein's has an elegance and practicality I haven't seen elsewhere.
I administer a mail server for a small ISP. The problem with filtering on the user's end is that my costs are consumed by the time the user deals with the spam. I don't think, as the article suggests, that spammers will slow down if their message is not being read, in fact they will just spew out ever more spam. If a 1/10 of 1% hit rate does not deter them, a smaller hit rate won't either.
I have to put some upper limit to the amount of storage I can give each person (right now I allow 100M, which I think is quite reasonable). But if a user goes on vacation and does not check their e-mail for a month, they could have their inbox filled with spam and viruses (not much difference these days, from a server admin point of view). This will prevent legitimate messages from coming through. Therefore, I use the following technical measures to help reduce spam:
- RBLs: dnsbl.njabl.org, sbl.spamhaus.org, xbl.spamhaus.org, and dul.dnsbl.sorbs.net
- SPF:Sender (not adopted widely yet, but it does block a few messages a day even now)
- Blocking specific subject lines (during virus outbreaks this can help)
- Blocking mail "from" non-existent domains
I really have no choice, I cannot afford not to take these measures. I explain all of them to my clients, nobody has had a problem yet. These measures catch roughly 75% of spam and viruses, and as far as I know, no false positives.
instead of spending thousands of hours fighting spam, just hit delete when the shit hits your inbox. problem solved.
Tell that to the people at Habeas, Inc. who have spent the last four months under attack by a spammer who works exclusively from hacked broadband hosts. Their latest update on this guy was posted April 6 promises legal action but STILL does not name the guy who's been doing this. Meanwhile my ISP changed the SpamAssassin score for Habeas to -16 because the only marked mail we get is drug spam.
His email is cfahey@blah blah and the article is on colinfahey.com. A little warning is in order. Thank you!
Q: What did the comedian say to the crowd?
A: If I knew, this joke would be funny.
I think the only solution to spam is something like SPAMNAZI (http://www.spamnazi.org).
My spam folder is full of mail with all sorts of crap random words.
The one or two which have gotten through look like they could have been written by a Perl guru.
Government of the people, by corporate executives, for corporate profits.
Funny, I was just thinking about some of the problems with spam the other day. I came up with an idea. Note that I am not suggesting we adopt this approach (I haven't thoroughly considered it yet), I am just posting the idea here so that others can consider it, be inspired, identify weak points, come up with improvements, thrash it, or generally do whatever they feel like with it.
First, some talk about scope and justification of the idea. This method does not, in any way, eliminate spam. My take is that you want to be able to receive all email that is sent to you. Some have argued that they would rather receive spam than not receive sincere email (false negatives vs. false positives). Also, consider that telephone numbers and mail addresses can be used as spam targets, but cause much fewer grievances.
So, instead of eliminating spam altogether, we could try to reduce the damage it does. Part of the damage is in the bandwidth it uses, and the storage it takes up in users' mailboxes. The idea, then, is that, instead of sending the _message_ to all recipients, one sends a _reference_ to the message (comparable to pass-by-reference instead of pass-by-value). This reduces bandwidth and storage costs (for the recipients, and for the net as a whole), and incurs storage costs at the sender's side. It also exposes the sender to some extent. All these factors conspire to reduce damage done to victims, and make spamming less attractive.
Please correct me if I got my facts wrong.
As far as companies go, no company is going to want to prevent people e-mailing them easily.
Code numbers probably won't work, for the same reason that charging for mail won't work. People will accumulate a list of people's code numbers. How? You'll have to give out the code # to apply for a credit card at college and get that free t-shirt. I get TONS of paid spam at my house. Do you know how much it costs to print a color flyer and send it to thousands of people? A LOT!!! But I still get them. We all do. Nothing will stop advertising, charging for it will just mean more expensive ads being mailed out (i.e. the super bowl ads cost a ton, but there are still ads there.)
Uh, I think this guy just invented signed email.
See that "Preview" button?
If you have to give a code out to someone, why not just add them to your whitelist? No additional mechanisms needed.
Shooting spammers when you find and convict them might make it a less attractive field to enter.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I know it is probably more effective to stop spam at the mail servers, but what if users don't want this? What if the spam filters make a 1 in 8192 mistake on an important email? There are already mail-server-side email filters, but this seems like it'd only take that further. I guess simply adding in an "X-Spam" header to be read by the client is okay, since servers add their own "Received" headers anyway... I wonder how this applies to forwarded messages or messages with many recipients.
Are different well-known mail servers around the world to share each other's email to compare messages?
In any case, if I want spam prevention, I'd prefer to set up my own set of filter rules or borrow a pre-made set from an ISP who provides such a service.
I ignore any proposed solution to spam that does not consist of the simple phrase:
Now, if even .5% of spammers had their walls decorated with their own brains, that would cut down on bandwidth wastage.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
That's a rather simplistic approach, but it fails to differentiate between online purchases made in response to spam, and those made in response to solicited e-mail. For taxation purposes, how could you possibly make that distinction? And how could you possibly enforce it?
Socialism: A feeling of discontent and resentment caused by a desire for the possessions or qualities of another.
And when I send a message to both Sam and to Jane? Or Sam forwards my email to his friend Mike, but leaves the subject as "Fwd: Sam ...", so Mike's email rejects it.
Or spammers just start sending you more stuff until one "breaks through",
Sean, great dealz now
Susan, great dealz now
Steve, great dealz now
Selma, great dealz now
Sam, great dealz now...gotcha
Note the special keyword trick can still be useful for certain personal communications...for instance if I tell all my friends to put the word "green" in their subjects...and my mail client then *whitelists* all subjects that contain "green". This may prevent me accidentally deleting their mail. But it's not a general purpose solution to spam.
Post your email address and I'll forward my spam messages to you. That'll train your bayesian filter.
Government of the people, by corporate executives, for corporate profits.
The bases of the problem are twofold:
1. You want to accept mail from strangers.
2. Some strangers insist on anonymity.
Simply put, if you insist on accepting email from anonymous strangers, there is no way to guarantee that all of it is wanted.
Even if you don't want mail from anonymous entities, but still want mail from strangers, the problem of identity management is non-trivial. The only solution I see is a "web of trust," based on a very large relationship database like Orkut or PeopleAggregator.
I filter any mail with a link to a .biz domain. It's the trailer park of domains.
Hands in my pocket
While I'm pretty strongly of the opinion that a PKI system with a trust network and signed content is ultimately going to be the only effective long-term way to deal with spam, this isn't great.
It's essentially just a PKI system, but requires effort on the part of the individuals to manually set up a trusted transmission channel for authentication data for each person, breaks security if an email is exposed, does not provide strong authentication benefits, and seems to be open to forgery containing data from an original email. It still requires the installation of software.
Instead of transmitting each "set of formulas" via a trusted channel, one could hand over an RSA pubkey, and instead of some weird proprietary embedding of secrets, one could simply sign the email. This provides all the benefits of the proposed system, operates in a regular manner, is strong against compromise of a client machine or of sent email, and there are, to some degree, systems in place to handle signing.
I would advise against this solution. It provides no benefits that a conventional email signing system lacks, and has some serious weaknesses.
May we never see th
What will be done with the money?
emt 377 emt 4
It should be self-evident that this solution is not workable. Anything that requires this massive type of retooling of the whole method of using e-mail is doomed to failure.
This attitude is what keeps real solutions from occurring. SMTP/POP3 is antiquated, designed for a simpler time, and it needs replaced, period. If there were anything in its standards that could truly prevent spam, don't you think someone would have come up with it in the last 15 years?
And so what if we have "interruption of normal e-mail usage" for a while? What do you think we have now? Millions of tiny "interruptions" bouncing around 24 hours a day. Slowing things down, wasting resources, wasting time, etc.
These band-aid fixes are just that. They are not a solution. So I don't have to see the bestiality or xanax ads anymore, great. That doesn't mean they aren't still consuming mass resources in their continuous effort to reach me.
"retooling of the whole method of using e-mail" is exactly what needs to happen, and not just because of the spam epidemic.
Seriously? Go to a syn-syn/ack-ack system.
The sending SMTP box says to the receiver "I've got a message for you." Receiver caches the message, hands the source box a 32 digit random number and says I'll call back in 30 seconds by your FQDN. It does so. Receiver says "did you send me a message with the serial 'x'"? If yes, then the source in the header wasn't spoofed, and the message goes through; if not, the message gets dropped.
Almost all spam these days comes from spoofed sources. But if in this case it's still spam, it's a lot easier to track the source immediately and deal with it. Take away the ability to hide, and like mold in the sunlight, most of it will vanish without further effort.
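The callback exchange proposed in the comment above, simulated in Python as an added example (not code from the thread or from any real MTA). The class names, the in-memory `directory` standing in for DNS, and the example.org/example.net hosts are assumptions, and the 30-second delay is omitted.

```python
import secrets


class SendingServer:
    """MTA that records the serial it is handed for each message it really sent."""

    def __init__(self, fqdn):
        self.fqdn = fqdn
        self.issued = set()  # serials received for our own genuine submissions

    def submit(self, receiver, claimed_fqdn, body):
        # Step 1: "I've got a message for you." claimed_fqdn can be forged.
        serial = receiver.offer(claimed_fqdn, body)
        self.issued.add(serial)
        return serial

    def confirm(self, serial):
        # Step 3: answer "did you send me a message with the serial x?"
        # Each serial is accepted once, so a captured serial cannot be replayed.
        if serial in self.issued:
            self.issued.remove(serial)
            return True
        return False


class ReceivingServer:
    """MTA that holds mail until the claimed origin confirms the serial."""

    def __init__(self, directory):
        self.directory = directory  # hypothetical stand-in for DNS: FQDN -> server
        self.pending = {}           # serial -> (claimed_fqdn, body)
        self.inbox = []
        self.dropped = []

    def offer(self, claimed_fqdn, body):
        # Step 2: cache the message and hand back a 32-digit random serial.
        serial = "".join(secrets.choice("0123456789") for _ in range(32))
        self.pending[serial] = (claimed_fqdn, body)
        return serial

    def call_back(self, serial):
        # The callback goes to the host named in the claim, never to the
        # connection that delivered the offer; that is what exposes a forgery.
        claimed_fqdn, body = self.pending.pop(serial)
        origin = self.directory.get(claimed_fqdn)
        if origin is not None and origin.confirm(serial):
            self.inbox.append((claimed_fqdn, body))
            return "delivered"
        self.dropped.append((claimed_fqdn, body))
        return "dropped"


def run_demo():
    # Constructed hosts: one ordinary sender and one bulk sender.
    honest = SendingServer("mail.example.org")
    bulk = SendingServer("bulk.example.net")
    rx = ReceivingServer({honest.fqdn: honest, bulk.fqdn: bulk})

    results = {}
    # Genuine mail: the claimed origin knows the serial.
    s = honest.submit(rx, honest.fqdn, "lunch tomorrow?")
    results["genuine"] = rx.call_back(s)
    # Forged origin: the real mail.example.org never saw this serial.
    s = bulk.submit(rx, honest.fqdn, "great dealz now")
    results["spoofed"] = rx.call_back(s)
    # Claimed origin does not resolve at all.
    s = bulk.submit(rx, "no-such-host.example.net", "great dealz now")
    results["unresolvable"] = rx.call_back(s)
    # Bulk sender using its own name passes: the check proves origin,
    # not that the mail is wanted, but the source is now identified.
    s = bulk.submit(rx, bulk.fqdn, "great dealz now")
    results["own_name"] = rx.call_back(s)
    return results, rx


if __name__ == "__main__":
    outcome, receiver = run_demo()
    for case, verdict in outcome.items():
        print(f"{case:13s} {verdict}")
```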
...is to have the text component of a multi-part HTML email contain totally innocuous text whilst the HTML component has the actual spam.
I don't think it's too effective (the spam far outweighs the ham in my Bayesian corpus), but I think it's an interesting trick that could pollute the creation of a corpus over time.
Ok, yes, I realize that the page the submitter of this story linked to must have been written by a GNU hippie or a person who obviously has "their own way" to eliminate spam, but michael's "Hmmm" link to the old slashdot joke where you check off all the things your post is promoting is just mean and stupid. First off, if you even scan all the way through the main article, it becomes clear that this is hardly "news for nerds, stuff that matters" as it's yet another way to 'eliminate spam' which we all know will never completely work. Con artists and telemarketers still operate on the telephone system, how will it be any different on the Internet? Secondly, I'm sure michael did little to no checking of the validity or feasibility of the story details, and instead thought it would be funny to be a smart ass and post the story along with his own little pithy link to the joke about posting. How lame!
And yet michael thinks that this news item was worthy of posting to the main page just so he could troll it with his "Hmmm" link. michael, we still don't like your lame ass opinions, so just shut the hell up already and quit your sad "editorializing" (I shudder to think of you as an 'editor' of content) and just post the stories.
Slashdot has become michael's dumping ground for things better left said in his own PERSONAL blog, not a public forum. Although I suppose we could call slashdot a blog of sorts, but it's more a public forum than a personal "I think this sucks!" type of site.
I couldn't agree more. I've had my e-mail address (waldo at waldo dot net) for many years, and last night, I snapped. I'm getting my ducks in a row to change my e-mail address, using a new domain (waldo at jaquith dot org), and to simply inactivate my current domain. I'll phase out this address over the next few months, and jealously guard my new address.
What a pain in the ass.
-Waldo Jaquith
Domain Name: BUYE-SOFT.BIZ
Registrant Name: Giscard Rutten
Registrant Address1: 115 Beachhaven RD
Registrant City: Auckland
Registrant Country: New Zealand
OMG that's just down the road from me. Maybe I should check if that's his real address and sign him up for some junk mail.
This article is dumb. It is a whitelist, only more complicated and awkward. Every person has to establish a "secure channel" with their recipient prior to sending them mail. GREAT idea. If I've established a "secure channel" with my message recipient so that I can give him this goofy code/formula/thing, then why don't I just go ahead and give him the whole message while I've got his attention? The author says that the secure channel can even be a face-to-face meeting. Brilliant.
Hey, buddy, let's get together for lunch tomorrow. I want to give you my latest e-mail code-number so that we can send e-mails.
I can't deny the fact that this idea would definitely reduce spam... because no one would use e-mail any more.
Step (1) Create spam solution site with dozens of spam samples (i.e. meta-spam site)
Step (2) Publish a "solution" that requires scrolling through said dozens of spam examples.
Step (3) Get Slashdot to post your site
Step (4) Reap profits from all the extra traffic, as well as the newly-minted cynics who will be convinced there is no spam solution.
Under capitalism man exploits man. Under communism it's the other way around.
This 'article' dismisses laws outright. Sure, bad laws, like in the USA, haven't worked. But look at Europe! Successful laws, minimal spam.
It never ceases to amaze me what crap articles get accepted while quality ones get rejected.
I imagine the problem is upgrading all those servers, or coming up with a transitionary system that allows both to exist (via trusted gateways?).
Ultimately the real solution as suggested here is on the server/protocol side (not anything on the email client side, as the author of the article suggests). I'd have to agree that the biggest problem about SPAM is (un)traceability and spoofed addresses. If my mail server would reject anything with a spoofed address, I'm sure most of my SPAM problem would go away.
If I wrote one simple function that looked at content, I'd eliminate 90% of my 1000+ daily spams trivially (all commercial solutions that I have tried have prevented too many of my customer emails from going through).
That worked for me until I emailed a customer feedback comment to a somewhat large corporation which makes a product I really like. I also got a satisfactory reply from their customer representative.
:(
A few months later, that *expletive* customer representative forwards one of those stupid urban myth chain-letters (about some missing kid/fake amber alert), using that company's email address book, which included my email address!
Then the spam deluge started.
Each item in the following list was suggested by the words or actions of people who presented themselves to the IETF or elsewhere as having discovered the FUSSP. Some of the items may seem obscure to those who have not dealt with the IETF.
Prevent email address forgery. Publish SPF records for y
That way you can use different addresses for mailing lists, orkut, random recipients, each Slashdot posting, etc., and blacklist addresses that get abused and/or only whitelist addresses you've sent people. There are some risks - the subdomain version occasionally gets hit by dictionary attacks, so you might receive 10 million messages on an occasional really bad day (this mainly happens if your subdomain doesn't run its own SMTP server that can milter it.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Without spam, how can I be sure my mailbox is working?
...
Kidding aside, spam has become easier to filter IMO.
Filters:
">[a-z]"
"lessthan[a-z]" - interesting, slashdot filters lessthan
"src"
"acirc"
Less and less of the standard emails are being sent out, so you don't need to filter out all those taboo words like , free, sex, god
The above filters stop a large number of spam messages.
Couple that with a common word to use in the Subject line, eg/ "knockknock"
and you're almost free.
Are we sure spammers don't care about bad addresses in their lists? Because I used to get as much spam as anybody before I started using something called MailWasher. Gradually the amount of spam I was receiving decreased from enough to make me consider the address unusable to the level it is now where it's an unusual day if I receive even one spam email. The novelty of the MailWasher approach is that in addition to deleting the spam you have the option of replying to it with a forged bounce message from a mailer daemon. MailWasher is a Windows-only application, but the principle should be relatively simple to code into any of a dozen different approaches. I know the Hmmm link suggests that this should be completely fruitless because spammers won't care. But I'm just old-fashioned enough to find success difficult to argue with.
Chuck
The problem with your solution is that I have never given out my email other than to a hand-selected few whom I trust. However, I am now receiving spam by the handful daily (though over-the-counter anti-spam software has been next to perfect for filtering it out).
The problem is that my email is somewhat generic with my first initial, last name, plus a numeric conditioner. This email was assigned by the provider. Unfortunately, many spammers, once they realize how emails are formatted for an ISP, can easily run through a list formatting it with the most common names and values. They will undoubtedly waste some emails to addresses that don't exist, but they also hit a large number of valid addresses without the use of a list.
So you must have a fairly unique address or creative provider. That, and somewhat lucky that your address hasn't gotten out yet. But it will, eventually.
My proposal for Spam is that we string up anyone and everyone who actually responds to Spam. Other than that, it's a lost cause, don't waste your time, just filter it for Christ's sake, and don't stress over the 10 or 15 a day that get through. Spam is such a non-issue, and please don't blather on and on about bandwidth, the fiber in the ground and the networks attached to it are used at a small fraction of their capacity. Why people get bent out of shape about Spam is beyond me, I guess either people do not have enough to do, or they really want to stress out over anything.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
It's dangerously bad. If email messages accurately identified where they came from, and if spammers didn't maliciously forge addresses of people they want to harass, and if spammers didn't usually abuse free email systems and free web pages or forge purely bogus sender addresses (usually also at free email systems), then that would be a fine idea. Many spammers also frequently put other people's valid URLs in their mail to fake legitimacy, e.g. URLs from E-Bay's news site or the Better Business Bureau or various anti-virus companies, in addition to having their own URL for the suckers to click.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
This is simple and requires no changes to a mail client to function, but one small change would make things easier. The solution does not need to happen all at once to be effective, and does not change any of the current protocols for email (POP, IMAP, SMTP).
The idea: multiple, sender/use specific addresses on the client side. Basically instead of having one address with your ISP, you would have the ability to create up to 50 aliases to your account. Note that these are not 50 accounts; all of your mail still winds up in the main mail account at your ISP.
Let's say you have bob.smith@myisp.com as your email address. The goal here is that you would NEVER give out that address. Instead, you log in to your ISP's web site and create addresses that you then give out. These addresses can be set to expire after a set date, or only be removed manually.
So you like to pay your bills on-line, create an address bobsbilling@myisp.com and use that on all the registration forms for your utilities, credit cards, etc.
bobs-shopping: use it to register for any on-line shopping sites
bobs-long-ebay-address, sendmailtobob, tossaway32341, etc....
You create an address that you give only to your family/friends, you create an address for each mailing list, create an address that you put in the public LDAP systems and other person-search sites, create an address for sweepstakes/contests, etc.
If you start to get spam on an address (you can easily check the headers to see which address the spam was sent to), you simply change the address and tell the few people/sites that used that address about the new one. The more addresses you have, the fewer places you need to notify of any changes.
The only disadvantage is the initial changeover does take some time/effort. Once created, the addresses mostly just sit there and don't require any maintenance or routine changing.
The advantages: little to no spam; ability to easily identify WHERE the spammer acquired your address when you do get any; spam does not take up any bandwidth or storage space on the receiving mail server once an address is deleted after getting spammed; no resource intensive and complicated filter software required on the server.
How well does it work? With about 35 addresses out there (many are web site specific), I receive only about 6 spam messages a month. Each and every one of those is sent to a public administrator address like webmaster, hostmaster or the like, not too bad considering I receive such email for about 10 domains.
In the last year or so since I've started doing this I have only had to disable a single address due to spam, and since it was for a single web site, it took less than five minutes to effect the changeover to a new address.
To those who say that this is too much of a hassle or takes too much effort, I ask this: would you rather have to spend 30 minutes a year maintaining and changing email addresses and informing senders of the new address, or spend 5 minutes a day updating your spam filters and double-checking the positive results for false hits?
As I stated, this does not require any changes to the mail clients, but if there were one change it would be nice: when you reply to a message the client should automatically use the address that the initial message was sent to instead of attempting to use the actual account address.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
This article reads as though the author has never actually tried to filter or fight SPAM.
He pokes at content filtering as an invasion of privacy (Oooh, my computer violated me! Come on.), and says it will fail because each individual has his or her own unique types of correspondence. Bayesian filtering along with IMAP accounts allows for each email recipient to drag spam into a spam folder and ham into a ham folder. A cron job can then update the scanner based on each user's unique correspondence.
The core idea from the article proposes to use a formula to generate a code that is inserted into the email subject line to "authenticate" the message based on time and knowledge of the formula.
This is the same concept that RSA uses for the SecurID token-based authentication scheme.
I think the author might run into patent issues with this approach, but it sounds good so far.
Contrary to popular belief, life is not a bitch. It is far far worse.
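One way the time-based subject code discussed in the comment above could be built, as an added example that is not the article's formula and not code from anyone in this thread. HMAC-SHA256 over sender, recipient and an hourly time step is an assumption, as are the `[k:...]` tag format, the function names and the sample addresses.

```python
"""Time-windowed subject-line code, SecurID-style (added example)."""
import hashlib
import hmac
import re

STEP = 3600                                  # assumption: the code rolls over hourly
TAG_RE = re.compile(r"\[k:([0-9a-f]{8})\]")  # assumption: tag format in the Subject


def subject_code(secret: bytes, sender: str, recipient: str, when: int) -> str:
    """Code for one (sender, recipient) pair in the time step containing `when`."""
    counter = when // STEP
    msg = f"{sender.lower()}|{recipient.lower()}|{counter}".encode()
    # Truncated to 32 bits so the tag stays short; a guess costs one delivery attempt.
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


def tag_subject(subject: str, secret: bytes, sender: str, recipient: str, when: int) -> str:
    """What the sender's side appends before sending."""
    return f"{subject} [k:{subject_code(secret, sender, recipient, when)}]"


def verify(subject: str, secrets: dict, sender: str, recipient: str,
           now: int, skew_steps: int = 1) -> str:
    """Recipient-side check. `secrets` maps authorized sender -> shared secret."""
    secret = secrets.get(sender.lower())
    if secret is None:
        return "unknown-sender"              # sender was never authorized
    match = TAG_RE.search(subject)
    if match is None:
        return "no-code"
    # Accept the current step and its neighbours to absorb clock skew and transit delay.
    for delta in range(-skew_steps, skew_steps + 1):
        expected = subject_code(secret, sender, recipient, now + delta * STEP)
        if hmac.compare_digest(expected, match.group(1)):
            return "accept"
    return "bad-code"                        # stale, replayed or guessed code


# Constructed sample data. Whoever holds a sender's secret can mint valid codes,
# so the secret store on the sending machine is what has to be protected.
SECRETS = {"carol@partner.example": b"constructed-demo-secret"}
ME = "bob.smith@myisp.com"
T0 = 1_000_000

if __name__ == "__main__":
    subj = tag_subject("Invoice", SECRETS["carol@partner.example"],
                       "carol@partner.example", ME, T0)
    print(subj, "->", verify(subj, SECRETS, "carol@partner.example", ME, T0 + 1800))
```
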
Interactive filtering of SpAm by targets/users is best.
... maybe a couple other protocol/apps to provide identification and routing within TCP/IP packets for login, email, web-surf, VoIP, ... so many check, verify, route, ....
...), a group of addresses (job change, organization name update, ...), or all addresses (global list update/upload, reduce complexity, dropout, ...).
....
...) added to a user-AEL, or enough URL information to link back to an online business/interest website to track resent online banking, trading/investing, purchases, subscriptions, ... print invoices, or ....
I think; maybe, valid personal email should be the focus.
We want our email, but we do NOT want sPaM.
Currently we use USRID/AccID, DNS, DHCP, ARP-RARP,
I agree, with others, the W3C (someone) will need to add some RFCs on check/verify local "Lookup" user approved filter for email.
As Relates to SpaM/Email:
1. Subscribers, customers, users of an email service must be required to define an "Approved Email List (AEL)". Email client applications should require a user-action (right-click-select option, maybe) to generate a UDP/TCP update-message to add an addressor's email to the user-AEL resident on the email/profile server. To delete any addressors from a user-AEL should require a few extra steps of accessing the user-account web-page and specifically selecting one address (we change friends, someone moves,
2. Email service providers must provide to users a web-app/text-upload process for managing a user-AEL. (1) Either upload formatted text (with total content overwrite option) user-AEL as part of the user account/profile definition, or (2) on the email service domain's open/manage email account website a web-app that allows easy addition/deletion to the user-AEL.
3. New/Unknown email addressors, those not identified in an addressee user-AEL, with a datagram over 128-bytes (standardized size more/less for one name and an email address) are terminated, not delivered, bit-bucket, not replied/forwarded,
4. New/Unknown email addressors, those not identified in an addressee user-AEL, with a datagram under 128-bytes are delivered to the email addressee. This will allow the email addressee their option to decide; if the email addressor should be added to their user-AEL. This will allow an addressor to provide enough information to be potentially (as family, friend, business, hobby,
5. Incoming email are checked for valid local email accounts (NOT, then terminate). Incoming email having a valid local address are then checked by comparing the addresses with the user-AEL with the specific email address (userid@domain.___) of origin (MATCH NOT, then terminate). Repeat email terminations/rejects from same "@domain.___" could be blacklisted as a sPam@domain.___ unless recognized by a local user-AEL.
I'll stop counting here, because I think the rest can be surmised and counting gets boring. This process could be close to transparent for email users, except for the managing of an email account user-AEL. It would reduce spAM and potentially malicious/viral email in obvious ways by limiting allowed payloads/datagrams from unknown (un-validated/vouched for) sources in any email. Vouched for addressors (causing problems) on a user-AEL could be more traceable. The processing/handling overhead of such a system would (I expect) be about the same as the present process and would significantly reduce email-server storage space requirements. Email is un-trustable, but a required tool in the business world, and increasingly burdensome of our personal time.
The spAm-cans could only dump to email users that included them in their user-AEL. Over time it would reduce the spam-flood and/or spam-DDOS on the internet, because few (maybe none) would ever see spam-stuff and SPAM would prove a financi
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I imagine the problem is upgrading all those servers, or coming up with a transitionary system that allows both to exist (via trusted gateways?).
True, but if Sendmail and all of the other big mail packages got together and agreed on a date to have the upgrades available and working and then released the update packages on/by that date, you could have this auth as a switch to turn on at each SMTP server. Then when the implementation date passes, a lot of the big sites like AOL, Hotmail, etc. get it going, and if your company/ISP doesn't do so as well, you can't send mail to those folks anymore.
I remember the days when open relays were the norm and then there was the big push to close them. Our company got on the RBL and couldn't send mail. That got our ass in gear to fix it right away, and nobody died. This would be much the same, methinks.
Finally got to the meat of this guy's idea. I already have implemented a simple form of this. To contact my most critical e-mail account, you must have a specific text on the subject line. Simple, and so far, 99% effective.
The reason for setting up this tagline based account was that, like the author of the article, I get over 100 spam messages a day. Since business contacts use (and apparently then abused, via viruses or bad CC lists) this e-mail address, I can't simply change addresses. What I have done is place an autoresponder on it that triggers if the subject tag is not found. It notifies the user to contact me via other means to find out what the tag is, if they have forgotten, or to simply forward the message with the tag. It is 100% effective at keeping out spam, and about 10% effective at keeping out my customers. As of late I'm considering it to be an IQ test: I'm willing to lose 10% of my business to not work with people who can't type five extra characters or read the autoresponse. (And yes, I white list people after the first exchange, which is where I lose 100% effectiveness: I still have to filter for viruses).
Combine that tag with spamgourmet driven throw away addresses (great perl script, recommended) for newsletters and such, and my inbox is pretty clean.
However, as pointed out in the article, these unique keys are not going to be easy to manage. The suggested solution is software to handle the keys, and fixed keys for the many won't/can't cooperate with such a scheme. My tag is pretty easy to remember, but if everyone has them, this becomes a stumbling block.
Sig under construction since 1998.
I see very little spam these days, and all I've got to stop it is a lot of stuff he says doesn't work.
Maybe he should actually try some of those ideas before dismissing them out of hand.
He'd have been making a better argument that nothing around does much to stop spammers from sending their spam, but the premise that current systems don't reduce the impact of spam is incorrect. The proof is in what isn't in my inbox.
(1) A person who wishes to greatly reduce spam must install software on each computer with an e-mail client application
Well, at least he's up front with his drawbacks. If you're going to require worldwide upgrade of client software, you may as well require the UN to provide gigadollar funding for the Lumber Cartel Black Helicopter Force (tinlcbhf).
Seriously though, I understand that any semi-effective spam solution will require a worldwide upgrade of [SOMETHING]. But thorough end-user LARTing is the most difficult method. Isn't server-side at least 100x more sensible, since the number of humans and machines involved is that much smaller? Open protocols like SPF & blocklists are the right way to go. Over time, they should lead to a de-facto fork in the email network -- the systems that allow spam vs disallow will cease talking to each other, and users will logically flock towards the disallow side.
I use bogofilter and have a corpus of 20k spam messages, I always rescore misfiltered spam, and I still get messages that slip through the filter.
Almost all are messages with a ton of random garbage appended to the message, and one spammer was actually putting whole passages from some book about Abe Lincoln in the messages.
Jamming the message with non-spam words works too well around here.
Step 1: Salt the spammer's email databases with guaranteed bogus email addresses that no legitimate email sender has ever seen. This is currently trivially implemented as follows. In your website's robots.txt file, list several files that robots must not examine -- these are your honeypot. Then, fill those files with HTML that contains your bogus email addresses. Spammers will, quite reliably, disobey the robots.txt file, use it to discover HTML files that are not linked to from anywhere else in the world, and add your bogus mail addresses to their database.
Step 2: Implement greylisting + honeypot-based RBL. When email arrives that is not whitelisted, see if it comes from an IP address that is "temporarily" blacklisted in your RBL. If it is, you can reject it right now. Otherwise, see if the target address is in your honeypot database. If it is, add the sender's IP address to your RBL and fail immediately. Otherwise, engage the now-classic greylisting algorithm (see http://www.greylisting.org/) to "tempfail" the email. The point of the temporary failure is to give the spammer time to use the same IP address to send the same spam to an address that *is* in your honeypot database, so you can then proceed to reject the retry of the spam to a legitimate email address.
- requires no per-user work, such as "training" of filters.
- requires no changes to any software, except MTAs (and only a handful of them handle most of the world's software). no new laws.
- no false positives. to get blacklisted you *must* have transmitted email to an address that could only have been obtained by illegally harvesting a website.
- even compromised home systems are not terribly harmed. if a spammer takes over your home computer and uses it, well, the IP blacklist need not be permanent, just long enough to cover a single spam run -- a few days is probably plenty. if the spammer is blasting out runs from your home computer continuously, well then you have worse problems than finding yourself unable to send email to GrandMa.
- not easy to defeat. right now, anti-spammers must work very hard to locate the "real" email amidst all that spam -- and never, ever mistakenly reject a "real" email. greylisting plus honeypot RBL inverts the equation. the spammer must make sure that not a single "bogus" email address is anywhere in his database! spammers are ingenious, but developing absolutely perfect lists of legitimate email databases is something they have no experience with so far.
- no restriction of free speech. total whacko strangers who aren't spammers can still send you email -- it may just get delayed for an hour or so (a fact which is totally true already).
- nobody makes any money off it. you don't have to pay anybody, except for the effort involved in setup and maintenance (a fraction of the total time wasted on spam currently).
- computationally cheap. most MTAs are already looking up IP addresses and target addresses in databases. cost of this scheme should not greatly slow down most MTAs. especially compared to content-examination schemes such as Bayesian filters.
- no judgement calls in blacklisting. no third party has to decide what is spam and what is not. the rbl in this scheme is totally generated from absolutely bogus email addresses -- the only way you can get in the rbl is to flat-out declare yourself a scumbag by sending to one of those illegally obtained addresses.
No scheme is perfect, but greylisting combined with an RBL that is derived solely from bogus email addresses is pretty damn good.
Although a lot of the article just repeats things we all know (e-mail spam is named after a Monty Python skit), it's also full of questionable assertions.
Part I -- Laws
The article claims that laws won't work because somewhere there will be a country that won't have an anti-spam law or won't enforce it.
Spam is not the first crime on this planet with an international component. Clearly spam, or more specifically the behavior of spammers is almost exclusively criminal in nature (e.g., viral hijacking of PCs, fraudulent headers and content.) You have to start somewhere! What's the advantage in allowing all this criminal behavior to go unchallenged? If spam is illegal then spammers cannot form corporations and get limited liability, cannot buy insurance or get loans, and a hundred other things that make a (legitimate) business a business. However, if spam is left legal then it will be legal to invest in spam, investors can back spammers legally and share in any profits. Does that sound like a good idea? Most spam is trying to sell something. That means the spammer has to have some sort of business presence in the country the spam is being sent to. That business presence (e.g., the advertisee) can be prosecuted. It's illegal to hire someone to do something illegal.
Part II -- Content, filtering, etc
I'm president of an ISP.
The problem I see is that people continue to see spam as primarily a personal problem, which it is, but they're failing to see the problem it's creating for the infrastructure.
As an analogy, imagine if the post office were like the internet and would deliver anything without a stamp.
Pretty soon they'd be overwhelmed.
Sure, you'd be overwhelmed also, and you'd be looking for ways to sort through the big mail bag of junk you got every day (and no you don't get anything like that now!)
But consider the letter carrier and the post offices who are suddenly obliged to carry the tons of mail to your street!
In a nutshell, that's what's happening at the ISP level. Spam strains bandwidth, spam strains disk and computing resources (I've had the same spam being spewed at our servers simultaneously from over 200 hijacked PCs!)
And, of course, spam is turning a lot of people off of the internet, which I suppose is a shared problem. Porn, scams, some people get scared by this stuff wondering how someone got their address or just don't want it in their or their kids' lives. They lose interest, we lose customers.
Consider this one fact: We provide, by default, 32MB mailboxes. Many of our customers use 56k dialup. At 56k it takes about TWO HOURS to download a full mailbox. Oh joy! What a pleasant experience! Some more, sir, please!
Now shout at the screen again that disk is cheap! Go ahead, I dare ya.
The point? If something else doesn't intervene, spam will be solved at the ISP level.
And I bet y'all won't love some of those solutions. But it's getting beyond the point where we can continue to wait for some reasonable solution that makes everyone happy.
Or, the other possible future, ISPs will go out of the e-mail business (mostly because they either go bankrupt or, wounded, get bought out) and the phone companies will inherit it as the only supplier. And then, like SMS, you can get used to paying 15 cents (or local equivalent) per e-mail.
As an ISP I'm here to tell you in the frankest, most direct terms: Spam is making this business suck, badly. Both in temperament and in the collapsing business model (that's a business person's way of saying there's no money in it.)
Read the EFF's Fair Use FAQ
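The decision order from the "Step 1 / Step 2" greylisting plus honeypot-RBL comment earlier in the thread, as an added example that is not code from any poster or from an MTA. The one-hour greylist delay, the three-day blocklist lifetime, whitelisting by sending IP, the SMTP reply mapping and all addresses and IPs are assumptions, and the traffic is constructed.

```python
"""Greylisting + honeypot-derived blocklist, decision order only (added example)."""
from dataclasses import dataclass, field

RBL_TTL = 3 * 24 * 3600   # assumption: "a few days" of temporary blocklisting
GREYLIST_DELAY = 3600     # assumption: a retry is accepted after one hour
SMTP_REPLY = {"accept": 250, "tempfail": 451, "reject": 550}


@dataclass
class MailGate:
    honeypots: set                                   # trap addresses never given to a real sender
    whitelist: set = field(default_factory=set)      # assumption: whitelisting is by sending IP
    rbl: dict = field(default_factory=dict)          # ip -> expiry (epoch seconds)
    first_seen: dict = field(default_factory=dict)   # (ip, sender, rcpt) -> first attempt

    def decide(self, ip: str, mail_from: str, rcpt_to: str, now: int) -> str:
        rcpt = rcpt_to.lower()
        if ip in self.whitelist:
            return "accept"
        # 1. Already on the temporary blocklist? Reject until the entry expires.
        expiry = self.rbl.get(ip)
        if expiry is not None:
            if now < expiry:
                return "reject"
            del self.rbl[ip]
        # 2. Mail to a trap address: list the sending IP and fail at once.
        if rcpt in self.honeypots:
            self.rbl[ip] = now + RBL_TTL
            # Forget pending greylist entries from this IP so its retries
            # start from scratch once the listing expires.
            self.first_seen = {k: v for k, v in self.first_seen.items() if k[0] != ip}
            return "reject"
        # 3. Classic greylisting on the (ip, sender, recipient) triplet. The delay
        #    is the window in which the same run can hit a trap address.
        key = (ip, mail_from.lower(), rcpt)
        seen = self.first_seen.setdefault(key, now)
        if now - seen < GREYLIST_DELAY:
            return "tempfail"
        return "accept"


# Constructed sample traffic: (time, sending IP, MAIL FROM, RCPT TO).
TRAPS = {"trap-7f3a@example.org"}
SAMPLE = [
    (0, "203.0.113.7", "promo@bulk.example", "alice@example.org"),     # first contact
    (0, "198.51.100.20", "bob@partner.example", "alice@example.org"),  # first contact
    (120, "203.0.113.7", "promo@bulk.example", "trap-7f3a@example.org"),
    (4000, "203.0.113.7", "promo@bulk.example", "alice@example.org"),  # retry while listed
    (4000, "198.51.100.20", "bob@partner.example", "alice@example.org"),
    (120 + RBL_TTL + 1, "203.0.113.7", "promo@bulk.example", "alice@example.org"),
]


def replay(events, honeypots, whitelist=()):
    """Run events through a fresh gate and return the verdict for each."""
    gate = MailGate(honeypots=set(honeypots), whitelist=set(whitelist))
    return [gate.decide(ip, frm, to, t) for t, ip, frm, to in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE, TRAPS)):
        print(event, "->", verdict, SMTP_REPLY[verdict])
```

The last event shows the temporary nature of the listing: once the entry expires the address is greylisted again rather than blocked.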
The section on Colin Fashey's site, way down at the bottom, that reads "Basic operation:"
You have to authorize each sender? The sender computes a code to send you mail?
Right. Most people can't get the clock on their VCR to stop blinking. This ain't gonna happen.
-Charles
Learning HOW to think is more important than learning WHAT to think.
...(*) Users of email will not put up with it Well, after two violations, they'll either be typing up their spamming BS with their toes or actually have to come out of their holes in order to voice their opinions. At that point, Slashdot can post another article listing the guy's home address, phone number, etc. Give him a Real Life /. (tm)
Unsolicited Commando
Everyone says that filtering all the spam in the world isn't going to help if we can't stop users from clicking on it. They're right. So if we can't stop them from clicking, why not do the reverse--flood the SPAMMER'S inbox with false positives of our own?? Basically UC is a little program that goes to the websites of companies that spam and fills out their sign up forms with real looking but randomly generated info. At SOME point, there is an opportunity cost to checking up on these false positives. For example, if it costs $0.02 to check up on a false positive, and the companies make $10 for each order they sell from spamming, then all we need is a distributed network to put in more than 500 false responses for each positive response they receive. If you've got a distributed network of 1000+ computers, and you put in a false positive every 30 seconds, then in 1 hr that's 120,000 false positives, or enough to cover for 240 real responses. The beauty of this is that there is no longer any profit for the business using the spammer. It hits them where it hurts most.
But this method requires a large distributed network to work! It could, but nobody seems to know about it! Right now it's just some guy's pet project--if this thing got a serious team and some serious PR, it could really take the spamming world by storm! (Of course you'd have to watch out for abuses--targeting innocent businesses' networks--but we already have large blacklists a la spamcop and under an open framework I think it'd be safe enough to use.)
For god's sake people, if we got a large enough network, it could really work!
A portion of my e-mail "Inbox" on 2004 March 29th as manifested by the "Microsoft Outlook Express 5" application. On this date I received 9 "legitimate" messages, 77 spam messages, and 2 virus attachments.
And later:
cpfahey@earthlink.net
Outlook Express, public e-mail address and he is complaining about spam. Surprise, surprise!
Have you overtrained your filter? That tends to weaken its usefulness after awhile. If so, remove the training DB and retrain it from scratch.
We need to start looking at spam-elimination techniques in the same way that we look at perpetual-motion-machines, or massive breakthroughs in data compression.
It's just not worth our time anymore to analyze all of these new nonsense proposals. It's just the same damn flaws over and over again.
All the technical solutions seem to be doomed because (thankfully) we don't (quite) live in a Microsoft monoculture so there are a bzillion of mail applications at every point of the emailing process and it's impossible to change them all in a complicated manner. But there's an easy change: sign emails with pgp or the like. Then restrict your attention to signed emails.
Sure, it doesn't solve any of the bandwidth or storage problems, but it would make filtering so much easier. If the spammers sign their emails to get through, you could at least find out who they are. (If they use certificates from shady certificate-granting authorities colluding with the spammers, you could simply reject those as well.) Having a digital signature would be an easy way to distinguish bona-fide communications from junk mail. It's cheap in every sense, it's proven technology, capabilities are already included in many mail readers and senders, and online mail services and Linux user setup could easily include pgp key generation in new account setup. What are we waiting for?
Regular "white-hat" ISPs won't tolerate spamvertised WWW sites and kick them quite soon. So do many uplinks of smaller ISPs. But anti-spam terms of service seem to stop at backbone level. The German DE-CIX Internet Exchange center, though operated by an institution which is known for successfully fighting against spam, does not forbid spam support or downlinking spam-friendly customers. In fact they can't prevent DE-CIX members from hosting spammers or providing connectivity to other ISPs who do so.
Traceroutes to spammer hosts all over the world show that many spam-friendly ISPs are directly connected to big backbones or even operate them. But why? A backbone or CIX is nothing more than a "better" internet access point. So where is the reason not to enforce anti-spam TOS like any "smaller" ISP? If they did, e. g. Above.net could choose between routing Chinanet and routing Germany, and Alan Ralsky or Scott Richter could host their stuff at bulk friendly intranet access providers or normal ISPs who would kick them. So making a profit out of spam would be much more difficult.
This is funny EVERY time I see it.
The fundamental flaw is that the spammers can and probably will have access to the code formulas. Even today spammers are using trojans to hijack ordinary PCs to relay their spam. The hijacked PC has to have the formulas to generate codes for everyone the PC's owner sends mail to. All the trojan has to do is snag the password, grab and decrypt the formula tables and use them. At that point the codes become useless.
For extra nasty points, the trojan can send copies of the tables it obtains back to the author, who can resell them to spammers and anyone else who wants a way around the blocks the recipients using this scheme have set up.
...except it would require an extra drop-and-reestablish, and it would be DOS-able by asking for and not redeeming tokens. Plus it could have problems with getting through to different machines in load-balanced SMTP farms.
It has the same problems as SPF, too. Basically, a lot of client=>MTA message sending relies on the ability to "forge" the origin so as to allow eg: your laptop to send "from" your company email account.
For now, the only real solution to spam is setups similar to http://spamgourmet.com/
It's very simple and it's effective.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
But AOL's customers will all whine when mail to them starts being bounced. Thousands of small businesses with "appliance" servers that have worked for the last five years will be up in arms. etc.
The internet has too many users to expect them to all change software at once.
Pretend that something especially witty is here. Thanks.
Unfortunately, the typical lifetime of a spammer's website is around 2 hours.
So you'd have to id the spam and respond in that time-frame.
It also has the disadvantage of being susceptible to joe jobs and similar, someone maliciously making you or your software believe some innocent site is the culprit. This sort of weakness is common with such vigilante approaches.
Put another way, if you can identify the spam so accurately and quickly why are you seeing any?
Put yet another way, it's not a very good idea, but keep thinking if it keeps you out of trouble.
I have a partial solution that hits one item on the list ("Extreme stupidity on the part of people who do business with spammers"), but I still think it's worth a try. It's called "Spammers are Scammers." We create a TV/radio/print/web advertising campaign to drive home the point that all spammers are scammers, selling fake products, stealing credit card numbers, lying about taking you off their lists, etc. Anyone who buys anything from them is humorously but mercilessly mocked as an idiot. The ads would be created cheaply with volunteer labor and contributions, and run as free public service spots. The goal is to make it common knowledge that buying from spammers is stupid, the same way Smokey the Bear taught generations about preventing forest fires.
Yes, I know this isn't a 100% solution. However, it requires no new laws, technology, taxes, blacklists, whitelists, or anything else. It's 100% voluntary and could be run in an Open Source way. Yes, it smears all spammers with the same brush, but is any spammer going to step forward to sue? I doubt it. If it only convinced one spam-responder in five to not respond, it would be a huge hit on the spam industry.
Q: What does the "B." in Benoit B. Mandelbrot stand for? A: Benoit B. Mandelbrot
This is an interesting anti-spam solution and needs eyeballs more educated than I to examine.
I keep hearing that mail servers should be modified so as to ask the sending server a difficult computational question, which would prevent them from sending mail out too quickly, and possibly make spam not profit effective.
If this would work, would an easier yet identically working solution just be to say that all mail servers (on major ISPs, etc) from now on introduce a 10 second delay after the MAIL FROM statement? This would also prevent spammers from setting up p2p grids of drone machines to do their calculating.
What am I missing? Why do we need some complicated calculation to be done by the client simply to delay the transaction?
Your article advocates a
(*) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(*) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(*) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(*) Requires immediate total cooperation from everybody at once
(*) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
(*) Ease of searching tiny alphanumeric address space of all email addresses
(*) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(*) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(*) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(*) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
(*) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
There's no sig like this sig anywhere near this sig, so this must be the sig.
When People Stop Responding To spam
That is to say, as long as people respond to spam and make it profitable for spammers to send spam, spam will continue to proliferate. No amount of changes to protocol, laws, secret codes, filters or anything else will significantly lower spam at all. Anyone who thinks otherwise is being a little optimistic.
but they fixed it. For awhile I was getting 5+ spam messages per day, sometimes more. The latest version of their client put a "report spam" button, front and center. Since that version came out, my ICQ spam has nearly disappeared.
I can still pick up new contacts, new contacts can search and find me, and it's easy. If I don't want to deal with someone they go on my deny list and the issue is settled. ICQ, or others like it, really are quite useful.
It's simple, quick and it has solved the problem, for now at least. If only the email beast was that easy.
Why do I have this? I don't smoke.
It did? Apple's Mail.app uses a Bayesian filter, right? Salting messages with random words hasn't thwarted its filter at all. I might see a couple or three spam every week, but considering that's out of hundreds filtered per week with no false positives, I can live with that.
He also makes the following curious claim:
Is this really a problem? I'd say this is one of Bayesian filtering's advantages.
So far, Bayesian filtering has worked wonderfully for me. I don't see that it's been defeated -- or will ever likely be truly defeated -- at all.
Either we change the way email works, or it stops working altogether. Email was the Internet's killer app that is now killing the Internet. More than one person I know has decided that email is too much hassle and has gone forward to using IM exclusively, or back to a cell phone instead.
It's only a matter of time until Joe on the street starts feeling the same way, and then email systems will look like a lot of the newsgroups. Empty and abandoned except for spam.
Seriously. 1-2 days of pain to save it, or watch it fade away...
And besides, I don't think it'd be all that bad. Hotmail goes down for hours/days at a time and you don't see their users surrounding 1 Microsoft Way with pitchforks and torches.
And any 5 year old appliance server may have far more serious problems (unpatched vulnerabilities) anyway.
Okay folks... move along... nothing to see here...
Does the author really think that I'm going to exchange formulae with everyone I want to exchange e-mail with? Even if the client software made it as easy as "pairing" bluetooth devices... ugh!
Every time I see one of these doomed-to-fail spam stopping schemes, I become more and more convinced that the only way that this problem is ever going to get solved, permanently, is with certificate-signed e-mail. Basically, e-mail client software would cryptographically sign each sender's outgoing mail and the receiver's software could check that their cert was signed by a trusted certificate authority. Most software can already do this; all you need to do is go get a certificate.
Ultimately, it would probably be left up to the individual receiver as to which certificate authorities they wanted to trust (ie, PGP's "web of trust"). But, for the most part, I think most people would default to trusting a handful of "big" cert authorities. On the face of it, there is some loss of privacy, but the loss of privacy would be in proportion to the clout of the CA that signed your certificate.... which, in turn, would be in proportion to how reliably you wanted your e-mail to be delivered. So, the sender would still get to pick how much privacy they sacrificed.
But I just see no other way to stop spam than this. Certificates would add a high degree of confidence that the sender could be reached (either by the receiver or by law enforcement)... and "reachability" is the first step towards accountability. Now, for the cases where someone managed to get a certificate with bogus contact info... well, that's what certificate-revocation lists are for. Basically, it's not really different from the IP blacklists that we're using now, except it would (hopefully) be a lot harder to obtain a new certificate than it is to obtain a new IP.
Are you a spammer? Well do we have a prize for you! If you spam more than 10,000 emails every day, you are eligible to claim your FREE 0.50 caliber bullet. That's right, folks, for a limited time only, all spammers will receive, completely free, one 0.50 caliber bullet in a collectible polished brass casing. Each collectible casing is custom engraved with your name, instantly making it a priceless family heirloom. But wait! There's more! For the first 100 spammers to respond to this offer, we'll deliver your bullet to you via the fastest way possible. Our secret delivery method means that you receive your collectible at over 800 feet per second! Hurry, act now before it's too late!
Anyone else notice this, or am I giving the spammers more deviousness points than they deserve?
Here's what I use:
Sneak Email
Don't fear spam from shopping online ever again.
The original disposable email service. Regain power over your inbox from commercial forces, and catch them spamming.
Fully user supported and operating free of exploitable commercial ties. No debt, no operating loss, fully self sustaining... a virtual vault for your email address.
Now with version 2.0 free and premium services.
Quick start: three easy steps to total spam control.
1. Create an account: Providing a username, a password, and an email address you wish hidden from spammers.
2. Every time you need to give out your email address to somebody you don't trust, log in to Sneakemail and create a new Sneakemail address.
3. Give this Sneakemail address to them instead.
Mail sent to this Sneakemail address is rerouted to your real address, and when you reply it is rerouted back to the sender. Your real address is never seen. If you receive unwanted mail through this Sneakemail address, such as spam, you can take control by either filtering incoming mail using the Sneakemail filters, disabling the Sneakemail address itself, or disposing of it permanently. You also now know where a spammer got your address.
You now know all you need to know to protect your inbox from the internet by using Sneakemail.
YOU SUCCEED IT!
Because people will COMPLAIN that they can't send email to people whom they could email yesterday.
What company wants to get all those irritated AOL customers calling them because they can't email Aunt Sally anymore and why did they break the Internet?
No solution will work until it can be implemented WITHOUT annoying real-live people sending email.
Which means that it will always come down to improving the filters on YOUR server and so forth before even suggesting that anyone change anything on their servers. Including changing the protocol.
So, the "solution" is to work with the existing protocol and find a way to reduce the spam on your server. I don't think that any single method will work. And it doesn't have to be 100% perfect, initially. Killing spam will probably be an evolutionary process.
Most of the spam I see is from domains that we have not sent mail to. Just setting up a system to check that would flag a lot of it.
Also, you'd want a way for your firewall to deny connections from verified spam sites. This will cut down on some of the traffic. The question is, how to verify that they are spam sites? Can it be done automatically?
I'd suggest "seeding" the spammers with fake addresses that your email server would then identify and have the firewall drop in the future. Unless you had sent email to one of those sites (that way earthlink and AOL don't get banned).
Multiple levels is the only way I can see this being improved. Spam has to get through your firewall, then the spam filter. You distribute deceptive addresses to actively identify spammers and cracked machines/relays.
Eventually, all the spammers will end up sending single line spams from AOL/earthlink accounts. At least they would be contained.
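The layering this comment proposes (seeded trap addresses feeding a firewall block list, with an exemption for sites you have already mailed), as an added Python sketch that is not part of the thread: the class, field names, outcome labels and sample connections are all constructed, and `client_domain` is assumed to come from a reverse-DNS check on the connecting host rather than from the spoofable MAIL FROM.

```python
from dataclasses import dataclass, field


@dataclass
class Attempt:
    src_ip: str          # connecting host
    client_domain: str   # assumed: registered domain from forward-confirmed reverse DNS
    mail_from: str       # envelope sender (spoofable, used only for flagging)
    rcpt_to: str


@dataclass
class LayeredFilter:
    trap_addresses: set      # fake addresses seeded where harvesters will find them
    sent_to_domains: set     # domains our own users have sent mail to
    blocked_ips: set = field(default_factory=set)

    def handle(self, a: Attempt) -> str:
        # Layer 1: the firewall drops hosts that already hit a trap.
        if a.src_ip in self.blocked_ips:
            return "drop-at-firewall"

        # Layer 2: mail addressed to a trap address is never legitimate.
        if a.rcpt_to.lower() in self.trap_addresses:
            if a.client_domain.lower() in self.sent_to_domains:
                # Shared ISP relay we correspond with: refuse this message
                # but keep the host reachable for its other customers.
                return "reject-trap-hit"
            self.blocked_ips.add(a.src_ip)
            return "reject-and-block"

        # Layer 3: unknown sender domains go to the content filter with a flag.
        sender_domain = a.mail_from.rpartition("@")[2].lower()
        if sender_domain not in self.sent_to_domains:
            return "flag-for-filter"
        return "deliver"


def run_sample():
    """Replay five constructed connections and return (outcomes, block list)."""
    f = LayeredFilter(
        trap_addresses={"bait1@ourco.example"},
        sent_to_domains={"aol.com"},
    )
    attempts = [
        Attempt("203.0.113.7", "dsl-pool.example.net", "deals@example.org",
                "bait1@ourco.example"),
        Attempt("203.0.113.7", "dsl-pool.example.net", "deals@example.org",
                "alice@ourco.example"),
        Attempt("198.51.100.20", "aol.com", "bulk@aol.com",
                "bait1@ourco.example"),
        Attempt("198.51.100.20", "aol.com", "auntsally@aol.com",
                "alice@ourco.example"),
        Attempt("192.0.2.55", "example.com", "newcontact@example.com",
                "alice@ourco.example"),
    ]
    return [f.handle(a) for a in attempts], f.blocked_ips


if __name__ == "__main__":
    outcomes, blocked = run_sample()
    for line in outcomes:
        print(line)
    print("blocked:", sorted(blocked))
```

The exemption trades coverage for safety: a trap hit relayed through an exempt ISP is refused but never reaches the block list, so that traffic still depends on the content filter.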
I like it... I like it a lot...! Turn the tables and destroy any financial gains made by SPAM, you eliminate SPAM. Problem is, how are you going to handle all the different website designs, credit card info requirements, etc,etc..?
About.com had a write-up a month ago.
If the spammer sends to a bogus address, but the spammer sends from earthlink or AOL.
You don't want to "greylist" earthlink or AOL.
I use a less effective method of this by simply dropping bogus addresses around and setting up a rule in SpamAssassin to +20 anything sent to that address which then triggers the auto-learn feature of SpamAssassin.
But your idea will work great when it comes to filtering out spam from cracked home machines.
Spam is not that hard to deal with, as filters are pretty accurate, but for them to work I still have to actually download the messages; an annoying prospect.
My solution was to switch to IMAP and just download the message headers. This allows me to delete the spam messages without downloading the whole email, plus I have the added benefit of being able to read my email from anywhere.
Spam messages may be annoying, and may consume resources, but I strongly disagree with laws punishing spam. I also strongly disagree with any efforts to filter messages flowing through mail servers, or the practice of blacklisting hosts or domains. None of these approaches will be effective in the long term.
No wonder this guy's got a 5MB long page of examples. What a clueless idiot.
To ease the transition the clients and servers can support both protocols. Incoming messages are tagged as either sender verified or not. Initially all of your email will be unverified, same as it is now. As more and more servers/clients are updated, more and more of your email comes across the verified channel. Eventually you just stop using the old channel by telling the server to disable receiving on that channel. This is not rocket science people, it's all very doable despite what naysayers think. All it requires is a consensus on the new protocol.
What is this?
damn, by the time i've RTFA, this thread will be locked and not allowing for further discussion!
I don't know why you're seeing a reduction in your spam. You must have been getting a different kind from the stuff I get.
"Do not drill any holes in your cat - it will not like it."
-- Nick Davies
Basically bayesian filters have some mechanism to "train" them with example spams and example good mails. The more information you give them, the more skilled they get, up to a point. After that point, adding in more examples actually weakens the filter, and it lets more spam through.
I'm not sure of the mathematical reasons for this, perhaps someone else can explain them?
Members of a reserve branch of the military, I've been issued a swell Common Access Card, with a chip thereon that has digital certificates and enough Privacy Act information to give the paranoid a heart attack.
I've been able to send to a non-.mil address, but I don't know if the .mil account can receive from such.
For all there is 0 expectation of privacy, you have real confidence of freedom from casual tomfoolery. If they decide you're acting at variance to Good Order and Discipline, they just crush you. Hint: a dab of common sense goes a long way in this regard.
At some point, potentially when the government wants to get serious about e-voting, we'll probably have something similar for all citizens.
Can you foresee the dichotomy? 0 anonymity and a useful network, or some level of anonymity and more noise than Motorhead breaking in a new set of Marshalls.
Would that a middle-ground existed. Or that a company with some Measure of Security and Market Savoir-faire existed that could deliver an acceptable product.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Has anyone noticed how the Readers Digest snail mails telling you that you have been selected for one of their cash draws read exactly like a lot of spam messages ?
Use AIM.
Here's "THE" solution for spamming:
This requires a new feature to be added to mail servers and clients to implement this functionality, but it should be relatively straightforward and is 100% backwards compatible with non-conforming servers and clients.
Basically how it should work is if johnny@aol.com sends me a message at andy@att.com, the mail server at aol.com (the sending server) will store a list of recently sent emails.
All it stores is the sender email address (johnny@aol.com) and a unique id for the email, maybe a CRC number (see explanation at the very end) derived from the message contents and all attachments.
When the receiving mail server (that's Andy's server at ATT) gets the message, it contacts the server at aol.com (derived from the 'from' field) and queries to see if a message from such a person was actually sent.
It sends the email address (johnny@aol.com) together with its own generated CRC number.
The sending server (which was aol.com) now checks its list of recently sent email and either returns a yes or no based on the test to see if the address/CRC pair is on the list.
I'm sure a time-stamp check will be done in this process, maybe to a 60th of a second, then the spammers will be stopped.
Once the user (Andy) downloads the message and removes it from the server the receiving server (Andy's at ATT) sends a message to the originating server (Johnny's AOL) that it's ok to remove the message record from the recently sent email list.
This method makes it impossible to spoof the "from" field---
If spammers can't spoof the "from" field they lose their anonymous/fake cover.
It's possible to trace them back to the originating ISP and that ISP will have records of whom that account belongs to or will simply shut down the account if it's a free mail service.
Basically spam can be traced back to its source (and maybe even viruses).
Of course, not all servers will implement such functionality right away.
The end user can set up their mail client to simply filter email from servers that don't support this feature into a special folder that will contain "unverified" email, but this folder will get less and less email as this feature gets implemented more and more.
If the server does support this feature, and the sender is not verified, you KNOW it's spam.
If AOL, Hotmail, Yahoo implemented this feature, and you have a client that supports this feature, you KNOW you won't get spam from any of those servers anymore.
------------
CRC
Short for cyclic redundancy check, a common technique for detecting data transmission errors.
Transmitted messages are divided into predetermined lengths that are divided by a fixed divisor.
According to the calculation, the remainder number is appended onto and sent with the message.
When the message is received, the computer recalculates the remainder and compares it to the transmitted remainder. If the numbers do not match, an error is detected.
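The callback exchange described in the comment above, as an added Python sketch that is not part of the original comment or of any real mail server: the class and method names are hypothetical, direct method calls stand in for the server-to-server query, `zlib.crc32` plays the "CRC number", and the retention window and the SHA-256 alternative are assumptions added here.

```python
import hashlib
import time
import zlib


def crc_id(body: bytes) -> str:
    """Message id as the comment proposes: a CRC over the contents."""
    return format(zlib.crc32(body) & 0xFFFFFFFF, "08x")


def sha256_id(body: bytes) -> str:
    """Assumed alternative: a cryptographic digest. A CRC only detects
    transmission errors; it is not designed to resist deliberate collisions."""
    return hashlib.sha256(body).hexdigest()


class SendingServer:
    """Keeps the 'recently sent' list of (sender, message id) pairs."""

    def __init__(self, domain, make_id=crc_id, ttl_seconds=7 * 24 * 3600):
        self.domain = domain
        self.make_id = make_id
        self.ttl = ttl_seconds      # assumed retention window for records
        self.sent = {}              # (sender, id) -> time recorded

    def submit(self, sender, body, now=None):
        """A local user sends mail: record the pair before relaying."""
        if not sender.lower().endswith("@" + self.domain):
            raise ValueError("not a local sender")
        now = time.time() if now is None else now
        self.sent[(sender, self.make_id(body))] = now

    def was_sent(self, sender, msg_id, now=None):
        """Answer a receiving server's yes/no query."""
        now = time.time() if now is None else now
        ts = self.sent.get((sender, msg_id))
        return ts is not None and now - ts <= self.ttl

    def release(self, sender, msg_id):
        """Receiver reports the message was downloaded: drop the record."""
        self.sent.pop((sender, msg_id), None)


class ReceivingServer:
    def __init__(self, directory):
        # domain -> SendingServer; stands in for locating and querying
        # the server named in the 'from' field.
        self.directory = directory

    def classify(self, from_addr, body, now=None):
        origin = self.directory.get(from_addr.rpartition("@")[2].lower())
        if origin is None:
            return "unverified"     # origin does not implement the scheme
        msg_id = origin.make_id(body)   # receiver computes its own id
        return "verified" if origin.was_sent(from_addr, msg_id, now) else "spam"

    def downloaded(self, from_addr, body):
        origin = self.directory.get(from_addr.rpartition("@")[2].lower())
        if origin is not None:
            origin.release(from_addr, origin.make_id(body))


def demo():
    aol = SendingServer("aol.com")
    att = ReceivingServer({"aol.com": aol})
    body = b"Hi Andy, lunch on Friday?"          # constructed sample message
    aol.submit("johnny@aol.com", body, now=1000.0)
    results = [
        att.classify("johnny@aol.com", body, now=1010.0),              # genuine
        att.classify("johnny@aol.com", b"Cheap pills!!!", now=1010.0),  # forged From
        att.classify("someone@example.net", body, now=1010.0),         # no support
    ]
    att.downloaded("johnny@aol.com", body)
    # After release the same message no longer verifies, so a replay is refused.
    results.append(att.classify("johnny@aol.com", body, now=1020.0))
    return results


if __name__ == "__main__":
    print(demo())
```

A "verified" result only shows that the named domain's server accepted that exact body from that account; any relay that rewrites the body changes the id and turns legitimate mail into a mismatch.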
Well, that may be true, but we're talking about the guys paying the spammers here. Spam directs people to companies' websites who are paying them to do so. Those are the guys this method goes after.
It also has the disadvantage of being susceptible to joe jobs and similar, someone maliciously making you or your software believe some innocent site is the culprit.
Yes, but, like I said, since you know at all times who you are attacking (the client tells you, it's open source and all) you can easily check for yourself.
if you can identify the spam so accurately and quickly why are you seeing any?
If you went to the URL, you'll see that the spam is identified by hand. Basically, you get spam, you send it to this guy, he then uses it to generate a template file that is then sent back to the distributed network as instructions for the next attack. Crappy system, yeah, but it's a pretty small project right now. In any case, that's beside the point--everyone can identify spam, I mean, that's not the problem we're trying to solve here, is it?
Most, although not all, spam, has the goal of getting the recipient to enter a credit card number. At that point, the business has a legal obligation to identify itself. Here, for example, are some excerpts from California's law, from Business and Professions Code section 17538(d):
OK. So right there, we have a criminal offense committed by most spammers. With a potential six month jail term. The problem is enforcement.
What we really want is for Visa International and MasterCard, Inc, to require banks offering merchant accounts to police their merchant customers for spamming. If we can cut off spammer access to the credit card networks, and cause them substantial chargebacks, spamming will become much riskier.
So we need to impose liability via the credit card processing chain. Banks can always find the merchant, or at least collect from them.
I'm talking to some banking people about this. Because Visa International, a California-based company, is pushing something called "u-commerce", which will require some regulatory approvals, it's a good time to put pressure on.
The fact that this requires a key exchange first, and then a password for authentication, gives it absolutely zero advantage over PGP. I doubt there's even a computational advantage.
I'd like to give the guy the benefit of the doubt, but he's pushing snake-oil. This thing also smells like a "Computer Applications 206" semester-project in the making to me. I'd give him a B for the analysis, and knock that down to a C+ because his solution is so unoriginal.
The problem is: you're asking *everyone* who talks SMTP between mail servers to upgrade their software. You're asking *everyone* who produces such software to agree on a standard to replace SMTP to prevent spam. There are many people out there who can't, or won't, upgrade. Yes, it would be nice if they would, but they won't -- lack of technical expertise, lack of time, unwillingness to run bright shiny new code that's been untested in the real world for a reasonable period of time, old systems that updates are no longer available for and they can't afford or aren't able to upgrade... the real world contains many such problems. And I haven't seen any proposal yet that involves changing the protocol and looks like it will actually produce the desired result (less/no spam, with *no* collateral damage).
Most *clueful* people I know just use spamassassin or some sort of bayesian filter, and this returns email to a state of usefulness for them.
Pretend that something especially witty is here. Thanks.
What you have suggested is a good idea.
It is also more or less implemented by Spam Gourmet.
Spam Gourmet allows you to specify an email address on the fly that will only accept and forward a limited number of emails (less than twenty). Any emails sent to that email address after the limit is reached are silently "eaten".
Easy.
The email address is in the form of randomword.11.username@spamgourmet.com, where 11 is the number of emails sent to this address that should be forwarded. (As well, if you don't like the name spamgourmet, or think having that domain might tip some people off, there are a number of different domains that work: namely antichef.net, neverbox.com, spamcannon.net, dfgh.net, antichef.com, or recursor.net...)
To email me, any of the following would work:
Give it a shot: Spam Gourmet - free disposable email addresses.
- dj
-----
SpamGourmet Stats:
Another interesting idea, but the SG idea revolves around these addresses automatically expiring after they've received a maximum of 20 emails. Yes you can "restock" the address when it starts to get near zero, but it's certainly not a service you would want to use for a mailing list, or other high volume or long term email relationship. There are entities that email me 40 times a day, I'd have to reset the counter at least daily. You CAN do this in a more automated way with SG that just turns the system in to a mail forwarder but it takes too many steps in my opinion.
I posted a reply to another person's post mentioning several other services like this, all of my general comments about those services apply to SG, mainly that there are additional difficulties and potential problems with third party services, especially free ones (like support). I won't go in to the full explanation again here.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
Most of what I've seen looks like faked addresses to me, too. I can't really say all because I haven't thoroughly investigated every spam I've ever gotten. The only explanation I can come up with is that every once in a while (like maybe once every couple of months or so), a spammer sends out one spam with an actual address and checks it for bounce messages. That would seem to explain why it decreased gradually over a period of time (like months), rather than ceasing at once.
Most *clueful* people I know just use spamassassin or some sort of bayesian filter, and this returns email to a state of usefulness for them
I use both. See previous message about 5-15 a day still slipping through. Filters are not perfect. Filters will never be perfect. I am so pissed off about this, because I am on the verge of giving up an email address I've been using for half a decade.
You're asking *everyone* who produces such software to agree on a standard to replace SMTP to prevent spam. There are many people out there who can't, or won't, upgrade.
IIRC "we" asked everyone to get off their asses and fix the Y2K issue before Jan 1, 2000 and that worked out pretty well. This would be a much smaller effort. We all agree on a date 1 year down the road to fix the protocol and do the flipover. Hell, maybe we even work in some sort of fallback in all the software that it tries the new method first, and if the mail doesn't go through it falls back to the old SMTP standard on both ends for that message, and spits out an error report. Then we run a 3 month grace period to work out all the bugs. If you can't work in this kind of change in a year, what the hell? And really how many MTA's are there widely in use? 10? 15?
The point is this. The current system, based largely on trust in the beginning, is broken. Wringing our hands and saying "nobody will agree, let's not do anything" will cause exactly nothing to get done. It would be nice if we could get incremental change, but it's probably not going to happen if it hasn't happened in the last 7 years.
"All that is necessary for the triumph of evil is that good men do nothing"
That certainly seems to describe how the spam war is going.
I wish I could find a Perl module to auto dial these numbers and leave super long messages with an electronic voice.
I've actually written a perl program that does something along the same lines. Instead of Email Spam though it deals with Telemarketer spam. It uses CallerID to determine which calls to answer, plays a series of pre-recorded wave files, and uses silence detection to carry on a virtual conversation with the telemarketer. Best of all, it records the entire conversation. I haven't had a telemarketer yet that figured out they were talking to a computer. I call it the Telecrapper for lack of a more Madison Avenue name. A description and some example conversations are available at www.pagerealm.com/tc2k. Scroll down to listen to the examples, they are VERY FUNNY.
Legality's not very useful at stopping technical problems unless it's easy to implement technical implementations, which it's not here. Also, there are two or three different kinds of "forgery" which have radically different effects, and some confused legislators are in the midst of trying to write laws that presume incorrect semantics.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I don't think companies want to cooperate that much. The people who own the servers aren't always in direct opposition to spam anyway. And then you have some companies (verizon) that think that avoiding spam justifies them not applying correct SMTP protocols.
"he drew his sword Ringil that glittered like ice... and he wounded Morgoth with seven wounds..."
Read it here.
Spam could be identified with the help of IP address profiling.
1. Every (participating) mail client reports the IP address, An Address Hash, and a full content Hash, and a common word Hash to a central server.
2. All Email received is assigned a value similar to the google value which identifies that email as unique or - similar to thousands. - As Sent from a human source - or a prolific source.
Spammers would simply sort themselves out of existence by coming in last on the uniqueness/prolificness test.
The transaction with other email servers is something like:
I just received mail from 123.23.34.45 with an address hash of fgf3vsd8g7g83hisyeeg97948ekhdu and a content Hash of ^4ehjhdis838eyYe89y9 with a filtered content of GTYijhiuTY9Y986)708y9yoiuy - how many similar emails exist?
Reply:
From IP: 123.23.34.45 -- 200,000
From Address -- 5,000
With Content -- 1
With Filtered content -- 1
Thusly this is unique mail from a human in a medium company
From IP: 123.23.34.45 -- 200,000,000,000
From Address -- 5,000,000
With Content -- 1
With Filtered content -- 1,000,000,000
This is unique item from a prolific source which is common to a huge number of items once the spam words filter is applied.
etc etc etc.
I think IP profiling is different from a white list because the user can determine the metrics (for example set his own spam words - if he's a proctologist - he may accept spam with words like pen*s for example)
Also because it operates AT THE SAME SPEED as the message stream - it can react in real time to new messages and new ideas (like the insertion of random words) - it also discourages experimentation - since that raises the prolificness of a given IP Address - It also discourages insecure - inadvertent hosts - because their mail gets flagged.
It will however lead to credibility farming - that is the operation of a legitimate mail server for the purpose of using accumulated positive heuristics to launch a high credibility spam attack.
I think this system can operate as an ad hoc p2p in which some mail servers create local networks - independent of any corporate server. The idea is only to get enough email to create useful data on a substantial portion of the internet. Most addresses will be familiar - an unfamiliar address can launch a larger search outside the local group if necessary.
Keeping group count high avoids a monolithic solution - and limits the success of testing - so there should not be a single pool of data.
AIK
As a side-question, have you considered using Markov Chains?
Wikileaks, no DNS