Analysis of Spam, and a Proposed Solution
2bot_or_not_2bot writes "Spam: The Phenomenon is a detailed analysis of spam: products, scams, viruses, obfuscation methods, etc. Failed, and doomed-to-fail, methods of blocking spam are described. A general solution is proposed that does not: invade privacy, perform wide censorship or blacklisting, or involve payment and cooperation with corporations (beyond the transport and storage of data)." Hmmm.
Spammers are not very hard to track down. The companies that use their 'services' are even easier to track down. Many if not most are in the US or EU.
I've done it myself a couple of times, and have explained the relevant legal code from spamlaws. I have yet to hear back from either the spammers or the authorities I have explained this to.
I would think if law enforcement would do what it is SUPPOSED to do, spamming would be vastly reduced.
This dude has a decent idea, I guess. I've found a method that has been foolproof for the past three years. I only give out my email address to people I directly know. I've had a Hotmail address that's been spam free since 2001, not even a drop in the bulk bucket. Once or twice a year I'll get a Hotmail Services thing, but that doesn't matter to me. I keep a junk address at Yahoo when filling out online forms, posting, etc. It works for me and it works for my friends. My ISP email address has _never_ received any spam.
I also reply below your current threshold.
You know, if government really focused on penalizing the bottom end product creator for spam, I'm sure it'd be minimized drastically. For example, Viagra is made by Pfizer; if they penalized Pfizer for spam and for not controlling the methods of their advertising, I'm sure many companies would think twice about their methods to deliver content.
Sure it would need some tweaking, but to go after Joe Blow unsuspecting user whose machine is probably loaded with trojans is moronic. Even a good enough trial lawyer for the most blatant spammer could probably convince a jury that the culprit's machine was infected if they tried. It's obvious CAN-SPAM and other moronic laws aren't working, so why not take it to the next level?
Pentagon Plane Crash of 2000
MoFscker
It should be self-evident that this solution is not workable. Anything that requires this massive type of retooling of the whole method of using e-mail is doomed to failure.
Any proposed solution cannot cause this type of massive interruption of normal e-mail usage.
Someone is WRONG on the Internet!
Next!
This article links to an interesting piece of Internet history: Richard Stallman ca. 1978 defending DEC's use of email to advertise, his words quoted from http://www.templetons.com/brad/spamreact.html
"Would a dating service for people on the net be "frowned upon" by DCA? I hope not. But even if it is, don't let that stop you from notifying me via net mail if you start one. "
The big difference between it and mail we have now is that only the notification of mail is sent, not the mail itself.
Options:
a) Notification contains no sender-modifiable content. No way to know if you want it or not. You say yes and wind up with spam from unknown server.
b) Notification winds up containing the entire spam as subject line, and the supposed server it's coming from doesn't exist.
c) Spammers break into millions of unsecured Windows boxes and run 'mail servers' on them.
Nice try, but no cigar.
I have 1 email address that I have used for many, many years, far before spam was a problem. The problem is, my email address has passed beyond my control. You can still find it on the 'net in usenet archives, mailing list archives, and who knows what else. The point is, 10 years ago, we didn't think to conceal their addresses... they wanted to make them easy to find so that people could find *us*!
Even better, somehow, there's a database that matches names to email addresses. People other than me map to my email address, so I get "legitimate" spam.
Furthermore, not loading the images and not clicking on the links doesn't fix the problem entirely. I've checked, depending on which address they've spidered. Contact addresses for my web-design business that I shut down 3 years ago are still getting spam.
That I have to change an email address that I've had for nearly a decade... well.. it makes my blood boil.
Gentoo Sucks
I mean come on, if only .5% of the people (s)he sent out spam to call his cell phone and leave a nice voicemail, everyday, all day, he will start to know what it is like to be harassed and for it to cost him money out of his pocket and the grief that he caused so many...
The problem with that, of course, is that spammers will then try to make it look like the spam comes from someone else--like an anti-spam activist, say.
This solution looks just like HTML pages, served via HTTP when you give the notification address. It moves the problem of message duplication off of centralized mail servers; however, there's still all those notifications of messages being send to users to read a copy of the spam message.
Good lateral thinking, but I don't think it would ultimately stop spam. I'd love to see more details.
It would prevent a spammer from dumping a 100Kb email message into your inbox, but it wouldn't prevent him from dumping 100K of 1b "notification" messages in there, and it would be all the same to him. It would make it much harder to sort between the two.
And under the current system, the spammer doesn't know anything about the recipient (or even that the email address is valid) unless he does something stupid like reply or click on a web link. Under this system, the spammer would know which addresses were valid by watching which messages were picked up.
Personally, I'm convinced we'll see no solution to the spam problem until society stops tolerating the selfish behavior spammers represent.
There must be more to this proposal than you've related here. This sounds more like an off-the-cuff suggestion than the usually sound thinking of our qmail friend.
The thing about things we don't know is we often don't know we don't know them.
I'm going out on a limb here, but I think that actually, spam does not create enough customers of legitimate products.
What email harvesters do is convince poorly informed people and businesses that by buying their $499.00 mailing list of two million valid email addresses, they will rake in thousands upon thousands of dollars in profits.
It is those poor sods who send the millions of email, using the email autosender conveniently provided on the cd-rom, who are then blacklisted to hell and lose their $49/mo super gold premium windows 2003 10MB (Front-Page enabled no less) account and wonder with growing bitterness how the jerks at "MakeMegaBuxWithEmail.Com" could have flat out lied, LIED, to them...
Then they realize they can make $499/CD by just finding another sucker...
Of course, like all good pyramid schemes, the thing will implode under its own weight, but it has not yet run its course.
A solution? Of course. A study needs to be made showing the average Joe that paying for a list of email addresses is a snake-oil scheme to lift money from their wallet.
Then people can charge money for the "Don't Be Fooled By Email Scam Artists. Send $29 And I'll Show You How To Protect Yourself Today!!!" and spam will be a thing of the past.
(yeah, that's it...)
"Piter, too, is dead."
So in the glorious IM2000 future my computer will pull down gigabytes of spam from random trojaned PCs whose owners say "what?" when you accuse them of spamming...
It's dangerously bad. If email messages accurately identified where they came from, and if spammers didn't maliciously forge addresses of people they want to harass, and if spammers didn't usually abuse free email systems and free web pages or forge purely bogus sender addresses (usually also at free email systems), then that would be a fine idea. Many spammers also frequently put other people's valid URLs in their mail to fake legitimacy, e.g. URLs from E-Bay's news site or the Better Business Bureau or various anti-virus companies, in addition to having their own URL for the suckers to click.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Sounds like usenet to me... I remember reading his proposal some time ago and it does make a lot of sense. No more flooded mailbox while you are on vacation... And it's also a good way for the sender to control whether or not the mail has been read (as opposed to only received). And idiot family members who send the content of their new digital camera to all family members without downsampling the images will get a quite useful "Full outgoing mailbox" error message.
Non-Linux Penguins ?
I wish I could find a Perl module to auto-dial these numbers and leave super long messages with an electronic voice.
Even better, have it read the spammers own spam back to them over the phone, until their answering machine fills up. ^^
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The section on Colin Fashey's site, way down at the bottom, that reads "Basic operation:"
You have to authorize each sender? The sender computes a code to send you mail?
Right. Most people can't get the clock on their VCR to stop blinking. This ain't gonna happen.
-Charles
Learning HOW to think is more important than learning WHAT to think.
Your a and b options are not a complete list. In actuality, you would send a subset of the headers in the notification (the recipient could potentially pick which ones--possibly in the response to the EHLO replacement). One can certainly limit subjects in the initial notification to (for example) 50 characters, not enough to get a real message across but enough to recognize many legitimate kinds of email (for one thing, how many legitimate emails have subjects longer than 50 characters?). In regard to c, it is hard to run a POP server on a desktop PC.
Another possibility is that the notification could be just that (no content whatsoever), with you downloading the headers separately (i.e. 3 steps: notification; headers; body and full headers). That would force the server to exist, but you don't have to download the rest of the message if you do not want to do so.
Also consider how this would work with RMX proposals (like SPF: http://spf.pobox.com ). If the email is not from a validated IP, then you can reject the initial notification.
It is also worth noting that a spam method that requires illegal acts (like virus infection) is dangerous for the spammer. It is not really practical when selling everyday items, only scam emails (already illegal) or really high margin items that allow the spammer to change locations often.
Criticizing anti-spam proposals for not completely solving the problem is missing the point. No one anti-spam method is going to eliminate spam. Each one is designed to make it harder to spam, ideally without impacting normal email. IM2000 does this, since it merely shifts from POPping from the recipient's server to the sender's server. This is harder for senders but easier for receivers in most cases. The exceptions are those where the sender does not maintain a persistent (i.e. always on) mail server (e.g. spammers). This is very rare with legitimate emails (if the sender does not have a persistent mail server, then they can't *receive* email; legitimate senders generally want to be able to receive emails in response).
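The exchange sketched in the post above (notification with a truncated header subset, an SPF-style check on the notifying host, then a separate pull of headers and body from the sender's always-on server), modelled as an added example. This is not code from the page or from the IM2000 proposal; the SPF records, addresses, message ids and messages are constructed for the demo, the 50-character subject limit is taken from the post, and the SPF evaluator handles only `ip4:` mechanisms and the `all` terminator. The sender-side store also records who pulled, which is the address-validity leak raised earlier in the thread.

```python
"""Toy notification-then-pull mail exchange (IM2000-style), added example.

Not code from the page or from the IM2000 proposal. All records,
addresses, ids and message bodies below are constructed for the demo.
"""
import ipaddress

SUBJECT_LIMIT = 50  # from the post: truncate subjects in the notification

# Constructed stand-in for published SPF ("RMX") records, keyed by domain.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulkmail.example": "v=spf1 ip4:198.51.100.7 -all",
}


def spf_permits(domain, connecting_ip):
    """Minimal SPF evaluation: only ip4 mechanisms and the all terminator.
    Returns True when the IP is listed, False otherwise (including no record)."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return False
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return True
        elif term in ("-all", "~all", "?all"):
            return False
    return False


class SenderStore:
    """The sender's always-on server: keeps the full message and serves pulls.
    Every pull is logged, which tells the sender the recipient address exists."""

    def __init__(self):
        self.messages = {}
        self.pulled_by = set()

    def post(self, msg_id, headers, body):
        self.messages[msg_id] = (headers, body)

    def notification(self, msg_id, recipient, host_ip):
        """The small message that is actually pushed to the recipient.
        host_ip stands in for the source address the recipient observes."""
        headers, _ = self.messages[msg_id]
        return {"id": msg_id, "to": recipient, "from": headers["From"],
                "host": host_ip, "subject": headers["Subject"][:SUBJECT_LIMIT]}

    def fetch_headers(self, msg_id, recipient):
        self.pulled_by.add(recipient)          # the validity leak
        return self.messages[msg_id][0]

    def fetch_body(self, msg_id):
        return self.messages[msg_id][1]


def handle_notification(note, store, known_senders):
    """Recipient policy: drop notifications whose host fails the sender
    domain's SPF record; pull headers, and the body only for known senders."""
    domain = note["from"].rsplit("@", 1)[-1]
    if not spf_permits(domain, note["host"]):
        return "rejected: host not permitted for " + domain
    headers = store.fetch_headers(note["id"], note["to"])
    if headers["From"] not in known_senders:
        return "held: headers only, body not pulled"
    return "delivered: " + store.fetch_body(note["id"])


def demo():
    """Run three constructed notifications through the recipient policy."""
    store = SenderStore()
    store.post("m1", {"From": "alice@example.org", "Subject": "Lunch Thursday?"},
               "Noon at the usual place.")
    store.post("m2", {"From": "deals@bulkmail.example", "Subject": "X" * 200},
               "BUY NOW")
    known = {"alice@example.org"}
    recipient = "bob@example.net"
    results = [
        # legitimate sender, notifying host inside its SPF range
        handle_notification(store.notification("m1", recipient, "192.0.2.10"), store, known),
        # bulk sender notifying from a host its SPF record does not list
        handle_notification(store.notification("m2", recipient, "203.0.113.5"), store, known),
        # bulk sender from its listed host: headers pulled, body never fetched
        handle_notification(store.notification("m2", recipient, "198.51.100.7"), store, known),
    ]
    truncated_len = len(store.notification("m2", recipient, "198.51.100.7")["subject"])
    return results, truncated_len, store.pulled_by


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The third case is the caveat from earlier in the thread: even though the body is never downloaded, the header pull alone tells the bulk sender that `bob@example.net` is a live address, so a recipient that wants to stay invisible has to stop at the notification.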
All the technical solutions seem to be doomed because (thankfully) we don't (quite) live in a Microsoft monoculture, so there are a bzillion mail applications at every point of the emailing process and it's impossible to change them all in a complicated manner. But there's an easy change: sign emails with pgp or the like. Then restrict your attention to signed emails.
Sure, it doesn't solve any of the bandwidth or storage problems, but it would make filtering so much easier. If the spammers sign their emails to get through, you could at least find out who they are. (If they use certificates from shady certificate-granting authorities colluding with the spammers, you could simply reject those as well.) Having a digital signature would be an easy way to distinguish bona-fide communications from junk mail. It's cheap in every sense, it's proven technology, capabilities are already included in many mail readers and senders, and online mail services and Linux user setup could easily include pgp key generation in new account setup. What are we waiting for?