Analysis of Spam, and a Proposed Solution
2bot_or_not_2bot writes "Spam: The Phenomenon is a detailed analysis of spam: products, scams, viruses, obfuscation methods, etc. Failed, and doomed-to-fail, methods of blocking spam are described. A general solution is proposed that does not: invade privacy, perform wide censorship or blacklisting, or involve payment and cooperation with corporations (beyond the transport and storage of data)." Hmmm.
Spammers are not very hard to track down. The companies that use their 'services' are even easier to track down. Many if not most are in the US or EU.
I've done it myself a couple of times, and have explained the relevant legal code from spamlaws. I have yet to hear back from either the spammers or the authorities I have explained this to.
I would think if law enforcement would do what it is SUPPOSED to do, spamming would be vastly reduced.
It should be self-evident that this solution is not workable. Anything that requires this massive type of retooling of the whole method of using e-mail is doomed to failure.
Any proposed solution cannot cause this type of massive interruption of normal e-mail usage.
Someone is WRONG on the Internet!
Next!
The big difference between it and mail we have now is that only the notification of mail is sent, not the mail itself.
Options:
a) Notification contains no sender-modifiable content. No way to know if you want it or not. You say yes and wind up with spam from unknown server.
b) Notification winds up containing the entire spam as subject line, and the supposed server it's coming from doesn't exist.
c) Spammers break into millions of unsecured Windows boxes and run 'mail servers' on them.
Nice try, but no cigar.
I have 1 email address that I have used for many many years, far before spam was a problem. The problem is, my email address has passed beyond my control. You can still find it on the 'net in usenet archives, mailing list archives, and who knows what else. The point is, 10 years ago, we didn't think to conceal their addresses... they wanted to make them easy to find so that people could find *us*!
Even better, somehow, there's a database that matches names to email addresses. People other than me map to my email address, so I get "legitimate" spam.
Furthermore, not loading the images and not clicking on the links doesn't fix the problem entirely. I've checked, depending on which address they've spidered. Contact addresses for my web-design business that I shut down 3 years ago are still getting spam.
That I have to change an email address that I've had for nearly a decade... well.. it makes my blood boil.
Gentoo Sucks
Good lateral thinking, but I don't think it would ultimately stop spam. I'd love to see more details.
It would prevent a spammer from dumping a 100Kb email message into your inbox, but it wouldn't prevent him from dumping 100K of 1b "notification" messages in there, and it would be all the same to him. It would make it much harder to sort between the two.
And under the current system, the spammer doesn't know anything about the recipient (or even that the email address is valid) unless he does something stupid like reply or click on a web link. Under this system, the spammer would know which addresses were valid by watching which messages were picked up.
Personally, I'm convinced we'll see no solution to the spam problem until society stops tolerating the selfish behavior spammers represent.
There must be more to this proposal than you've related here. This sounds more like an off-the-cuff suggestion than the usually sound thinking of our qmail friend.
The thing about things we don't know is we often don't know we don't know them.
I'm going out on a limb here, but I think that actually, spam does not create enough customers of legitimate products.
What email harvesters do is convince poorly informed people and businesses that by buying their $499.00 mailing list of two million valid email addresses, they will rake in thousands upon thousands of dollars in profits.
It is those poor sods who send the millions of email, using the email autosender conveniently provided on the cd-rom, who are then blacklisted to hell and lose their $49/mo super gold premium windows 2003 10MB (Front-Page enabled no less) account and wonder with growing bitterness how the jerks at "MakeMegaBuxWithEmail.Com" could have flat out lied, LIED, to them...
Then they realize they can make $499/CD by just finding another sucker...
Of course, like all good pyramid schemes, the thing will implode under its own weight, but it has not yet run its course.
A solution? Of course. A study needs to be made showing the average Joe that paying for a list of email addresses is a snake-oil scheme to lift money from their wallet.
Then people can charge money for the "Don't Be Fooled By Email Scam Artists. Send $29 And I'Ll Show You How To Protect Yourself Today!!!" and spam will be a thing of the past.
(yeah, that's it...)
"Piter, too, is dead."
It's dangerously bad. If email messages accurately identified where they came from, and if spammers didn't maliciously forge addresses of people they want to harass, and if spammers didn't usually abuse free email systems and free web pages or forge purely bogus sender addresses (usually also at free email systems), then that would be a fine idea. Many spammers also frequently put other people's valid URLs in their mail to fake legitimacy, e.g. URLs from E-Bay's news site or the Better Business Bureau or various anti-virus companies, in addition to having their own URL for the suckers to click.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I wish I could find a Perl module to auto dial these numbers and leave super long messages with an electronic voice.
Even better, have it read the spammer's own spam back to them over the phone, until their answering machine fills up. ^^
Your a and b options are not a complete list. In actuality, you would send a subset of the headers in the notification (the recipient could potentially pick which ones--possibly in the response to the EHLO replacement). One can certainly limit subjects in the initial notification to (for example) 50 characters, not enough to get a real message across but enough to recognize many legitimate kinds of email (for one thing, how many legitimate emails have subjects longer than 50 characters?). In regard to c, it is hard to run a POP server on a desktop PC.
Another possibility is that the notification could be just that (no content whatsoever), with you downloading the headers separately (i.e. 3 steps: notification; headers; body and full headers). That would force the server to exist, but you don't have to download the rest of the message if you do not want to do so.
Also consider how this would work with RMX proposals (like SPF: http://spf.pobox.com ). If the email is not from a validated IP, then you can reject the initial notification.
It is also worth noting that a spam method that requires illegal acts (like virus infection) is dangerous for the spammer. It is not really practical when selling everyday items, only scam emails (already illegal) or really high margin items that allow the spammer to change locations often.
Criticizing anti-spam proposals for not completely solving the problem is missing the point. No one anti-spam method is going to eliminate spam. Each one is designed to make it harder to spam, ideally without impacting normal email. IM2000 does this, since it merely shifts from POPping from the recipient's server to the sender's server. This is harder for senders but easier for receivers in most cases. The exceptions are those where the sender does not maintain a persistent (i.e. always on) mail server (e.g. spammers). This is very rare with legitimate emails (if the sender does not have a persistent mail server, then they can't *receive* email; legitimate senders generally want to be able to receive emails in response).
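The receiver-side checks described in the comment above (reject a notification whose source IP is not authorised for the sending domain, keep only a recipient-chosen subset of headers, cap the subject at 50 characters, and pull headers and body from the sender's store only on demand), as an added example that is not part of the original comment or of any IM2000 implementation. The function names, the `AUTHORISED` table standing in for an SPF lookup, and the sample message store are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for a published sender policy (what an SPF lookup would return).
AUTHORISED = {"example.org": ["192.0.2.0/24"]}

# Constructed sender-side message store, keyed by (domain, message id).
SENDER_STORE = {
    ("example.org", "m1"): {
        "headers": {"From": "alice@example.org", "Subject": "Lunch on Friday?"},
        "body": "Noon at the usual place.",
    }
}

MAX_SUBJECT = 50                                # cap suggested in the comment
ALLOWED_HEADERS = {"From", "Subject", "Date"}   # hypothetical recipient-chosen subset


def ip_authorised(domain, ip):
    """True if ip falls inside a network the domain has authorised to send."""
    nets = AUTHORISED.get(domain, [])
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)


def accept_notification(domain, ip, msg_id, headers):
    """Step 1: queue a notification, or return None to reject it outright."""
    if not ip_authorised(domain, ip):
        return None
    # Drop headers the recipient did not ask for, then enforce the subject cap
    # so the notification cannot carry a whole message in its subject line.
    kept = {k: v for k, v in headers.items() if k in ALLOWED_HEADERS}
    if "Subject" in kept:
        kept["Subject"] = kept["Subject"][:MAX_SUBJECT]
    return {"domain": domain, "id": msg_id, "headers": kept}


def fetch(note, part):
    """Steps 2 and 3: pull 'headers' or 'body' from the sender's store on demand."""
    msg = SENDER_STORE.get((note["domain"], note["id"]))
    if msg is None:
        # The sender must actually hold the message for the pickup to succeed.
        raise LookupError("sender store does not hold this message")
    return msg[part]
```
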