Analysis of Spam, and a Proposed Solution

2bot_or_not_2bot writes "Spam: The Phenomenon is a detailed analysis of spam: products, scams, viruses, obfuscation methods, etc. Failed, and doomed-to-fail, methods of blocking spam are described. A general solution is proposed that does not: invade privacy, perform wide censorship or blacklisting, or involve payment and cooperation with corporations (beyond the transport and storage of data)." Hmmm.

Here's a solution...

[Tuxedo+Jack]

We apply Islamic law.

They steal our time, money, and bandwidth.

We take their hands.

Re:Here's a solution...

[markan18]

Your post advocates a

( ) technical (*) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(*) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
(*) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(*) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(*) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(*) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Doing the Right Thing should not be preempted by making a buck.

Re:Here's a solution...

[Krow10]

(*) Killing them that way is not slow and painful enough

This is really my only problem with his suggestion.

Cheers,
Craig

Examples

[JohnGrahamCumming]

I'm glad the author included so many examples of actual spam messages. I was beginning to wonder what spam looked like.

John.

Re:Examples

[nizo]

Also, apparently the author doesn't get enough spam, because he included his email address at the end of the article.

Revenge on Spammers

[Kushy]

The best way to stop SPAM is to find the person(s) that are sending and post their personal information on the web. Everything email address, phone numbers, cell phone numbers, home address, business address, dogs name... everything there is... and let vigilante justice take over from there...

I mean come on, if only .5% of the people (s)he sent out spam to call his cell phone and leave a nice voicemail, everyday, all day, he will start to know what it is like to be harassed and for it to cost him money out of his pocket and the grief that he caused so many...

Boycott of Microsoft's Caller ID for E-mail

There's a boycott occurring for Microsoft's Caller ID for E-mail. They're asking for anyone developing a mail client, spam filter or mail transport agent to use a more open protocol, rather than a patented one.

Wrong

[JohnGrahamCumming]

From TFA:

Salting the message with random words thwarted Bayesian filtering.

No, it hasn't. That's utter nonsense. This entire article is filled with statements like this with no justification. How about reading my presentation at the MIT Spam Conference that showed that random word insertion did not fool POPFile (or other Bayesian filters).

John.

Have the users pay for it...

[Vexler]

Here is another way of looking at it: Spammers exist because there are idiots out there who fall for "vicod1n" or "pen1s enl@rgement" or what have you. We should have users who are purchasing these products pay an additional "spam tax" on it, to compensate for the wasted bandwidth and so on. Sort of like "shipping and handling fee". Actually, it comes close to the Internet tax idea that Congress is punting about, but applied to spams.

Re:Have the users pay for it...

[chris_mahan]

I'm going out on a limb here, but I think that actually, spam does not create enough customers of legitimate products.

What email harvesters do is convince poorly informed people and businesses that by buying their $499.00 mailing list of two million valid email addresses, they will rake in thousands upon thousands of dollars in profits.

It is those poor sods who send the millions of email, using the email autosender conveniently provided on the cd-rom, who are then blacklisted to hell and lose their $49/mo super gold premium windows 2003 10MB (Front-Page enabled no less) account and wonder with growing bitterness how the jerks at "MakeMegaBuxWithEmail.Com" could have flat out lied, LIED, to them...

Then they realize they can make $499/CD by just finding another sucker...

Of course, like all good pyramid scheme, the thing will implode under its own weight, but it has not yet run its course.

A solution? Of course. A study needs to be made showing the average Joe that paying for a list of email addresses is a snake-oil scheme to lift money from their wallet.

Then people can charge money for the "Don't Be Fooled By Email Scam Artists. Send $29 And I'Ll Show You How To Protect Yourself Today!!!" and spam will be a thing of the past.

(yeah, that's it...)

I dont get it

[JeanBaptiste]

Spammers are not very hard to track down. The companies that use their 'services' are even easier to track down. Many if not most are in the US or EU.

I've done it myself a couple of times, and have explained the relevant legal code from spamlaws. I have yet to hear back from either the spammers or the authorities I have explained this to.

I would think if law enforcement would do what it is SUPPOSED to do, spamming would be vastly reduced.

The article is total dreck

[Animats]

After scrolling through a page about a hundred screens high, containing many extracts from this guy's spam, you finally discover that this bozo has reinvented the whitelist.

Next!

IM2000

[re-Verse]

Personally I rally liked D. J. Bernstein's (qmail, djbdns, daemontools) idea for a new mail protocol. The big difference between it and mail we have now is that only the notification of mail is sent, not the mail itself. The mail sits on the senders mailserver, waiting to be picked up, and if you want to retrieve it, your mail client does so from his server. Think about it - No more anonymous spam, since you KNOW where messages are coming from if you have to retreive them. Therefore, if spam is illegal, we can punish them... and there is no more faking of where its coming from.

The other cool concept to that is mailing lists vs bandwidth. In old mailing list styles, a message would go out to the list, bouncing back from all people whos boxes are gone or full- witha lot of traffic. In DJs new way, there is only notification of the message sent, and then only those who really want the message download it.

The more you think about it, the better of an idea it becomes. In the wold of terrifying ideas like "postage for emails" or "really super-mega-expensive domain names for mail only" Bernsteins has an elegance and practicality I haven't seen elsewhere.

Re:IM2000

[Bronster]

The big difference between it and mail we have now is that only the notification of mail is sent, not the mail itself.

Options:

a) Notification contains no sender-modifiable content. No way to know if you want it or not. You say yes and wind up with spam from unknown server.
b) Notification winds up containing the entire spam as subject line, and the supposed server it's coming from doesn't exist.
c) Spammers break into millions of unsecured Windows boxes and run 'mail servers' on them.

Nice try, but no cigar.

Re:IM2000

[mdfst13]

Your a and b options are not a complete list. In actuality, you would send a subset of the headers in the notification (the recipient could potentially pick which ones--possibly in the response to the EHLO replacement). One can certainly limit subjects in the initial notification to (for example) 50 characters, not enough to get a real message across but enough to recognize many legitimate kinds of email (for one thing, how many legitimate emails have subjects longer than 50 characters?). In regards c, it is hard to run a POP server on a desktop PC.

Another possibility is that the notification could be just that (no content whatsoever), with you downloading the headers separately (i.e. 3 steps: notification; headers; body and full headers). That would force the server to exist, but you don't have to download the rest of the message if you do not want to do so.

Also consider how this would work with RMX proposals (like SPF: http://spf.pobox.com ). If the email is not from a validated IP, then you can reject the initial notification.

It is also worth noting that a spam method that requires illegal acts (like virus infection) is dangerous for the spammer. It is not really practical when selling everyday items, only scam emails (already illegal) or really high margin items that allow the spammer to change locations often.

Criticizing anti-spam proposals for not completely solving the problem is missing the point. No one anti-spam method is going to eliminate spam. Each one is designed to make it harder to spam, ideally without impacting normal email. IM2000 does this, since it merely shifts from POPping from the recipient's server to the sender's server. This is harder for senders but easier for receivers in most cases. The exceptions are those where the sender does not maintain a persistent (i.e. always on) mail server (e.g. spammers). This is very rare with legitimate emails (if the sender does not have a persistent mail server, then they can't *receive* email; legitimate senders generally want to be able to receive emails in response).

Bandwidth and storage for the ISP

[RT+Alec]

I administer a mail server for a small ISP. The problem with filtering on the user's end is that my costs are consumed by the time the user deals with the spam. I don't think, as the article suggests, that spammers will slow down if their message is not being read, in fact they will just spew out ever more spam. If a 1/10 of 1% hit rate does not deter them, a smaller hit rate won't either.

I have to put some upper limit to the amount of storage I can give each person (right now I allow 100M, which I think is quite reasonable). But if a user goes on vacation and does not check their e-mail for a month, they could have their inbox filled with spam and viruses (not much difference these days, from a server admin point of view). This will preven legitamate messages from coming through. Therefore, I use the following technical measures to help reduce spam:

• RBLs: dnsbl.njabl.org, sbl.spamhaus.org, xbl.spamhaus.org, and dul.dnsbl.sorbs.net
• SPF:Sender (not adopted widely yet, but it does block a few messages a day even now)
• Blocking specific subject lines (during virus outbreaks this can help)
• Blocking mail "from" non-existant domains

I really have no choice, I cannot afford not to take these measures. I explain all of them to my clients, nobody has had a problem yet. These measures catch roughly 75% of spam and viruses, and as far as I know, no false positives.

Seconded.

[Moderation+abuser]

My spam folder is full of mail with all sorts of crap random words.

The one or two which have gotten through look like they could have been written by a Perl guru.

Tell you what.

[Moderation+abuser]

Post your email address and I'll forward my spam messages to you. That'll train your bayesian filter.

Re:Spam isnt the problem anymore - Spyware

[SoTuA]

Word. I got married a few months ago, and while me n' my wife did some place hunting we lived at her mother's house, and I managed to keep the computer more or less shipshape.

Two months after we moved out, we went for dinner there, I had to look up something quick in google and *OMFG* the computer is barely crawling, it has half the system tray filled with icons, and it has so much malware that adaware crashes :o

Self-installing and opt-out add-ons suck. Hard.

Why so much opposition to changing the protocol?

[barc0001]

Seriously? Go to a syn-syn/ack-ack system.

The sending SMTP box says to the receiver "I've got a message for you" Receiver caches the message, hands the source box a 32 digit random number and says I'll call back in 30 seconds by your FQDN. It does so. Receiver says "did you send me a message with the serial 'x'"? If yes, then the source in the header wasn't spoofed, and the message goes through, if not, the message gets dropped.

Almost all spam these days comes from spoofed sources. But if in this case it's still spam, it's a lot easier to track the source immediately and deal with it. Take away the ability to hide, and like mold in the sunlight, most of it will vanish without further effort.

You Might Be An Anti-Spam Kook If...

[FattMattP]

You Might Be An Anti-Spam Kook If...

Each item in the following list was suggested by the words or actions of people who presented themselves to the IETF or elsewhere as having discovered the FUSSP. Some of the items may seem obscure to those who have not dealt with the IETF.

• You have discovered the Final Ultimate Solution to the Spam Problem (FUSSP).
• You are the first to think of the FUSSP.
• You started looking for the FUSSP after observing that it is impossible to filter more than 99% of spam with fewer than 0.1% false positives by currently available mechanisms.
• Despite being the inventor of the FUSSP, you are unfamiliar with "false positive," "false negative," "UBE," "tarpit," "teergrube," "Brightmail," "Postini," "SpamAssassin," "DNS blacklist," "HELO," "RBL," or "mail envelope."
• You plan to make money by licensing the FUSSP.
• You don't plan to make a fortune from the FUSSP, but you do expect fame as its generous and public spirited netizen inventor.
• You are deeply hurt and angry because you are not respected as "spam fighter."
• People don't see the value of the FUSSP because they have axes to grind, are jealous, or are too stupid to understand it.
• You learned how to stop spam during the more than six whole weeks you've been fighting it.
• The FUSSP assumes that your attention is so important that strangers, other than advertisers, from will pay money to send you mail.
• Despite having invented the FUSSP, you not only don't know the difference between the SMTP envelope and SMTP headers; you doubt there is such a thing as the SMTP envelope because email doesn't involve paper.
• Despite having invented the FUSSP, your SMTP header and DSN reading skills are so limited that when you send an objectionable message to two separate sites, you can't tell which of one of them rejected it.
• You cannot name several potentially fatal flaws in the FUSSP.
• All you need to do to get the FUSSP implemented and deployed is to publish an RFC or get a law passed.
• You don't recognize any significant difference between deploying and implementing the FUSSP.
• You plan to publish an RFC mandating the FUSSP but have never heard of RFC 2223 or RFC 2026.
• Inventing the FUSSP did not require that you know the difference between RFC 821 and RFC 822 or that they have been replaced by RFC 2821 and RFC 2822.
• You don't know the relevance of "consensus" or "IESG approval" to publishing RFCs.
• You think all RFCs have the same standing.
• Spammers won't ignore, subvert, or exploit the FUSSP if you publish it as an RFC.
• The FUSSP depends on spammers or mail recipients changing their behavior without any immediate gain.
• The FUSSP won't be effective until it has been deployed at more than 60% of SMTP servers and that's not a problem.
• The FUSSP is easy to implement and deploy, but you have done neither.
• Your job is done after having explained the FUSSP to the IETF or The Industry.
• Programmers will drop everything to implement the FUSSP.
• You think that a violation of an RFC by an SMTP client or server is good and sufficient reason to reject all mail from the system's domain.
• You know that SMTP has no authentication and have never heard of SMTP-AUTH, SMTP-TLS, S/MIME, or PGP.
• You know that the failure of SMTP servers to authenticate the SMTP clients of strangers is a major bug in SMTP instead of an expression of a primary design goal.
• Despite discovering the FUSSP, you don't know the meanings of MTA, MUA, SMTP server, SMTP client, or su