Slashdot Mirror
Impoverish a Spammer Today
esj at harvee writes "Recently the Camram project released its latest version of a hybrid sender-pays anti-spam system. The project has proven that sender-pays works and has demonstrated how to make it work with existing e-mail systems. Camram has developed hybrid sender-pays techniques that scale down to the desktop and up to the enterprise. It's a completely decentralized system that can put spam-fighting power in the hands of individuals. It gives you control of not only the current generation of spam, but also any future commercial spam -- why replace Viagra ads from a scam artist with Viagra ads from Pfizer?"
The problem is that I've seen no good way to stop non spammers from paying as well.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
So how will this effect hobbiest/enthusiest webmasters like myself who own and run our own web and mail servers and send out thousands of emails per day to users who are subscribed to our site and need to get these emails (they're updates about transactions they're involved in -- NOT spam). Messages that, when they aren't delivered for some reason, the recipients get upset and ask what is wrong -- that's how important the email is for us.
So how will this affect us? I make no money off of my site and I can't afford to spend any money sending email (on top of the costs of my site already). Even 1/100th of a cent would be difficult for me to spend (that would be an additional 10% to my monthly expenses which already come out of my own pocket!).
For the average home user who sends a dozen emails a week, this won't matter. At 1/100th of a penny, they'd only pay a couple bucks a year - but for someone like me who is volunteering to run a service for people but does not, has not and enver will spam - it is unfair to expect me to pay out 10,20 or 30 bucks a month or more. Especially when all that would be necessary is for the SMTP protocol itself to be retooled to be more secure in the first place.
Others have mentioned that this will make it easier for the user to notice that their PC has been hijacked, but another side-effect is that it will perform a rate-limiting service on that zombie. If each zombie can only send 100 messages an hour instead of 100,000 then that is another important benefit.
It seems to me that one should need only one stamp generator. I receive a payment request containing a message encrypted with a short private key, and as "postage" I need to decrypt the message and return it. As computers get faster, the key length used to encrypt the message gets longer. The receiver can thus decide how much postage is required.
This way the stamp generator doesn't need to have any secret component, and could be written in any language. It could be part of the mail client.
The only ones that can stop spam in its' tracks are the credit card companies. You have to make a purchase with a card. Have the credit card companies stop any payments to known spammers - problem solved. This is the bottom line - stop the flow of cash - stop the problem. Is there any reason this cannot be done? Why is this never mentioned. The companies that facilitate spam can stop it today.
Stay tuned for new sig...
Like whitelists and keywords, this is a special case of a token-based system. Token-based systems depend on the sender performing some action that is, at the time they send it, sufficiently hard to predict, unusual, or onerous for a spammer to bother with it.
For example, I have certain addresses that bypass my spam filter either partially or completely, and I have set up a scheme for my kids whereby a sender has to know a "magic word" to get in. Whitelists, of course, make the sender address the token.
Right now, these are good enough.
Spammers are beginning to respond to whitelists, though, and trying to guess sender names. It's only a matter of time before they start using the address books in their zombies to build up lists of probable whitelists, and start sending spam using pairs of addresses from the same address book the way viruses already are.
Not all devices will have enough computing power available. My grandmother has an Amstrad E-mailer. How long will it take the 4Mhz Z80 in there to generate a stamp? How about the cpu in my phone?
From the Faq "You only generate a stamp the first time you mail someone." So when all 20 of the biggest spamhouses have generated a stamp for you, you are right back at square 1? Net cafes with changing clientelle pay a higher price than spammers? Forged headers cliaming to be from friends don't need a stamp?
A pizza of radius z and thickness a has a volume of pi z z a
I agree - worms are the biggest problem with this scheme. You can't hold the spammer accountable because the spammer is most likely not even sending the spam but using millions of zombie machines.
The best way to deal with the problem is follow the money then show up at 4am and stick a Glock in the face of the spammers and their family members. After they shit the bed give them the option to play nice or die anonymously. Harsh? Yes. But not quite as bad as prior reform methods such as the Pyramid of Skulls*. I may be biased, my computer system was compromised by trojans from those bastards last week and pretty much I am still pissed about it.
* Historical note on the making decortive yet functional pyramid of skulls (taken, I shit you not, from kids.mapzones.com): 1258 Baghdad was conquered and sacked by Hulagu, grandson of the great Mongol conqueror Genghis Khan. Hulagu killed all the scholars in Baghdad and erected a pyramid from their skulls. He destroyed the elaborate irrigation system that the Abbasids had established. Iraq became a neglected frontier area ruled from the Mongol capital of Tabriz in Iran. In 1335 the last great Mongol ruler of this region died, and anarchy prevailed. The Turkic conqueror Tamerlane sacked Baghdad in 1401, again massacring many of its inhabitants. He, too, built a pyramid of skulls. Tamerlane's invasion and conquest marked the end of Baghdad's greatness.
And then watch the user list fall to 2%.
My heart bleeds for you. Oh woe! You want to send your users with messages that you think are legitimate (something they may disagree with)
Listen, retard - I run a heavily used auction site and trust me that people get mighty pissed off if they aren't getting their email notifications of new bids, being out-bid, lost passwords, lost usernames, closed auctions and whatever else. This isn't shit *I* think are legitimate. This is shit THEY DEPEND ON TO CONDUCT THEIR FUCKING AUCTIONS.
but do not want to be bothered with the inconvenience of putting up with your users asking you to participate in a spam rate-limiting mechanism or ask them to add you to their whitelist.
No - what I don't want is to be bothered with having to teach users how to use a whitelist and count on them to use it consistantly. I have enough trouble with users who don't realize their mailboxes are full and why mail from me is bouncing or why they aren't getting email when they couldn't spell their own email address correctly or why they aren't getting my email - when they are and it's just going into their spam folder because hotmail sucks ass - that's what I don't want to be bothered with.
It may not seem fair to make everybody go thru a security checkpoint, just because of the actions of a few -- but you can bet your sweet ass it is necessary.
As an aside, I would wager that the percentage of your messages that are actually read by the recipient goes up, after this protocol is put into place. Because for the simple fact that your legit messages will no longer be lost in the noise of illegitimate ones.
Why can't they send out the messages via RSS or some simliar technology? You'd email your message to the list, & the list would RSS it to all the interested people. This has the advantage of letting people read without subscribing.
Seriously, does anybody know why this hasn't been done? I'm not an expert, so I wouldn't know of any limitations. I'm thinking of a cross between newsgroups & mailing lists.
testing out my trending skills
The problem should be obvious.
Right now spamming hurts ISPs so they are our biggest allies in the fight against it.
This proposal would make spam profitable to ISPs.
They would become our biggest enemies.