Slashdot Mirror
Impoverish a Spammer Today
esj at harvee writes "Recently the Camram project released its latest version of a hybrid sender-pays anti-spam system. The project has proven that sender-pays works and has demonstrated how to make it work with existing e-mail systems. Camram has developed hybrid sender-pays techniques that scale down to the desktop and up to the enterprise. It's a completely decentralized system that can put spam-fighting power in the hands of individuals. It gives you control of not only the current generation of spam, but also any future commercial spam -- why replace Viagra ads from a scam artist with Viagra ads from Pfizer?"
This could really change the way e-mail is distributed.
Craig Steffen
http://www.craigsteffen.net
What happens when your box has just been highjacked by the latest MS exploit and used as a Spam server/relay.
"We all know that Crap is King" - Don Henley
Or maybe businesses should find a new way to communicate internally?
they should be able to survive just fine according to the SPAM nutrition fact sheet
why replace Viagra ads from a scam artist with Viagra ads from Pfizer?
Because I only trust my penis to professionals.
RTFA, it handles mailing lists fine. You whitelist the sender and then they don't need to stamp the mail.
The technology is a hybrid solution to avoid the problem of universal adoption... a nice side-effect of this is you don't demand stamps from your white-list.
I have to say, I think it's quite an interesting combination of concepts, but still requires mass adoption to be useful.
The FAQ says that there is a white list. I assume from reading it that it means that they do not have to pay.
It is just bush and the other idiots who signed the federal law, killed it and made it a recipient suffers system.
Fight Spammers!
Yes, but the point of this is making to make it trivial to send 50 or so e-mails a day, while making it prohibitively expensive in computation costs to send 50 million emails a day.
If it takes 3 seconds per e-mail, the average user won't notice the addition, but the average spammer will have to spend 1700 hours computing stamps to send his 50 million emails.
They have a page with Frequently Raised Objections. Now I've made redundant 40% of the remaining posts to this article.
Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
Why is this a problem? If what you are expected to pay depends on volume then it means that a non-spammer who only sends a few emails a day will have almost nothing to pay while a spammer will be unable to afford the work required to send thousands of emails. Since this is based upon proof of work and not an actual monetary amount, it will not be a cost that is difficult to bear.
Yes, some people who run email lists out of their account will be inconvenienced, but not as much as they claim. They will just need to change the signup message to say "this is a mailing list that you signed up for, so add us to your whitelist because we will not be performing proof of work challenges and will drop you from the list when the first proof of work request arrives."
Some will claim that the hordes of spam zombies out there will be able to do the work on the spammer's behalf so this is not a solution, but it will at least provide some rate limiting for that zombie and it will also make it much more likely that the zombie will be noticed by the user when it starts to chew up CPU cycles.
I agree, but this project isn't exactly e-postage... it's more like E-e-postage... you pay in computational cycles, not dollars (or pounds or lira or whatever you trade in your part of the world).
So as long as you're not sending out several thousand messages to new and different recepients on a daily basis, you needn't really worry.
Ah, but the spammers aren't and won't pay for their servers. They will continue to hijack other peoples machines through worms and trojans and just eat up the CPU time of the zombie machines. This might slow down the overall flow of spam some as the total computational time available is certainly less than the total bandwidth available if the computation function is tuned that way but it's not going to eliminate spam at all.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
I dont consider a white list to be a "good" method. For one thing, most spam I get is claiming to be from a known source (ie someone who knows me has a worm and is spamming from their address book). So you cant just filter by sender. Also, white lists dont deal with the fact that a lot of email is from first time corresponders such as online retail outlets.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
where is that big form listing why it will not?
Casual Games/Downloads
You will have to change your signup mechanism to notify the user that they have to add you to the whitelist, and you will need to change the list admin email to first send a message to a user reminding them of this fact and only after they reply to this standard response to all complaints message will the message filter up to your mailbox. This is a couple of hours of coding for anyone maintaining a mailing list package.
READ THE PROPOSAL FIRST PLEASE!
This is not asking you to spend money, it is asking you to perform a proof of work. This is hashcash, not real money.
From Camran's FRO
One benefit of zombies being used to generate stamps is that the machines will become hot, slow, and probably unreliable, all of which will be noticeable to the end-user. With luck, this means some people will get their machines fixed and reduce the zombie issue.
You just have to love a product that has the potential to toast a clueless luser's computer. I would be more than happy to shell out good money for software that has "Makes PC's burst into flames" listed as one of the features. And this stuff is Free !
--LordPixie
On their site they address zombie machines. They claim that users of zombies would be more likely to notice the infection if it sucked up all their CPU and made their systems run hot...
I somehow doubt that.
But what I can't disagree with, is that getting the same amount of spam sent as they currently are, would take many (orders of magnitude) more zombies. They claim on their site that if you maxed out every known zombie you couldn't generate stamps fast enought to send spam at the current rates.
This could be a step in the right direction, but I am worried about many issues for a sender pays system.
"I'll have a Guinness, no wait, make that a Coors Light" -Grad student I work with, who shall remain anonymous...
Ah, but the spammers aren't and won't pay for their servers. They will continue to hijack other peoples machines through worms and trojans and just eat up the CPU time of the zombie machines.
sender pays stamping is a decent solution to spam, but it's not any solution to stupid lusers.
The solution to the luser problem is:
People need to stop objecting to spam solutions based on the existance of other problems. Sender pays stamping doesn't stop viruses and trojans because it's not supposed to, other systems like firewalls, patches, and anti virus tools are supposed to. Rather than complaining that spam solutions don't solve the malware problem, we ought to be educating people on how to use these things and working on improving them.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
I'm reading TFA and it states quite clearly "Mailing lists don't really have a good solution"
It seems to me that one should need only one stamp generator. I receive a payment request containing a message encrypted with a short private key, and as "postage" I need to decrypt the message and return it. As computers get faster, the key length used to encrypt the message gets longer. The receiver can thus decide how much postage is required.
This way the stamp generator doesn't need to have any secret component, and could be written in any language. It could be part of the mail client.
This is a calculation based stamp, not anything financial. It's not going to cost anything. It allows for white-listing on a per user basis that exempts senders from the stamp requirement. Therefore, if you wanted to get on a mailing list, you'd add them to your white-list. Yes, it's an extra step, but what's one extra step when you sign onto a mailing list compared to having to dig through hundreds of spam messages a day?
Have some (slightly out of date) documentation:
One section
Another section
Ripped right from their website's Frequently Raised Objections:
If anybody can generate a stamp, what is to stop a spammer from generating stamps?
Nothing. In fact, we want spammers to spend as much time as they can generating stamps because it will undermine their economic foundations. As a spammer generates messages with stamps, people can raise their postage based on the spam. Everyone's rates will increase and it'll only affect the spammer and stranger-to-stranger e-mail. Friend-to-friend e-mail doesn't use work stamps and will be unaffected by any postage increases. "
And....
The second attack utilizes zombies as a compute array. But if you run the numbers, you'll find out that the number of zombies known, if run perfectly and full tilt, cannot generate enough stamps for all of the spam in the world today. A tremendous number of stamps would be generated, but not enough for everybody. One benefit of zombies being used to generate stamps is that the machines will become hot, slow, and probably unreliable, all of which will be noticeable to the end-user. With luck, this means some people will get their machines fixed and reduce the zombie issue. Again, if the zombies the start generating stamps, one can always change stamp definitions or value.
[all emphasis theirs]
It's almost like they anticipated this sort of thing. Or, like, thought out their design beforehand. Crazy concept, no ?
--LordPixie
Require your users to whitelist your address, and then don't stamp your messages.
"I'll have a Guinness, no wait, make that a Coors Light" -Grad student I work with, who shall remain anonymous...
And how many messages does the Linux Kernel Mailing List send per day?
You think large legitimate lists will count on everyone subscribing whitelisting the list correctly?
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Did you even read the proposal? I ask because both your original post and your response the the first reply iindicate that you still have no idea how this works, even after someone has been kind enough to save you from your own laziness and point out this proposal is not talking about a montary transation.
So, for your benefit, here is the "proof of work for complete idiots" version:
-You send your spam. Each recipient asks you to perform a proof of work, a mathematical problem that requires some CPU cycles.
-Your CPU starts chugging away at the requests and eventually performs all of the required proof of work.
-Your system responds to the proof of work request and the message is delivered.
-Your spam to your users is delivered, but not instantly because several hours of CPU work were required.
-Cost to you: nothing except a bit of electricity to keep your CPU chugging.
It doesn't matter whether spammers hijack others' machines or not. proof-of-work stamps will still reduce the amount of spam. Without PoW stamps, a spammer with the same number of machines will be able to send an order of magnitude more spam.
Proof of Work stamps don't magically give spammers a horde of zombie machines to spam with. They have those machines whether or not real people use stamps.
Combining challenge/response with cpu stamps, java and other factors. It allows the problem to change over time, requires no new software at the sender's end (which is the big non-starter) and still allows anonymous mail.
It's at this page on cpu stamps and challenge response.
Has it been over a year since you last donated to the Electronic Frontier Foundation
Also, white lists dont deal with the fact that a lot of email is from first time corresponders such as online retail outlets.
Er, if an "online retial outlet" is sending me email I did not sign up for, then that is SPAM and is exactly the thing this is supposed to prevent!.
If you *do* want email from a certain company, and you signed up for it, then you should add that domain/email to your white list. Simple as that.
So the next spam zombie worm will just whitelist everyone?
I suspect the goal of a program like this really is not to stop spam. The goal would be to increase the marginal return from the spam that gets sent and for the network to grab a piece of the action.
When someone is paying you, it is extremely difficult to make judgments on quality of the mail. I've seen lots of email lists and newsletters start with good intentions then devolve into a garbage fountain.
In the end the pay to send networks will take money from anyone.
The real goal of such schemes is simply to increase the marginal returns from the spam. As the amount of spam sent to open email accounts reaches astronomical proportions, I can't help but think that the amount of cash the spammers get per email is dropping. I can't help but think that the end goal of pay for spam is that by throwing a rich third party into the equation, they will increase their return.
The first is semicorrect, but remember the system falls back to whitelisting and CRM114 if an email arrives without a stamp. You can always whitelist mailing lists even if you feel confident enough to turn off the CRM114.
Yes, but to perform a useful brute force attack, from the point of view of a spammer, you'd need to hijack more computers than exist on Earth. Again this goes back to the fall-back. This is a "only if both parties choose to play will they benefit, and if one chooses not to they lose nothing" scheme. So users of email will put up with it. No it doesn't. Again, players benefit, those who opt out lose nothing, they end up back with their sent emails screened by users with whitelists and CRM114, which is no different to the situation right now. Again... Doesn't require a centrally controlling authority. In fact, this is touted by the proposal's proponents as being one advantage it has over the stupid identity verification systems proposed by anti-spam zealots. This proposal has nothing to do with taxes. No money is sent. Look, it's quite simple. You have an email client that, on sending email to someone for the first time from a particular email addresses, generates a "stamp" which is computationally difficult to generate - ie it'll take some time. There's no money involved, except in that people wanting to send huge amounts of email may - may mind you, not will, depending on how they send the email - have to invest a few billion in Apple twin G5s. No, spammers can be as dishonest as they wish. They'll have to be unbelievably smart to get around this. What blacklists? It still will be. I think this is a remarkable idea, and is the first rational anti-spam system I've seen proposed for a while. It solves the false-positive problems inherent in AI filters like Bayesian and CRM114. It doesn't hurt innocent parties. It's interesting, I'd like to see more analysis but I think it actually has a chance of working.Which presumably means the anti-spam zealots will fight it with all they can muster...
You are not alone. This is not normal. None of this is normal.
What needs to be done is to go after the spammers directly. Can you imagine the law enforcement coming up with a plan to fight drugs that involved making crack vials and little ziplock bags cost $5 each. Sure the people that buy them for legitimate reasons can register for a discount or their volume is so small it doesn't make a difference. Does this make sense? This is not a problem that will be solved with technology. Laws have to change and they need to be enforced.
Legitimate bulk emailers, isps, large corporations and the govt should do something about it. It's gotten insane.
Open Source Java DAO Generator
The algorithm appears to be:
Does it have a stamp? If so, add to white list and PASS
Is it on the white list? If so, PASS
Does it pass a CRM114 check? If so, PASS
Otherwise, FAIL.
The information is on the configuration page. It ought, I think, to be in their FAQ.
You are not alone. This is not normal. None of this is normal.
You might have a point if this scheme involved using money. In this case, however, the "payment" is a proof-of-work. The user is paying in CPU cycles "spent" to send the message.
Your example of "Email from nonspammer - not going to get filtered, if it does, will send again." is somewhat flawed. Do you think a (reasonable) spam filter will not detect two similar emails from apparently the same source and draw the obvious conclusion? Looking at my Yahoo! Mail Bulk Folder, the spammers are sending me the same emails every day, often with the same From: lines.
Ultimately, yes, they'll find a way to contact you for the first time, but it'll take a little trying and they will not necessarily know they failed at all. Or they can send you a stamp with their first email, and everything will just work.
What this system does is provide a mechanism that guards against the destruction of legitimate email and ensures you are always easily contactable by anyone making the effort to contact YOU specifically. If the time comes that your filters are useless, you can turn off those filters, turning them on again for those occasions you're expecting legitimate non-stamped email.
As far as the last sentence goes, the economics are all wrong. Spammers want to send email to everyone. If this idea has widespread adoption, they'll need a few billion dollar's worth of Apple G5s to get a single message out. If this idea doesn't, well, they're not going to even care much about not being able to contact you. It's a win-win situation for you, and a lose-lose situation for the spammers.
You are not alone. This is not normal. None of this is normal.
No, it's not perfect. But not much is. People can and always will be able to spam. However, this measure does help. A lot.
:]) Heck, even mainstream outlets like CNN would be more likely to report on the issue if it's this obvious. Now, there will always be the utterly clueless who will continue to operate regardless. But there will be not be enough of them to provide the critical mass needed for spammers.
For starters, sending out 1/10 your E-Mail means you're no longer making a pile of money. Odds are, it will still be profitable. But that's not very motivating. Some spammers might not mind just running a few scripts to automate getting 1/10 of a pile money. However, the drop in profits will significantly ruin the market for spamming tools. If spammers no longer make a boatload, they're no longer going to pay a boatload for anonymailers, zombies, E-Mail lists, etc. Thus, people are going to be less motivated to code these damn things in the first place. That will make it a lot more difficult for those who actually want to spam to actually pull it off.
And with the more obvious symptoms of infection, more people will get it cleared up. And the more this happens, the more word will spread. Nobody educates a luser like another luser. (They at least speak a common language.
--LordPixie
As for low-power devices, sure, that's a problem. Unless you have a better idea, though, you'll just have to live with TMDA or some other solution that doesn't require as much cpu time. You could even send your key to recipients ahead of time and get them to pre-whitelist it.
As for the other comments, you ought to read about camram. camram whitelists by pgp keys, not by sender. Initial messages have both a hashcash stamp and a pgp key. If the hashcash stamp has enough bits, the pgp key gets whitelisted. Spam operations would have to generate a high-value stamp for each recipient. Sure, they could send to the same recipient address twice, but why would they?
Furthermore, any pgp keys that spammers manage to get people to whitelist could be added to a DNSBL-type blacklist. The spammer would then have to generate a new key and generate hashcash stamps for every recipient all over again to get that new key whitelisted. Think RAZOR with a feature that feeds obvious spammers' keys into a dnsbl.
You may be an anti-spam kook if...
Click Here, it's funny in the so-true-it's-sad way