Slashdot Mirror
Microsoft Researchers on Stopping Spam
TheBackBencher writes "Scientific American today has a very interesting article about "Stopping
Spam" by Joshua
Goodman, David
Hackerman and Robert Rounthwaite from Microsoft Research. They talk about different types of spam -- spam with emails, spam on IMs, spamlinks
on web pages and image based spam. They mention different techniques for
spam filtering mainly fingerprinting matching techniques, n grams model,
naive bayesian approach, optical character recognition, challenge/response systems and Human Interacted Proofs (HIP) in a very lucid style. They however do not mention fingerprinting approach of using Nilsimsa Hash to
tackle addition of random words by spammers in emails or hypertextus interruptus technique used
by spammers of splitting words using HTML comments, pairs of zero width tags,
or bogus tags. Also, Spam-Research is reporting the
SplitFit
Technique that Spammers are using to fool Yahoo! Mail SpamGuard."
Creating your own spamming division, use illegal tactics to undercut your spamming competition, put them out of business, then stop spamming.
I have an idea for stopping spam. How about sent mail is not flagged as recieved until it is viewed by the user. Once it is viewed, it can be flagged as good or flagged as spam. If the mail is flagged as spam, the mail could be sent back to the orignal host as unreturned mail.
So for every mail that is sent out, once flagged as spam, could be sent back. Of course, normal spam filters would also flag the data as spam. If the e-mail is returned to the host, maybe they will remove the e-mail from thier list. Otherwise they will just recieve a bunch of spam as well as sending it. It could clog up bandwith pretty good.
However this probabally wouldn't work if they somehow spoofed the sent address.
If it was developed it can be reversed engineered. Sorry to say but spam is here to stay unless of course someday the internet becomes regulated somehow.
Also, force all ISP's to monitor how much bandwith a source has. If you get too much usage per day, say 200 megabytes or more, then that person has to explain why they need that much bandwith. If someone gets the RIAA on board, with their lobbyists, that should pass very quickly.
Also, force all email to have some element which identifies the source. Not just a header that can be forged, but something that can't be hacked. And if a source can not be found, but it is selling a product an identifiable site, charge that site just as if they were the ones sending the spam.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
Spam is like porn: hard to define but you know what it when you see it. That can be hard to program I would think. But, who knows.
http://www.busyweather.com/
The ebay.com link showed up at the bottom of the browser, but was replaced with some kind of javascript mouseon event. This is probably not new.
Instead of random text to fool Bayesian filters, it had hidden recent news article summaries (bracketed by html comment tags) that would be similar to what you might post to a friend.
Spam filters will probably be upgraded to catch this soon, but it was the first time I had seen it. And of course as mentioned in the article, the ebay specifics where obfuscated by html tags between letters.
Letter To Iran
If Microsoft email clients had a "bounce" feature spam mail wouldn't be such a problem. Microsoft should take a lesson from KMail. Ha!
Nothing like letting them keep their mailing lists up-to-date automatically.
give spammers a 9 year prison sentence.
Msft research tackles war and poverty.
Technology merely enables ppl - whether they choose to do good or evil with it is beyond technology.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
No, Spam is easy to define, it is any unwanted emails. Name elements that make spam:
1) It is a form of communication
2) The communication is unwanted
3) The source of the communication is hidden
4) In recieving the communication, you use your bandwith or incur a cost
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
That'd probably be the best thing M$ could do to help reduce spam.
So, does Microsoft Research plan on combating Spam with a Bob-like approach, or the more refined Clippy approach?
:).
Or are they going to come up with an entirely new file system to combat it, hype it up for every Windows release, but then delay its release a few more years?
Oops, pardon me while I reminisce about all the great advances Microsoft Research has given me
my blog
Don't you mean, Microsoft Mergers & Acquisitions?
"Who says nothing is impossible? Some people do it every day!" - Alfred E. Neuman
Publicity in general is each day more like SPAM.
For example, i don't consider google's adsense SPAM. But, for example, the ANNOYING flash banners m$ pays EVERYWHERE to get their crap into your mind IS SPAM.
With certain advertisement, you only here about a company once in a while. If a giant like m$ spends millions on publicity, and you just here about them ANYWHERE, all the time, regardless of how much you try to avoid them, then, that's SPAM too.
Just think about this: Try to live an hour online whithout listening about micro$oft. It's just not possible.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
I don't undertsand this. On one hand, you have the police saying they can't track spammers. Spammers use drones, they remain hidden, they hide their tracks. On the other hand, if you unsubscribe, they know your email is a real one, and you get more spam. That tells me whoever runs the unsubscribe service is in cahoots with the spammer and is just as guilty. They have to know where to send their lists? Just track them as part of the war on spam.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
Also, Spam-Research is reporting the SplitFit Technique that Spammers are using to fool Yahoo! Mail SpamGuard."
How much credence should we put into an analysis from a guy who goes to the spammer's web site to unsubscribe?
I thought the name David Hackerman was a bit too good to be true, and it turns out it was. Following the link shows that his name is David Heckerman . Note to /. eds: please proofread your posts. It's not like they're very long...
ISP's just have to restrict the number of emails that each account can send in day. After all does John / Jane Doe need to send thousands of emails a day ?
Robert
If the people who click on and buy things through spam--and therefore making spam a profitable business--were all horrifically murdered somehow, that would solve the entire problem without the need of any of this technological muckery. The only technology you would need to develop is be some kind of device that can murder people cheaply and efficiently.
Dera Blcraays Mbmeer, Thsi eamil was stne by the Barclays serevr to vreify yuor emial adsserd. You mtsu competel thsi pssecor by ccilking on the likn bewol and entireng in the smlal wiodnw yoru Braclays Membership nrebmu, passcedo and meelbarom word. Tsih is doen for yruo proteoitcn - buacese semo of our mrebmes no lonegr haev assecc to theri emlia adserdses and we muts virefy it. To vyfire yruo eiaml arddess and accses yruo bnak anuocct , cilck on the lnik bolew:"
That email is extremely difficult to filter out because the only 'real' words are no, of, our, and, etc. Simple words that occur so many times in legitimate emails that most spam filters practically ignore them. But I have to wonder.. who would actualy 'cilck on the lnik bolew' anyway? I hate to use the term 'you get what you deserve', but if you are naive enough to click the link, then the problem isn't your spam filter, it's you.
You know, sometimes in software industry, they are stuck with old code, and over the years they keep adding bug fixed and work arounds, to make it still usable, until at some point, the cost of keeping that code updated requires more effort than a complete rewrite of the software.
:)
All these bloated technologies like optical character recognition and flawed baysian and other content scanning techniques, just to keep a very simple and perhaps extremely outdated SMTP server operational, seems quite absurd in todays advanced technology world.
I'm thinking we need to start introducing secure mail servers, linux based of course, which deal with trusted security certificates.
Now I think that Thawty, Verisign and Microsoft, just like domain name registrars, are ripping us off our money for a few lines of text, but we need mail servers that have security certificates, so that only trusted mailservers can relay e-mail and all other sources are rejected.
Or another white listing mechanism needs to be used. I really haven't thought about this much, but if we assume we get rid of Simple Mail Trasfer Protocol and turn it into a Highly Secure And Paranoid Mail Transfer Protocol of some kind, what would be the options?
Currently whitelisting sources and using an automatically generated confirmation e-mail to the sender as a verification method, is I think the best, though not always user friendly, way to fight spam. Another way is a distributed spam fingerprinting like they exist.
While I love to beat the shit out of spammers, because in today's world, nobody can spam without knowing they are pissing off the majority of the people, I think using legal means to fight technological flaws, including prosecution of hackers or other admirable technological curiosity, is the wrong way to go.
Technical problems require technical solutions. And I'm sure we can come up with something better than SMTP.
I'd like to see a technology that protects the privacy of the majority, but where the majority (not the govt) can reveal the identity of a spammer (by comparing distributed spam resources and using replacement for SMTP protocols) when the majority of the users think so.. a democratic way to public scrutany so to say, though there's a danger in that too. I trust linux users' healthy level of paranoia, but not that of windows users.
Cheers
Lest we forget that Microsoft wants to control everything that appears on our desktops.
Anybody remember Microsoft's 'Push Technology'?
Neither do I.
Bar
a couple of dead spammers and the problem will be radically reduced.
especially if law enforcement decides not to waste resources investigating dead spammers.
The article barely mentions economics, and only in terms of the real costs of email--which only shows how much room there is for a real economic model with real business, real email, and *NO* spam.
I really wish one of the major email players would offer an option for prepaid email. That would be an absolutely spam-proof system. It doesn't matter if the postage is two cents, the spammers can't afford it. Two cents against 50,000,000 spams turns out to be *REAL* money. Any email via that address would be at least some kind of real thing.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
Sorry. I couldn't help myself :^(
My digital rights don't need management.
Here's my solution to the greater unwanted communication Anti-spam paper submitted to Conference on Email and Anti-Spam
Error: Id10t detected
Each year they will announce that This is the Year of No More Spam on the Desktop (of course this never happens).
Or they will invent a brilliant new way to stop spam but as it requires the user to recompile all their OS and apps every 3 days it never gets used.
Or they just tell the end users "Why dont YOU code some anti-spam software?"
Or they produce an anti-spam system but the user must install 3 desktops and window managers, requires a 10,000 line config file that must be written by hand, comes with either missing or misleading documentation depending on the version you download and randomly purges any non-free software from the hard drive.
Legally, this is promising. First, there's no free speech issue. Second, in most jurisdictions, it's illegal to operate an anonymous business. So most spammers are criminals. Third, laundering transactions through intermediaries is usually a crime, too.
The problem for law enforcement is that following the money is difficult. Additional technical support for that would be a big help.
A good starting point would be to get a credit card issuing bank to cooperate in a scheme where, when one of their credit cards is used, full transaction details, including the payee's full identity, are immediately returned to the cardholder, using encrypted E-mail or some other secure means. That would make "following the money" much easier. This only requires one cooperating bank. That bank's credit cards might become popular with heavy Internet users. Especially if this works for prepaid credit cards, so you can find out who's behind a web site by using some disposable credit card.
The next step is to crack down on "credit card intermediaries". Non-bank credit card intermediaries that handle spammer transactions should be stuck with the legal liability of the spammer. Legally, they're the "merchant". They shouldn't be allowed to pass the buck to some other party. This will make "cheap merchant accounts" harder to get, which is probably a good thing.
A very simple way to stop spam would be to charge someone a small amount of money for example a penny for every email that is sent. That amount will go to the person who is receiving the email. Thus for every email that you send you need to pay a penny and for every email you receive you get a penny. Thus the total cost of sending an email will be zero if whoever you wrote to writes back to you. This will even out the cost of sending and receiving emails. The only person who this would hurt is the spammers who send out millions of emails to total strangers who most often just delete the junk that they receive. So this solution is good for people who use emails for legitimate reasons. Heck this way spammers can send me all the emails that they want, I will just be making money off of them.
Why not use a hidden markov model to filter spam that use random digits as filler?
A very basic filter will work this way:
Train a network of say, 30 to 40 units, with any english text. The training text doesn't just have to be limited to letters and numbers, it can include other ascii characters as well, because the hidden markov model will create distributions for them as well.
Now, for each new email that comes in, grab random chunks of text (maybe random 30-character strings) and see how probable the text would be in this hidden markov model. If it turns out not very likely, then scrap it.
Any thoughts?
First, I guess you didn't see the guy in VA who just got something like 9 years in jail.
That said, spam doesn't obey jurisdictional boundaries. Any single country can only solve a small part of the problem, and any spam incident often involves over 3 jusrisdictions that may be in separate countries (sender, spambot, recipient, etc). That's a logistical nightmare that isn't soluble outside of a dream world.
Also, force all ISP's to monitor how much bandwith a source has. If you get too much usage per day, say 200 megabytes or more, then that person has to explain why they need that much bandwith. If someone gets the RIAA on board, with their lobbyists, that should pass very quickly.
That's fantastic. Trade a bad problem for one that's much worse. Get the RIAA to legitimize their practices by using a guise of stopping spam? Let's not.
Also, force all email to have some element which identifies the source. Not just a header that can be forged, but something that can't be hacked.
Now by force, what do you do if they don't? Enforement issues again here.
Ultimately, legislative solutions for spam DO NOT and CAN NOT work for much but a small part of the problem. It's satistfying when some moron is clumsy enough to get caught (as with the guy in VA), but mostly these days the spammers aren't that stupid. Technological solutions work far better.
Yes the ISP could monitor the bandwidth on port 25 or just block port 25 and people could still download ISO or large updates. This still wouldn't stop it. Why? What about servers in Russia or China. Do you think american laws have any effect on them? Have you ever tried to contact an admin in China? What a joke.
Just who is going to charge this site for the spam? Even if you find the site how are you going to find the owner? All whois info on a site like this is a lie. ICANN will not drop a site for bad whois info.
Talking aobut the ISP they are using, most use someone like UUNET or a 100 others that do not give two sh_ts what they are doing as long as they are paying the bills. There are ISPs out there that this is where thay make their money. What are you going to do about them?
Why this is modded intresting I do not understand. It is obivous that you don't have to chase these kind of people for a living. None of your ideas will work.
I wish they could....
Is there really such a thing as a solution to spam? For every new technique that is developed, the spammers will find a way to circumvent it. Spam is a multi-million dollar business. I'd go so far as to say that it's a science. At least, the spammers seem to have it down to a science.
Trying to find a solution to spam is an idea in the eyes of experts and analysts. But to spammers, it's a road block that they must work around to stay in business.
Spamming techniques will no doubt end up as signatures in spam filters that are not unlike those signatures used by IDS and virus scanners. The experts don't seem to understand that if there's a will, there's a way. And the spam will just keep coming in another form or by some other technique. All that can be done is to keep up with changing techniques and patterns and treat spam for what is truly is -- an attack vector.
How about taking the current spam fighting techniques and just adding some spellchecking? Too many mispelled or gibberish words/phrases - it is spam. For folks using IM, that think beeing 1337 is so cool, this might not work. But for unsolicited email it should work fine, shouldn't it?
/ALLIU..
/ALLIUM, V1C0DD1N, Z0LOFT, S0MMA, V1AAGRRA..
Here are the subject lines of the last couple of SPAM notes my daughter got:
Re: VALLlUM C1ALlS VlAGRA
use C0DE1NE, C1AAL1S, V1AAGRRA, V1C0DD1N,
profession Z0LOFT, C0DE1NE, V1AAGRRA, C1AAL1S, V..
AAA replica LV Bags & Rolex Watches at good prices
young
These were all caught by comcast's built in filter, so she never actually received them, but since SPAM filters are so good now it is obvious that these louts are relying a lot more on misspelling to get through.
Well they weren't really a spam company, they sold software that allowed you to generate spam messages. I was going to do some telephone sales for them, cold call their market (I know, it's evil but I was calling corporations, not individuals, and I needed some cash) but after I got a copy of their software and became familiar with it's capabilities I felt icky, like I stepped in something, I couldn't in good conscience work for them. It had been presented to me as a customer contact software package - but it had too many little sneaky features that marked it to me as spam software, (built in SMTP server, throttle control on smtp activity so your ISP didn't get mad at you, and a bunch of message generation/tracking options) or at least there was nothing stopping customers from using it in that way, no matter how the company described their product.
The rock, the vulture, and the chain
Any spam defense model that analyzes the text is doomed (until the advent of bona fide AI).
Domain Keys is similar to an idea I had a while back for a trivial thesis topic (stupid prof dismissed it out of hand). I think authentication to remove the anonymity of spammers, combined with laws to regulate it, is the solution. Since any domain can serve up its own public keys, there is no need to have a centralized certification authority, either.
hackerman or heckerman?
I wish my last name was legally hacker. I'd change my first and middle to black and hat respectively.
-Tim Louden
Try to live an hour online whithout listening about micro$oft. It's just not possible.
Especially if you spend that hour on slashdot.GETPKG - Package Management for Slackware
I see all this time and money being invested into research to block spam. But we need to rethink our premises: does spam even need to be blocked? Is it actually a problem?
What you call "spam", I call "emails that help me learn about the latest products, websites, and business models". You want less of it? I want MORE of it. "Spam" keeps me informed about the world. And the fact is, consumers LIKE spam. Why do you think spam is profitable? Because people buy the products advertised! Studies show that 3 in 5 people who dislike "spam" have actually bought something online. So frankly, you need to be real careful about how you define "spam" because you could be targeting something you LIKE.
or hacks users makes no difference to the spammer
As an evil company, they probably spam better than filter.
That hypertextus interruptus technique is, in fact covered in the article (at least in the print edition - it may have been a sidebar that did not come through in the web page.)
I'm always kind of surprised that no one mentions cloudmark Spamnet in any of these discussions - it's worked for me for years, and it takes advantage of that one remainging vulnerability of spam - you know it when you see it.
Spam damages productivity, period. I, for one, don't want and don't need to know about "V14gra and C1Al15", can I shove it upon your ass?
3 in 5 ppl who dislike "spam" have actually bought something online Hm... you mean, from the spammers? I guess not...
Doesn't Outlook let you filter for only messages that come from addresses in your contact list? That cuts down on most spam - even spoofed address spams don't usually target people in the address owner's contact list. They just harvest addresses from phishing or web pages, which doesn't access contact lists.
The viral spams, where a virus reads a contact list and sends itself to the contacts from a familiar (and actual) address, are vulnerable to a server-based strategy. Servers could detect identical (or nearly) messages received by multiple recipients. Servers could check hashes of the messages with each other, to see if the duplicates are spread thinly across many servers. Then flag those messages as spam, or just "bulk mail", for client filters. Once a message was identified as spam, its hash (including a fuzzy hash) could immediately flag any matching message as flash.
With Microsoft distributing so many email clients and servers (plus Hotmail), they could drastically cut spam with this simple comparison tech. The time they spend on these exotic research techs are really just a way to generate PR, fanning their image as "smart". I guess their PR delivers better ROI than their product development. And then there's the actual profits they make on spam. Maybe MS isn't so well positioned after all.
--
make install -not war
Glorious! Microsoft Research turns their attention to Spam. Let's hope they're more successful than their research into preventing viruses, fireall penetrations, mail worms and mail attachments (hello Outlook).
The single MOST effective anti-spam is to stop supporting mobile IP and ".forward" mechanism.
Once done, then ALL mail administrator can then implement DNS verification against the sender^H^H^H^H^H^Hspammer's IP address. If they don't match, NULL-BIT bucket it.
Seems like a small price to pay for restoring normalcy (until the next SMTPv2 comes along).
just a wild guess...
what happend with the senderid thing?
of course they could see a buissiness problem if people stop wanting to use email, and thus thier exchange servers, or maybe even they are tired of it...
but really, i smell another patent grab...
Does this mean HP can take out patents on spam, and sue anyone who uses it without a license?
The spam division could be bigger than the printer division... (Compaq bought DEC, HP bought Compaq.)
Between SpamAssassin, procmail, and MUA filtering rules, I rarely get to see spam anymore. The spam which does slip through is so absurd and surreal that it's more hilarious than annoying.
If everybody did this, the volume of spam would quickly dry up. Because when people don't see the spam, they can't respond to it, and when they don't respond to it, the spammer doesn't have a business.
Educate the people around you and help them reduce the spam that gets to their inbox. Don't support solutions which effectively render nodes at the network periphery to second-class status.
They blocked the block function for microsoft messages in hotmail.
... it's called "HotMail"
How else do you explain getting 50 pieces of junk mail a day even when you never use your account?
Have you ever thought about why these ads are legal and there nothing being doen to stop them? You should get yourself educated.
I just got out of a six-hour meeting, so I'm a bit senseless. But I see no one has posted this yet, so:
Your post advocates a
(X) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(X) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
(X) Incompatiblity with open source or open source licenses [hey, it's Microsoft... they've probably already submitted the patent...]
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
Spam = killing babies
see all this time and money being invested into research to block killing babies. But we need to rethink our premises: does killing babies even need to be blocked? Is it actually a problem?
What you call "killing babies", I call "emails that help me learn about the latest products, websites, and business models". You want less of it? I want MORE of it. "killing babies" keeps me informed about the world. And the fact is, consumers LIKE killing babies. Why do you think killing babies is profitable? Because people buy the products advertised! Studies show that 3 in 5 people who dislike "killing babies" have actually bought something online. So frankly, you need to be real careful about how you define "killing babies" because you could be targeting something you LIKE.
The rock, the vulture, and the chain
Disabling javascript is the number one way to avoid phishing scams and annonying email/web browser behaviors. Just say no to bad technology!
This article in Scientific American says /. there was another article about how spam was LESS of a problem for people than in the past.
5 7208&tid=111
"The suffocating effect of spam sometimes seems likely to undermine, if not wreck, Internet communications as we have come to know them."
Which seems to mean spam is getting to be MORE of a problem than in the past.
But yesterday in
People are More Accepting of Spam
http://it.slashdot.org/article.pl?sid=05/04/11/01
So which is it?
Personally I have MUCH MORE spam than I had a couple of years ago.
It is handled marginally better but THERE IS LOTS MORE.
For me Spam is much more of a problem than at any time in the past.
And yeah, it does and will wreck internet communications as we have come to know them.
.
You have to find the distribution of bot nets and wipe em out, then find the bot nets and whipe them out.
1. find all bot net PCs
2. once found, firewall them so they can ONLY LOOK at the ISP homepage, nothing else.
3. dont let them in until the user cleans the PC.
4. find the irc channels that bot nets connect to, and log their servers to see who is controlling the bot nets, if a private irc server, firewall it world wide amongst the big ISPs/international gateways.
5. Find all trojan websites and get the hosters to delete them, if not, then firewall the WHOLE HOSTER.
Liberty freedom are no1, not dicks in suits.
People with a small penis will be killed so there is no need for "Enhancement" And I will personally handle all loans and mortgage transactions.
MS Researcher 1: "I've discovered that the only way to stop spam is to stop using Windows!"
Bill Gates: "Communist. You're fired."
MS Researcher 2: "Uh, I've discovered that convincing everyone on earth buy Windows is the best way to stop spam!"
Bill Gates: "Kiss ass. You're fired."
Steve Ballmer: "Uh...I don't unders-"
Bill Gates: "Hey, firing people is fun, Steve! Why would I give a fuck about spam anyway?"
Ok so your going to make a filter tester for 2000 languages?
Im sure email that is written in PNG or other languages that arent in the top 10 will look like '99% wrong spelling'
Liberty freedom are no1, not dicks in suits.
We're geeks, so we're thinking of technical solutions. However, the best part of a decade's worth of technology haven't even slowed the pace of growth of spam. No technical solution can be anything but temporary.
The problem doesn't lie here, anyway. The problem is that spam is profitible, because people buy shit from spammers.
So, we need to engineer THAT behaviour. The US has some of the world's best marketers and advertising people. It's time to turn them loose on the problem.
And run a massive education/marketing designed to reeducate the idiots who buy from spammers. Make 'em feel like suckers, make 'em feel unamerican. Make 'em feel scared and alone--publicise stories about spammers running up millions in bogus credit card charges, or working with identity thieves to drain people's banks accounts.
We have to condition the public NOT to respond to spam. This will be counter-intuitive to the powers that be, because all of the rest of US culture is trying as hard as it can to do the opposite with regard to advertising media.
If the bushitters put a quarter of the pressure on banks and credit card companies over spam that they've exerted over porn, the problem would be halfway to being solved.
I'm guessing Microsoft will cripple Outlook or Windows so that it's not possable to spam using that software.
This of course will have zero impact on spam.
As to my solution...
Enforce existing laws.
Most spam violates quite a few laws.
Truth in adverting.
Harrasment.
Dishonnest buisness practaces.
Advertsing to someone who can not legally buy the product.
If any spammer tried any of this via cold calling or postal they'd be in jail but spammers get a pass.
Don't loby for more laws just yet. Loby for enforcement of the laws we already have in place.
If needed bring spam in complience with junk mail and telemarkting.
I don't actually exist.
How many of those "3 out of 5 people" are bitching about getting emails asking them to buy some h3rb4l \/14gr4 and then hitting "reply" and ordering a whole case of p3|\|1s p1LLs? To be contradictory, that is what people would have to be doing. Getting hammered with "R3f1 ur m0rtg4g3!!!" emails is a very different proposition from actively deciding "hey, I need a new router" and buying one from an online merchant.
Never trust anyone in the computer software industry with a last name of "hackerman." Sorry, I couldn't resist.
This morning I got a new kind of spam. It was ascii art promoting valium viagra xanax and many more. The mail was formatted in a pre-tag and the font size set to 2.5. Creative spammers...
> You've gotta sin to get saved.
"Scientific American today has a very interesting article about "Stopping Spam" by Joshua Goodman, David Hackerman and Robert Rounthwaite from Microsoft Research. They talk about different types of spam -- spam with emails, spam on IMs, spamlinks on web pages and image based spam. They mention different techniques for spam..."
I can hear the Vikings chanting now.
To prevent this day from getting worse, I'll just read ERROR as GOOD TH
Don't put fucking windows boxes on networks! If spam wasn't sent via zombies, the real-time blocking list would make all this go away (the tinfoil hat wearers amongst us could make their own lists).
/. didn't have such a damn silly length limit for subjects!
It's only because crappy microsoft machines can be used to obfuscate the source of the mails that they can do send this many mails without being barred.
IT'S FUCKING MICROSOFT'S FAULT FOR PROVIDING MILLIONS OF FREE PROXIES!
J.
PS I'd have put a question mark on the title if
You're only jealous cos the little penguins are talking to me.
The overwhelming majority of spam filter deceiving techniques relies on HTML. If you block messages containing HTML on the mail server, the spam that gets through is near 100% identifiable as spam using bayesian filters.
So why on earth do people still use HTML in their email? Email should be plain text only anyway.
the macintosh asterisk mailing list http://www.astm
> spammers of splitting words using HTML comments, pairs of zero width tags, or bogus tags.
:)
Personally I'd like to be able to specify that I simply will not receive HTML mail. If someone does send it to me then I'd like my mail server (even better my ISPs mail server) to automatically return a "this recipient does not wish to receive HTML formatted email, please either resend as plain text or don't bother" reply (or is it that this is already possible and I'm just too lazy to work out how to do it ?
Maybe I'm old fashioned but I just like plain text. If I want to read it using a fancy font I'll set that myself thanks.
Sky subscribers are morons. They pay to be advertised at !
It's because in this capitalist world money makes the rules, and the big companys rule that they want their product down our throats, all the time. And legislators are part of that system. The law should be a printed reflection of the set of ethical rules of a given society, but in many cases, IT'S NOT, or it's based on the mindset of a group of people that has no ethics, or they ethics has been seriously compromised by their own thirst for power and money. So, NO, the fact that this shit is legal doesn't make it correct or ethical.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
Did the researchers also look at making operating systems more secure. Most of the spam that I get these days is from exploited/trojaned or other systems. If we can slow the source we can help eliminate the problem.
Got a question about UNIX ask it here : Unix/xBSD Forum
You can define your willigness to receive a message in programmable terms, thus spam could be:
-Messages whose senders I have not authorized to send me messages (that authorization could take the form of signed emails, white lists, etc)
IANAL but write like a drunk one.
Is anyone going to be stupid enough to respond to this one?
1. Most civilized countries are sick and tired of SPAM too. E.g., most European countries. So there is enough scope for a spam free zone, if the USA does want to get its act together and cooperate. It's not like you're alone against the world on the SPAM issue, except for the fact that:
2. It's mostly your spam that's dumped upon the rest of the world. USA is currently _the_ biggest source of spam, followed by... offshored operations paid for by someone from the USA.
So on one hand, the USA could halve the SPAM traffic on its own, without even needing much international cooperation, if it actually got its act together. And on the other hand, hey, there's a lot of incentive for a lot of other countries to cooperate. Just show us where to sign, if it means we'll stop getting your crap in our inboxes.
3. Once you have secured an EU+North America treaty on that issue, the rest of the world should IMHO be actually pretty easy.
We're talking some major combined economic power there. Any country who doesn't want to play ball with that kind of a behemoth can be whacked into submission in a variety of ways, ranging from economic sanctions to just disconnecting them from the Internet.
Makes that country unattractive to spammers too in the process. See, I don't think spammers want to target the local citizens of Elbonia with their operations. You disconnect them from the rich targets, you've killed that operation. So any country which thought it'll get rich by sheltering spammers, will quickly lose that investment too and be left with just the other disadvantages.
So I think they'll play ball.
4. But I don't think the spammers want to move to Elbonia or East Bumfuckistan and run their operation from there anyway. They might pay some local 5 bucks to run a server for them there, but they don't want to go live in a third world country. Those countries aren't that much fun.
You may see that even for legitimate operations, IBM might offshore their tech support to India or China, but you won't see the CEO of IBM moving there. (And those are already developping countries, not third world ones.)
A polar bear is a cartesian bear after a coordinate transform.
What about making it a crime to purchase products advertised via spam? The spammers may not care about enforcement, but John Q. Public might give it a second thought if he could be held accountable for supporting the industry.
No, that's just one part of the problem. Take a close look at the old Cyberpromo case. The ISP's are refusing to dump spamming custoomers because professional spammers pay bills the ISP's need paid to stay afloat, and the ISP's are very nervous to act on their own due to liability concerns.
Even if an ISP cares a bit, it's expensive and dangerous to cut off a spammer. When Cyberpromo found their colocation sites being cut off before they even spammed because the upstream network providers refused to permit the downstream colocation companies to carry Cyberpromo as a customer, it was a bit of a legal train wreck. It wasn't ended by legal means: it was ended because Cyberpromo's primary ISP, agis.net, had the upstream router for Cyberpromo denial-of-service attacked out of service and kept that way for days, until agis.net threw in the towel and dropped Cyberpromo. Mind you, they had grounds to drop Cyberpromo due to criminal activity by Cyberpromo such as bringing major ISP's to a grinding halt with fraudulently sent spam floods, but this was typical.
The point is that it's not just unsecure machines: there's a real problem with the process where it's very difficult to act against a spammer, and each spammer can stay in business for years.
There is also source code to create your own spam filter (Java)...
I realize that. But Europe isn't the real problem either, it's Asia. And it only takes a few jurisdictions who don't care to keep spam rolling. And it's also easy to find cracks in jurisdictional entanglements even if everyone works together. Look, if we were talking about murder, they might get it together. But I don't see the FBI and Interpol getting their braintrusts together to solve spam.
It's mostly your spam that's dumped upon the rest of the world. USA is currently _the_ biggest source of spam, followed by... offshored operations paid for by someone from the USA.
Don't know why you're making this a US issue. If I were to bite, I'd also say we have more people connected, and I haven't seen stats that say we spam inordinately given our internet presence. But this is an international problem regardless, it doesn't matter.
Once you have secured an EU+North America treaty on that issue, the rest of the world should IMHO be actually pretty easy.
I wish. China will pay lip service but they don't have the resources now to solve a problem they don't really see as a problem. Look at copy protection as an example. They'll sign the treaty and smile, and that'll be that.
We're talking some major combined economic power there. Any country who doesn't want to play ball with that kind of a behemoth can be whacked into submission in a variety of ways, ranging from economic sanctions to just disconnecting them from the Internet.
You only have so much political capital, and I don't think nations are willing to use it on spam. Really, it's not enough of a priority. So no one's going to make that level of a threat against China. China would be insulted, it would set back relations severely, and they're doing worse things (like dumping product against WTO rules). So again, not happening. If our Attorney General went into a cabinet meeting and said that if China didn't cooperate on spam that we'd disconnect them and sanction them, he'd be laughed at. If we don't sanction them for unfair trade and human rights violations, we aren't doing it for spam.
But I don't think the spammers want to move to Elbonia or East Bumfuckistan and run their operation from there anyway. They might pay some local 5 bucks to run a server for them there, but they don't want to go live in a third world country. Those countries aren't that much fun.
No? How about Aruba, where all the internet gambling sites run? Bottom line is there will always be enough places that don't play ball, and that aren't worth shutting off from the net. And there will always be spambots, so that wouldn't help anyway. And there will always be enough jurisdictions that don't have enough time/money to pursue this problem that really doesn't hit the radar of (for example) our Department of Justice which generally has bigger problems. So you can forget about the nations of the world getting together to hammer out a solution to this problem. I don't plan to sit on my hands waiting for governments to solve the problem.
Utimately, yes, this problem could be solved if everyone worked together. But if you think that'll happen, you're truly naive.
Out of ~40,000 e-mail, only ~4000 were valid messages.
No wonder I abandon e-mail quite some time ago.
Though, it is fun to reminsis over the past via gmail
Anyone interested in antispam technology should give the Whitedust article 'Defeating Bayesian Filters'. Registration is required I'm afraid but it's free... so... Enjoy ;]
Since we turned on SPF/Caller ID on the barracuda box, our spam has gone down to maybe 3 or 4 messages per day per user. SPF is so easy to implement and it could end all spam.
Really had the mods going there.
Perhaps Mr "Schwab" is selling penny stocks and wants to expand his market?
My thought is simple. White list.
Any mail you receive is automatically classified as spam unless it was sent by a known, approved sender.
Now let me go back to deciding if the sender of the Nigerian Penis-enlarging Hot-N-Horny Virgins is a friend.
This post encoded with ROT26. If you can read it, you've violated the DMCA. Handcuffs please, sergeant.
What I hate is when someone spams a member group so much with so many links in posts that the group ends up breaking up over the attacks. I just quit about 10 groups over the same spammer; Lou Gentile is supposed to be a talk show host on the radio, but he either/or knows 20 or 30 different people that are willing to post all the same posts every day, and I mean long posts that take up a lot of room in your email when they get forwarded to you from your group. So many names and everyday a new header- there is no way to filter it all. So I quit all the groups this was happening in. Of course now I am getting a few from them anyhow as they mined my email, but that I may be able to filter, may mind you, cause they are always finding a way to annoy. As to the rest of it, I skim the rest of my email just to make sure a piece of good email isn't in the junk. I never open anything I don't know. But I can spot a phish a mile away and that is begining to take more of my time as I feel it is my resposibility to report those to the fraud investigators. You see I do no electronic transfers of funds whatsoever, and any financial activity online raises immediate flags, everywhere. Any bank or paypal, ebay and so on, is known to be fraud. I don't even write checks. So I am able to help out a number of investigations groups by reporting and auto-alerting activity which is new. So there is talk of Spam not bothering people as much, well it seems to be screwing up my life pretty good. Ruins good groups, and I seem to be taking up 4 times more this year reporting fraud online.And I don't go looking for it, it comes to me. Jerks.
MYSTERY
why not just run a spell checker on suspected spam?
if there are too many misspelled words, flag as spam:
Thsi eamil was stne by the Barclays serevr to vreify yuor emial adsserd. You mtsu competel thsi pssecor
also, with some adaptation, this can work with HTML e-mail:
1 - do not even parse the HTML
Hypertextus Interruptus: Fi</n>nd N</n>ew </n>Fri</n>end</n>s
Slice and Dice: <br>U<br> <br>O<br>a<br> <br>D<br>u<br>a
Ze Foreign Accent: eárn mõnéy thrôugh unçõlleçted
The Black Hole: V<font size=0></font>i<font size=0>
etc...
none is a valid dictionary word, so that there will be many misspellings...
2 - strip only valid HTML tags, leaving any bogus HTML tags such as ab and run the spell checker again, looking for both misspellings and trigger words.
3 - just strip all HTML codes and check the resulting words, both for spelling and for trigger words.
4 - to avoid possible false positives, since valid HTML will also fail step one when the HTML is not parsed, parse the HTML and see if there are many valid dictionary words. since non-spam usually uses "nice" HTML this should be easy to parse, if the HTML is not valid, flag as possible spam.
can also check the ratio of HTML tags to text outside the tags, if there are lots of html or html look alike tags in the code, relative to the text, possible spam.
-avi
That it is a good idea to stop using email clients that automatically execute live code or allow disguised programs to have the appearance of some other class file luring unsuspecting neos into double clicking into virus heavan. Or email clients that allow access through scripts to the address book with no warnings? For example that odd Outlook product. "satire for the humor impaired warning, well actually so I won't be sued satire warning"
- Tjp
I am in wallow with my inner money grubbing capitalistic pig. ... Oink!
I posted this below and got modded troll! No fair!
J.
You're only jealous cos the little penguins are talking to me.
Clearly, no law of a single country can hope to end spam. Only about half of all junk e-mail comes from the U.S
Well, "only" is a nice understatement. The population of the USA is about 4.5% of the world population. (OK, not everyone on earth has a PC)