Spam is Dead

Vainglorious Coward writes "Two years on from Bill Gates' promise to eradicate spam, an article in The Observer claims that spam has passed its peak and is now declining. Is it just me that hasn't noticed this?" I got almost a third more spam in 05 than 04. I guess I exist outside the bell curve on this one.

Oh Please

[GmAz]

As soon as 2006 hit, my gmail account started getting spam. I have gotten 7 today alone. Argh.

Re:Oh Please

[GmAz]

But considering that I only use this e-mail account for family, its quite amazing. I have another account for online purchases and other online stuff. I used to have an account that I quit using because of hundreds a day. I left it be for about 6 months and I had over 55,000 unread messages when I closed it. Good 'ol yahoo mail.

Centralized Email

[(1+-sqrt(5))*(2**-1)]

The problem with the micropayment- or trusted-sender-model seems to be: What stops someone from setting up pop3 cum sendmail and ignoring the illicit contract?

Gates and co. would have to have an effective monopoly on email traffic for that to work. (Which might have been conceivable before the advent of Gmail, by the way.)

Re:Centralized Email

[James_Aguilar]

My understanding is that if it someone were to attempt this, they would have to somehow pay the account of the *receiving* program, not the sending program. So, for a person at Hotmail to receive your email, you must pay ten cents. That would be the only logical way to run this kind of system.

Re:Centralized Email

[Phat_Tony]

Here's how I assume micro-payments work: You come out with a standardized system for handling micropayments- that is an open, say, xml format so that any micropayment applications can talk to each other. Then any company that wants to handle micropayments (Paypal, Yahoo, Citibank, Fred's Bargain Micropayments, etc.) starts selling them. When you (your email app working automatically, or whatever) buy a micropayment, it comes with a tag saying how much it's for, who sold it, and what it's record number is. These get attached in the standard micropayment format as an attachment to an otherwise normal email record. The recipient computer's email program then goes and establishes a secure connection with the person who sold the micropayment and makes sure it really exists and is for the right amount. Of course, maybe Fred's Bargain Micropayments is an illegitamate vendor who exists only to facilitate spam and will "confirm" payments but never give you the money. This is why your email client will automatically go get lists online of known, valid micropayment vendors.

Who will maintain these lists? Anyone. Google? Consumer Reports? will they be free, or require micropayments or subscription fees to access, or be ad supported? Who cares, markets competition will work it out between vendors and consumers. At any rate, the basic system is sound, and does not necessarily require any sort of vendor lock-in to work.

To the user, all you have to do is set up your email client with the secure server(s) providing lists of valid micro-payment and email-insurance vendors (or use whatever defaults it comes with), and then tell your client how much money you require (reject, or move to SPAM folder, all messages that don't come with a payment or insurance policy of over $0.015) or whatever. Then say you get a piece of marketing mail you don't want insured at $0.02. Your computer checks the micropayment insurance vendor list and finds the vendor specified is valid, then it goes to the vendor and finds that the listed payment is valid, so the message goes in your inbox. You look at it, you decide it's spam, you click the "get insurance payment" button in your email client, and it goes and retrieves the $.02 and puts it in your account. The spammer who sent it will then see that you collected their payment, and either decide it's worth $0.02 to them to get stuff to you, or else take your name off their list so you don't collect any more of their micro-payment insurance policies.

Re:Centralized Email

[shanen]

Typical of the bogusity of the /. moderation system that the relevant posts are downmodded, eh?

Anyway, the OP is only half right. Yes, you cannot solve an economic problem with legal or technical bandaids, but you don't have to completely centralize things as long as you make it impossible to divide by zero. At least that's how the spammers think of their costs. If there is even 1 of the red real kind associated with each piece of email, the spammer's 'economic model' collapses into dust.

Okay, so let's blame Al Gore. After all, everything else is his fault. Because he was so effective in getting unconditional funding for those pointy-headed hackers, they didn't even think about building real economic models, and ever since then we've been cleaning up the resulting mess.

Yes, I'm joking about the blame, and if they had been too worried about how the money parts would work, maybe they never would have gotten around to inventing the Internet in the first place. On the other hand, there needs to be some balance between the reality and the abtract, and the Internet hasn't found any good balance yet.

Re:Centralized Email

[Anpheus]

There was an interesting idea a while ago that would institute a 'CPU fee.' Say, force the computer to add some data to the end of the document, and increment it until a certain unique property is found in a hash of the message. Any mail server could check this hash versus the message, and drop any that fail. Say, making the first 20 to 25 digits of SHA-1 to be all zeroes. Tests like this ensure that there is a minimum amount of CPU time being put into processing the message. Bulk mail would provide an even greater challenge, as attempting to send a million messages would require a fee of millions of CPU time for a desktop PC. 1,000,000 seconds is about 12 days. A slight increase in the amount of processing time could occur over time. Say, if some breakthrough occured and CPUs leaped ahead in processing speed, the amount of processing could be increased correspondingly. Spammers will have to pay to buy more computers or have to give up spamming entirely.

Re:Centralized Email

[StikyPad]

That a solution isn't perfect is not a reason to dismiss the solution entirely. Besides, what if there was a whitelist for people who could e-mail you for free?

Re:Centralized Email

[shanen]

Spammers' perspective of the cost of sending email. What's another 10 million spams if they think their cost is zero? It matters because that's how they 'figure' their RoI. If they get another $39 for their verbal Viagra substitute spammed to the extra 10 million people, then they divide by zero and think their RoI is 'infinite'. Of course, the flaw is that email is *NOT* really free, and millions of other people are bearing the costs for the spammer.

Maybe not declining, but simply changing

[chriss]

My spam peaked early 2004 with about 30,000 mails per stuffing not only my inbox, but also my DSL connection. I had a "catch all" option on several dozen domains and most of the spam I received was addressed to non existing mail boxes. Due to my local spam filters very efficient handling of the problem I only started to worry about the situation when downloading all the spam started to take hours and my provider complained about the daily traffic.

The problem with the non existent mail addresses became a large one sometimes in 2003, when enough people had some kind of spam filtering that deflected most of the usual spam. I guess that sometime in 2004 even the last catch all rules have been disabled, so that today simply guessing email addresses will gain nothing for the spammer.

So maybe spam has not really peaked, but there are simply different waves of spam techniques. Some of them rely on mass, others on tricking the filters. We may simply be in a "smart spam phase". A lot of the spam that reaches me today shows the message as a picture instead of text and I have not yet figured out why thunderbird will display those pictures, since I disabled this.

But the article is right in spam becoming something like a background noise. I still have to manually mark about 100 mails per day as spam, but I got very fast in recognizing it and it only takes a few seconds. I'm always astonished if I meet friends whose email address have not been public for more than a decade and who are very annoyed if one or to mails per week pass their spam filter. To me it is like complaining about banner ads. It's just an unavoidable part of the internet ecosystem, like mosquitos.

Chriss

--
memomo.net - brush up your German, French, Spanish or Italian - online and free

Re:Maybe not declining, but simply changing

[sp3d2orbit]

If anyone annoys me with their ads, I leave. I don't block their ads, I simply don't read their website any more.

This strategy isn't too well thought out, it just makes sure that everyone loses. Using an adblocker means that I get to see the content on X site while not having to see the add. I come out ahead and it costs the company a little bit to show me the content. They also don't recoup any of that cost in terms of advertising dollars since I never saw the ad. Overall the company is slightly worse off and I'm slightly enriched.

The strategy of avoiding the site, however, means that no one sees the content or ads. No one is any better off, and no one is any worse off. A better strategy would be a combination. Adblock, and visit, sites that have annoying ads. Don't adblock the non-annoying ads. Viewing non-obtrusive ads on certain sites leaves both you and those socially responsible marketters better off. On the other hand, annoying advertisers will see their costs soar with revenue stagnant. ...and knowing is half the battle.

Re:Someone Forgot To Tell The Spammers

[Threni]

> You are opening yourself up to massive spam if you make so much as a single post
> there

I post to Usenet all the time, using an unobfuscated email address and I don't get any spam, so either what you're saying is no longer true, or gmail's spam protection kicks ass!

Re:Spam is dead for me.

[Buran]

I wouldn't buy from someone whose corporate address is run out of a free web-based email service. If a company can't bother to have its own domain name or is blatant about using free-mail for its official corporate functions, then they appear no better than the stereotypical pimply kid running a business out of his parents' basement. I don't know how many customers bypass you because of this amateurish idea, but I know I would.

Why not register a domain and have all the corporate email addresses just forward everything to the corresponding gmail account? (you say you gave up your domain, so I'm guessing you're all joeblow@gmail.com). It would look a lot more professional. Domains are so cheap these days that there's not really an excuse to continue to use amateur-appearing tactics. You'd probably be better off with this compromise, or a similar one.

Big deal.

[Ethan+Allison]

With Gmail, and I think most of the other webmail services (Hotmail, Yahoo, etc.), roughly all spam is sent to the spam folder, and I never have to look at it. So how is spam doing any significant "damage" to email? The average person probably wouldn't be annoyed by having a spam filter.

My Adblock filters

[pinano]

I didn't even notice that TFA had ads. My Mozilla AdBlock filters are pretty minimal, too:

*.falkag.net/*
http://adserver./
*.atdmt.com/*
*.indieclick.com/*
http://adsrvr./
*.burstnet.com/*
*.tribalfusion.*
*.doubleclick.net*
*.loanweb.com*
*/ad.asp?*
*/ads/*
*/sponsors.*
*/advertise/*
*/adimage.php?*
*googlesyndication.com*
*personals.yahoo.com*
*/banners/*
http://ads./
*.valueclick.com/*
*.chitika.net/*
*/bannerads/*
*/marketing/*
*.adrevolver.com/*
*&adspace=*

24 filters, and I don't see more than 10 or 15 ads a DAY. I can't beat Yahoo, though, because they store their ads right in with the pictures for news articles and stuff. Keenspot uses the same dirty trick; I can't read some Keenspot comics without having to see Keenspot ads.

really?

[Phil+Urich]

My own gmail account remains Free and Clear; I actually got one spam message ever on it, and I've had it for quite awhile now (and get quite a few e-mails and even subscribe to a few yahoo groups via it). And it's not like my e-mail address is that obscure, just my own first name followed by two other letters (and then the @gmail.com, naturally). The same could be said of my ISP e-mail address, or my university e-mail, or my hotmail/msn address, or even better my yahoo mail address which I fling around willy-nilly to sign up for things or whatnot whenver they require an e-mail address. And yet none of those e-mail addresses, all of which (except for my Uni one) I use astonishingly frequently and throw around all over the place, get any spam. Whatsoever. None. Except for that one gmail one (which ruined my perfect record, grr).

Note, also, that I turned off spam protection in hotmail, turned it off in yahoo mail, have none for my ISP one or my Uni one (both would only mark e-mail as spam instead of blocking it anyways, so I would know), and etc. Considering how high the signal-to-noise ration is, the possibility for false-positives understandibly outweighs the miniscule spam concerns I would have.

So what the hell am I doing right that most people seem to be doing wrong?

First off, none of my addresses are entirely intuitive or plain. No numbers even, nothing other than pure letters, but nothing that would show up unmodified in a wordlist or namelist (not even with good ol' "two random letters at the end of the string"). My sister has a gmail address of the same length as mine, but gets literally hundreds of spam messages every single day. The difference is that hers is her last name, while mine is my first name with two letters from my last; so hers is likely to show up in wordlists. That seems to be the kicker.

Meanwhile, my yahoo address seems to attest to the idea that signing up for things online won't get you spam, BUT the things I sign up for are message boards at places like BeyondUnreal.com or the official The Trews webboard or maybe to view some newpaper online (for those amnesiac days that I don't remember about BugMeNot). So nothing particularily sketchy.

In other words, as long as a person is relatively smart about how they handle their e-mail, they should be fine, 'tis my theory. This theory is not without major flaws, though, I'll admit. And furthermore, sometimes a person just wants a specific e-mail address, and it sucks then that it might just doom them to spam.

And further going down the questionable route of using my own personal experience as a scientific study, seeing as I had no spam until that one message, it would look something like this, starting arbitrarily in 2000:

2000 - 0%
2001 - 0%
2002 - 0%
2003 - 0%
2004 - 0%
2005 - 100% OMFG 2005 IS TEH SPAM APOCALYPSE
2006 - 0% (so far...)

So, in other words, I can prove anyone right. Parent? Sure, spam has
increased DRAMATICALLY in the last while. Naysayers? Bah, spam isn't
a problem! Etc. Ah, subjectivity.

Re:really?

[fingusernames]

So what? Your steps to avoid spam don't disprove that it is a massive problem, or that it is worsening or lessening.

I have had the exact same email address since 1990. It is just three letters long, and is plastered all over the place on Usenet from the 90s, various old web pages, mailing list subscription lists from before they were confidential. I receive about 1300 spam messages per day on average, every day. And that is AFTER the MTA (Postfix) eliminates a lot of spam through DNS blacklists, RFC and RDNS compliance checking, and so on. I'll be doing greylisting next.

I also help to run the mail system of an ISP. Spam and viruses, by far, are most of the email these days. By far.

Spam is a horrible disease on the Internet. It increases the cost to everybody, in bandwidth, the cost of staff at ISPs battling it, and in end-user time wasted on it.

Larry

Re:Spam is dead for me.

[nwbvt]

"We're switching 3 big companies from Exchange to gmail."

Unless you work for Google (in which case you should have mentioned it before you started this thread) that is almost certainly a violation of their Terms of Use.

Re:Technical Solutions solves all problems

[vertinox]

...no: there is no technological fix to ingenious asocial behavior.

Yes there is. It is called a gun.

And its application is a bullet to the head of the anti-social person given by the governmental authorities of the day. The anti-social person can no longer affect society and can no longer by pass any methods intended to keep him in check.

But of course there is a major moral problem with my suggestion and should never be taken as advice.

I'm just stating the theoretical situation in which technology trumps social behavior. Obviously, its an extreme and we don't want to be going around shooting spammers (even though I'm sure some of you want to) but eventually given enough technology you can prevent everything.

Or rather what I am saying is that all social and political problems can be solved with technology. It just depends on your application of the technology and how far you are willing to go with the application. I'll take a bit of annoyance with my freedoms though.

Micropayments for eMail

[lumbercartel.ca]

This couldn't be handled at the client's end reliably because that would defeat the whole purpose (not to mention being a target of all those SpyWare vendors) -- in order to prevent bandwidth waste, it would have to be handled by the server.

For this to work, servers would have to indicate the going rate for messages (either by size, number of recipients, number of messages, etc.), and then the sending system would have to either accept it and actually transfer funds before sending the message, or just abort the transaction. The sender could choose how much they want to pay for this "ePostage" before sending it, and then the server could handle it automatically.

The main problems I forsee with such a system are eMail lists (as someone else already pointed out), and automatically generated eMails from other services (free or otherwise) that the user has signed up for. Why should Google AdSense or PayPal or eBay have to pay to notify me that my contact information is invalid, for example (I'm sure a skilled con-artist can see obvious ways to exploit something like this)? And do the users also deserve a share of this income, or just the ISP?

In addition to that, a few technical matters will need to be resolved before anyone can start thinking about even implementing such a system:

0. A new protocol to replace SMTP will be needed (it's not appropriate in my view to add this to SMTP, which is based on a trusted model rather than a costed/financial model). The protocol could be exactly the same as SMTP, but with one additional step inserted immediately after the "HELO/EHLO" stage in order to reduce development overhead for everyone.

1. Automated micropayment transfer protocols will need to be available to these new mail servers, and high-volume servers will need to be set up by the various providers of these financial services. Features will need to be able to handle currency exchange in a simple manner. Dispute procedures will need to be very, VERY well thought out.

2. The potential for criminals to launder large amounts of money by setting high rates or just claiming high volume when it doesn't exist (and both sides indicating this to be correct) in order to facilitate transfers between one another would be of great concern to government and military organizations aiming to impede the funding of so-claimed enemies (e.g., mafia, terrorist groups, trade blocked nations, etc.).

3. Micropayment service providers will likely compete on such things as percentages (e.g., they keep 0.05% of each micropayment to help cover their costs), various service charges (including fees for dispute resolution), usage fees, monthly service fees, etc. Banks are well-known for these types of tactics, and these micropayment providers will likely earn the same notariety.

In the end it will all just end up being very expensive and time-consuming, and I suspect that people will simply abandon it in favour or reverting to SMTP again in order to save money.

It's an interesting pipe dream, but I don't see how it will catch on in our current global economic climate given the current costs of doing business.

Huh??

[Eggplant62]

Based upon my logs and those of two other machines that I do mail admin for, I'm not seeing that at all. If anything, there are more infected Winboxen out there than ever before, spewing tons of trash, and it's usually the Russians, Soloway, or some mysterious spammer hosted in a block of Chinese servers, all sending via these compromised Winboxen. If anything, my numbers are down at home, though that's because I can be a bit more restrictive about my firewall rules. Spamassassin is doing a very good job at filtering a large majority of this drek.

How Lucky You Are To Get Mail In English

[patio11]

I keep three email boxes -- work (also has my old college address forwarding to it, for business/professional/family use only), gmail (general use, except I give all US-based or English-using websites this address), and yahoo Japan (general use, except I give all Japan-based websites this address). I get zero spam at work in my inbox because the address is non-published, and all of the spam comes to my university address where it gets munched by Spamassassin and spat out by Thunderbird. I've never gotten a single spam at gmail in a year of using it. Yahoo, despite everyone telling me "Their filtering is great, gets almost as much as Google", is *buried* in spam every time I open it, all very sickeningly spammy content in Japanese (can you imagine an email saying, in plain text, "Local girls want to meet you tonight to have SEX! Join our matching site, only $10 a month!" getting through your spam filter in this day and age? Thats what all my spam looks like -- they don't even bother trying to obfuscate.) I can only assume that this is because yahoo and Thunderbird's content analysis breaks down on Japanese... probably for lack of a decent segmenter for languages which aren't written with whitespace. Someday I've got to take a look at Thunderbird's filtering and see if I can't improve it a little bit. I work at a technology incubator in Japan and when they say, "Hey, patio11, got any ideas for what you would do if we gave you a lot of money?" I've got a pretty good idea :

1) Take Spamassassin
2) Make it work in Japanese
3) ???
4) Profit.

Reductions in Spam

[Exter-C]

I have been system administrating several large scale email servers with around 50,000 users or so in total. During the "spam peak" we would have over 400 spam emails a minute being marked which was around 60% of the total email volume through that period. Now we are seeing around 60 emails a minute with more users and domain names on the system than before. However statistics are not everything. If we look more closely at the stats we see that while we would have an average of 400 emails per minute as spam it would peak up to several thousand a minute at times and sometimes it would be less than 20-30 spam emails a minute. While now we are almost flat lining at around 55-65 spam messages which means its not as big a drop as would have originally expected but it is still a drop. One of the issues we also note is that many of the cable providers are now blocking port 25 which was traditionally a large percentage of the traffic spam on our service.