Spam Doubles, Finding New Ways to Deliver Itself
An anonymous reader noted that the Times is running a piece on the rise in spam that you might have noticed in your inbox over the last 6 months. Gates promised the end of spam by 2006, but they figure it's doubled in the last few months. And best of all, a huge percentage of spam is now images that circumvent traditional text analysis.
Gates promised the end of spam by 2006. He still has one month to succeed. It is still possible. I'm waiting. I really want to see that. Thanks, Bill.
-- Rastignac was here.
Spam is really a non-issue for most end users. Even just using Bayesian spam filter software will eliminate the vast majority of spam. Using three or four such filter systems chained together virtually guarantees that no unsolicited commercial email will get through.
Of course, having separate public and limited-distribution email addresses helps, too. Not getting your address in the hands of spammers is obviously a good first step.
That's not to say spam isn't a problem for server and network administrators, who have to deal with higher server loads and wasted bandwidth. But for your average user, it's rather easy these days to avoid spam. With some common sense and the use of modern filtering technology, spam becomes virtually a non-issue.
"The new breed of spam -- call it Spam 2.0"
No, no, no... please, please don't!
Do any large email services compare all email over the entire system to check for spam? If gmail receives 4,000,000 messages from the same IP in 5 minutes, each with the same image attached, you can be sure it's spam. That's still defeatable, though.
The only way I can think of to totally stop the problem is to make it unprofitable. Maybe Bill Gates could stop the problem by producing a high-profile ad campaign telling people to stop buying things from Spam.
Username taken, please choose another one.
We can hire the A-Team to come in and stop them.
I pity the fool who litters Mr T's inbox with ads for home equity loans.
Dedicated Cthulhu Cultist since 4523 BC.
Agreed, I tried to send a cdrom driver to a friend today, and gmail told me that I couldn't. Thanks a lot spam. Even though the file was zipped up.
You're advocating a
( ) technical (x) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
(x) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(x) Anyone could anonymously destroy anyone else's life or business
Specifically, your plan fails to account for
(x) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(x) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(x) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Extreme stupidity on the part of people who do business with Microsoft
( ) Extreme stupidity on the part of people who do business with Yahoo
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(x) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid guy for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
(2) Run *NIX on (at least) one machine in your LAN.
(3) Run Sendmail on that machine (or postfix, or whatever MTA you like).
(4) Listen to your wife and kids complain that their family/friends aren't getting e-mails from them.
(5) Correct the configuration on your MTA (oops - mea culpa).
(6) Listen to your wife and kids complain that they're not getting e-mails from their family/friends.
(7) Correct the configuration of your MTA (again).
(8) Listen to your wife and kids complain that they're still getting spammed into oblivion.
(9) Configure mail filters to hold the spam.
(10) Listen to your wife and kids complain that they're missing valid e-mails.
(11) (Repeat steps (8)-(10) recursively until (8) and (10) no longer happen.)
(12) ???
(13) Profit!^H^H^H^H^H^H^HRelax!
ASCII art to the rescue.
Well, I am against the death penalty in general, but it's an interesting question. Assume the average person lives for 70 years. 70 years is 2,208,984,820 seconds. Now, assume you kill someone aged 30, you are taking away 40 years, or 1,262,277,040 of their life. If a single spam takes 1 second to delete, and a spammer sends out one billion of them, they have done as much damage as killing someone aged 30 - they've just spread it around more. Are the two morally equivalent? Well, that depends on your personal ethical system; there's no objective answer.
I am TheRaven on Soylent News
I have a simple, foolproof idea to help eliminate spam.
Email certification.
If you want to be able to send Certified Email (CE), you apply for Certification from the company that gives you internet connectivity. They check you out, and 'Certify' you as being a legitimate emailer (i.e., not a spammer). Then, you generate a private/public key pair and give them the public one. In the headers of all your email is their certification, and an encrypted header line that's created using your private key.
When email arrives at the recipient's server (or this could be done at the client level, as well), the server sees the certification, and connects to the certifying server to get your public key. It attempts to decrypt the header line. If it does, it marks the email as 'certified'; if it cannot, it marks the email as 'uncertified', and the email client can be programmed to filter messages based on that.
Due to the public/private key cryptography, there can be no certified email spoofing. (Assuming the private keys are secure, the keys are of decent length, etc.) All emails are traceable back to the originating server. CORRECTION- all CERTIFIED emails are traceable. Anonymous email is still possible. People can still set up email servers for mailing lists without "having" to get them certified. And people can still receive non-certified mail.
If an email server sends out spam, the complaints go to its certifier. They can drop the certification, deleting the public key from their server. When this happens, ALL the email from the spamming server is now 'uncertified', and gets handled accordingly by email clients. If nothing is done, complaints go to THEIR upstream, etc. Individuals and groups can keep their own blacklists, if they wish, and anyone can choose to filter emails according to those lists.
Now, I've looked over that 'form email' that people like to post to shoot down anti-spam ideas. And nothing applies to this idea. (If something seems to apply, it's because I either left out details, or explained something wrong.) This idea does NOT need to be universally adopted, nor does it need to be adopted by everyone all at once. It's primarily a way of reliably tracing (certified) emails back to their originating server. The anti-spam part comes later: if you receive certified spam, complain and get the server un-certified. If you receive un-certified spam... well, just have your email client dump all uncertified emails in the trash. (Not necessarily, you could just use its un-certifiedness as a factor in filtering your email.)
This idea does not require anything be changed with SMTP. It simply requires a second connection be made to the certifying server. Now, before you bitch about the extra bandwidth, I'd like to remind you that, once this idea catches on, spam will be greatly reduced. This reduction will MORE than make up for the slight increase in bandwidth created in querying the certifying servers. Also, the certifying servers can set time limits on when the certifications expire, and need to be re-downloaded (kind of like DHCP leases). A 'new' company that just applied for certification might have its certificate set to expire almost instantly. This way, every email they send requires a download of the certificate. This allows the certificate to be pulled rapidly if they start spamming. After a month or two, it could be set to expire weekly or monthly.
To sum up: Email Certification is a reliable way of tracing the certified emails back to their originating server. This allows spammers to be identified unequivocally, and have their certification pulled. Email servers are NOT required to be certified, and anonymous email is still possible. Email recipients can, if they choose, set up their client to send uncertified emails to the trash, or to handle them however they wish. White lists and black lists are still possible. 'Hobby mailing lists' are still possible, certified or not. The extra bandwidth is minimal, and easily overshadowed by the reduction in spam being sen
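The receiver-side check proposed in the comment above, sketched as an added example (not code from the comment or from any deployed system). It assumes an Ed25519 signature over the message in place of the "encrypted header line", and an in-memory map standing in for the certifying server; all type, function and host names are hypothetical. It shows how the lease length decides how long a pulled certification keeps being honoured.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)
// Cert is what the (hypothetical) certifier publishes for one sending server.
type Cert struct {
	Key   ed25519.PublicKey
	Lease time.Duration // how long receivers may cache Key
}

// Receiver is the recipient's server; Certifier stands in for the remote lookup.
type Receiver struct {
	Certifier map[string]Cert
	keys      map[string]ed25519.PublicKey
	expires   map[string]time.Time
}

// Classify labels one message from sender as "certified" or "uncertified".
func (r *Receiver) Classify(sender string, msg, sig []byte, now time.Time) string {
	if exp, ok := r.expires[sender]; !ok || !now.Before(exp) {
		c, found := r.Certifier[sender] // no cached key or lease over: look it up
		if !found {                     // never certified, or certification pulled
			return "uncertified"
		}
		r.keys[sender], r.expires[sender] = c.Key, now.Add(c.Lease)
	}
	if ed25519.Verify(r.keys[sender], msg, sig) {
		return "certified"
	}
	return "uncertified"
}

// Lifecycle classifies a constructed message before and after revocation.
func Lifecycle(lease time.Duration) []string {
	const mx = "mx.example.test"             // constructed sender name
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	_, other, _ := ed25519.GenerateKey(nil)  // a key the certifier never saw
	rx := &Receiver{map[string]Cert{mx: {pub, lease}}, map[string]ed25519.PublicKey{}, map[string]time.Time{}}
	msg, t0 := []byte("constructed sample message"), time.Unix(0, 0)
	good, forged := ed25519.Sign(priv, msg), ed25519.Sign(other, msg)
	out := []string{rx.Classify(mx, msg, good, t0), rx.Classify(mx, msg, forged, t0)}
	delete(rx.Certifier, mx) // certifier pulls the certification
	out = append(out, rx.Classify(mx, msg, good, t0.Add(30*time.Minute)))
	return append(out, rx.Classify(mx, msg, good, t0.Add(2*time.Hour)))
}
func main() { fmt.Println(Lifecycle(time.Hour), Lifecycle(0)) }
```

With a one-hour lease the revoked sender is still classified as certified 30 minutes after the certifier drops the key; with a zero lease the revocation takes effect on the next message, at the cost of one lookup per message.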