Spam is Back With A Vengence
Ant writes "The Red Tape Chronicles reports that just last December (2006), the FTC published an optimistic state-of-spam report. It cites research indicating spam had leveled off or even dropped during the previous year. It now appears spammers had simply gone back to the drawing board. There's more spam now than ever before.
In fact, there's twice as much spam now as opposed to this time last year. And the messages themselves are causing more trouble. About half of all spam sent now is "image spam," containing server-clogging pictures that are up to 10 times the size of traditional text spam. And most image spam is stock-related, pump-and-dump scams which can harm investors who don't even use e-mail. About one-third of all spam is stock spam now."
Wife: Have you got anything without spam?
Waitress: Well, there's spam egg sausage and spam, that's not got much spam in it.
"No matter where you go, there you are." -- Buckaroo Banzai
Until the SEC hasn't gone aggressively against one of the most blatant pump-and-dumps, nothing will change.
Last month I installed FuzzyOCR on my Spamassassin setup and I can now testify that rare is the image spam that gets through. I wrote an article about it if you want more detail: http://serendipity.ruwenzori.net/index.php/2006/12/19/fuzzyocr-hits-debian-unstable-and-eradicates-image-spam
I'm sorry but your message from articles.slashdot.org was REJECTED because it has been flagged by our system as spam. You may not be the source of the spam, but our servers do not respect SPF flags and therefore accept, process and then bounce almost any old slutty slice of bits that get hucked our way. We blame you, the owner of the spoofed domain.
To get a hard copy of this message please send $1 to Happy Dude, 742 Evergreen Terrace, Springfield.
Promotional consideration has been provided by the Russian Mob.
These stories are free but worth money.
The problem with punishing the firms advertised is that it is very hard to prove. It could be that they hired an advertising firm which represented itself as legitimate. It could even be that someone spammed in their name to try and damage their reputation.
# cat
Damn, my RAM is full of llamas.
In spite of the rise in spam, you can still keep everything but the stray message or two a day hitting your inbox if you configure SpamAssassin well. Get a guide like McDonalds' SpamAssassin and follow the steps for the usual configuration based on examining headers and referring to Razor. Then, take a massive collection of all sorts of spam, from text pump 'n' dump to image spam, and feed it into sa-learn, SpamAssassin's Bayesian training system. A good setup with extensive Bayesian training will cut out almost everything. And it's not too hard. If you can install a Linux distro, you can configure SpamAssassin.
However, this is obviously only to filter spam coming into your own box. When I am travelling, I try to force myself to leave my laptop behind in order to truly relax, but that means that I have to use my e-mail provider's web interface. And when I see that my Inbox has 500 messages after just 36 hours, then I start to understand the grumbling that SMTP is broken and we need a drastically reformed protocol.
I simply don't get any.
Deleted
Akismet is what a lot of Wordpress users (and many other bloggers) use to prevent comment spam. They've got a pretty neat stats page that shows the volume of spam they have blocked from their creation. They are relatively new, so the fact that the graph trends upwards so quickly also has to do with the fact that their userbase is still growing. But it's unquestionable how large a spike I saw in the end of November and December. Particularly over the Thanksgiving/Christmas holiday weekends. I have a personal server in my house that was MELTED by the amount of hits to my dinky little blog. It would go up and then 30 seconds later would be unresponsive and have to be forcefully rebooted. It even killed my D-Link router.
I'm posting AC so slashdot doesn't melt my server again...
One entry found for vengeance.
Main Entry: vengeance
Pronunciation: 'ven-j&n(t)s
Function: noun
Etymology: Middle English, from Anglo-French, from venger to avenge, from Latin vindicare to lay claim to, avenge -- more at VINDICATE
: punishment inflicted in retaliation for an injury or offense : RETRIBUTION
- with a vengeance
1 : with great force or vehemence
2 : to an extreme or excessive degree
What's a Vengence?
This is the sig that says NI (again)
I do not like spam. Or their tactics or their pollution of our servers.
But I got to say,
Thank God nobody has EVER been "conviced" yet.
I think you meant "Convicted."
I think death is a little harsh, although I have spent many a night, grepping log files, and running trace, on many domains outside the USA; While Drunk and screaming, " die you fuckin spammer. " adding their /8 or /24 to the iptables.
There's probably some smartass geek out there that will say, but there's ways to kill spam now, it's 2007 not 1996! Yeah, guy there may be ways, but they do not work on ALL systems!
If I can bring up a webpage within a second just by typing the URL, I should be able to bring up an e-mail by sending an equivalent request. By making the protocol *push* rather than *pull* you set the stage for such spam. "Store at sender" would also verify the location the email is coming from.
Well, spam is a technical issue driven by human nature and social ills, IMHO. So I think it would be good to have the various trade and exchange regulators deal with it, at least somewhat. For example, the SEC or various national/international trade blocs could have a task force which more actively does something about stock spam. For example, company XYZ appears in a spam message in country ABC. If the company originated the spam or paid for it, then they are barred from trading in country ABC for a length of time. If they did *not* originate the spam, then the task forces would track down the originators with assistance from local law enforcement. The overall idea is to remove the incentive to spam.
C|N>K
Obviously this won't work, I just don't know why, or at least not clearly.
There are only a few ISPs that connect at cross-network access points. All other ISPs buy their service from up-level ISPs.
As has been suggested before, why can't every ISP have a policy (start at the top (the access points), and the rules will trickle down) that any ISP sending spam has to turn off access within a few hours or be shut down.
Ultimately, the low-level ISPs, who actually connect to the users, would be forced to recognize the individual computers sending the spam, and shut down their access. These users can even use a virus cleaning program, or never come back on.
When "innocent" computers are turned off, it really isn't that big of a deal. There are free tools to remove viruses, and I'll bet they will be *happy* to know they're a problem, and how to get better.
At first they would be inundated with calls, but then we'd have a clean inter-network.
And no one can just start a new top-level network, because they would be denied entry to the access point, of which there are only a few.
Seriously, why won't this work?
Have you read my journal today?
Score:1, Redundant
By definition, shouldn't any post about spam be marked redundant?
Anyway, I run a mailserver. What I see is surges of email for whatever happens to be the current scam. Last year it was mostly mortgage offers (Get a cheap, misspelled mortqaq3 today!!!) Spamassassin + RBLs eliminate about 70% of the flood. Image-only email is flagged by spamassassin. Now random text is added to get past the Bayesian filters. The arms race continues.
BTW, if you are the type to send copies of spam to abuse addresses, I advise you to remove identifying info and post it through an anonymous account to avoid retaliation. ISPs tend to forward it to the spammer.
The thing that always bothered me about that skit was that the first two things that the waitress mentioned didn't have spam. Egg and bacon, and Egg Sausage and Bacon.
Maybe I think about this stuff too much.
Technoli
All of the above!
There's an interesting article at ExtremeTech about the wave of spam that hit us last year: http://www.extremetech.com/article2/0,1697,2060277,00.asp
Most admins were able to find ways to eliminate that eventually: http://blog.fastmail.fm/?p=580
but now I notice a new trend. Some spammers are actually putting news headlines in the subject field.
On top of that the black hats are now finding ways to spam emule search results.
Every search you make in Emule will return a fake hit... something like *_using_emule_multimedia_toolbar.exe. If you execute that program your machine will be infected with a virus.
The volume of spam is definitely up, and most of it is pump and dumps from a very few distinct sources. In December, about 20% of the 30,000 spams I received were for one particular stock.
http://it.slashdot.org/article.pl?sid=06/12/21/2314241
But it is wrong to say that this new spam requires radical new filtering techniques. That's what the spam solution vendors (whose press releases drive these /. articles) want you to believe so you'll buy their products. In general, word salads, obfuscated words and image spam do not defeat state-of-the-art statistical filters.
See, for example, the recent TREC tests: http://plg.uwaterloo.ca/~gvcormac/trecspamtrack06
These results show that filters achieve about the same results on 2006 spam as on 2004 spam, and those results are pretty good. Ongoing tests show that the effectiveness of filters is unchanged for 2007. In general, the volume of spam has increased, and spammers have tried various methods of defeating spam filters. But their efforts have not been particularly successful against statistical filters.
You dont have to kill them, just chop their hands off.
I think an interesting study would be to harvest spam,
scan for pump and dump, and buy stock based on various
factors. If you refined your algorithm perhaps you could get
an application that would buy and sell pump and dump
stock on your behalf, and make money in the process
I would practice with virtual stock at first.
Could an application buy and sell stock without
human intervention?
Don't make your problems my problems!
Well then I know what to do about my pesky competitors, just have some spammers send spam in their name! Problem solved!
So who do you want to monitor everybody's commercial actions? Actually, to know that the person bought a product because of spam, we'd need to monitor them whenever they check their email. Big Brother go!
In the name of Karl Popper, though, I appreciate your proposals.
Adopt technologies like Spamassassin and SPF.
Use policies that check the sender's address and validity. Seems to work on my hobby system. Oh, I get some, but the kill rate is quite good and the false positives are quite low to non-existent. I virtually get none of the botnet spam, which is a big chunk.
Why not just block e-mails that contain .gif attachments?
640YB ought to be enough for anybody.
Ya, i noticed i left out the 't' as i hit send..
:)
I must get in the habit of proofreading
---- Booth was a patriot ----
This shouldn't come as a surprise to anyone: One Last Spamhaus Warning Before The End
Two words: Joe jobs.
Try out fish, the friendly interactive shell.
Who is even dumb enough to make their purchases based on spam mail? I mean, surely everyone must know what spam is by now? How can one be so dense as to trust a completely random, badly worded, ill-articulated e-mail full of spelling mistakes from someone you don't know to make informed decisions about what stock they should buy?
It simply makes no sense to me. As long as people remain so completely clueless that they will fall for spam, there will be spam.
Seriously, however, who and how to punish is the issue.
I have little trouble with spam getting through filters either on my webmail accounts or on the POP accounts I access on my system and I suspect that's true with most /. readers. What I draw from this is that filtering software on various levels is fairly effective, but that has nothing to do with the volume increase which I've certainly noticed.
Since I suspect that a good deal of this trash is sent from people who move electronic locations frequently, perhaps there's some way of developing a protocol whereby the first receiving server refuses acceptance of messages which display specific characteristics found in spam or might even be able to trigger the equivalent of a DOS against the offending system. Widespread acceptance of such a protocol could go a long way towards reducing the volume of spam.
We have met the enemy and he is us - Pogo (Walt Kelly)
1 - I think it is fitting for the crime. It is not my fault the punishment is not fitting for others.
2 - I said *prove* they used spam, so 'joe jobs' wouldn't apply here ( yes I know it's hard to do, we are just dreaming here anyway )
3 - the government already does that..
---- Booth was a patriot ----
Make the punishment for the crime extremely severe. And if someone does it from a 3rd world country or something, they can be executed. Problem solved.
And I'm wondering; how do I bill these companies for my time? Would there be a government department willing to help me out with that, or perhaps a friendly lawyer (apologies for the oxymoron) interested in starting a class action suit? These fucknuts will only cease when it starts costing them to do this.
If you were blocking sigs, you wouldn't have to read this.
1 - death ( yes, death, not jail ) for conviced spammers ( oh, and make it painful and long too )
Please try to size the punishment to the size of the crime. Most civilized countries don't even have death sentence for serial murder. Also, your American laws don't carry much power over other jurisdictions, and convincing others to share death penalty for something like this would be hard.
Ok, I think you're missing something. You're trying to apply morality to this situation and I don't think spammers deserve that. At least not the worst of them. Spammers are a dime a dozen, and they all think that what they are doing is ok and that there are no consequences to it. I know this because I've talked to some directly. They don't have anything that is really scaring them into stopping what they are doing. And for every spammer that goes down there are 2 to replace that one.
What we really need is something like the Boogy Man is to children. Maybe not a vigilante that kills spammers (although I've said that this is a possible solution before), but something that would scare the living shit out of spammers and make them really worry that what they are doing is going to come to get them. And also makes new spammers realize what kind of risk they are getting into.
Because all the anti-spam, laws, humiliation tactics that we are using now are doing practically nothing to prevent the problem from the beginning. It's time for more extreme tactics.
Please try to size the punishment to the size of the crime.
I'd settle for ten seconds of jail time and a penny fine per spam. That would (very roughly) approximate treble damages for time wasted. A million spams would yield a 4 month sentence and a $10,000 fine.
Of course, if they sent a billion spams, they might as well get the death penalty, since they wouldn't be getting out in this lifetime.
Also, your American laws don't carry much power over other jurisdictions, and convincing others to share death penalty for something like this would be hard.
The reverse is also the case, of course.
This tagline is copyrighted material. Please send $10 for an affordable replacement.
I too think there should be a much heavier punishment for spam or any form of fraud or deceptive advertising. And I think it should definitely be fought with more aggression. In the U.S. we have very strict rules for print and broadcast media with noteworthy punishments. But in the case of spamming, most of this is anonymous in most ways making this pretty difficult.
However, as someone pointed out, it's pretty hard to make a firm connection between the spammer and the activity being advertised. However, working out plea testimony of reduced sentencing, I'm sure the spammer would be likely to produce the evidence a prosecutor would need.
I hate to say it, but before the hard-core enforcement we beg for will happen, there will have to be some lobbying done.
It happens, but not that often. When they catch one, law enforcement does a dog and pony show and we applaud wildly. But they just keep coming.
Arrests don't seem to happen that often. Do a google for "spammer arrested", and most of the hits are about the Buffalo spammer. He was arrested back in 2003 to much fanfare. However my mailbox is still full of. Maybe there is more than one of them out there?
I'm guessing spammers spam because they know the chance of them being caught is nigh on zero. Yet, this is a criminal racket just like any other criminal racket. If some serious money is put into law enforcement, then spammers might finally get the shakes. Apart from pump-n-dump stocks (get off yer asses SEC), spammers aren't hard to catch. Consider Mortgage spammers. If you reply to a Mortgage spam (I am told) you will later be called by a seemingly unrelated mortgage agency. They have bought your contacts off the spammers. Everything can be traced, and if we have the feds seeded spammers with 1-use-only phone numbers, buying stuff and tracking it just like they do any other illegal contraband, of course they can bust it. Make receiving spammed contact details an offence too: The recipient must be reasonably confident that the leads they received are not spam. Harder to prove, but if there is a reasonable chance of prosecution buyers of spam harvests will become shyer and the market dry up. Let's make it a legal requirement that ISPs have to report spamming users to the feds.
And let's get beyond "fines" for offenders. Fines for any profitable business are merely an operating expense. What really scares company directors is Jail time. This has been used in L.A. to force companies comply with laws they'd otherwise have simply paid out. If a spammer thinks there is a 0.0001% chance of him being caught (and then let off with a warning), they will do it. If they think they probably can't sell their harvest, have a 50% chance of being caught and will definitely go to Jail, they won't!
So why isn't this happening? (1) It's not an issue for politicians. I want to see Obama/Hillary/McCain arguing about Spam!!! and so... (2) The money isn't budgeted for law enforcement. With some Elliot Nesses on Spam, I reckon we can crack this. How do we let the politicians know this is an issue for us?
Email simply isn't working.
We need something new. Nuff said.
We register websites. You pay. You should have to pay to forward emails. Say 1c per email. And all the money taxed goes to me for thinking of the idea. I will have eliminated spam and become a billionaire! Everyone is happy!
I don't understand the economics of spam. Apparently these people do make money. But how? In order to get their messages past all the anti-spam measures around these days, these guys have to send out almost totally unreadable misspelt nonsense with completely misleading subject lines. I can't believe that people receive these things and then go on to purchase something. It doesn't make sense.
Sorry, I wasn't aware that we were dreaming. I thought we had a serious discussion. I have no intention of participating in dreaming with you, so I guess that ends our communications for this time.
A basic fact of life is that any law enforcement officer is corruptible, it's just a matter of price. An extremely harsh punishment only makes the perpetrator willing to pay more, until the price level of the officer is met. A fair punishment is one that's enough to inhibit crime, but less than what the criminal is willing to pay to avoid.
A quick click in the spam column of the messages window and I have Thunderbird configured to flag and delete spam automatically. I have 1295 spam emails in the last 2 weeks, vs 8 real emails. Almost all were sent directly to the spam folder without any intervention from me thanks to the adaptive spam filter.
(Kudos to Mozilla Thunderbird team).
I only wish people would configure their mail server to not bounce spam email back to the 'sender'. Half of the problem would go away if they bothered to check the SPF record and see it was a spoofed sender address.
Just like with the war on drugs, eh? Yeah I see how raising the punishment really helps. No wait. Shit, it doesn't. I guess we're fucked now.
What I think would help is ISPs taking confirmed zombie machines offline. It's done in Sweden by some ISPs, and most people don't seem to have a problem with that.
If 1p was changed per email with the 1st 30 free per day it would stop spam dead.
The first rule is that spam is an advertisement that benefits an advertiser. To advertise something secret is an oxymoron - there is a product that is being promoted and somehow the spam recipient must be persuaded to buy the product.
Broadly speaking, I see three types of spam at the moment creeping past the filters:
For the first, I'm being invited to buy something, and I have to pay by credit card. If the use of spam to advertise is illegal then why not void the credit card payments? The credit card companies will drop them like a hot potato. The second is more interesting. You don't actually have to be directly connected with the issuing company to benefit. All you have to do is to have a number of the shares. If the SEC wanted to, it wouldn't be that hard to close down such scams. The last is what interests me particularly. This is an advertisement for a sideline job that people could do from home to handle offshore payments. Allegedly this is to help people buying or selling via services such as eBay but with an address in Russia. It fails to mention that opening a bank account for a third party without declaring the fact is very illegal and may even give you trouble (think PATRIOT act).
In other words, there is a lot of legal ammunition to go after these people. It seems that many are just not interested.
See my journal, I write things there
Unfortunately, $10,000 is less than the cost of keeping someone in jail for 4 months ...
Also, why not go to the REAL root of the problem - Windows and the zombies that run it. Anyone connected to the net with a pwn3d box pays $100 for the first incident, doubling each time. People would learn to dual-boot really quickly.
Not only am I seeing more Spam hitting my inbox.. I am seeing more spam on WordPress Blogs. This is where I am seeing the most problems.
The email server I use tags and filters spam, but the WordPress Blogs are filling up with Spam, plus it is clogging up MySql databases for comment spam that it uses all the processing power up - so the other services on the box as well as the webserver crawl to a slow. Even with other programs such as Akismet marking the comment posts as spam, the problem lies in the database being tied up.
"SPAM-NET became self-aware at 2:14am EDT August 29, 2007 .."
If you think that spam is a problem now, consider this ...
all those "I for one welcome our self-aware spam overlords" and "in soviet russia SPAM deletes YOU" jokes won't be so funny if that happens.
Sure, why not.
tungstenband@mytrashmail.com
Which may be why I don't get any spam. Is it my fault that most people are as dim as a 5 Watt bulb?
Deleted
Perhaps the SEC could require stock brokers and other companies issuing penny/OTC/pink sheet stocks to log whoever buys or sells them. There should be a discernible pattern among pump-and-dump traders that the SEC could backtrace to identify the perpetrator. I would imagine the perpetrator would not purchase the stock too far in advance, as market fluctuations during that time could make their scheme fail. They probably buy the stock only a few days or maybe weeks beforehand, and then sell immediately after the spike. Their initial purchase is probably sizable as well, more than your average investor. For most people who never deal with OTC stocks, their privacy is ensured. For those who do choose to deal with these types of stocks, it would be part of the cost of business for dealing in such a risky and crime-ridden market. The SEC needs to figure this one out sooner rather than later...
Slashdot's first reaction to VMware
1. Satire: Perhaps the most confounding form of humor, note the subtle reference to the discussion embedded in a story about something else. This wasn't flaming slashdot, it was about how spam that appears to originate from your domain (but doesn't) can get you blacklisted by site admins as clueless as the moderators who flagged the parent as flamebait. Here is a good example of satire:
I'm sorry but your message from articles.slashdot.org was REJECTED because it has been flagged by our system as spam. You may not be the source of the spam, but our servers do not respect SPF flags and therefore accept, process and then bounce almost any old slutty slice of bits that get hucked our way. We blame you, the owner of the spoofed domain.
For further reading, see the wiki.
2. Obligatory references to The Simpsons:
To get a hard copy of this message please send $1 to Happy Dude, 742 Evergreen Terrace, Springfield.
Hint to poster: Next time, just go with the "overlords" joke.
3. Relevancy: Recent news stories highlight that most spam is coming from botnets under the control of Eastern European and Russian criminal organizations. Had you bothered to read anything on /. about spam prior to moderating just now, you'd probably know this. Hence the following is, in fact, funny:
Promotional consideration has been provided by the Russian Mob.
Thank you for moderating today! We hope you enjoyed your crack!
and now okopipi is going to be reborn: http://www.okopipi.org/article/129
When ? Who knows.
P2P Anonymous Distributed Web Search: http://www.yacy.net/
Spam designed to get past Bayesian filters usually has deliberate spelling mistakes. Convince your local congressman that these spelling mistakes are ruining children's English education. In closing, add an ominous, but pleading "think of the children!!!one!!!" Watch in amazement as several swift, but ineffective laws (most with catchy acronyms) are passed against spam.
Rather than forcing thousands, if not millions, of people to filter spam at the server level, wouldn't it make sense to do the filtering at the ISP level? I'm talking about the major providers. If most (non-virus) spam is coming from outside the U.S., why isn't it being blocked by the tele-co's when it gets to the U.S. ISP's?
Stopping image spam is going to take writing Captchas to identify the spam. I don't see an end to this any time soon.
[%] Cingular Ringtones
My ISP (www.ntlworld.com) doesn't allow you to use www if your connection has a high amount of outgoing port 25 action. I know this because a PC here got infected with a mass-mailer trojan once. Instead of seeing the webpage you're trying to see, you are shown a page telling you that you've been infected, along with access to several tools for removing these kind of infections. If ALL ISPs did this, I would think that spam traffic would be heavily reduced.
What you are doing to filtering, it is wrong because all it does (when it works) is to keep you from reading spam and cost you CPU time.
The bandwidth has already been spent once the spam reaches your filter.
A much better approach (IMHO) is to use greylisting along with a few fast spamtrap driven RBLs, this way the mail doesn't even get transmitted to my server and I save both CPU, bandwidth and time.
Since I switched I have gotten a max of 2 spams per day, some days the count is even zero.
There are two reasons this approach is so great:
1) The greylisting on its own will weed out all the non-compliant MTAs, most spammers use zombies that don't care if their payload gets delivered, so they never retry.
2) The real MTAs that spam might get to me before hitting a spamtrap, but the greylisting tells them to come back a bit later, by that time they have hit one or more spamtraps and get blocked by an RBL.
I have yet to think of a way for spammers to defeat this scheme and the cost to legitimate mail is a 10 minute delay the first time someone sends me mail.
-- To dream a dream is grand, but to live it is divine. -- Leto ][
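The greylisting half of the scheme in the comment above, as an added example that is not part of the original post or of any particular greylisting daemon: a first-contact triplet gets a temporary 451, and only a sender that retries after the delay is accepted and remembered. The 10 minute delay is the comment's figure; the /24 (IPv4) and /64 (IPv6) grouping, the 4 hour retry window, the 36 day pass lifetime and the sample sessions are constructed assumptions.

```python
import ipaddress

MIN_DELAY = 10 * 60          # the 10 minute first-contact delay from the comment
RETRY_WINDOW = 4 * 3600      # assumption: a retry must arrive within 4 hours
PASS_LIFETIME = 36 * 86400   # assumption: proven triplets stay accepted for 36 days


class Greylist:
    """Greylisting policy keyed on (client network, envelope sender, recipient)."""

    def __init__(self):
        self.first_seen = {}   # triplet -> time of first deferred attempt
        self.passed = {}       # triplet -> time until which it is accepted

    @staticmethod
    def triplet(client_ip, mail_from, rcpt_to):
        # Group by network rather than single address so that a provider
        # retrying from a sibling outbound host is still recognised.
        ip = ipaddress.ip_address(client_ip)
        prefix = 24 if ip.version == 4 else 64
        net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        return (str(net), mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return (smtp_code, reason) for one RCPT TO at time `now` (seconds)."""
        key = self.triplet(client_ip, mail_from, rcpt_to)

        expires = self.passed.get(key)
        if expires is not None:
            if now <= expires:
                self.passed[key] = now + PASS_LIFETIME   # refresh on use
                return 250, "known triplet"
            del self.passed[key]                         # stale, start over

        seen = self.first_seen.get(key)
        if seen is None or now - seen > RETRY_WINDOW:
            # Never seen, or the earlier attempt is too old to count as a retry.
            self.first_seen[key] = now
            return 451, "greylisted, try again later"
        if now - seen < MIN_DELAY:
            return 451, "retry too soon"

        # A genuine MTA queued the message and came back after the delay.
        del self.first_seen[key]
        self.passed[key] = now + PASS_LIFETIME
        return 250, "retry accepted"


# Constructed sessions: (time in seconds, client IP, MAIL FROM, RCPT TO).
SESSIONS = [
    (0,     "192.0.2.17",   "alice@example.org", "me@example.net"),  # real MTA, first try
    (5,     "198.51.100.9", "x1@example.com",    "me@example.net"),  # zombie, fire and forget
    (120,   "192.0.2.17",   "alice@example.org", "me@example.net"),  # retry before 10 min
    (900,   "192.0.2.44",   "alice@example.org", "me@example.net"),  # retry, sibling host
    (1000,  "192.0.2.17",   "alice@example.org", "me@example.net"),  # later mail, no delay
    (20000, "198.51.100.9", "x1@example.com",    "me@example.net"),  # zombie back, too late
]


def replay(sessions):
    """Run sessions through a fresh greylist and return the SMTP codes."""
    greylist = Greylist()
    return [greylist.check(ip, sender, rcpt, t)[0] for t, ip, sender, rcpt in sessions]


if __name__ == "__main__":
    for session, code in zip(SESSIONS, replay(SESSIONS)):
        print(session, "->", code)
```
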
Here's a little known fact: Death lasts forever, which is pretty long.
If we could link spammers to terrorism, we might have a chance.
Surely terrorist organizations have figured out that they can anonymously make money using the various spam/virus/malware schemes out there. If a connection could be established, law enforcement would take notice. Likewise, organized crime is involved with the schemes. The pump and dump stock schemes aren't run by individuals, it takes coordination to hide your tracks and keep the SEC alarms from going off.
While spamassassin, OCR etc are good techniques, greylisting is the best way to do a first level check. See http://harishpillay.livejournal.com/2007/01/17/ in which I sing the praises of greylisting. A comment to my post says it best: Spammers do not knock twice.
That's a git if you're running a mailing list... suddenly you can't browse the web.
I'm sorry... what spam?
;)
I did not get a single spam-mail in my 5 mailboxes for the last 12 days. And it never went to more than one every 3-5 days for the last months.
(And that mail goes straight to junk without me pressing a single button.)
Am I doing something wrong/different by using SQLgrey(listing), Spamassassin with ClamAV and bayesian filtering enabled (maybe plus Razor, Pyzor, DCC),
and not disabling the local bayes-filter in my Thunderbird?
It's like Adblock for Firefox. I just wonder... what are those annoyances they're talking about?
Could someone clarify this a bit for me: What's the actual problem? Users and hosters too stupid or too lazy to use existing and working filters?
If they don't care enough to find out how to get rid of the spam, then they should also stop complaining. You can't have both, right?
Maybe the root of this is a principle of being human driven ad absurdum: If you are worse than others you don't lose in the big game of natural selection anymore... no, you simply complain the ass out of pseudo-social people that you want to stay lazy and still get it all, until they (unfairly) support you *because* you were worse.
This of course would mean de-evolution and penalization of everybody who did better... but hey... if it works and non-lazy people will die out, then again it's just "their way" of winning the game of life.
But I certainly won't like or accept it without fighting.
B.t.w.: I also did not get a single false positive since the installation.
and P.S.: my logfiles indicate that they catch thousands of spam-mails per day. But I would not even know without them.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
I recall someone claiming that they had *made money* based on stock spam. The strategy was really simple: they shorted whatever stock that was being pushed by spam. Shorting a stock means you borrow shares of the stock and sell them. If the price of the stock drops, you buy shares to fulfill your short contract at a lower price than the ones you borrowed. You make money on the difference. Sounds simple but you're screwed if the price of the stock goes up.
Example: You "borrow" 500 shares of Pump-n-dump Enterprises at $5.00 a share and sell them making $2,500.00. It crashes to $0.10 per share. You buy 500 shares to fulfill your short contract at that price for $50.00. You net $2,450.00.
Cheers,
Dave
They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
Ben
I think the role that registrars play in the spam game is vastly underestimated. The lion's share of spam that I receive is all for domains that were registered through about 4 or 5 registrars - pacnames.com, yesnic.com, moniker.com, easydns.com, and tucows.com (many people forget that tucows is the 2nd largest registrar on the internet).
And a little more investigation into the registration data provided usually shows that the domains in question are sold without accurate data on the buyer. It seems that the registrars are too anxious to make a buck to care who said buck is coming from. And they repeat the process many times over.
If the registrars would be held responsible for actually providing accurate WHOIS data - as internic states they are - then a lot of this problem would go away. The spammers would no longer be able to hide behind false, 'protected', or 'shielded' data.
Of course by now you should be thinking "what about the name servers?" because of course the spamming addresses cannot resolve without a name server to provide the mapping. If you look up the name servers that the spamvertised sites rely on, you will find that 99% of the time the domains that are providing NS are registered through the same registrars.
The punishment is irrelevant - you could have the death penalty for running a red light - people would still do it because they don't think they are going to get caught.
The way you prevent crime is to remove feelings of privacy and security from people. If they think they are being watched, then they won't commit crimes as they believe they will be caught.
Spam 2.0: Back with a Vengeance
and much later on..
Spam 3.0: The day it became sentient
Once you start despising the jerks, you become one.
What we need is an update to the SMTP protocol to address spam. It's clearly broken.
So someone convicted for holding a person up for $20 dollars should only get 17 minutes in jail?
The force that blew the Big Bang continues to accelerate.
Just this past week, an elected county treasurer in Michigan was arrested for sending a million(!) dollars to a 419 mugu. It was govt funds of course, he even went to London on county expense to meet his benefactors (and lived to come back).
If you want to know how dumb, every elected official in Michigan gets a fat pension and first dollar health care, so this sucker really blew it. Now he'll spend retirement in the Butfuck Hilton, blowing it.
Spam, the inspiration of double-digit IQs everywhere.
Yes I'm sure it would be as successful as the 'War on Drugs' here in the U.S. Unfortunately if there is money to be made they will take the small risk associated with making it.
Women don't want to hear what you think. Women want to hear what they think, in a deeper voice.
The idea of fines and jail time is to serve as a deterrent, and protection of society, not as "compensation".
Fighting spam is like fishing; however all current anti-spam systems attempt to remove the water from around the fish rather than removing the fish from the water.
With present technology spam is never going to go away. Sure we could change SMTP to do 'clever stuff' to make spamming incredibly difficult, but what about the millions of mail systems out there that will need an upgrade? Not really feasible.
I propose that we start treating ALL mail as spam, then run our tests in reverse to see if it's legit or not - filter IN rather than filter OUT. Lots of words spelt right? Positive score. No URL or images in it? Positive score. Sent from the same country you are in? Positive score. Sent from someone you have received mail from before? Positive score. Sent from someone you have sent mail to in the past? Positive score. You get the idea.
Additionally I think digital signatures should be leveraged - imagine if mail clients signed messages as standard and it was easy (and I mean EASY, but not necessarily too quick or free) for average people to get a digital signature - call them 'Internet Passports' or something. Get reported for spamming and your cert gets revoked. Without a valid cert your mail is assumed to be spam unless it passes tests otherwise. 'Joe jobs' will not be possible without the correct cert. If you have a cert then your mail is trusted (more). If you don't then your validity is questioned.
We have no way of knowing how many legitimate delivery failures are caused by greylisting. That's because, as the parent points out, messages are rejected a priori and there's no quarantine to check. If you reject and for whatever reason it is not retransmitted, your mail is lost. Maybe this "shouldn't" happen but it does, and it happens often enough that it is not entirely obvious that its false positive rate is less than that of a spam filter.
It is also trivial for a spammer to defeat greylisting. Perhaps they don't at this time, but at any moment they could flip a switch and render your approach useless. Contrary to popular belief, state-of-the-art spam filters aren't so easily defeated.
Blacklisting doesn't suffer from the immediacy problem of greylisting, but it shares the problem of an unknown false positive rate, and mediocre false negative rate.
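The greylisting trade-off argued in the comment above, as an added example that is not part of the thread: a minimal greylist keyed on the (client IP, sender, recipient) triplet, replayed against three senders. The delay values, all names, and the senders (documentation IP ranges, example domains) are assumptions constructed for illustration.

```python
"""Greylisting keyed on the (client IP, envelope sender, recipient) triplet."""
from dataclasses import dataclass, field

MIN_DELAY = 300           # seconds before a retry of a new triplet is accepted (assumed)
RETRY_WINDOW = 4 * 3600   # a first attempt older than this is forgotten (assumed)
DEFER = "451 4.7.1 Greylisted, please retry later"


@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)    # triplet -> time of first attempt
    passed: set = field(default_factory=set)          # triplets that retried correctly
    deferred_log: list = field(default_factory=list)  # envelope data only, no message body

    def check(self, client_ip, sender, rcpt, now):
        """Return the SMTP reply given at RCPT TO time for this attempt."""
        triplet = (client_ip, sender.lower(), rcpt.lower())
        if triplet in self.passed:
            return "250 OK"
        start = self.first_seen.get(triplet)
        if start is None or now - start > RETRY_WINDOW:
            # Unknown (or expired) triplet: remember it and defer.
            self.first_seen[triplet] = now
            self.deferred_log.append((now, triplet))
            return DEFER
        if now - start < MIN_DELAY:
            return DEFER                      # retried too quickly
        self.passed.add(triplet)              # a patient retry is all it takes
        return "250 OK"

    def never_confirmed(self, now):
        """Triplets deferred and never accepted: the only trace of mail that was lost."""
        return [t for ts, t in self.deferred_log
                if t not in self.passed and now - ts > RETRY_WINDOW]


def deliver(gl, client_ip, sender, rcpt, attempt_times):
    """Replay one sender's attempts; True if any attempt was accepted."""
    return any(gl.check(client_ip, sender, rcpt, t).startswith("250")
               for t in attempt_times)


# Constructed senders: (label, client IP, envelope sender, attempt times in seconds).
SENDERS = [
    ("queueing MTA", "192.0.2.10", "alice@example.org", [0, 900]),
    ("web form with no retry queue", "198.51.100.7", "noreply@shop.example", [10]),
    ("bulk sender that retries", "203.0.113.5", "promo@bulk.example", [20, 400]),
]


def run_demo(rcpt="bob@example.net"):
    """Return ({label: delivered?}, triplets that were deferred and never came back)."""
    gl = Greylist()
    delivered = {label: deliver(gl, ip, sender, rcpt, times)
                 for label, ip, sender, times in SENDERS}
    return delivered, gl.never_confirmed(now=5 * 3600)


if __name__ == "__main__":
    delivered, lost = run_demo()
    for label, ok in delivered.items():
        print(f"{label:32} delivered={ok}")
    print("deferred and never retried:", lost)
```

The decision depends only on whether the sender retries, not on what the message contains, and the deferral log holds nothing but envelope data, so there is no quarantined copy to recover.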
my logfiles indicate that they catch thousands of spam-mails per day. But I would not even know without them.
You pay for your bandwidth presumably? Image spam is 10-100* the size of normal spam. Once you're over quota due to spam and your monthly rates go up then you'll understand what the problem is.
Now scale that to the ISP level - these people deal with hundreds of thousands of *legitimate* emails per day. Now they're getting 10* that in spam (around 90% of all email sent is spam currently). They have to put in a bigger pipe, servers, etc. to handle the load.. your monthly bill goes up.
Stop trying to run your mailing list from a consumer-grade DSL connection from which servers are most likely banned then.
retrorocket.o not found, launch anyway?
Then you contact your ISP and make arrangements, after you convince them that you're not a spammer.
Fairly simply. Though today it should be able to tell the difference between legitimate bulk email* and spam
Such as mail-type discussion groups, business relations like people who want to receive tiger direct's ads, etc...
When you're having to post random segments of encyclopedias and put your actual message into an image to get through the filters, it's a clue that you're not wanted.
Those types I'd like to see shot. Heck, I'd shoot them myself.
Oh, and I don't believe that spammers are truly a dime a dozen. I think that if we removed the 10 worst spammers we'd drop spam in the USA by 50% or more.
I don't read AC A human right
make spamming illegal in the whole US. Apparently it's ok to spam according to some US judges :s
http://www.spamhaus.org/organization/statement.lasso?ref=3
I know of no good ISP that bans such servers. Nor would I use any that did - that's retarded... I'm paying for the bandwidth and it's mine to use.
Consumer grade DSL is much faster than the servers that used to run ISP email systems just a few years ago - there's really no need to pay for expensive hosting unless you're a company needing 99.9% uptime. I do have hosts for some stuff but only that for which the bandwidth requirements exceed what DSL can provide.
Here's an even more effective method: almost all spam contains one of the letters {a, e, i, o, u}. Simply write a grep filter to reject all such messages!
Rule 1: never forward spam, even to abuse addresses, and absolutely never to the 'unsubscribe' address.
The only exception I know of is spamcop as they're (I think) trustworthy.
Your post advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
(x) Microsoft will not put up with it
( ) The police will not put up with it
(x) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
(x) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
(x) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(x) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
(x) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
(x) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
"pops out his head from transport layer"
Oh jesus, this is a fucked up place!
"returns back to datalink layer"
I can attest to the large quantity of stock spam that reaches my inbox. In fact, I sometimes get 3 messages a day at my corporate email. At first, I thought it was a result of signing up for a program at Fool.com, but I now see that 1/3 of all spam is stock related. Good grief! Where does it all come from?
I know of no good ISP that bans such servers. Nor would I use any that did - that's retarded... I'm paying for the bandwidth and it's mine to use.
Ok numbnuts, that's exactly the kind of attitude that spammers have. That they can do anything because they pay for it. You pay taxes for construction of roads and for schools, but that doesn't give you the right to drive 100 mph through a school zone. You have to have limits. There have to be rules.
...and, yes, it matters.
It makes you look uneducated when you don't spel rite.
The girls on Slashdot don't have that problem. Unfortunately, what they get is tentacles.
...for the Corleone Family to improve its popularity.
[whinny]
"3) it appears that these spams are more of a scam to drive people to brokerages, or stock advisors"
So that brokers can profit? Too convoluted to be true.
It's simply what you originally thought: Someone getting out of the stock during a 2-cent bump in the price.
Seems low, but that's bottom-feeders for ya!
Indeed... quit adding all of these hacks onto a broken protocol and just fix it already.
I implemented SURBL recently, and it's helped a lot. Your filter extracts url's from the *body* of the e-mail, and checks them against SURBL's blacklist. The idea is that most spam is trying to get you to click on a link, and although they can forge the From: line, they're still constrained to give the address they want you to click on. This has been amazingly effective for me, and it's really nice because there are essentially no false positives. It won't necessarily work with pump-and-dump scams, though, since it's possible for them to say "buy SCOX," without giving a URL.
Find free books.
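The body-URL check described in the SURBL comment above, as an added example that is not part of the thread: extract the URLs from a message body, reduce each host to its registered domain, and query it under the `multi.surbl.org` zone. The two sample messages, the listed domain, the short suffix table standing in for the public suffix list, and the fake resolver used for the offline run are all constructed assumptions.

```python
import re
import socket
from urllib.parse import urlsplit

SURBL_ZONE = "multi.surbl.org"
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Constructed stand-in for the public suffix list (a real filter needs the full list).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registered_domain(host):
    """Reduce a URL host to the name that is looked up in the list."""
    host = host.lower().rstrip(".")
    if IPV4_RE.fullmatch(host):
        # IP-literal URLs are queried with the octets reversed, as in other DNSBLs.
        return ".".join(reversed(host.split(".")))
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_domains(body):
    """Registered domains of every http(s) URL in the body; headers are ignored."""
    domains = set()
    for match in URL_RE.findall(body):
        try:
            # urlsplit strips userinfo and port, which spam URLs use as camouflage.
            host = urlsplit(match.rstrip(".,;:!?)]")).hostname
        except ValueError:
            continue
        if host:
            domains.add(registered_domain(host))
    return domains


def is_listed(domain, resolve=socket.gethostbyname):
    """A listed name resolves to an address in 127.0.0.0/8; NXDOMAIN means not listed.
    The meaning of the returned address is defined by the list operator and is
    not interpreted here."""
    try:
        answer = resolve(f"{domain}.{SURBL_ZONE}")
    except OSError:          # socket.gaierror is a subclass of OSError
        return False
    return answer.startswith("127.")


def scan_body(body, resolve=socket.gethostbyname):
    """Sorted list of body domains that the blacklist knows about."""
    return sorted(d for d in extract_domains(body) if is_listed(d, resolve))


def make_fake_resolver(listed):
    """Offline resolver for the demo: only the constructed 'listed' names resolve."""
    names = {f"{d}.{SURBL_ZONE}" for d in listed}

    def resolve(name):
        if name in names:
            return "127.0.0.2"
        raise socket.gaierror("NXDOMAIN (constructed)")
    return resolve


# Constructed sample messages.
SPAM_WITH_LINK = (
    "From: support@bank.example\n\n"
    "Order at http://www.cheap-pills.example/buy?id=1 now, or try "
    "http://user@mirror.cheap-pills.example:8080/x. "
    "Unsubscribe: https://lists.example.org/u\n"
)
STOCK_SPAM = "From: tips@broker.example\n\nBuy SCOX now, it will triple by Friday!\n"

if __name__ == "__main__":
    fake = make_fake_resolver({"cheap-pills.example"})
    print(scan_body(SPAM_WITH_LINK, fake))
    print(scan_body(STOCK_SPAM, fake))
```

The forged From: line plays no part in the verdict, and the second message shows the gap the comment mentions: a stock tip with no URL gives the check nothing to look up.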
Forget it's spam, treat it as a specialized form of fraud (which it is). Active investigation and prosecution. Total forfeiture of assets upon conviction (under the presumption that one should not be allowed to profit from illegal gains), proceeds of which should go to help victims of fraud. 50 year sentence - 5 years served, 45 years suspended hinging on a Kevin Mitnick-esque ban on using computers in any form for the duration of the sentence. International agreements to implement the same or similar legislation everywhere, and IDP's to any political states that don't come on board.
Yup, I think that'd about do it.
I like this because it doesn't advocate some technical torturing of an established protocol, nor is it directly legislating email or the internet - this can be an extension of current laws against fraud. Of course, it still won't work because it advocates a level of international cooperation that simply isn't likely to happen... though anybody that wants to fill out the "it won't work" checklist to point out other shortcomings is more than welcome.
"Hey, the third matrix movie would have been good except for the plot,story, and acting." --AC
No, not like the war on drugs; there we are mainly jailing low level dealers and end users #3 above, and let's face it, there are a lot of people who want drugs (whether we like it or not). Nobody wants spam (except the spammers). Spam is attacking the very fabric of our society (the internet); do we let the few (spammers) destroy it or do we punish those who try? The war on drugs is not popular for several reasons; no one in their right mind objects to removing murderers, rapists and child molesters from society, although some on moral grounds prefer long prison sentences to the death penalty.
If you want to stop crime, the penalty should be,
and perceived to be:
- certain
- immediate
- more costly than the benefit of the crime
"Law and order" advocates generally advocate
draconian punishments, but there is no evidence
that they help, beyond counterbalancing the
benefit of the crime. Increased detection speed
and likelihood are far more effective.
You might think that draconian punishments increase
the expected cost, even with haphazard and delayed
detection, but they don't increase the perceived
cost nearly enough to counter the tacit "I will
beat the odds mentality" to which criminals and
lottery-ticket buyers cling.
In the case of spam, I'm not entirely convinced
that any of the three criteria are met, but
cranking up the third is certainly not "a solution"
as the parent indicated.
So now that we've had a few years to tackle this problem, what is the most viable, likely replacement for e-mail that would be unspammable? Sender-verification? I see IM coming up a lot as a spam-free alternative, though that is probably simply a function of lowest-hanging fruit.
Would someone mind updating us as to the state of technological alternatives on the horizon?
The ______ Agenda
I know of no good ISP that bans such servers. Nor would I use any that did - that's retarded... I'm paying for the bandwidth and it's mine to use.
If ISPs had outbound port 25 blocked by default but allowed users who wanted it to turn it on, zombie spam would be substantially reduced.
What we can hope is that some hardware manufacturer starts building hardware acceleration boards for OCR, so that huge providers that manage several thousands of e-mail accounts and process millions of mails per day can use this kind of filter to remove spam.
It has been done before for anti virus like ClamAV, so there's hope for image filters to soon hit our mail providers, even if they require some orders of magnitude more processing power than regular filters.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Well, one can only hope that this leads to some wider sweeping reforms, because as it stands now, the market is way too influenced by widespread fraud and insider trading. It's not anywhere close to being a legitimate market, it's more like a casino where a few favored gamblers get the nod, and even fewer just get lucky, and the rest lose, and maybe this wave of spam will spur some real change on the law enforcement side.
Or maybe mail servers will just start rejecting all binary attachments.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Hear! Hear! Fix the problem at its source...
Uh, no. That would be a massive policing program with huge overheads requiring the creation of an entirely new bureaucracy with powers that cross international borders.
Besides, there is a much simpler way under existing US law.
<div id="criminalNegligence" class="rant, antiMS, antiBot, proFOSS">
Microsoft is responsible for this, along with the principal Microsoft shareholders at the time when the decisions to market OSs whose security defects were known (or would have been known by prudent managers and owners) were being made. The bunch of them should be brought to court on charges of criminal negligence and class action suits should be filed. Their crime is deliberately allowing the sale of defective products that have cost US businesses and taxpayers billions of dollars in lost time and damages. This is the surest way of assuring that the spambot problem isn't repeated with the Next Big Thing (whatever it might be), and a good source of funding for the next step. Rip the profits out of building dangerous software, in the same way that the profits were ripped out of building dangerous automobiles 40 odd years ago.
The US Congress could legislate that moneys obtained through legal actions against Microsoft and its owners would be used to fund replacing risky MS products on Windows boxes with equivalent safe FOSS products. This would have to be voluntary, but persons who refused to convert to a securable platform (where security was designed in, not bolted on later) would be put on a "No Internet" blacklist until they decided to comply.
</div><-- eoSundayMorningRant -->
all those "I for one welcome our self-aware spam overlords" and "in soviet russia SPAM deletes YOU" jokes won't be so funny if that happens.
They're not funny NOW -- or am I missing something?
The problem is that many people *think* everything coming from cable or dsl is consumer grade. This guy might be using consumer grade dsl, but I've setup business packages for cable and dsl to run servers. I'm paying the premium and yet I'm still often blacklisted because I can't afford an OC48.
MidnightBSD: The BSD for Everyone
The problem is zombies, and the problem there is Microsoft products are unsuitable as shipped for use on the internet. Off the internet, different story, more or less functional, but to surf with and use email etc? Completely faulty product. Broken beyond design.
They are allowed to profit immensely, yet have no normal consumer warranty. Precedent setting major supreme court action here, class action would be the way to go, from individual users to ISPs, file suit, do it, sort this crap out. If software companies can demand patents and receive them-that means they should be *forced* to offer a warranty, including suitability for purpose, exactly the same as any other consumer product out there. One or the other, but not both. If software is just art, then copyrights only. If it is a product with patentability-make them have a warranty. Even just dead tree books-copyright only, because they are a product, have to have a warranty, it is implied. If the pages fall out with normal immediate use-they will be forced to recall them.
If Microsoft (or any other for sale software company) wants to still offer software with no warranty, call it a beta testing agreement, but then they can't charge a single penny for it. Shift the responsibility to where it belongs.
--and sorry leet trolls, before you even start, I don't give a rat's ass about some slashdork geek who claims he can keep his windows box "secure". That isn't the point at all. There are one hundred million people or a lot more who *can't* keep their machines secure, that's the point, that's why there is so much spam and other sorts of computer bogusness, because it's too hard for normal users to use this stuff even remotely safely on the internet, and microsoft software is insanely insecure and has a precedent going back years to prove it, despite numerous major releases all claiming to have "fixed" the problems.. It just is, admit freaking reality.
In this day and age you don't have to be an engineer to use normal consumer products. You shouldn't need to be a thermodynamics engineer and an EE to keep your refrigerator running. You shouldn't need to be a systems administrator and a programmer and a security guru to surf the internet. You don't need to be a telecommunications engineer to use a telephone. You don't need to be a professional audio engineer to use consumer audio equipment.
The cartel of Microsoft and the big box vendors KNOWINGLY ship consumer products that they make billions on knowing they are highly susceptible to malicious compromise. In legal terms, this is maintaining an attractive nuisance at a minimum. And I'll repeat the patent angle- you want a patent, want to maintain your typed up crap is some sort of "product" that you can charge money for? You need a warranty, or offer it for free for testing with a copyright only.
So why isn't this happening? (1) It's not an issue for politicians. I want to see Obama/Hillary/McCain arguing about Spam!!! and so... (2) The money isn't budgeted for law enforcement. With some Elliot Nesses on Spam, I reckon we can crack this. How do we let the politicians know this is an issue for us?
The best thing politicians could do is repeal CAN SPAM. Spammers would then face 50 sets of charges, one of which might call for 5 million consecutive 5-day jail terms
Or you can simply block all outbound port 25 except to very specific mail servers. Cox does this. At first I was a little miffed but then I realized it makes sense. You can still send mail to anywhere you just need to go through their mail server. So if you are running your own SMTP you simply set (for example) smtp.east.cox.net as your smart host and be done with it.
This way you stop most of the mass mailing trojans because they'd have to be smart enough to use the right smart host. Then, even if they do get smart enough to do that cox still has their mail server's log so they can easily show what went out.
The only wrinkle in this is a road warrior who wants to authenticate to his company's mail server so the mail appears to be coming from there. That is simple actually. Simply run a mail submission agent (MSA) on port 587 and reconfigure the clients to use port 587. An MSA only accepts authenticated connections.
I thought for once we could get through a Slashdot spam discussion without hearing the single most retarded thing people say on this topic. Apparently not.
using SQLgrey(listing), Spamassassin with ClamAV and bayesian filtering enabled (maybe plus Razor, Pyzor, DCC),
and not disabling the local bayes-filter in my Thunderbird [...] What's the actual problem?
Do you not see the contradiction? You are using seven different tools or services there.
Starting at least ten years ago and going up until recently, you couldn't have a discussion about spam with some chowderhead saying, "I just hit delete. What's the actual problem?" At least people finally dropped the "I just delete them" nonsense, so that's a start. The actual problem is that spam is a growing problem, and an arms race. Every technical, social, and legal solution we have implemented has been breached by spammers.
The actual problem is that we are now spending billions receiving, processing, storing, and hopefully detecting spam. TFA says that 75% of all mail is now spam. For me, with a few decade-old domains and one fifteen-year-old address, it's well over 90%. Every time we have this discussion on Slashdot, somebody says, "What's the big problem?" Every time, those numbers are worse.
How many nines of crap would you like before you're willing to call it a problem?
Vista? It'll be the Zune of operating systems ...
ok the problem is that people/people worrying about spam are not publishing callerid and DKIM in DNS
before we blame ISP's for not doing it by default we must (those people who read slashdot) ask our hosts to do it
make sure we have done it for our domains
ANTISPAM NEEDS YOU
simple
if you send mail from a domain make sure it has a callerid and if possible use DKIM
ISP's who sell domains and put a MX record in by default Without at least a callerid record are wrong... lets correct ours and then ask them to correct theirs
spamassassin can check SPF and DKIM so enable it NOW !
regards
John Jones
p.s. set up yours now
Microsoft callerID and exchange/outlook resources
Kerio CallerID check to help check your setup
yahoo resources on Domain Keys and setup for various MTA's
Spam will not go away until email is a fee-based service. Spam proliferates because it costs the sender only a few dollars to spam millions of people. If it was fee-based, even say 5-cents per message, then spammers would have to pay 50,000 to do that. If they used zombie machines, then the zombie owners would notice a bill for thousands of messages and fix their machine or abandon email. Of course it would not eliminate all junkmail, but a vast majority of it.
Table-ized A.I.
This was a technique described at CEAS 2006 (papers and slides should be on the website). It worked well for the ISP in the States that piloted it, although they were less invasive at first - hosts that had high outgoing email activity got a banner applied over the top of their web pages (or a click through). The idea was the banner got them to ring in and get help to clear their machine or get them to explain what they were doing. There were some other ideas presented too, such as an automated system for replying to 419 scams - that was pretty cool. I think they managed to get a chain of 19 emails to/from this bot before the scammer gave up. Consume their resources if they try and consume yours! :)
A big problem with most spam filters, especially the open source ones, is that they're single user. They're trying to work out from the content what's spam. Systems like gmail (and Spamcop before IronPort bought it) look at spam addressed to a large number of addresses. When roughly similar material starts showing up at a few hundred different addresses, the probability that it's spam is very high.
Here's a thought. Mail servers should, on receiving an SMTP connection from an IP address, probe that IP address to see if it's a Microsoft consumer-grade operating system. If so, reject the connection. That would put a dent in the zombie problem.
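The multi-recipient approach described in the comment above (roughly similar material arriving at many different addresses), as an added example that is not part of the thread. It uses word-bigram Jaccard similarity as one simple way to group near-duplicates; the thresholds, names and the message stream are constructed assumptions, scaled down from the "few hundred" addresses the comment mentions.

```python
import re


def shingles(text, k=2):
    """Word k-grams of the normalised body. Digit runs collapse to '#', so
    per-message tracking numbers do not make two copies look different."""
    words = re.findall(r"[a-z]+|#", re.sub(r"\d+", "#", text.lower()))
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """Share of k-grams two messages have in common (0.0 to 1.0)."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


class BulkDetector:
    """Server-side view across mailboxes: counts distinct recipients per
    cluster of similar bodies. A single-user filter never sees this count."""

    def __init__(self, similarity=0.5, min_recipients=3):
        self.similarity = similarity
        self.min_recipients = min_recipients
        self.clusters = []   # each: {"rep": shingle set, "recipients": set of addresses}

    def observe(self, recipient, body):
        """Record one delivery; True once its cluster spans min_recipients addresses."""
        sh = shingles(body)
        for cluster in self.clusters:
            if jaccard(sh, cluster["rep"]) >= self.similarity:
                cluster["recipients"].add(recipient.lower())
                break
        else:
            # Nothing similar seen before: this body starts a new cluster.
            cluster = {"rep": sh, "recipients": {recipient.lower()}}
            self.clusters.append(cluster)
        return len(cluster["recipients"]) >= self.min_recipients


# Constructed delivery stream: (recipient, body).
STREAM = [
    ("u1@example.net", "Hot stock alert: ABCD will triple by Friday, buy now! ref 83721"),
    ("u2@example.net", "Hot stock alert: ABCD will triple by Monday, buy now! ref 11904"),
    ("carol@example.net", "Lunch on Friday? Let me know if noon works."),
    ("u3@example.org", "HOT STOCK ALERT - ABCD will triple by Friday. Buy now!! ref 5"),
    ("u1@example.net", "Hot stock alert: ABCD will triple by Friday, buy now! ref 40022"),
]


def run_stream(stream=STREAM):
    """Verdict for each delivery in order (True = looks like bulk mail)."""
    detector = BulkDetector()
    return [detector.observe(rcpt, body) for rcpt, body in stream]


if __name__ == "__main__":
    for (rcpt, _), bulk in zip(STREAM, run_stream()):
        print(f"{rcpt:20} bulk={bulk}")
```

Each mailbox in the sample receives one or two copies, which is why the verdict only flips once the third distinct address is seen; the first two deliveries have already been accepted by then.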
"Though today it should be able to tell the difference between legitimate bulk email* and spam "
just make two classes of outgoing mail: addresses you have received e-mail from, and addresses where you are initiating the contact. You are only allowed but so many (20 ?) new contacts per day.
We are all just people.
turn off the anti-spam system, now say what spam? Even with it on you should be looking at the stats of what its blocking.
We've all had to invest some combination of money, resources and time to this problem.
It's a pain, more for some than others, but it's still costing us money in a way in order to block the stuff..and yes it's getting worse.
Spam will effectively destroy email as we know it. Too many people, too many messages, and too easy to get to people.
We will migrate to a system where a sender must have a "key" before email is accepted, and those keys are under the control of the receiver.
This kind of system will work much like email, as it is so popular and so useful people will only migrate from it slowly. Default keys for new email users will be simple (like a "1"). Once someone is getting enough connection, enough email, then mail clients will communicate automatically with known good senders and create an individual, bidirectional keypair so that future communication with known friends continues, while spam is shut off. In the future, sharing someone's "contact" will be more akin to sharing the private key they have to connect to a person. Once you see a new email address use a known key of someone else, you would accept it once, automatically regenerate the key for the original person, and watch the behavior to determine if it was spam or a legitimate introduction of a friend to a friend. To most users this system could work exactly like email now - just need to add more functionality to the mail clients' spam processing ability.
Your post advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(x) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(x) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Ok numbnuts, that's exactly the kind of attitude that spammers have. That they can do anything because they pay for it.
Last I checked, spammers didn't pay to rent the bandwidth and processor time on each zombie machine they use.
You have to have limits. There have to be rules.
However, those limits shouldn't put a stop on legitimate activity. Just because _you_ do not have a legitimate reason to be running a mail server doesn't mean no one else does.
I'm all for ISPs cracking down on spammers, but not in a way that prevents people legitimately using the service.
(For the record, the great-great-great grandparent cited NTL as an example, who unfortunately have a history of _not_ dealing with abuse of their service, even when the recipient of the attack reports the abuse and supplies logging proving the source of the attack.)
http://blog.nexusuk.org
An underlying assumption is that these stock schemes are pump'n'dumps fostered by someone who has actually risked money on buying the stock. I don't think that's generally the case.
Whether a pump'n'dump succeeds or not, the broker handling the transactions will take his commission. Anything that increases a broker's transaction volume will increase his earnings, including shorts; he always takes his cut. A "shrewd" broker, like the ones known for calling nursing home residents to encourage them to day trade their life savings, doesn't need to do an actual pump'n'dump scheme; all they need to do is make it look like one is happening and wait for the suckers who want to take a ride on it. It doesn't matter whether the stocks go up or down, either way they collect when these are bought, and collect again when they are sold.
I think most of these stock scams are coming from sleazy brokers rather than stock speculators. Paying a few bucks a month to a spammer who is getting the same amount from a bunch of other brokers would be more than worthwhile when it increases the monthly transaction volume for all of them. Tracking the transactions he sees for the stocks the spammer decides to use is a simple way of checking whether the subscription to the spammer's service has been worthwhile.
Doing it this way, no one would actually have to work at researching pump'n'dump possibilities or risk any of their own money in a speculative buy. Also, there would be no way to trace back from the stock to the crooks, since the crooks never touched the stock itself. For con artists, this is a perfect deal. The marks suckered into it aren't going to talk about it: who is going to admit that they lost money trying to beat a pump'n'dump scheme?
Of course no one who reads slashdot would be dumb enough to fall for this scheme, right?
I see no one has really brought up the idea of handing out beatings to these slimy purveyors. Can't you imagine: Spammer sitting in his recliner one spring evening. There is a knock on the door. He opens the door and there is a crowd of Slashdotters with baseball bats (disguised as Gandalf, stormtroopers or Neo). The spammer gets wooden shampoos and is "encouraged" to change his ways or he will receive another visit. Yes, I know the squeamish among you will wail "That is against the law....you could go to jail". To that I reply "Shut your mouth, basement boi". The problem is there is not severe enough punishment for these goons. Violence may be a bit excessive, but so far everything else hasn't worked. Who is with me?
....for the important stuff, use indi. And yes, I'm working on the Linux port...
The Army reading list
Thunderbird's bayesian filter strips out and ignores all html tags in message bodies, and ignores a significant amount of the header. I think it strips out symbols too, but I don't remember for sure. In essence, it ignores the majority of the information that could tell it whether or not a message is spam. A good spam filter would try to use everything. My mail rules catch a lot more spam than Thunderbird's junk filter.
There's also a problem inherent to bayesian filtering where the spammer just needs to add a bunch of positive words/indicators to outweigh the negatives. In the real world, an email that has a number of negative words is very likely to be spam no matter how many positive words there are.
I guess that if you're running a mailing list to more than 1000 people, and you send out mail every day, there's a chance your ISP would misidentify you as a spammer yes. I'd imagine that you could explain this to them over the telephone, and if it really upset you you could take your business to someone else. The current situation is a bit of "a git" for people that don't run mailing lists, but are not terribly tech literate, and I think their needs outweigh yours. I hope more ISPs follow NTL's example.
Somewhat tangentially, what happened to Project Honeypot?
I saw this Slashdot headline and immediately headed there to check up on my honeypot, but noticed the site was down. Just a few days ago, it was "down for maintenance."
If this really is what spammers are taking their revenge out on, then how can we ensure that upstanding members of the Internet community are protected?
Wait till someone spoofs your domain in the from line. Happened to me last month, and now I get 100+ MAILER DAEMON bounces per day. Try putting rules in for that and not flagging legit bounces. Lots of fun there!
... but spammers and virus writers do. There are so many people out there who _are_ dumb enough to make no informed decisions whatsoever, and who actually don't even want to know better. People who make informed decisions don't usually fall for mails that are prone to insult their intelligence. The problem is that there are far too many people online, and it is made too easy to come online by most ISPs. Fact is, most ISPs profit regardless of the problem.
As long as this isn't understood, spam is here to stay. (And as long as there are people who run operating systems with by-design security errors, viruses and trojans are here to stay, too).
Mostly the grandparent post is guilty of something missing from the standard spam solution rebuttal checklist: insufficient details.
Yeah, a spam solution is almost certainly going to involve a modification to the SMTP protocol. The devil is in the details.
For my tastes, I'd be content to start with rejecting emails immediately rather than sending out "your email was rejected" messages. The number of valid "rejected" messages has got to be infinitesimal compared to the amount of address-guessing spam in the universe. About 1/3 of the spam I get comes from somebody's server rejecting somebody else's spam and telling me about it to no useful effect.
Seems like the only AI that will be done will be via the through clients that allow execution of code... for it to be "AI". (insert MS jokes here). Otherwise, it is just a blackbox spammers send mail into and no way to be smart.
Pretending spam has anything to do with free speech is like saying feces are food because both contain carbon.
I feel like death on a soda cracker.
There are 2 steps to stop this ( well 3, actually )
1 - death ( yes, death, not jail ) for convicted spammers ( oh, and make it painful and long too )
2 - any company caught knowingly using spam as a way to advertise is forced to shut down and they lose all their assets ( including personal )
You're advocating a legislative solution to spam, and it won't work for the same reasons that outlawing certain drugs doesn't stop drug trafficking, outlawing certain kinds of guns doesn't stop violence with guns, etc.: The people who you're trying to control with those laws don't respect the law in the first place, and in any case enough of them aren't scared enough of getting caught and prosecuted to keep them from breaking those laws. Furthermore, spam is a global problem and you'll never get every single jurisdiction in the world to pass compatible anti-spam laws and then cooperate with each other to go after spammers. Sometimes I get frustrated by a surge of spam and briefly entertain a sick fantasy involving a spammer's shins and an aluminum baseball bat, but I know that would never solve the spam problem.
I'd argue that in the cases of the drug trade and the old U.S. alcohol prohibition, the anti-[whatever] laws just drove up end prices and made trafficking more profitable for the [whatever]-runners, though I don't think that a similar effect would apply to spam because the supply vs. demand structure is different.
Fundamentally, both email spam and physical mail spam exist because the incremental cost of sending a single message is low enough that an unscrupulous person can send a huge volume of messages with a very low response rate, and still turn a profit. As long as that is the case, spam will continue to exist, whether in its current forms or some unforeseen form which targets some future communications medium.
Botnets aren't the problem; they're a problem which happens to provide a convenient tool for spammers. Spam filters, whitelists, blacklists, etc. will not stop spam, because they target symptoms, not the root cause. The anonymity available in email and postal mail (i.e., the sender's ability to list any return address that they want without authentication) makes it harder to filter spam and/or track down the spammers, but it doesn't cause the problem in the first place.
The only way to permanently and thoroughly solve a problem like spam is to go after the root cause, and only divert as much time, money and attention to the symptoms as is necessary to get by until the root cause is eliminated. In the case of spam (both email and postal), the root cause is the very low cost of sending a single message to an arbitrary address (where cost includes time, effort and money), and any spam filtering just targets symptoms without addressing the root cause.
Any time and money spent on things like improving spam filtering actually diverts resources from solving the real problem. Some of that is necessary, because today's SMTP-based email would be thoroughly unusable without it, but we'll never solve the problem that way.
The only way to eliminate spam is to remove the financial incentive by making the incremental cost of sending a single message to an arbitrary address too high for spammers to turn a profit. That's a lot easier said than done; if it cost a sender, say, 100 US dollars to send a single message, the flow of spam would stop, but so would almost all non-spam use of that messaging medium. The hard part will be to find a way to raise the cost for spammers beyond profitability, while still allowing fast, cheap, electronic person-to-person messaging for all people who can afford to have a computer (or at least access to one) in the first place. Legislative approaches to spam try to do this by attaching a very high cost (high fines, jail time, aluminum baseball bats applied to shins with a wonderful meaty >tink< sound, etc.) to the few spammers caught, in hopes that [punishment cost]
but I stopped getting spam when I stopped registering at sites. It would seem that their 'bidness model' involves what the telemarketers call interested consumers. Is it illegal to spam but still legal to sell email addy collections to spammers? As an aside, one of the very few sites with which I have registered is a stock trading company, and I think they thought better of alienating their customers. I get no unsolicited email from them.
Which would be of greater benefit to society, to allow a few people running mailing lists do so without having to pay for a higher (and audited) grade of net connection, or to raise the cost to spammers attempting to hijack zillions of consumer net connections? There's a sucker born every minute, but the percentage of zombie machine owners who could be convinced to pay a few extra $$$ for their net connection by viral spam is probably much lower than 100%. Thus spammers would be costed with a 2 step effort.
Email doesn't work already (add up the costs to the users and the providers). So the solution doesn't have to work either. It just has to suck slightly less badly.
I HATE these stupid 'form letter' responses. They make the poster look like they know-it-all, and they preclude any REAL thought or discussion about the idea. That said, I have a simple, foolproof idea to help eliminate spam.
Email certification.
If you want to be able to send Certified Email (CE), you apply for Certification from the company that gives you internet connectivity. They check you out, and 'Certify' you as being a legitimate emailer (ie: not a spammer). Then, you generate a private/public key pair and give them the public one. In the headers of all your email, is their certification, and an encrypted header line that's created using your private key.
When email arrives at the recipient's server (or this could be done at the client level, as well), the server sees the certification, and connects to the certifying server to get your public key. It attempts to decrypt the header line. If it does it marks the email as 'certified', if it cannot, it marks the email as 'uncertified', and the email client can be programmed to filter messages based on that.
Due to the public/private key cryptography, there can be no certified email spoofing. (Assuming the private keys are secure, the keys are of decent length, etc.) All emails are traceable back to the originating server. CORRECTION- all CERTIFIED emails are traceable. Anonymous email is still possible. People can still set up email servers for mailing lists without "having" to get them certified. And people can still receive non-certified mail.
If an email server sends out spam, the complaints go to its certifier. They can drop the certification, deleting the public key from their server. When this happens, ALL the email from the spamming server is now 'uncertified', and gets handled accordingly by email clients. If nothing is done, complaints go to THEIR upstream, etc. Individuals and groups can keep their own blacklists, if they wish, and anyone can choose to filter emails according to those lists.
Now, I've looked over that 'form email' that people like to post to shoot down anti-spam ideas. And nothing applies to this idea. (If something seems to apply, it's because I either left out details, or explained something wrong.) This idea does NOT need to be universally adopted, nor does it need to be adopted by everyone all at once. It's primarily a way of reliably tracing (certified) emails back to their originating server. The anti-spam part comes later: if you receive certified spam, complain and get the server un-certified. If you receive un-certified spam... well, just have your email client dump all uncertified emails in the trash. (Not necessarily, you could just use its un-certifiedness as a factor in filtering your email.)
This idea does not require anything be changed with SMTP. It simply requires a second connection be made to the certifying server. Now, before you bitch about the extra bandwidth, I'd like to remind you that, once this idea catches on, spam will be greatly reduced. This reduction will MORE than make up for the slight increase in bandwidth created in querying the certifying servers. Also, the certifying servers can set time limits on when the certifications expire, and need to be re-downloaded (kind of like DHCP leases). A 'new' company that just applied for certification might have its certificate set to expire almost instantly. This way, every email they send requires a download of the certificate. This allows the certificate to be pulled rapidly if they start spamming. After a month or two, it could be set to expire weekly or monthly.
To sum up: Email Certification is a reliable way of tracing the certified emails back to their originating server. This allows spammers to be identified unequivocally, and have their certification pulled. Email servers are NOT required to be certified, and anonymous email is still possible. Email recipients can, if they choose, set up their client to send uncertified emails to the trash, or to handle them however they wish. White lists and black lists
1 - death ( yes, death, not jail ) for convicted spammers ( oh, and make it painful and long too )
:-)
I'm actually surprised there have not been any vigilante attacks yet. Just imagine what one really pissed-off person can do from a van parked across the street from a spammer's house with an ordinary hunting rifle. Or, if you are not into the whole violence thing, just leave an anti-spam manifesto and slash their tires. Every day for a week.
This argument is flawed. Let us draw a parallel. Spam is irritating, frequently gross, and unsociable. Much like the common cold.
You've come up with a pretty much perfect way to block all the spam - in my parallel, you've stopped anyone from giving you a cold. Hooray for you. Whether it's by wearing a mask, or injecting yourself with anti-bacterials... you've prevented anyone else from infecting you with this annoying bug. Further, you believe anyone who *doesn't* take this "existing and working" action to prevent getting the spam/cold, they're either lazy or stupid.
The problem is though - even if there is projection, it doesn't make it right for people to cough all over me (send me spam). I shouldn't have to go out in public wearing a suit with a self contained air supply to avoid catching a cold, and nor should I have to go to any lengths to avoid spam.
If you want to go back to sociology, then how about this... the big game of natural selection used to mean that if you engaged in anti-social behaviour, you'd get smacked for it... These days, spammers are coughing all over us (to go back to my analogy), and getting away with it. Let's focus on smacking them down, rather than picking on the poor guys getting coughed on.
Greylisting doesn't work anymore. You might block a few spammers but I do greylisting with the latest version of postgrey and I still wind up with about 50 spams a day that get through to my spamassassin... Spammers take non-fatal error returns and add them to the end of the list.
X-Greylist: delayed 58065 seconds by postgrey-1.27 at xxxxx; Mon, 15 Jan 2007 10:58:49 UTC
X-Greylist: delayed 48829 seconds by postgrey-1.27 at xxxxx; Mon, 15 Jan 2007 11:42:10 UTC
X-Greylist: delayed 8054 seconds by postgrey-1.27 at xxxxx; Mon, 15 Jan 2007 13:18:46 UTC
That's from my spamassassin folder.
If implemented well, this scheme drives up the cost of sending spam for all spammers regardless of whether they respect the law, are in a legal jurisdiction that would cooperate with the recipient's jurisdiction, etc., because their messages simply won't get through if they don't front the money, and any recipients who they targeted may choose to keep the fronted money to compensate for their wasted time and annoyance.
...and so, spammers will turn to Identity Theft and using other people's credit cards to pay for their spam.
The problem of stock spam can be fixed by the stock market. Zero tolerance. Automatically delist any stock advertised by spam.
Tired of FB/Google censorship? Visit UNCENSORED!
What actually ticks me off most is the Spam that lands in my "brick and mortar" mailbox every day.
Much more of a hustle to get through and a waste of resources. When are Walgreens, Target and other big stores finally going to be flagged as spammers??
A distributed AI would be unkillable, self-healing, and darned hard to fix - after all, no two pieces of code for the AI are the same, so forget about filtering by signature, etc ...
It shouldn't be too hard to figure out how to turn a couple hundred thousand zombies into a really awesome neural net (a net-neural-net). We can call it IAI (Internet AI) or AI2 for buzzword compliance.
Come on .... admit it ... if someone offered you $10 million to write it, you would. And the new owners would make their money back the first day, just in "protection money".
Your idea is:
(x) interesting
(x) complicated
Seriously though, the only problem I have with it is your email vendor providing certification. Anyone can generate the key pair and set up a server if they own a domain. I also think that a zombie network could overcome it, the script will just need to search for the public key. Sure, they get pulled, but the spammer just runs the script again. Not a whole lot more difficult than what goes on now.
"He may be mad, but there's method in his madness. [...] It's what drives men mad, being methodical." G.K.Chesterton
Most businesses use email to almost completely replace the traditional uses of the FAX. That means that more often than not, the timeliness of the delivered mail is important to them. What you failed to mention is that greylisting will delay incoming mail anywhere from 15 minutes to days, depending on how the sender's mail server is configured.
So, greylisting is a great idea for those businesses who don't care about the timeliness of their email (as long as it gets there eventually) and for most home users as well. But for others, it's not even an option unfortunately.
Working in a DevOps shop is like playing in a band made up entirely of keytarists.
...and so, spammers will turn to Identity Theft and using other people's credit cards to pay for their spam.
Not necessarily. If the barrier cost is set high enough, then anybody who's inclined to steal credit cards would be better off using their stolen money to buy things, rather than using it to pay for spam mailings. Identity theft and credit card theft are major problems, but they exist independently from spam, and require their own solutions (and I don't have any suggestions for them at this time). There's overlap and interaction between various kinds of theft and spam, but they're still fundamentally different problems with different root causes.
Spam is really a very old problem. Before email spam, there were postal spam and telemarketing. Before those, there were door-to-door salesman (both honest ones and con artists). Before those, there were beggars accosting people in the street and stall owners hawking their wares to passers-by. Fundamentally, spam is the result of unscrupulous people trying to get the attention of a large number of strangers for personal gain. That gain may be direct or indirect, depending on whether they're pushing their own scheme or spamming for hire. The gain may be in the form of profits from the goods or services being pushed, money resulting from a scam they're running, gains from insider trading in a pump and dump scheme, or even an intangible motivation such as a true believer evangelizing their chosen political party, religion, or other cause.
Modern email spam differs from postal spam, telemarketing and aggressive face-to-face marketing only in volume... a single email spammer can target millions of people in a short period of time, and a single person can be deluged with hundreds or even thousands of annoying and unwanted email messages during a short span. Other than that, email spam is fundamentally the same as things that have been going on throughout history. What all of those things share is that a small number of people annoy a large number of people by stealing their attention in order to realize some personal gain (most commonly an economic gain).
I guess that at its roots, spam is a problem of human nature (and thus practically impossible to solve at that level), but just above that it's an economic problem that demands an economic solution. The promising thing is that since this is an economic problem being exploited through a technological medium, there may be technical ways to implement that economic solution that were never available in previous incarnations of spam. While a purely technical solution that does not directly target the economy of spam (such as spam filtering) cannot eliminate spam for the reasons I explained above, and a legal solution will also be ineffective as I have explained, there's promise for a technical solution which directly passes a higher cost on to the spammers, to the point where they look for other ways to make their money, or at least other targets.
All current spam filtering methods that I know of act at the receiving end and try to block incoming spam messages from getting to their recipients. It's still easy and cheap enough for spammers to try sending spam that there's incentive for them to engage in what's effectively an arms race with the filter developers. What we need is an effective way to make the spammers stop trying in the first place, without breaking the communications channels for everybody else. We need to address the root cause of spam, because we'll never solve the problem by simply treating the symptoms.
spam means nothing when MSC is around. a little mustard and pwned.
Kill your TV
I'm not a security expert by any means, however, AFAIK, the public key can *only* be used to encrypt. The private key is what allows you to decrypt the ciphered message.
--Jeremy
Jesus was a liberal
Your post advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(x) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
Tip: Throw in the OCR plugin for SpamAssassin. It works beautifully.
Now if only I could get my mail server running properly.
The stock market is just a particularly effective and efficient means by which to do commerce- mutually beneficial, voluntary trade.
It might be rife with (perish the thought) other people making money for doing things that you may think aren't worth that much money, but it's no cancer- not by a long shot. To the contrary, it's a structured institution that makes it possible to make wealth liquid- to make it possible to trade iron for grain, grain for fuel, ownership of a company for a down payment on a house.
What you have a legitimate complaint with is fraud and the people who commit it. Don't try to pin this on the market. Although it's not perfect by a long shot, it's also arguably the best solution we've ever seen for solving the problem of how to trade one thing of value for another.
If there's one thing I won't stand for, it's intolerance.
Well, my dogs seem to think cat feces is food.
(Actually, cats are true carnivores with inefficient digestive systems, and, while I don't recommend eating it, cat feces contains more protein than commercial dog food)
Anyone can generate the key pair and set up a server if they own a domain.
And anyone can have their email client filter out self-certifying senders. This can be done by tracing the chain of certification to the top (or at least up a few levels).
For instance, let's assume "Fred Klein Inc" has an email server. I get my Internet service from "Local ISP Inc", they get theirs from "Regional ISP Inc", who gets it from UUNET. Email I send would have an encrypted header and a header that points to 'Local ISP'. An email client would connect to the 'Local' ISP server and get my public key. It then successfully unencrypts the header, which contains a link to the 'Regional' ISP. Etc. A client recurses up the chain until it reaches the top, or a known-good certifier.
If someone tried to self-certify, the links will never actually go anywhere 'proven', and the email can be flagged as bad.
the script will just need to search for the public key.
The PRIVATE key (held only on the sending server) is used to encrypt a header. Knowing the Public key will not help a spammer.
My favorite spams are the ones with "news" headlines as subjects. They started out late last year echoing some of the more popular news stories. A better cross-section of all news on the Net than any newsreader, with less than no effort by me to compile them. So my New Year's resolution was to read all my spam. But since midmonth, the headlines have turned more speculative. The same stuff, but apparently from slightly in the future. Controversial global figures are now reported to be dead, imminent wars/invasions now reported as underway.
I wonder if maybe some Russian spammer gang has grabbed a disaffected physicist, repurposing their time machine to the more profitable spam that's perhaps legally compliant or just evasive through exploiting some temporal loophole.
My resolution has already paid off. Enough of the stock pumps have delivered "ahead of schedule" that I'm paying someone to read my spams for me. Though I've been getting a higher percentage reporting my own kidnapping by an unnamed employee...
--
make install -not war
It happens, but not that often. When they catch one, law enforcement does a dog and pony show and we applaud wildly. But they just keep coming.
The agency responsible for enforcing securities laws, the SEC, is understaffed and weak. Think back a few years when Spitzer went after the investment banking companies in New York while the SEC cried on the sidelines while Spitzer did their job.
Spam filtering is not a solution to the problem. The solution is to write your congressmen, especially those in the banking committee, and demand that they order the SEC to investigate and enforce.
I disagree with all of your steps to stop the stock spam.
The incentive to send out stock spam needs to be removed. Until there is some law enforcement and a penalty, this will continue. Write to the SEC and ask them to start investigating. Write to your representatives and let them know that you feel this is a serious problem.
And how do you stop spammers from just using everybody else's key?
Oh, there needs to be a way to restrict how keys are used.
Maybe we can do that by domain name, to show which domain names can use which keys?
Or maybe we can do it by IP addresses to show which IP addresses are authorized to send email with that key?
I know! We will use DNS for that.
Congratulations, you have reinvented SPF, Sender ID, DomainKeys -- but with a whole lot more of intrusiveness, annoyance and lead bricks to guarantee it never gets off the runway.
> Or you can simply block all outbound port 25 except to very specific
> mail servers. Cox does this. At first I was a little miffed but then
> I realized it makes sense.
That makes no sense at all!
The best way is for the ISP to simply prevent the rogue connection from connecting to the Internet until either:
1/ the user rings the ISP and confirms that they are running legitimate mailing software. OR:
2/ the user provides proof that the machine is clear of spyware, viruses, trojans, and keylogging software, and the attempted outbound traffic on port 25 on that machine either completely stops, or is reduced to the levels that most persons would use on an averaged daily basis.
It's simply inane for an ISP to block all port 25 traffic.
Why not just set up a unilateral system, under which every email costs a fraction of a cent? Micropayment postage for all email. This would not affect residential users, would provide commercial users a way to defer costs of internet service (and be tax deductible), and totally sock it to the spammers. If a spammer got a bill for $100,000 a month, they would quit in no time. I would have no problem paying a micropayment for each email I send out. Write your political representatives recommending micropayment email postage legislation if necessary.
Eliminating or minimizing incorrectly aimed bounce notifications is a whole lot more about proper system design and about mail admins with a clue and a care than it is about the SMTP protocol, other than the fact that the protocol specification requires mail to not be thrown away by an MTA without proper notification for trivial reasons.
As these trivial reasons include the machine crashing or running out of disk space, they most certainly also include "my filter thinks it is spam" or "the downstream server says the user is unknown".
I certainly hope they don't change that part of the specification.
Within the last few months in 2006, I started getting spam that would get past most of my filters. This is when I finally did it and set up automatic white listing on my e-mail address. Someone I don't know (not in my address book on the server -- addresses automatically added when I send e-mails to them) sends me an e-mail, they get a response asking to click a link to verify.
This has been the best spam fighting tool I've ever had. It also works for website registrations, as I can sign up on a website, then look in my whitelist queue folder (I'll never do it otherwise -- as most of it is spam), add the e-mail to the whitelist manually and move the e-mail to the appropriate folder. I have yet to lose any legitimate e-mail with this system; it keeps the spam 100% out.
Change is certain; progress is not obligatory.
VRFY. http://www.ietf.org/rfc/rfc2821.txt section 2.5.2. Not supported by all MTAs. It's an address disclosure vulnerability, or so it is claimed. Though there are those of us who'd say that hiding your address is pointless (it only works until it doesn't, which given malware prevalence on computers you don't control (eg: anyone who's legitimately got your address) is in the very near future).
People on mailing lists would have to set up whitelists to participate. Also, it doesn't address the issue of spam from mailing lists
:-)
Yes, people from mailing lists that post from UN-certified servers would have to set up a whitelist. This is trivial, and a tiny price to pay for no more spam.
Spam from mailing lists is handled like any other spam is.
There are holes in the approach which will allow spam to continue and we would still be stuck with this annoying protocol.
Again, as I said at the end of my post, why not try to work out the bugs in the idea, instead of just dismissing it out-of-hand?
And the protocol is not 'annoying'. It's invisible to the end user, with the possible exception of creating the key pair.
This plan will be totally useless unless everyone switches over.
No, No, NO! Now I know you didn't even bother to actually read the idea. This idea does NOT need to be universally adopted, nor does it need to be adopted by everyone all at once. People who do not have a compatible client will simply not enjoy the spam blocking. They can still send and receive email.
Somebody has to perform the certification. It must be possible to certify quickly and cheaply. Yet those two requirements mean it is fairly easy for spammers to commit fraud and get themselves certified.
"Hello, ISP. Joe Speaking. How may I help you?"
"You want to get certified to send emails? No problem. We have your personal info (name, address and phone number) on file, as well as your Credit Card. If this is for a business, we just need the name/address/phone of the Business. Otherwise, please log onto our home page and upload your private key. Someone will contact you by phone tomorrow to confirm you are set up."
"Thank you for calling ISP"
Not that tough, is it?? (Heck, the whole thing could be done online!) And with that information (name/address/phone), the ISP knows exactly who you are. If you send spam, they pull your certification, and blacklist you. (The old-fashioned blacklist, where they place you on a list that other ISPs have access to, as a warning that you broke your agreement with them.)
Spammers will circumvent the rules for certification, take over end-user machines, or take action to get legitimate mail servers decertified.
If a spam complaint comes in to an ISP, they can check their own email server logs and find out who sent the spam. They then have several choices:
1) Do nothing, which means they might shortly lose their certification, depending on their agreement with their upstream.
2) Stop accepting mail from the user, contact them (remember, they have contact info!) and find out what is going on.
3) Pull the user's certification.
Here is the Achilles heel of your proposal. Spammers will take over end-user machines and send out tons of spam (as they already do). This is already the biggest problem in blocking spam. We can already go upstream and tell the ISP about the problem. The ISP can already tell the client about the problem. Nevertheless, spammers take over machines faster than they can be fixed.
This is a policy matter to discuss with the ISPs, not with me.
If the zombies are sending spam thru the ISPs email server, then the ISPs need to BLOCK these zombie users from sending email. Then contact the users and inform them that, since they have violated the TOS, they cannot send email until their machine is un-zombified.
On the other hand, if the zombies are sending email directly (ie, NOT thru the ISP email server), then they are already uncertified, and no one is receiving the spam anyway.
Spammers will get themselves certified...
And the minute they send spam, they will get their certification pulled, and their names on a blacklist. Which means no other (legitimate) ISP will certify them in the future (and the illegitimate ISPs should already be un-certified and/or blocked).
To participate in a maili
And how do you stop spammers from just using everybody else's key?
Um, the whole point of Private Key Encryption is that there are 2 keys: a Public key which everyone knows, and a private key only you know. In this case, only your certifier's email server has your private key. Therefore, only your certifier's email server can use it.
Now, I suppose the spammers can all become hackers too, and crack into an email server and use the keys stored there....
What I mean is, I'd like to change the protocol from:
.. time passes ...
Spammer: Here's some email
Server: Thanks!
Server: Hey, this is spam! Let's send it to jfengel!
to
Spammer: Here's some email
Server: Screw you. It's spam. (or "There's no such person here. I reject it now rather than having to call you back using the forged header.")
I suspect that the SMTP protocol already supports that. But in general, SMTP is heavily oriented towards store-and-forward in an intermittently connected, unreliable network, passing mail at midnight when the rates were cheap. Maybe that's still a good mode to support, since not everybody has high-speed lines and the network is still unreliable, but TCP and the backbone have solved the problem without some of the problems that come from store-and-forward.
Well, I don't want to be rude, but you're not a security expert (obviously) :) Actually the way it works is that you have two asymmetric keys. One decrypts what the other encrypted and vice versa. The way you decide one is private and the other is public is completely subjective and doesn't change the process.
If there's one thing I won't stand for, it's intolerance.
Or just regard anything with an image as spam unless it's sent from an address with whom the recipient has already corresponded. This simple rule will eliminate most of the new spam. I would prefer to go one step further and say the first email from any person must be plain text; no images, no HTML. If you can't persuade me that you are worth corresponding with without images or fonts, then you probably aren't worth talking to.
I am TheRaven on Soylent News
How good is cox.net again?
From : JOHN C C CHAN
Reply-To : cjohn1970@yahoo.com.hk
Sent : 15 January 2007 16:12:56
Subject : Hello,
MIME-Version: 1.0
Received: from eastrmmtao02.cox.net ([68.230.240.37]) by bay0-mc5-f10.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444); Mon, 15 Jan 2007 08:14:23 -0800
Received: from eastrmimpo02.cox.net ([68.1.16.120]) by eastrmmtao02.cox.net (InterMail vM.6.01.06.03 201-2131-130-104-20060516) with ESMTP id ; Mon, 15 Jan 2007 11:12:58 -0500
Received: from eastrmwml01.mgt.cox.net ([172.18.52.73])by eastrmimpo02.cox.net with bizsmtpid BUBT1W00b1alsd00000000; Mon, 15 Jan 2007 11:11:27 -0500
Received: from 190.170.20.22, 81.199.61.27 by webmail.east.cox.net; Mon, 15 Jan 2007 11:12:52 -0500
X-Message-Info: LsUYwwHHNt0jQMoA4uXEnu8dQwqETZ4LM/CFB5z5Dbw=
Sensitivity: Normal
Return-Path: cyberinformation@cox.net
X-OriginalArrivalTime: 15 Jan 2007 16:14:23.0628 (UTC) FILETIME=[38822CC0:01C738C0]
View E-mail Message Source
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
FROM:MR.JOHN C C CHAN
HANG SENG BANK LTD,
HONG KONG.
tel/fax: +852-301-49319
Tel:+852-367-86734
Email: cjohn1970@yahoo.com.hk
Let me start by introducing myself. I am Mr. John C C Chan Chief Executive
Officer of the Hang Seng Bank Ltd.
Before the U.S and Iraqi war, our client a business man made a numbered fixed
deposit of (167,211,702.56 HKD) for 18 calendar months, this is valued to Twenty
One million Five Hundred Thousand United State Dollars only in my branch. Upon
maturity several notice was sent to him,even during the war, Four years ago
(2003). "...
yada yada, that would be a 419 scam originating from cox.net wouldn't it.
the same cox.net that refused to do anything when given evidence of abuse from a cox account.
Whenever I see inconsistencies like that in a Python work, I just attribute it to the surrealist aspect of the group's sense of humour. The scene starts off as a normal cafeteria, and then suddenly spam starts popping up in the ingredients list, more and more, and eventually a chorus starts singing louder and louder in direct analogy to the prevalence of spam. The spam and musical crescendoes are more amusing when you set the list up to start with two spam-free menu items, and then you realise that you've been sucked into an evil parallel universe
:(
But we digress...sometimes I go through my bulk e-mail and read my spam's sender names and subjects for a good dose of surrealist humour. Let's see what I have from today that's especially funny:
Winston Beaver sent me "Hussy so agreeable and cultured!"
Patti asked me "yoou wantt punctilious Cuties?"
Freeman Childress wanted to talk to me "Re: Loan requets approved"
Stockroom P. Groundwork and Unkinder R. Restudy sent me blank e-mails.
I may make you feel, but I can't make you think.
I'm not kidding. If they actually did this, you watch how quickly spam would drop. Is it overkill? Yes. Would it work? You bet.
I wouldn't be so annoyed if the spam haiku was literally that -- a spam message in the form of a haiku. Certainly it would not be so bandwidth taxing to receive:
---
Buy our Viagra!
Your mojo is on the rise
from little blue pills.
http://blahblahblah.xxx/
---
Easy to filter though, which is why it would not be attempted now.
The point is that if e-mail advertising were even remotely as entertaining as television advertising can be, we might be willing to read it. Even if we aren't immediate buyers, it still plants the idea. Most of the entertaining TV commercials barely even address the product or brand until the very end, but they work because they keep you hooked that long.
Of course there are products I will not buy no matter how I become aware of them. Bud Light commercials can be moderately funny, but the product is awful. It must be working on someone though, as it's still one of the most popular beers in the country (maybe even #1).
Mal-2
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
The biggest problem is Uncle Remus and Aunt Daisy Mae who connect their PCs to the network and download a spambot. ISPs (especially broadband ones) should quarantine customers who aren't running things like Windows Defender or other trojan/bot/worm scanners. Until such time as a machine can be reasonably proven clean, it simply shouldn't be allowed on the network.
'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman
There are a number of smaller businesses out there with something like Mercury32 or MDaemon running on Win95/98/ME, with halfway-decent firewalls that keep the bad guys from attacking directly or no attackable services running, and no web browsing from those boxes to expose them to the various web-based exploits that affect the out-of-date browsers on their machines. These set-ups were probably installed years ago by various consultants, and have been left alone because they continue to do what they're meant to. It's possible for something to have a Win98/98/ME fingerprint, legitimately send mail directly to your servers and be no threat to you or your users.
I keep seeing variations on this idea, and while it's perfectly sound in the abstract, in practice it simply will not happen.
The problem is that certification is useless until the vast majority of email servers are certified.
I know, you said this isn't true, but I don't think you understand the situation. Spam filtering at the client level doesn't affect spam -- the suckers who the spam targets are NOT configuring filters at home. Yes, the geeks will get their family server in the basement certified in their spare time, and all their friends will send them certified messages. The spammers won't give a damn, because they're perfectly happy if the geeks and antispammers don't read their spam (they don't buy anyway).
So -- can you imagine an ISP filtering out email at the server level based on certification? No -- because all grandma cares about is getting Junior's emails, and when they stop coming (because his ISP's servers are in the 95% still uncertified) she gets on the phone and starts costing them money... and don't forget the time/money they spent implementing the filter, testing it, rolling out with hopefully no glitches/downtime, monitoring it, etc.
They might put a flag in the subject line of uncertified emails... okay, but it shows up in the emails from the bank, from the kids, from work... the complaints roll in. Cash flows out. So filtering is a liability.
But what about their own outgoing mail? Certify? Well, again it'll cost a chunk of time (money) to learn, setup and maintain 24/7/365 with the occasional confused complaint, it'll possibly cost their users some downtime particularly if they screw it up, and it'll gain them *nothing* for now, because no one is filtering yet (see above).
No brainer decision when your staff is already stretched thin.
The last link is the upstream access provider. They would need to implement the system and hire the staff for accepting complaints (online? via phone?), filtering out the sabotage from the real complaints, collecting evidence of abuse, dealing with angry ISPs on the phone, establishing/expiring/revoking certification, etc.
Will they go for it? Again, big cost, big headaches, and no gain until that magical day when everyone is on board.
Seriously, there's a positive push because no one likes spam, and everyone would gain from a plan that would actually curb it... but people need to come up with something that will work on the low level.
The SPF system is one that DOES help incrementally more as implementation spreads. It mitigates joe-jobs and backscatter for all domains with an SPF DNS record, and is trivial for server admins to implement. AND it doesn't cost anything if mail servers reject mail that fails the test: valid email will come from the server listed in the DNS record, OR the server may have no SPF record yet (let it through). Spammers can only spoof addresses without SPF records, since they can't set up their own SPF record -- they'd be easily traceable when they spam, since the domain registrar would have credit card info, etc.
Even at early stages, there's benefit for server admins to filter (removes spam safely from any domain with an SPF record), and there's benefit for adding the SPF record (please, filter out spam that pretends to be from me! my customers don't like it).
It's not perfect... forwarding email and badly created records can cause issues, plus while AOL has implemented basic SPF filtering Microsoft is involved and trying to mix XML into the record format somehow....
Personally I feel the BlueFrog approach is the strongest for non-stock-pump spam... but obviously a decentralized approach is required to avoid Blue Security's fiery downfall. The main problem with this system is that human analysis is required to analyze spam and write scripts for leaving complaints.
I totally disagree. The Cox-provided SMTP servers will transfer any outbound mail you send to them. There is never any need to use another mail server for outbound traffic. If one is using another mail server then that mail server should be requiring authentication when it receives mail from unknown IP addresses. If that is the case then that mail server should be running an MSA on port 587 in addition to or in lieu of an MTA on port 25. Therefore, blocked port 25 does not affect submission of mail to properly configured mail submission agents (MSAs).
The problem with your idea is that an unwitting user might think he has his computer secured but how can one really be certain? What does the ISP do if the user has assured it that he has no viruses/trojans but then the ISP starts getting a bunch of port 25 traffic coming from the user's machine? Do you then block the port until he clears it? Do you block all access including to the web? And there's another thing. Doing that sort of port blocking requires a slightly more advanced firewall than simply blocking port 25 outright.
If you simply block port 25 always then you never have to worry about this. And, as mentioned above and in my original post, blocking port 25 has no effect on legitimate setups whatsoever. The only thing it might do is prevent you from sending to an MTA requiring authentication in which case you are doing a mail submission not mail transfer which should be running on port 587 as a pure MSA not port 25 as a hybrid MTA/MSA.
The problem with blocking outgoing port 25 is uninformed so-called power users like yourself who claim to need it. You don't. Nobody does. Get over it and configure your shit the right way. Imagine if all of the DSL and dial-up providers blocked outgoing port 25. Can you even think about how much less spam there would be? Dial-up blacklists would become a thing of the past. Trojans would have to be smart enough to use the correct smart host. And even if they did that all of the traffic would be logged. It is an excellent idea and I can't believe that more ISPs aren't doing it.
That actually appears to be a legitimate mail. It appears that someone logged in to Cox's webmail and sent the message through it. The spammer probably used a phishing scam to get the password and probably used some sort of screen-scraping app to send the message rather than logging in and doing it manually. However, the point still remains that it was most likely sent by authenticating to a server.
No one can stop idiot users from using weak passwords and giving them out to bad guys. And I don't think it would be right for Cox to terminate the user's account. Maybe inform him that it has been breached and send some information about phishing and not using weak passwords. And how do you know they did or didn't do anything? It's not generally a good idea for a business to start outing its customers as being stupid.
People who DO have a compatible client will not enjoy the spam blocking until they can unilaterally reject anything that is not certified. That won't happen until the servers that typically send them email switch over to your protocol.
"Hello, ISP. Joe Speaking. How may I help you?"
"You want to get certified to send emails? No problem. We have your personal info (name, address and phone number) on file, as well as your Credit Card. If this is for a business, we just need the name/address/phone of the Business. Otherwise, please log onto our home page and upload your private key. Someone will contact you by phone tomorrow to confirm you are set up."
"Thank you for calling ISP"
Not that tough, is it??
That's exactly my point. Of course they won't have your personal info on file. That's what you give them when you first call them up. Also, you don't call the ISP. In this case it's the spammer that wants to be an ISP. So they either certify themselves (how ridiculous is that?) or they call up a centralized certification authority like Verisign to get certified.
(Heck, the whole thing could be done online!) And with that information (name/address/phone), the ISP knows exactly who you are.
No they don't. Do you have any idea how easy it is to present fake information--even with a credit card? You can go down to Walgreen's, pick up a Visa gift card, log onto a web site and enter any personal info you want. Regardless of that, large key-signing authorities (eg Verisign) have a reputation for not checking up on any of the information presented to them.
If you send spam, they pull your certification, and blacklist you. (The old-fashioned blacklist, where they place you on a list that other ISPs have access to, as a warning that you broke your agreement with them.)
By the time your key can be revoked (and note that key revocation is still a huge problem in PKI) you can send more than enough spam to make up for the cost of the certificate. Anyway, if you set up blacklists like this, identity theft will become a common means of retribution where someone gets certified with your name, then sends some spam and gets you blacklisted. Spammers will do it for no other reason than to introduce noise into the system.
This is a policy matter to discuss with the ISPs, not with me. If the zombies are sending spam thru the ISPs email server, then the ISPs need to BLOCK these zombie users from sending email. Then contact the users and inform them that, since they have violated the TOS, they cannot send email until their machine is un-zombified. On the other hand, if the zombies are sending email directly (ie, NOT thru the ISP email server), then they are already uncertified, and no one is receiving the spam anyway. :-)
And you accuse me of not reading your post! This matter is not disputed, just the issue of how quickly the zombie machine can be shut down and how quickly new zombies can come into play.
And the minute they send spam, they will get their certification pulled, and their names on a blacklist. Which means no other (legitimate) ISP will certify them in the future (and the illegitimate ISPs should already be un-certified and/or blocked).
"Repeating yourself doesn't make you right."
What kind of retaliation are you talking about? How do spammers retaliate for this?
Avoid Missing Ball for High Score
Not true. A simple combination of white-listing, black-listing, and certification would work fine. In other words, what people need to do NOW. Eventually, the white- and black-listing would become unnecessary.
That's exactly my point. Of course they won't have your personal info on file. That's what you give them when you first call them up.
They won't have your info, because you gave it to them??
Also, you don't call the ISP. In this case it's the spammer that wants to be an ISP. So they either certify themselves (how ridiculous is that?) or they call up a centralized certification authority like Verisign to get certified.
No- they call up the company that gives them internet access- in other words, their ISP. Like I said.
Do you have any idea how easy it is to present fake information--even with a credit card? You can go down to Walgreen's, pick up a Visa gift card, log onto a web site and enter any personal info you want.
So the ISP will have to, you know, VERIFY the data before certifying you. Like, spend a minute calling you back at your supposed phone number. Or sending you a letter at your supposed address (not a PO box) that you need to respond to. These things are trivial procedural issues.
Regardless of that, large key-signing authorities (eg Verisign) have a reputation for not checking up on any of the information presented to them.
Procedural issue. Besides, if an ISP gets a reputation of not checking their clients, and their clients are spammers, they risk getting their certification pulled by their upstream provider. Or possibly their internet connection itself pulled.
By the time your key can be revoked (and note that key revocation is still a huge problem in PKI) you can send more than enough spam to make up for the cost of the certificate.
To be plain, when I say 'the key is revoked', I mean "the certifying server is set to NOT hand out the public key anymore". Joe receives an email, his client/server connects to the certifying server, the certifying server says "Nope, I don't know that sender", and the email is marked 'uncertified', and trashed (Or whatever).
Anyway, if you set up blacklists like this, identity theft will become a common means of retribution where someone gets certified with your name, then sends some spam and gets you blacklisted. Spammers will do it for no other reason than to introduce noise into the system.
1) Identity theft is illegal.
2) It's not possible if the ISPs perform even basic confirmation of the user.
And you accuse me of not reading your post! This matter is not disputed, just the issue of how quickly the zombie machine can be shut down and how quickly new zombies can come into play.
12:00 1000000 Spams Sent from a zombie machine owned by 'SomeIdiot@someplace.net'
12:01 Spam received by JoeBlow@whatever.com
12:01:05 Joe clicks the 'Report Spam' button
12:02 whatever.com (Joe's ISP) runs the spam thru automatic verification. It matches a known spam pattern.
12:03 whatever.com sends a report to the someplace.net (the sender's ISP) (cc: the certifier)
12:04 someplace.net automatically re-verifies the reported email is spam. It is.
12:05 someplace
Or you can simply block all outbound port 25 except to very specific mail servers. Cox does this. At first I was a little miffed but then I realized it makes sense. You can still send mail to anywhere you just need to go through their mail server. So if you are running your own SMTP you simply set (for example) smtp.east.cox.net as your smart host and be done with it.
Here's the wrinkle: if I'm at a friend's house, using his wireless, then I can't send email without reconfiguring my mail client. Nor vice-versa, because smtp.east.cox.net won't accept email from outside the Cox network. Similarly, anyone who brings their laptop to work/school/library/cybercafe from a place using Cox cable, or vice versa, will have to dick around with SMTP settings in order to get their mail to work in both places.
You could, of course, set up an authenticated relay on some high port on a server halfway across the net, but this requires technical skills, a server halfway across the net, and double the bandwidth usage.
I hereby place the above post in the public domain.
So are pot smoking and copyright infringement, but people do them anyway.
That's why you rent a shared or dedicated e-mail server in a data center from a company that specializes in e-mail smarthosting. Preferably you want at least one in each major territory in which you do business (e.g. North America separate from Korea).
Windows Internet Explorer is shipped under a supplemental EULA that requires the licensee to also be a licensee of Microsoft Windows OS.
(My SMTP response is worded somewhat politely because while the probability that the message is spam is quite high, the probability that the message is spam given that someone is reading my response is quite low. Write the message for the friendly mail administrator, not for the evil spammer.)
There are significant downsides to this approach, however. SpamAssassin is very memory-hungry. I can only be spam-checking so many simultaneously. This limits my mailserver's maximum concurrency. And if my system processes messages too quickly, the remote mailserver will give up on me and I'll have to go through it all again when they come back.
I used to say that everyone should be using this approach, but it's probably not realistic for large sites. They need to level out the load by inserting a queue between receipt and spam checking. That means accepting the message for delivery before knowing if it's good and thus bouncing it on failure.
What may be more realistic is rejecting bounces regarding messages that you know were forged. Your system can keep a database of all outbound Message-IDs, and bounces are in a well-defined format. (Aside from those stupid pseudo-bounces from the !@#$ virus checkers; I hate those.) If a bounce refers to a Message-ID that you haven't sent, the bounce can be rejected.
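The bounce check described in the last paragraph above, as an added example that is not part of the original thread: it parses an RFC 3464 delivery status notification, pulls the Message-ID of the returned message and compares it with a store of IDs the site really sent. The sample bounce, addresses, `SENT_IDS` store and function names are constructed assumptions; accepting bounces that carry no parsable original Message-ID is a policy choice made for this example.

```python
import email
from email import policy

# Constructed stand-in for a database of outbound Message-IDs (assumption).
SENT_IDS = {"<20070115.1001@example.org>"}


def constructed_dsn(original_id, headers_only=True):
    """Build a constructed bounce that returns the original message headers."""
    returned = "text/rfc822-headers" if headers_only else "message/rfc822"
    return "\n".join([
        "From: MAILER-DAEMON@mx.example.net",
        "To: alice@example.org",
        "Subject: Undelivered Mail Returned to Sender",
        "MIME-Version: 1.0",
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain",
        "",
        "bob@example.net: user unknown",
        "",
        "--b1",
        "Content-Type: message/delivery-status",
        "",
        "Reporting-MTA: dns; mx.example.net",
        "",
        "Final-Recipient: rfc822; bob@example.net",
        "Action: failed",
        "Status: 5.1.1",
        "",
        "--b1",
        "Content-Type: " + returned,
        "",
        "From: alice@example.org",
        "To: bob@example.net",
        "Message-ID: " + original_id,
        "Subject: lunch",
        "",
        "--b1--",
        "",
    ])


def original_message_id(bounce):
    """Return the Message-ID of the message a DSN refers to, or None."""
    if bounce.get_content_type() != "multipart/report":
        return None
    if str(bounce.get_param("report-type", "")).lower() != "delivery-status":
        return None
    for part in bounce.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            returned = part.get_payload(0)        # full original message
        elif ctype == "text/rfc822-headers":
            returned = email.message_from_string(  # original headers only
                part.get_content(), policy=policy.default)
        else:
            continue
        msgid = returned["Message-ID"]
        return str(msgid).strip() if msgid else None
    return None


def bounce_verdict(envelope_from, raw_message, sent_ids=SENT_IDS):
    """Return (smtp_code, reason) for a message offered to our MX."""
    if envelope_from != "":
        # Real bounces arrive with the null reverse-path, MAIL FROM:<>
        return 250, "not a bounce"
    msg = email.message_from_string(raw_message, policy=policy.default)
    orig = original_message_id(msg)
    if orig is None:
        return 250, "bounce without a parsable original Message-ID"
    if orig in sent_ids:
        return 250, "bounce for mail we sent"
    return 550, "bounce refers to a Message-ID this site never sent"


if __name__ == "__main__":
    print(bounce_verdict("", constructed_dsn("<20070115.1001@example.org>")))
    print(bounce_verdict("", constructed_dsn("<forged.777@spammer.invalid>")))
```

Because the verdict is returned while the SMTP session is still open, the backscatter is refused at the door instead of being queued and bounced again.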
How do we let the politicians know this is an issue for us?
Turn off their spam filters for a couple of days.
I used to do tech support for a federal court judge. He was hearing a case about spam, and wanted my opinions on the situation. I explained to him that every e-mail, spam or not, incurs a certain amount of overhead - bandwidth, processing time, etc. Then I explained that every spam requires CPU time to filter out, and that it cost our organization $x to support the spam that was eventually filtered out. And that for every spam which got through, over 97% didn't.
Then I shut off his spam filters.
A few hours later, he called me and begged me to turn his filters back on. Needless to say, the trial went our way. Unfortunately, the spammer was only small potatoes.
Fire and Meat. Yummy.
If greylisting doesn't work for you, then switch it off and see how you prefer to receive the huge amounts of spam that it would otherwise prevent. Did you ever tweak your config files?
Some of the servers that I care for receive a few thousand junk messages per day, greylisting cuts that down to about 2 or 3 messages, if spamassassin doesn't get them after that, they are filtered through a few RBLs and tagged, postfix body checks usually do wonders for anything left.
I seriously doubt you are getting spammed with anything drastically different than I am.
Two points:
1) Email has never been an instant messaging system, I've tried getting people to stop asking for an IRC/ICQ/MSN/AIM/whatever chat and just use email, but nobody listens.
2) Any mail server that doesn't retry when given a temporary failure code is broken and needs to be replaced, sooner rather than later.
In any case, I do review my mail logs (well I did the first two weeks of using the new system) and I saw exactly zero false positives.
The spamtrap driven RBLS I use all list and delist servers quickly, so they also cause no false positives, but if they ever do the user who sent me the unlucky ham will get a nice bounce message, so he will be able to retry the mail or call me.
I think getting a bounce is much nicer than just having your mail eaten by a filter.
-- To dream a dream is grand, but to live it is divine. -- Leto ][
Are you trying to tell me that the bastion of Internet standards, Microsoft, cannot produce a mail server that understands temporary errors?
If you are right then people will need to stop using Exchange for real Internet mail now rather than break the rest of the world's email.
-- To dream a dream is grand, but to live it is divine. -- Leto ][
You seem to have missed the "+ RBL part".
Most spammers seem to hit a number of spamtraps with each zombie at some point, so using spamtrap driven RBLS in front of greylisting means that the RBLs will take care of the verified spammers.
Greylisting gives the spamtraps some extra time to get hit, so rather than do actual blocking itself it augments the RBLs.
-- To dream a dream is grand, but to live it is divine. -- Leto ][
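How the RBL-in-front-of-greylisting combination from the comment above plays out over time, as an added example (not the commenter's configuration). The 300-second delay, the reply texts, the in-memory set standing in for a DNS blacklist query and all addresses are assumptions made for illustration.

```python
GREYLIST_DELAY = 300  # seconds a new triplet must wait (assumed value)


class Gatekeeper:
    """RBL check first, then greylisting on (client IP, sender, recipient)."""

    def __init__(self, rbl):
        self.rbl = rbl          # set of listed IPs; stands in for a DNSBL lookup
        self.first_seen = {}    # triplet -> time of its first delivery attempt

    def check(self, ip, sender, rcpt, now):
        if ip in self.rbl:
            return "554 5.7.1 client listed by RBL"
        key = (ip, sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(key, now)
        if now - first < GREYLIST_DELAY:
            # Temporary failure: a standards-following server queues and retries.
            return "451 4.7.1 greylisted, retry later"
        return "250 2.1.5 Ok"


def replay(attempts, listings):
    """Run timed attempts (time, ip, sender, rcpt) against a Gatekeeper.

    listings holds (time, ip) pairs: the moment a spamtrap-driven RBL
    adds an address. Returns (time, ip, reply code) for every attempt.
    """
    rbl = set()
    gate = Gatekeeper(rbl)
    pending = sorted(listings)
    replies = []
    for now, ip, sender, rcpt in sorted(attempts):
        while pending and pending[0][0] <= now:
            rbl.add(pending.pop(0)[1])
        replies.append((now, ip, gate.check(ip, sender, rcpt, now)[:3]))
    return replies


# Constructed scenario: one real mail server, one zombie that does retry.
ATTEMPTS = [
    (0,   "192.0.2.10",   "friend@example.net", "me@example.org"),
    (0,   "198.51.100.7", "x@spam.invalid",     "me@example.org"),
    (600, "192.0.2.10",   "friend@example.net", "me@example.org"),
    (900, "198.51.100.7", "x@spam.invalid",     "me@example.org"),
]
LISTINGS = [(120, "198.51.100.7")]  # the zombie hits a spamtrap two minutes in

if __name__ == "__main__":
    for row in replay(ATTEMPTS, LISTINGS):
        print(row)
```

Without the listing, the zombie's retry at 900 seconds would pass greylisting; the delay only helps against retrying senders because the RBL catches up in the meantime.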
It seems to me a simpler solution is just to get the ISPs to stop permitting spam and zombies. I think they could do it easily but don't do it now for fear of losing customers (both clueless zombie owners and spammers). Perhaps an organization could be formed to boycott ISPs that don't shut down zombies. Perhaps a class action lawsuit could be filed on behalf of all the people who had to waste money on antispam software because the ISPs don't shut down the zombies which are engaging in illegal activities in plain sight of the ISPs. Perhaps a law could be passed to force ISPs to shut them down.
When spam from the US plummets to tiny levels, all other countries would probably follow, either enthusiastically or reluctantly.
Say you've got a regional provider (i.e. a Chinese ISP), anyone in a given region can only connect to that ISP because there are no alternatives (this is most definitely the case). Now say that that ISP, as is often the case in certain parts of the world, doesn't give a rats about its clients sending SPAM, and is perfectly willing to certify them. Now by your system the ISP should lose its certification, which means that any legitimate users of the system also lose their certification, which means they can't send certified e-mail to anyone.
This system is also expensive, not so much in bandwidth, but in human time. Verifying someone's identity and intentions is expensive and time consuming, even for an ISP, and for something like hotmail or gmail, which people use for perfectly legitimate reasons, it'd be pretty much impossible.
So in the end, what you have is an expensive system which is essentially a complicated form of blacklisting, which as I said, sucks.
They don't need. They're already trading captchas for porn. ...Actually, I think all great problems of humanity could be solved if one found a way to throw porn in the solution...
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Instead of going after the spam with increasingly sophisticated filters that work only for the short time it takes for the spammers to come up with a countermeasure (arms race), go after the spammers themselves. Use their own shady methods against them just like the 'make love not spam' thing we had some time ago. Sure, wasting bandwidth on DDoS attacks against spammers' websites is a waste on some level, but taking their websites out will kill their income and thus their 'business'. They cannot counter that, nor will they have the funds to do it. We, the rest of the world, have much larger resources and we can blow their stupid businesses completely away if we want to - and we should.
Hopefully a few of them are stupid enough to attempt to use violence and similar against some of the people running these anti-spammer attacks and then we can really throw the book at them, sending them behind bars for hundreds of years each. Maybe some are stupid enough to commit suicide by cop... we can hope, anyway.
Yeah. Forget "becoming gods" after the singularity. More likely, the world will become a spam wasteland, dominated by AIs trying to take each other out, both online and in real life. Imagine people with their brains hacked running down the street harassing you, screaming about viagra, and killing the other viagra peddlers.
On the other hand, it would be really easy to get pr0n and warez...
I totally disagree. The Cox-provided SMTP servers will transfer any outbound mail you send to them. There is never any need to use another mail server for outbound traffic.
When I send an email to work it goes directly from my MX to work's MX. It's encrypted on the way. (as is any other email to a server that supports STARTTLS)
Cox's "solution" to spam forces everybody in my position to jump through complicated hoops and it would be so easy to forget on that one email in a thousand where it actually matters that it is encrypted.
Tim.
God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
This is too cynical for monday morning. Believe it or not, some people are not criminal simply because they have some moral code.
Ni.
You couldn't be more right. Yes, spam is back again with a vengeance. This time it is like a revenge. What happened to stiffer penalties for spammers and the CAN-SPAM Act of 2003 (http://www.spamlaws.com/federal/can-spam.shtml)? Or does it mean CAN SPAM :)
Chris ,
Php Programmers.
You are a god. I worship at your shrine. Well, I would if you had one.
:-)
Seriously, it seems you are one of the few people who have actually ~thought~ about the underlying epistemology of anti-spam efforts. I really like your tick-box approach to dealing with anti-spam "armchair enthusiasts". They mean well but haven't thought it through more than one or two steps.
So, More Strength to Your Arm!
I invented a device that you could bolt on to the gas line of your automobile and get 1000 miles/gallon (0.235221 l/100km). But there's a conspiracy between the oil companies and the auto manufacturers to prevent me from marketing it, so I wasn't able to acquire the funding to build a prototype.
But I have the formulas that *prove* that it works!
I read many comments on the article to the tune that we should get 'those countries' that harbour the spammers to track them down and punish them. And what country would want these scum in their borders? etc, etc.
;)
Ha! Don't make me laugh! Many spammers are located in countries with MUCH bigger problems like disease, famine, war, poverty etc. I'm sure that some jerks in a crummy computer lab are low on the list of priorities of the local and federal governments. Heck, I bet some of them are seen as local Robin Hoods stealing from the rich idiots and bringing money home to poor families.
We'll never get them to stop by law enforcement. The only solution is to get spamming to be a waste of time. I.e., make people stop opening, clicking on, reading, and buying things from spam. Who are these idiots? Probably someone you know who is not very technically literate. Got a grandparent or relative who's just been given a new computer? Educate them. I also love it when the media publishes stories of people who got scammed. Then this will help other people learn from their mistakes. Until buying from spam stops - spam will never stop.
My family laughed at how paranoid I am about giving out my email address. My dad signed up for every darn newsletter and survey he encountered online and rolled his eyes at my warnings. Now he gets hundreds and hundreds of un-filterable spams a day to an email address he must keep for business purposes. Told him so!
If a bounce refers to a Message-ID that you haven't sent, the bounce can be rejected.
That's clever. I like that.
(Kudos on the polite rejection message. My example was a joke, of course, but I'm glad to hear you're applying some civility. Spam tends to make people very, very upset; you've seen the sort of things people on Slashdot propose as punishments and they really don't seem to be joking.)
Any server that sends a bounce message to anyone but the original sender is misconfigured (it's called "backscatter").
The reason for this is simple: many companies use a mail filter/proxy in front of their main mail server.
So we get:
Spambot -> Mail Filter -> Mail Server
Now, if Spambot sends filter a message and it ACCEPTS it, then there is no more link back to Spambot except the "From" address which is undoubtedly forged. So the trick is, you have to reject BEFORE you close the connection. This is perfectly achievable, but you have to have Filter configured correctly. Usually each email user will not have an account on the Filter, so a quick thrown together system accepts everything to any user and lets the Mail Server sort it out afterwards. What you need to do though, is have a list of all valid users on the Filter itself, and reject invalid recipients THERE, so that they can be immediately rejected. Not only does this stop your setup from throwing around backscatter everywhere, but it also reduces the amount of spam to wrong addresses that the filter has to process (rejecting a wrong address is far less intensive than scanning and then banning).
My setup uses Postfix/Amavisd-new/SpamAssassin/ClamAV running on Gentoo as a filter. It connects to our Lotus Domino server's LDAP service once every three hours and refreshes the list of valid users.
"People who think they know everything are very annoying to those of us who do."-Mark Twain
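The recipient check at the filter described in the comment above, as an added example (not the commenter's Postfix setup). `fetch_users` is a hypothetical callable standing in for the LDAP query, the three-hour refresh matches the comment, and the reply texts, the 451 fallback and all addresses are assumptions.

```python
class RecipientGate:
    """RCPT-time recipient check on a filter in front of the real mail server."""

    def __init__(self, fetch_users, max_age=3 * 3600):
        self.fetch_users = fetch_users  # hypothetical: returns valid addresses
        self.max_age = max_age          # refresh interval in seconds
        self.users = None
        self.loaded_at = None

    def refresh(self, now):
        try:
            users = {u.lower() for u in self.fetch_users()}
        except OSError:
            return False                # directory unreachable: keep the old list
        self.users, self.loaded_at = users, now
        return True

    def rcpt(self, address, now):
        if self.users is None or now - self.loaded_at > self.max_age:
            self.refresh(now)
        if self.users is None:
            # Never loaded: defer instead of guessing either way.
            return "451 4.3.0 recipient list unavailable"
        if address.lower() in self.users:
            return "250 2.1.5 Ok"
        return "550 5.1.1 User unknown"  # refused while the sender is connected


# Constructed data: the back-end server's real users and three spam sessions,
# each a (forged envelope sender, recipient) pair.
BACKEND_USERS = {"alice@example.org", "bob@example.org"}
SESSIONS = [
    ("victim1@example.net", "alice@example.org"),
    ("victim2@example.net", "sales@example.org"),
    ("victim3@example.net", "info@example.org"),
]


def bounce_targets(sessions, gate, now=0):
    """Return the forged senders that end up receiving a bounce.

    gate=None models the accept-everything filter from the comment.
    """
    targets = []
    for sender, rcpt in sessions:
        reply = gate.rcpt(rcpt, now) if gate else "250 2.1.5 Ok"
        if reply.startswith("250") and rcpt.lower() not in BACKEND_USERS:
            targets.append(sender)  # accepted, then refused by the back end
    return targets
```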
I have a big problem with filtering. I believe too that it is wrong. It is wrong because it costs the victim ISPs and users while costing spammers very little. Most filters work pretty well at getting rid of spam. However, legitimate messages can also be filtered by spam filters. Yes, I know that most filters route messages to spam folders. In doing so, people still have to wade through such spam folders to check for legitimate messages. This wading through spam takes time to do, and that time costs spam victims. Filtering spam is much like putting one's hand in front of his face to fend off the punches thrown by a schoolyard bully. The best way in dealing with spammers and schoolyard bullies is for a number of people to HIT BACK.
I remember when Blue Security had their Blue Frog program going. My spam was decreased significantly. The problem with Blue Security and the likes is the fact that like most spammers, they depended upon a central server. When spammers start feeling the heat caused by such programs as Blue Frog, they take out the Internet server(s) on which spam complaint programs depend. Now there will be a new program that allows spam recipients to fight back. This new program will operate on instruction files that are updated via a peer to peer network. These instruction files will be cryptographically signed so that there is little chance that the instruction programs will be tampered with. I hope to release this GPL licenced program within a couple of days. Look for SpammerSkewer soon.
Try Nolisting. It's nifty.
Nolisting thwarts spam bots that ignore the secondary MX. If the primary MX always rejects connections and a large percentage of bots ignore the secondary MX, then a large percentage of spam never arrives.
Nolisting on the primary MX plus Greylisting on the secondary MX easily avoids 90% of spam.
I did not get a single spam-mail in my 5 mailboxes for the last 12 days
Sorry, but you are getting spam. It is coming down the wire to your PC. Only after you have got it is it filtered out so you do not see it.
Could someone clarify this a bit for me: What's the actual problem?
I am on shared broadband for the web but for privacy I use dial-up for e-mail. It now takes about 30 minutes per day to fetch my e-mail. In fact I find it very easy to identify and delete the spam once I have got it (about 90% of the total). My problem is that I have to pay the phone bill for 30 minutes every night. I will let others speak for the problems this junk causes in ISPs and sysadmins trying to run mail servers.
Frankly, I am fed up with "spam is not a problem" astroturfing.
You are 100% correct. If your mail client is configured to send to a hopefully authenticated server on port 25 then it won't work when you connect through Cox and you'll have to reconfigure your mail client. And when you leave the Cox network indeed you will have to reconfigure back to your authenticated server.
This is exactly what you should do. You don't set it up on "some high port". You set it up on port 587 which is specifically intended for this purpose. If your mail submission server isn't running on port 587 then you get what you deserve. If you are purely an end-user and don't have control over the server then bitch to your IT guy and tell him to fix his shit.
There is a trade off to be made here if you are the ISP. You can support the old method of running both MSA and MTA on port 25 by not blocking port 25 and have to deal with the increased complexity of blocking spam trojans when (note: not if) they happen. Or you can simply block port 25, provide a local mail server not requiring authentication that will send to anywhere (so mail can go through if necessary) and leave outbound port 587 open so that people whose mail servers are properly configured are completely unaffected.
Please, PLEASE, read what I am saying here instead of just spouting off and saying that port 25 must be open for authenticated mail submission. Port 25 mail submission is only necessary if your config is borked. Since _your_ config is borked, don't blame Cox.
Your mail server and/or client is configured incorrectly. Change your mail client to use port 587 (the mail submission port) instead of port 25. If it doesn't work, bitch to your server administrator to run an MSA on port 587. It's not Cox's fault that your configuration is wrong.
Now by your system the ISP should lose its certification, which means that any legitimate users of the system also lose their certification, which means they can't send certified e-mail to anyone.
Exactly. I don't see the problem. If it is an inconvenience to use an ISP that is not certified, then that will spur people into either changing ISPs, or changing the ISP.
This system is also expensive, not so much in bandwidth, but in human time. Verifying someone's identity and intentions is expensive and time consuming,
Not really. A callback, or letter (that needs to be replied to) sent to the address of the applicant will verify the person adequately.
hotmail or gmail, which people use for perfectly legitimate reasons, it'd be pretty much impossible
You get what you pay for. In this case, you pay nothing for these free webmail services, so you get nothing back. Hotmail/gmail would be uncertified (unless the company decided their advertising revenue was enough to fund the certification). Again, I don't see a problem.
Just make two classes of outgoing mail: addresses you have received e-mail from, and addresses where you are initiating the contact. You are only allowed but so many (20 ?) new contacts per day.
That'd work for consumer accounts most of the time. Still have to work on the zombie problem.
I don't read AC A human right
Here is a sampling of previews of my spam from gmail:
Lists checker linkatomic hunter, acquiring potential customers successful...
Known converting stream such satellite processed devices...
is named Svinjar
One mispagels won joey, grimm. Nationwide initiated members house...
Nautz viewslets pray dn, iyo bait...
This stuff makes absolutely no sense! Did I get targeted by the retard spammers? It looks like spam for the sake of spam!
While I certainly don't advocate the GP's ideas, I do feel I should point out that there is a big difference between illegal and immoral. In fact, sometimes following the law is the immoral thing to do (e.g. Rosa Parks).
We hope your rules and wisdom choke you / Now we are one in everlasting peace
You set it up on port 587 which is specifically intended for this purpose. If your mail submission server isn't running on port 587 then you get what you deserve. If you are purely an end-user and don't have control over the server then bitch to your IT guy and tell him to fix his shit.
Hmm, you learn something new every day. My university doesn't run MSA, and I'll still have to route mail through port 25, but now my own server has it set up.
I hereby place the above post in the public domain.
http://en.wikipedia.org/wiki/Joe_job
I got 35000 bounces/week of mail that I didn't send after getting a spammer booted by his ISP.
I submit to my local mailserver from whichever machine I'm using, using port 587. My local machine then submits it to my own mailserver via SMTP+TLS. That then delivers it to my work's public-facing mailservers using SMTP+TLS.
This is perfectly normal delivery of email.
Cox, it appears, would prevent this by requiring that they be allowed to snoop on all email.
God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
Ok, maybe I should have made the point that this is a RESIDENTIAL service. If I wanted to run a mailing list, I would need a BUSINESS or COMMERCIAL connection. Most residential connections actually have clauses in the TOC stating that this kind of activity is prohibited in large amounts. The large amounts I'm talking about is hours of outgoing mail, non-stop. Tell me how many people legitimately do THAT.