Slashdot Mirror


The New Yorker On Spam

aqk notes an article in the Aug. 6th New Yorker surveying the spam problem up-to-date. The New Yorker may not be exactly the MSM, but it is pretty influential. The author got only one fact wrong that I noticed: Canter and Siegel's seminal spam was propagated through Usenet and not email. Still, it's a good look at the history of spam and the scale of the problem today. The amount of spam that "spam king" Robert Alan Soloway, indicted under the CAN-SPAM Act, is accused of sending over a period of four years is now pumped out about every 30 seconds, around the clock, around the world.

132 comments

  1. Need More Exposure to Ideas and Methods by eldavojohn · · Score: 3, Informative

    The New Yorker may not be exactly the MSM, but it is pretty influential.

    What were you hoping? That if it were mainstream media (MSM), it would bring to light the problems of spam? That it would influence the businessmen & marketers that make the spam?

    This article is a great short history on spam but no new information was presented to me here (and judging from the summary neither did it shed light on anything new to you).

    I laugh at either of these hopes because the average person already deals with spam daily (my relatives began reaching out for me on ways to censor that from my younger cousins years ago) and we have a different mindset than businessmen & marketers.

    The article mentions the epic article by Paul Graham entitled "A Plan for Spam." It may look long and arduous but I heavily recommend you read that. I will not forget reading that article nor will Slashdot. I think it helps more for the "mainstream media" to publish things like this for their readers.

    Yes, it has code in it. Yes, it requires a bit of a priori knowledge in some places (pun intended). But, you know, a lot of times the best stuff comes from outsiders and I personally think that newspapers should develop a 'tech section' where they can throw off the mittens & grade school knowledge that need to be on in order to handle your average reader. I know many newspapers have entire sections devoted to sports--sometimes even just one particular sport if it's in season! I've seen many newspapers have 'articles/ads' for new automobiles, why not new technology? I know Popular Mechanics is ... well, popular for lack of a better word so why aren't newspapers picking up on this and printing more tech-heavy articles? I guess all I can do is bitch about it because I don't have the same mindset as the people trying to sell the news.

    Which brings me back to an important point, you're not going to change anyone's mind. Everyone knows about it and if you think that Wall Street businessmen are going to pick up the New Yorker & their jaw will drop when they read this article, you're sadly mistaken. If you think marketers will read this and say "My God, I need to start thinking about what I'm doing to the networks of the world," you're deluding yourself.

    What we need is an article that causes people to seriously ask themselves how we can keep e-mail free and uncensored while at the same time stopping spam. When I was asked by my aunt, they were concerned for their daughter using the internet and opening a spam message to see a guy with his legs split around a phallic-looking cactus in an ad for Viagra. I showed them how to use Thunderbird instead of Outlook Express and how to turn on junk mail filter. I also pointed out how vulnerable you leave yourself to spam if you print your e-mail in plain text on the internet. They never had a problem with it again.

    So while this article is informational, it does nothing practical for the reader. I realize--and I think a lot of people will agree with me--that the best way to stop spam is to stop clicking on it and show others how to do the same. The 0.001% response will dry up and spammers will drop off. Articles on how to configure yourself to spot spam would probably be the best thing mainstream media could print--sure would have helped my relatives!
    --
    My work here is dung.
    1. Re:Need More Exposure to Ideas and Methods by morgan_greywolf · · Score: 5, Insightful

      I know Popular Mechanics is ... well, popular for lack of a better word so why aren't newspapers picking up on this and printing more tech-heavy articles? I


      Because such articles don't sell advertising. Popular Mechanics, Popular Science, Scientific American, etc., can sell ads because they have nothing but tech-heavy, jargon-laden articles, and so the advertisers know exactly who they are targeting.

      Newspapers are general-purpose publications, written for the widest audience possible. It's hard enough for them to sell ads these days without having to have specialized sections for the tech reader.

      That being said, newspapers should be trying to innovate, because if they don't, well...it's the death knoll for newspapers.
    2. Re:Need More Exposure to Ideas and Methods by KingSkippus · · Score: 5, Interesting

      So while this article is informational, it does nothing practical for the reader. I realize--and I think a lot of people will agree with me--that the best way to stop spam is to stop clicking on it and show others how to do the same.

      This is definitely a start in the right direction, but it's not the whole story. I'm convinced that a massive part of the problem is that there's a widespread belief that spammers make millions of dollars.

      No doubt, a very few do. A very few have mansions and island retreats in the Bahamas. But these people are like the Michael Jordans of spammers, the people who have spent an incredible amount of time and effort into honing their spamming skills not just into an art, but a lucrative profession.

      The problem is that most spammers aren't the Michael Jordans of spam. They're just people who have heard that spammers make millions of dollars, and they want in on that action. They go out and download the latest scripts and fire off a few million e-mails. No one responds. So they fire off a few million more. After enough times, someone will respond, and they've made $20 bucks. Flush with the thought of new mansions, they fire off millions more. Whoops, that $20 was charged to a stolen card, so they're back to zero.

      The point is that the world has changed. Back in the day, there was a lot of money to be made from spam. Now, though, you have a very few scummy individuals who have made massive amounts of money. You have thousands of scummy individuals who think they can do the same thing, but fail miserably. It doesn't matter, though, all you need are the few who do make millions to keep the perception alive that spam = TONS of money, and you'll have people lining up to do it.

      What needs to happen is that they need to stop focusing so much on the spam "kings" and go after the regular guys who send it out. The people without the million-dollar houses. The people who think that it doesn't hurt anything to fire off a few million e-mails to try to sell some Vigara (yes, I misspelled it deliberately). The press need to cover those stories too. (They really need to cover them more.) People stop seeing Bill the multi-millionaire spam king and start seeing Ted the worthless loser who was so desperate that he thought he could make a million dollars by sending spam.

      It's not enough to make spam unprofitable. People have to know it's unprofitable, and that when caught, they'll end up in jail for nothing.

    3. Re:Need More Exposure to Ideas and Methods by Otter · · Score: 2
      Yes, it requires a bit of a priori knowledge in some places (pun intended).

      Umm, what pun?

      Incidentally, the New Yorker is one of the most prestigious magazines in the world (albeit prestige derived much more from its past authorial and editorial quality than from anything it has now). I'm not sure why you and the submitter seem to think it's some sort of printed-out blog.

    4. Re:Need More Exposure to Ideas and Methods by Anonymous Coward · · Score: 0

      Yes, it requires a bit of a priori knowledge in some places (pun intended).

      Umm, what pun?

      If you've ever studied basic statistics, you'd be familiar with Bayes' Theorem which happens to be concerned with two types of evidence either before or after. I believe the Latin phrases for these are a priori & a posteriori respectively. You will also come across them in basic beginning logic & philosophical works historically used to describe essentially the same things.

      The parent thought he was being funny when he mentioned Graham's work in which his algorithm hinges on Thomas Bayes' ideas.
    5. Re:Need More Exposure to Ideas and Methods by Philotechnia · · Score: 5, Insightful

      Let's step back from spam a second. If prostitution is the world's oldest profession, being a con artist is a close second. Before spam, these people were jumping out in front of cars to collect a paycheck, enticing people through telephone calls into shady business transactions, and so on. Spam is only a new form of an old trade. These people are always going to feed off the ignorant, the naive, the bleeding hearts, and the foolish. You will never regulate this kind of predatory behavior out of existence. All of us make bad choices. Some of those bad choices involve being the con artist, and some of those bad choices involve letting ourselves be duped. You can't stop this, you can only hope to contain it. That being said, the most effective approaches to spam are going to be those that assume the existence of the problem going forward - i.e. we can not stop nor get rid of spam - and manage it effectively while educating people against the tricks of the trade. I think spam is largely an overblown issue, that most competent sysadmins have tool sets that manage it very well, and that the average user is much more educated than us slashdotters assume. To put it briefly - spam is an overblown issue that just gives the government an excuse to get their grubby hands on our tubes. In Soviet Russia, the internet surfs you!

    6. Re:Need More Exposure to Ideas and Methods by Kadin2048 · · Score: 2, Interesting

      This is definitely a start in the right direction, but it's not the whole story. I'm convinced that a massive part of the problem is that there's a widespread belief that spammers make millions of dollars.

      No doubt, a very few do. A very few have mansions and island retreats in the Bahamas. But these people are like the Michael Jordans of spammers, the people who have spent an incredible amount of time and effort into honing their spamming skills not just into an art, but a lucrative profession.

      Replace "spammers" with "drug dealers" and the statement is still true.

      In fact, I think many, if not most, illegal activities are driven by the same motivation. It's a lottery; people rationally know that their chances of 'winning big' (being the multi-millionaire spammer sitting in the Bahamas, or the drug dealer who becomes a rap star, or whatever) are ridiculously small. But they do it anyway, because they think they can be that one in ten million.

      I strongly suspect that if you look at the pay-per-hour of spamming, that it -- like drug dealing -- often turns out to be a sub-minimum-wage job. The people sending spam could probably make more money doing something legitimate, but they're pursuing the (irrational) hope that they can beat the odds and become extremely wealthy without working hard instead. (And, ironically, end up working much harder for the little that they do make.)
      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    7. Re:Need More Exposure to Ideas and Methods by Logic+and+Reason · · Score: 3, Informative

      A "death knoll"? Are the newspapers going to roll down it and hit their heads?

    8. Re:Need More Exposure to Ideas and Methods by corbettw · · Score: 1

      It's not enough to make spam unprofitable.

      Not just that, it has to be seen as unglamorous. If the image of a typical spammer was changed from being a millionaire playboy to an Earl Hickey, that would help tremendously.
      --
      God invented whiskey so the Irish would not rule the world.
    9. Re:Need More Exposure to Ideas and Methods by mightyQuin · · Score: 1

      This article is a great short history on spam but no new information was presented to me here...

      How many people here knew that Hormel Span was a contraction of "Spiced ham"?

      --
      Now, if you'll excuse me, I've got some idea balls to remove from a manatee tank.
    10. Re:Need More Exposure to Ideas and Methods by Anonymous Coward · · Score: 0

      How many people here knew that Hormel Span was a contraction of "Spiced ham"?

      eldavojohn is from Minnesota as he's mentioned in many of his posts. Ever been to Austin, Minnesota?
    11. Re:Need More Exposure to Ideas and Methods by aqk · · Score: 1

      I have to disagree about educating the dirty "0.001 percenters" that unwittingly support the spam.
      They will never dry up, just as some people will never stop littering.

      There will always be incivists out there, and unless we can somehow impose draconian measures on the whole population (internet or real world) the litter will always be present.

      OK, Singapore appears to have stopped littering. But do we want this policing on the internet?

      Perhaps the only way is to revive that old reprehensible suggestion of somehow forcing ISPs to tax every email sent- say 1 mil ($0.1 cents) per message.
      For my 600 messages sent per month, it would cost me 60 cents.
      For the spammer's 50 million, it would cost him $50,000.

      Would his "A postcard for you, Dear" be worth it then?

      Oops- this latter one, and most spam these days, are sent by zombies.
      Well, perhaps once they got their monthly ISP bill, they would do something about installing a good up-to-date antivirus!


    12. Re:Need More Exposure to Ideas and Methods by Culture20 · · Score: 1

      So to translate to meatspace: We've been overrun by billions of deaf & blind prospectors who never found out the gold rush was over, and that every inch of land is owned. Hey! Watch that pick-axe this isn't a mine!

    13. Re:Need More Exposure to Ideas and Methods by tmjr3353 · · Score: 1

      Sorry, but I'm a little confused. Wouldn't having more focused sections HELP sell advertising? Maybe it's so hard for the newspapers to sell advertising because they're trying to cater to everyone. Why not pitch tech companies to put their ads in the Tech section -- they'll know who they're advertising to. Similarly, sell the ad space in the Celeb section to a demographic most inclined to read it.

    14. Re:Need More Exposure to Ideas and Methods by Anonymous Coward · · Score: 0

      No, somebody's going to stand on it and shoot them. Duh.

    15. Re:Need More Exposure to Ideas and Methods by AdamWeeden · · Score: 1

      Depends if it's grassy. Those tend to cause the most cranial damage.

      --
      I was quoted out of context in my autobiography...
    16. Re:Need More Exposure to Ideas and Methods by sBox · · Score: 1

      Spammers are more like pamphleteers of old, spreading trash on the streets, FUD about foreigners and land in the Everglades swamp. Pesky, irritating and costly in terms of cleanup. They will continue to exist and we will continue to fight in this media or the next.

    17. Re:Need More Exposure to Ideas and Methods by Anonymous Coward · · Score: 0

      Systems like IRC need to be shut down as they are too heavily abused and alternate (more secure) means of communication exist. There is nothing sacred about IRC. There also needs to be greater acceptance of the occasional need to temporarily cut off entire nations from the web if need be. If a country like the Ukraine can't or won't control its networks then it shouldn't be allowed to connect to them (just as nations without airport security aren't allowed to send planes to other nations). If the US does the same thing then we need to be treated the same.

    18. Re:Need More Exposure to Ideas and Methods by kmankmankman2001 · · Score: 1

      The "death knoll" is about 100 yards away from "the grassy knoll" - but nobody knows about it because it was removed from the Warren Commission report before it was published.

      --
      "The bigger the lie, the more they believe." - Det. Bunk
    19. Re:Need More Exposure to Ideas and Methods by JudgeFurious · · Score: 1

      And that's a small step away from "Death Gnoll" which should bring in the D&D crowd (if they're not already here).

      Hilarity ensues.

      --
      Appended to the end of comments you post. 120 chars.
    20. Re:Need More Exposure to Ideas and Methods by Anonymous Coward · · Score: 0

      > OK, Singapore appears to have stopped littering. But do we want this policing on the internet?

      We seem to be getting the police state without the cleanliness anyway, so hell, why not?

    21. Re:Need More Exposure to Ideas and Methods by EveLibertine · · Score: 2, Informative

      None, I'd wager. Mainly because "spiced ham" doesn't have an N in it.

    22. Re:Need More Exposure to Ideas and Methods by nahdude812 · · Score: 1

      I think they'd probably alienate their existing advertisers and lose that income, but it would take a while before the people interested in such content started purchasing the paper, and even longer before advertisers interested in running adverts in their newly formatted publication were convinced that it would be of much value.

      Actually probably a better approach would be if newspapers started having a real tech section (and not just a "here are the latest gadgets" which some papers are doing now), maybe starting as part of the Sunday paper, and expanding to weekdays as interest builds.

    23. Re:Need More Exposure to Ideas and Methods by Anonymous Coward · · Score: 0

      Okay, okay. It's a typo. Clearly I meant death knell. Sheesh.

    24. Re:Need More Exposure to Ideas and Methods by Meski · · Score: 1

      Newspapers are general-purpose publications, written for the widest audience possible. It's hard enough for them to sell ads these days without having to have specialized sections for the tech reader.
      Written for the dumbest reader, with the attention-span of a goldfish[1] you mean.

      [1] sorry to any goldfish I'm insulting here.
    25. Re:Need More Exposure to Ideas and Methods by Anonymous Coward · · Score: 0

      Never send to know for whom the knell knolls, it knolls for thee....

  2. Proper verification of senders by morgan_greywolf · · Score: 5, Insightful

    Spam wouldn't be such a problem if we had proper verification of senders. Whether that's through some central identity or whatever. I realize this idea is extremely unpopular and is not in the spirit of the original Internet, but heck, if you had to essentially have an ID that verified who you were and if you sent out spam, you'd lose it, how much less spam would there be?

    1. Re:Proper verification of senders by gatzke · · Score: 1, Interesting


      I have friends that automatically bounce emails back for whitelist verification. This annoys me, but helps them. It also keeps them from getting a lot of needed email, like automated site registration stuff. And the spammers would eventually beat that technology too.

      Get a gmail account. It works. Our university spam filtering quality goes up and down, but I get maybe one spam a week in my inbox in gmail.

      I used to periodically get some crazy communist manifesto spam, all in Spanish. I miss that one...

    2. Re:Proper verification of senders by morgan_greywolf · · Score: 3, Insightful

      If you ask me, nothing less than the total removal of all spamming should be acceptable. Filtering doesn't get it because you still have all of this spam and zombies wasting terabits of bandwidth. And you have spammers pwning all these clueless idiots' Windows boxes, turning them into spam zombies. Remove the ability to send spam without screwing yourself, and you'll solve all of the spam-related problems. Filtering is like putting makeup on a facial wound. Removing the ability to send spam in the first place is the cure.

    3. Re:Proper verification of senders by Philotechnia · · Score: 3, Interesting

      It's not just that this idea is unpopular, in my mind it is untenable. The nature of a decentralized system such as the internet is such that it, by its nature, resists control. So you want to require every internet user to have an ID for verification purposes? How would that be enforced internationally? It only takes one China or Nigeria to fail to comply, and the solution becomes worthless. Even if 100% compliance was possible, how long would it take for the system to be hacked? Imagine waking up one morning and finding yourself without internet access because someone else had been spamming using your credentials. I would contend that, if spam is a crime, there would need to be a larger burden of proof than simply seeing someone's credentials attached to an email. The lack of centralized control of the internet simply forces us to face the reality of human nature - when not controlled, some of us will choose to do good of our own devices, and some of us will choose to do bad. I rather enjoy this kind of environment - it allows the true nature of individuals to sally forth, it shows who is to be trusted and respected and who is to be avoided, and it grants free expression without forcing us into a cookie-cutter mold that some centralized authority would impose upon us. With all due respect, if you seek the kind of solution you state, move to China. I hear their network is very secure. Good luck logging into slashdot, though.

    4. Re:Proper verification of senders by Anonymous Coward · · Score: 2, Interesting

      The person that ran the Linux systems at school showed me the daily log for spam blocked once. It normally reaches 10,000+ a day. He said he contemplated turning it off one time if another user bitched about the 10 spam emails that got through on some days to most user accounts. So if the number of messages that get past the filter is less than 20, even if it fluctuates, it is still high quality filtering.

    5. Re:Proper verification of senders by Jugalator · · Score: 1

      Yeah, I've liked Gmail's filtering too, but was until recently blissfully unaware that it occasionally put legitimate mails in my spam box. :-( Now that I know it, I've seen about 3-4 mails gone that way.

      --
      Beware: In C++, your friends can see your privates!
    6. Re:Proper verification of senders by spikedvodka · · Score: 5, Insightful

      If you ask me, nothing less than the total removal of all spamming should be acceptable. Filtering doesn't get it because you still have all of this spam and zombies wasting terabits of bandwidth. And you have spammers pwning all these clueless idiots' Windows boxes, turning them into spam zombies. Remove the ability to send spam without screwing yourself, and you'll solve all of the spam-related problems. Filtering is like putting makeup on a facial wound. Removing the ability to send spam in the first place is the cure.

      Sounds great... where do I sign up? But seriously. There are a number of problems with "Removing the ability to send spam in the first place"

      1) What exactly is spam? -- Some people would say that spam is any e-mail they don't want. Others will say any e-mail they didn't ask for. Yet others point to the dictionary and say "unsolicited usually commercial e-mail sent to a large number of addresses"

      This brings up the first problem... if we go with the last (and most technical) of those definitions, all a spammer has to do is start to "properly" personalize the messages (for some value of personalize).
      If we go with the first, how can you check on the sending end if the recipient wants it?
      If we go with the second, what about when I want to send e-mail to a friend I've lost touch with? He didn't ask for the e-mail, therefore my message is "spam".

      Even if we, as the GP suggested, impose a technical restriction on e-mail such that it has to be authenticated as to who it's from, all that does is make the filtering easier. What is going to prevent the dedicated spammer from "registering" a new identity? Where would everybody's identities be registered? Would you trust a centralized registry of "registered senders"? For some reason I think not.

      I've heard suggestions of using a "web-of-trust" method of "registering identities", but even with that idea, you're going to end up with many separate webs. and bog help you if you want to send e-mail between the webs, you'd be effectively unknown, and thus declared "SPAM".

      All too often the way it seems with technology is that we put band-aids on everything. Endless patch-Tuesdays, etc. and that when a new system is proposed and agreed upon it (a) takes forever to get off the ground ... IPv6 anyone?, or (b) is forced to be backwards compatible, which defeats the purpose.

      Maybe I'll have to think of an algorithm to dynamically and auto-magically create a positive, and negative web-of-trust, both for senders and for servers... but that's more for another time
      --
      I will not give in to the terrorists. I will not become fearful.
    7. Re:Proper verification of senders by KingSkippus · · Score: 1

      There's a reason why it's extremely unpopular. We need anonymity on the Internet.

      Do you really want everything you do on the Internet to be trackable back to you? If they set up some sort of central ID authority, I can't help but think it will be expanded beyond spam service, and frankly, I don't want everything I do to be tracked.

      I think that part of the problem is that people do stupid things without any thought of consequence. For example, several years ago, my sister called and asked my e-mail address, and I told her. I was kind of excited, because she hadn't had e-mail before, and apparently she had finally joined the Internet age. I asked her what she was going to send me. She kind of hemmed and hawed around, and finally said that Bill Gates sent out an e-mail saying to forward the message to everyone, and Microsoft would send her $1,000.

      Of course, I told her it was a scam, but she still sent it out anyway. Why? Because, as she explained, "It's probably fake, but even if there's a one in a million chance that it's real, it will be worth it, because it doesn't cost anything to send an e-mail."

      Needless to say, she never got her $1,000 from Bill Gates, and a few years later, she's not as naive as she used to be. Still, it took a depressingly long time for her to wise up to how the Internet works, and there are masses of naive people like that joining the Internet community every day.

      What made it worse, of course, is that she didn't just send the message to me, she CC'ed it to everyone she could get an e-mail address for. So that means that several dozen people now have my e-mail address. Knowing her friends, at least several of them CC'ed it to everyone they could get e-mail addresses for, which means that hundreds of people now have my e-mail address. After just a very few iterations of this, I might as well get on national television and broadcast my e-mail during the Superbowl. No doubt I've gotten at least a few thousand spams from people who stupidly CC their whole address list on stuff.

    8. Re:Proper verification of senders by Opportunist · · Score: 2, Insightful

      That will never happen. Never.

      Reason? Simple. Who would immediately lose their "internet rights"? Clueless people with spam sending trojans. The same people that pretty much everyone who earns money through the internet loves. ISPs love them, because they use little bandwidth and don't care if their connection speed and reliability is far below anything advertised. Internet shops love them, because they rather buy crap online than trying to find it for free. Governments love them for as long as they're occupied with internet games and internet gambling, they don't ponder looking at the real world and what runs wrong.

      This won't happen. For pretty much the same reasons why nobody will ever be held responsible if he is unable to keep his computer malware free. Pol Pot already knew it, and our politicians catch up, it's easier to govern fools than it is to govern people who are willing to learn. Learning leads to questioning, questioning leads to opposition.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re:Proper verification of senders by gatzke · · Score: 3, Funny


      Ask your friends to stop using subjects like:

      "You will be able to penetrate deeper"

      "15% discount automatically on BOTH watches!"

      At least in gmail they are still around, and gmail will let you search for them easily. I am more worried about my university bouncing legit email as spam and I never see it... No way to find those.

    10. Re:Proper verification of senders by morgan_greywolf · · Score: 1

      Reason? Simple. Who would immediately lose their "internet rights"?


      Let them!!!

      Look, if you're stupid enough to get your machine infected like that, you're too stupid to be on the Internet.

      That's why I keep saying we need to eliminate warning labels. If you're not bright enough to figure out that you shouldn't use a hair-dryer in the bathtub, you deserve to die! Remove them from the gene pool, and all of our problems caused by idiots disappear.
    11. Re:Proper verification of senders by digitig · · Score: 1

      I get maybe one spam a week in my inbox in gmail.

      That's my experience too. Unfortunately, I get three or four legitimate emails a day in my spam box. And even though those legitimate emails are from mailing lists I have subscribed to, and I have set up filters to label them, and I keep clicking the "not spam" button, gmail spam filtering overrides my filter, doesn't learn to recognise the origin as legitimate, and doesn't seem to have the facility to whitelist them :-(
      --
      Quidnam Latine loqui modo coepi?
    12. Re:Proper verification of senders by Opportunist · · Score: 1

      I'm all with you, I'd be the first to rip their network cord from the socket and seal it with a "break it and we go medieval on you" police seal. But as I said, this will not happen. What industry and government wants is dumb, simple morons to bullshit. Nobody actually wants educated, interested and informed people. At least not past the point where they are good enough to generate money for industry and government.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    13. Re:Proper verification of senders by digitig · · Score: 1


      Ask your friends to stop using subjects like:

      "You will be able to penetrate deeper"

      "15% discount automatically on BOTH watches!"

      I once had to email a copy of Arnold's poem "Dover Beach" (http://www.victorianweb.org/authors/arnold/writings/doverbeach.html) to somebody, and a Bayesian spam filter bounced it. Go figure.

      The ones I have most trouble with are mailing list digests that do contain spam, but mixed in with legitimate content. Until the filters learn how to take apart the digest this looks set to remain an issue.

      --
      Quidnam Latine loqui modo coepi?
    14. Re:Proper verification of senders by Kadin2048 · · Score: 1

      Reason? Simple. Who would immediately lose their "internet rights"?

      Let them!!!

      Look, if you're stupid enough to get your machine infected like that, you're too stupid to be on the Internet.

      I'm not disagreeing with you, but did you read the rest of the GP's post? There are reasons why governments and societies protect the stupid.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    15. Re:Proper verification of senders by stevey · · Score: 1

      Every time I receive a message asking me to verify my mail address for the privilege of communicating with somebody I just delete it and move on.

      Nothing bugs me more than receiving a bug report via email, then being unable to reply back to the submitter without jumping through hoops.

      Don't even get me started on why this kind of system is bad - or what happens when two people who use systems like this try to mail each other.

    16. Re:Proper verification of senders by morgan_greywolf · · Score: 1

      Yes, yes. I know all about Opportunist's argument about why governments and societies protect the stupid, because they make them money. It's not the first time he's made the argument, and I'm sure it won't be the last.

      But if we rid the world of stupid people through the elimination of warning labels, the whole point will be moot, no?

    17. Re:Proper verification of senders by TheRaven64 · · Score: 1

      When you send a message with XMPP, your server is responsible for validating and re-writing the from field. It then connects to the recipient's server. The recipient's server, before the message is received, performs a DNS lookup of the sender's server, and checks that it matches the sending server's IP. If it does, then it relays the message.

      When you receive a message from foo@bar.com, then your server guarantees that it comes from bar.com, and the bar.com server guarantees that it comes from the 'foo' user. This allows much easier spam filtering. A lot of SMTP servers (e.g. those run by ISPs or large institutions) don't do authenticated relaying, they relay based on IP. This means that something sent from their mail servers claiming to be from foo@isp.com could be any customer of that ISP. Worse, your server doesn't have any way of guaranteeing that mail claiming to be from isp.com actually is, unless they've set up SPF or similar.

      Without these guarantees it is much harder to filter spam. If user@isp.com is a spammer, you can't easily filter them without blocking all of isp.com.

      --
      I am TheRaven on Soylent News
    18. Re:Proper verification of senders by Anonymous Coward · · Score: 0

      99.9% of potential spam is clearly spam (evading filters, falsified headers, botnets, etc). You're worrying about a tiny part that isn't the real problem. Misuse of my e-mail address by businesses is annoying, but not the problem we're talking about.

    19. Re:Proper verification of senders by rickb928 · · Score: 1

      "I realize this idea is extremely unpopular and is not in the spirit of the original Internet"

      The idea that you should be able to mask your true identity, deluge others with unwanted data, and consume excessive bandwidth in the process is NOT in the spirit of the original Internet. It's not even in the spirit of a commercially operated Internet.

      Spam is now the single greatest scourge of the Internet. It wastes resources, causes significant effort to merely manage, not eliminate, and has been the tool of those who wish to hijack systems for their purposes.

      None of that was in the spirit of the original Internet.

      Accountability and fair play was.

      If spammers abided by the spirit of the original Internet, they would mark their messages clearly as spam. They would accept requests to remove addresses from their lists. They would not disguise their true identities. They would not mask the contents of their messages to avoid filters.

      An identity-based email system is probably the answer. More likely, a reputation-based system in addition, which would allow us to both know who the sender really was, and then both report them as spammers and check to see if they are generally regarded as spammers.

      And, sadly, this would lead to the undeniable realization that much spam is coming from compromised personal machines. ISPs would be forced to block outgoing SMTP or whatever traffic, requiring it to go through their own gateways. And then they would be forced to block these compromised (read: botted) machines, users would have to go through the painful process of removing the botware and/or rebuilding their systems, and there would be much weeping and gnashing of teeth.

      We're in a perfect storm. Most Windows machines can be pwned by a single click. SMTP is fundamentally insecure, able to be exploited easily. Users pretty much just want to use their machines, and not have to have an MCSE come in and scrape them clean regularly. ISPs are afraid to filter more than they do. And everyone wrings their hands.

      No, I don't have a solution either. I'm just some slime on a tooth of a gear. Hopefully, in the spirit of the original Internet, smart people will join together and propose solutions, and we will adopt them.

      Hopefully.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    20. Re:Proper verification of senders by corbettw · · Score: 1

      You don't have to verify who someone is, as long as you verify that the From and Reply-To address(es) associated with an email are valid for the sending MTA. If not, drop the email.

      Yes, I know this would impact mailing lists, but I think that's a small price to pay to help stop spam.

      --
      God invented whiskey so the Irish would not rule the world.
    21. Re:Proper verification of senders by God'sDuck · · Score: 1

      "That's why I keep saying we need to eliminate warning labels."

      You assume the increased number of subsequent Darwinian deaths will outnumber the number of stupid birth-control failures. Also, that dumbness is primarily genetic. Neither is that likely.

    22. Re:Proper verification of senders by Main+Gauche · · Score: 1

      "I once had to email a copy of Arnold's poem "Dover Beach" (http://www.victorianweb.org/authors/arnold/writings/doverbeach.html) to somebody, and a Bayesian spam filter bounced it. Go figure."

      I followed your link. As a human Bayesian, let me say that if I got an email with those lines, I'd presume it to be spam, too!

    23. Re:Proper verification of senders by chromatic · · Score: 1

      I have friends that automatically bounce emails back for whitelist verification.

      I wouldn't brag about having psychopathic friends.

    24. Re:Proper verification of senders by nuzak · · Score: 1

      > Don't even get me started on why this kind of system is bad - or what happens when two people who use systems like this try to mail each other.

      Most C-R systems are pretty good at avoiding jabbering like that. Doesn't stop them from being fundamentally broken though.

      But if you get a challenge for a spam that was forged from your address, do the net a favor: jump through the hoop and let the spam through. The user of the C-R system deserves it.

      --
      Done with slashdot, done with nerds, getting a life.
    25. Re:Proper verification of senders by Anonymous Coward · · Score: 0

      Use PGP and tell all your friends to use it.
      Set SpamAssassin to add +1 to non-PGP mails.

    26. Re:Proper verification of senders by Anonymous Coward · · Score: 0

      You don't have to verify who someone is, as long as you verify that the From and Reply-To address(es) associated with an email are valid for the sending MTA. If not, drop the email.

      Yes, I know this would impact mailing lists, but I think that's a small price to pay to help stop spam.


      And it would impact those of us who need to send our outgoing messages through our ISP's MTA, so that they can catch those with spam trojans. I.e. most of the world by now.

  3. Not MSM? by spikedvodka · · Score: 4, Interesting

    How is the New Yorker *NOT* MSM? It's practically on every newsstand from here to Moscow (and yes, I have traveled that far, and seen it there). It's lasted for over 80 years so far and has won more than just a handful of nationally and internationally recognized awards for journalism.

    If anything the New Yorker is a good way to reach people that might not be quite as technically proficient or knowledgeable.

    --
    I will not give in to the terrorists. I will not become fearful.
    1. Re:Not MSM? by anti-pop-frustration · · Score: 3, Funny
      MSM ?

      The three letter acronym MSM can refer to:

      Maastricht School of Management, in Maastricht, the Netherlands

      Metal-semiconductor-metal junction.

      Miami Sound Machine

      Men who have sex with men

      Million Skirted Men, a movement advocating men's right to wear skirts.

    2. Re:Not MSM? by spikedvodka · · Score: 1

      MSM: Main Stream Media in this case

      --
      I will not give in to the terrorists. I will not become fearful.
  4. Off topic tremors, go figure by ArcadeX · · Score: 1
    I don't know why, but when I saw

    The amount of spam that "spam king" Robert Alan Soloway, indicted under the CAN-SPAM Act, is accused of sending over a period of four years is now pumped out about every 30 seconds, around the clock, around the world.

    I heard Michael Gross in my mind...

    "the possibilities for disaster boggles the mind".
    --
    An I.T. motto in the hands of an idiot is a dangerous thing...
  5. Suck by Anonymous Coward · · Score: 3, Informative

    I run a mail server for our 5 person business. I left at 8pm last night and got in at 6:45am this morning. During that time, 191 messages were blocked due to the content of the headers. 1,799 connection attempts were rejected due to being on rbls or part of my block list (182,910 entries). 351 pieces of spam still got through that and got caught by the filter which I went through by hand to verify that none of it was valid for users. I just finished going through everyone's inboxes to make sure nothing got through. Wanna know how many valid pieces of mail for all 5 users? 17. 17 out of the potential 2,341 attempted mail deliveries within an 11 hour time span.

    Just because your inbox doesn't have a lot of spam doesn't mean someone out there isn't making sure you see it that way.

    1. Re:Suck by DMorritt · · Score: 1

      why are you reading your employees email? surely some of it may be private, and unless you had grounds for searching you should really keep your nose out.

    2. Re:Suck by aqk · · Score: 1

      HA!

      As a techie, I used to read several of my BOSSES' email. I didn't want to, but I had to get rid of the P3n1S ads. (My immediate boss was a very straight woman)

      Later, this job was taken over by an anal-retentive network 'manager', replete with CNA, FUKSA, etc certificates plastered on his office walls.
      His solution?
      Reject all emails coming from Hotmail and Yahoo! He actually thought that's where the spam was originating.
      (You should have heard the screams come from upper management then!)

      Eventually I advised him of network spam filter programs, which were then just starting to become available...

      Thank goodness, I remained a lowly techie, thus defeating the Peter principle.


  6. King Robert Alan Soloway? by AndroidCat · · Score: 2, Funny

    Who died and elected him Spam King? (Not objecting, just hopeful that the previous Spam King died.)

    --
    One line blog. I hear that they're called Twitters now.
    1. Re:King Robert Alan Soloway? by dkleinsc · · Score: 1

      If I'm not mistaken, the previous Spam King would be Alan Ralsky, who was in effect shut down in October of 2005 by the FBI. He's also done time for fraud among other crimes.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    2. Re:King Robert Alan Soloway? by Anonymous Coward · · Score: 0

      meant to mod you funny, accidentally modded overrated -- damn scroll wheel. sorry.

  7. It'll be hard to change minds. by iknownuttin · · Score: 5, Interesting
    Which brings me back to an important point, you're not going to change anyone's mind.

    I'm in the middle of starting up a small business and was talking to someone about marketing. This individual (Not an in-duh-vidual - a Ph.D.) suggested that I send out mass emails. I told him that I can't do that because I'll be a spammer and my ISP will yank my account. He then mentioned that there are ways to mask my origins. I said if I get caught doing that, I'll be in even more trouble. Besides, I DON'T want to be a spammer.

    My point? Spamming has become so standard and everyday that people don't even give it a second look now and just consider it an annoyance at worst. The only people who really care are those of us in IT.

    --
    I prefer Flambe as apposed flamebait.
    1. Re:It'll be hard to change minds. by RobertLTux · · Score: 1

      Terabyte world, megabyte minds.

      It's entirely possible that somebody could be in the top 0.0005% of their field but an absolute moron in other areas.

      Sherlock Holmes, Gregory House, 90% of geeks reading this message: all of them have areas where they excel but they would be dangerous in others.

      This is Old Media covering a tech problem.

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    2. Re:It'll be hard to change minds. by gsslay · · Score: 0, Offtopic

      I'm in the middle of starting up a small business and was talking to someone about marketing. This individual (Not an in-duh-vidual - a Ph.D.) suggested that I send out mass emails.

      Please tell us you weren't paying this individual for this advice. Please tell us you haven't paid him anything since.
    3. Re:It'll be hard to change minds. by KlomDark · · Score: 0, Offtopic

      Dude, you need SalesGenie!

    4. Re:It'll be hard to change minds. by iknownuttin · · Score: 0, Offtopic
      Please tell us you weren't paying this individual for this advice. Please tell us you haven't paid him anything since.

      Don't worry, he's a friend of mine and we were shooting the breeze. I did bring spam into his awareness, though.

      --
      I prefer Flambe as apposed flamebait.
    5. Re:It'll be hard to change minds. by RobBebop · · Score: 3, Insightful

      I hope your friend's Ph.D isn't in a computer science related field. It seems logical that an acceptance of this would infect the rest of the world, though. Many businesses have enjoyed moderate success by sending out "mass-mail" through the USPS for years.

      In regards to your other point...

      Spamming has become so standard and everyday that people don't even give it a second look now and just consider it an annoyance at worst.

      I have found it increasingly annoying dealing with people who run pirated software because "they couldn't afford to pay for it". This "don't give it a second thought" mentality is, IMHO, something that should be reversed. Just because technology enables somebody to do something... it doesn't mean they should.

      --
      Support the 30 Hour Work Week!!!
    6. Re:It'll be hard to change minds. by cliffski · · Score: 1

      "I have found it increasingly annoying dealing with people who run pirated software because "they couldn't afford to pay for it". This "don't give it a second thought" mentality is, IMHO, something that should be reversed. Just because technology enables somebody to do something... it doesn't mean they should."

      Amen brother. I am interested in your ideas and wish to subscribe etc etc,

      --
      DRM-free indie games for the PC and Mac: Positech Games
    7. Re:It'll be hard to change minds. by nametaken · · Score: 1

      There's a fine line between mass mailing and spamming. I believe it has much to do with allowing people to unsubscribe.

    8. Re:It'll be hard to change minds. by __aailrp9629 · · Score: 1

      Unsolicited e-mail, regardless of origin, is spam. It may not be legally actionable spam, but it remains spam.

    9. Re:It'll be hard to change minds. by mqduck · · Score: 1

      I have found it increasingly annoying dealing with people who run pirated software because "they couldn't afford to pay for it". This "don't give it a second thought" mentality is, IMHO, something that should be reversed. Just because technology enables somebody to do something... it doesn't mean they should.

      What about those people who say "they couldn't afford to pay for it" because they couldn't afford to pay for it?
      --
      Property is theft.
    10. Re:It'll be hard to change minds. by gnunick · · Score: 2, Insightful
      Stealing bread when you can't afford it (and no one's giving it away) is difficult to condemn.

      Running pirated software because you can't afford it? Well, since you can get almost any software you could possibly need both free and legally, you're apparently either uninformed or not the sort of person to take responsibility for your own actions and choices (just like a spammer).

      --
      I have no special gift, I am only passionately curious. --Albert Einstein
    11. Re:It'll be hard to change minds. by greed · · Score: 1

      I sure hope you meant "with allowing people to subscribe." Hopefully, your subscription mechanism also has an unsubscribe, but at that point, at least you're only annoying people who asked you to. (Assuming properly confirmed subscriptions....)

      It is, by definition, unsolicited if I didn't ask for it.

    12. Re:It'll be hard to change minds. by RobBebop · · Score: 1

      Assuming you aren't trolling... I was referring to recent conversations with people who wanted "Photoshop" and wouldn't give a second thought to the comparable "Graphical Image Manipulation Program" that doesn't have the $500 price tag.

      If somebody can't afford "Photoshop", the option they choose shouldn't be to run an unlicensed copy of it by using a cracked version that they downloaded through BitTorrent. The option they choose should be "run something they can afford".

      Returning to the topic of the article... a Ph.D who proposes a Spam Advertising Campaign as a way to run a business is not technically suggesting something that is illegal/immoral/without precedent. However, where the line is crossed is the fact that spammers don't own (notice I didn't say "Pwn") the computers that are being used to send the spam. If they did (which assumes internet security were actually robust and users could actually use operating systems that protected them from infection) then spamming would cost a lot more... you'd see a lot less of it... and it would be better targeted (instead of hoping for 0.001% hit rates).

      --
      Support the 30 Hour Work Week!!!
    13. Re:It'll be hard to change minds. by judd · · Score: 1

      Those are pretty weak objections. You need shame.

      No, I won't spam because it is antisocial, and you would have to be a jerk to do that.

    14. Re:It'll be hard to change minds. by mqduck · · Score: 1

      Assuming you aren't trolling... I was referring to recent conversations with people who wanted "Photoshop" and wouldn't give a second thought to the comparable "Graphical Image Manipulation Program" that doesn't have the $500 price tag.

      If somebody can't afford "Photoshop", the option they choose shouldn't be to run an unlicensed copy of it by using a cracked version that they downloaded through BitTorrent. The option they choose should be "run something they can afford".

      Well, we both know that the GIMP is far less capable when it comes to advanced features. Pirating Photoshop when it would never be bought instead of running the GIMP in no way harms Adobe (or whoever owns it now). Some of us have moral systems based on "do no harm" rather than "respect the concept of private property" and other easy but empty morals.
      --
      Property is theft.
  8. They try to send, but don't really succeed by badger.foo · · Score: 3, Interesting
    The amount of spam that "spam king" Robert Alan Soloway, indicted under the CAN-SPAM Act, is accused of sending over a period of four years is now pumped out about every 30 seconds, around the clock, around the world.


    Well, they're trying to send a lot, but with a proper setup at and around your mail server, you will not be seeing much of it anyway.


    Simple greylisting helps a lot, supplemented with greytrapping-generated blacklists (with 24 hour expiry) it's even fun to watch. The last 2-3 percent that actually makes it through to be seen by content filtering gets converted back to free electrons.


    I've had a series of blog entries over at bsdly.blogspot.com about this and the conclusion is clear - with a competent system administrator, Spam is a solved problem (Links to other refs inside, follow links).

    --
    -- That grumpy BSD guy - http://bsdly.blogspot.com/
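Added example, not part of badger.foo's post or his blog: a simplified Python model of the greylisting plus greytrapping policy the comment describes, replayed over constructed delivery attempts. The class name, the trap address and the delay and expiry values other than the 24 hour blacklist expiry are assumptions made for this sketch.

```python
from dataclasses import dataclass, field

# Assumed policy values for this sketch (seconds).
GREY_DELAY = 25 * 60       # a retry sooner than this is still deferred
GREY_EXPIRY = 4 * 3600     # a retry later than this starts over
TRAP_EXPIRY = 24 * 3600    # the 24 hour blacklist expiry mentioned in the comment


@dataclass
class Greylister:
    traps: frozenset                              # addresses that never get real mail
    pending: dict = field(default_factory=dict)   # (ip, sender, rcpt) -> first attempt
    whitelist: set = field(default_factory=set)   # IPs that retried like a real MTA
    trapped: dict = field(default_factory=dict)   # ip -> time it mailed a trap address

    def check(self, ip, sender, rcpt, now):
        """Return an SMTP-style reply for one delivery attempt at time `now`."""
        hit = self.trapped.get(ip)
        if hit is not None:
            if now - hit < TRAP_EXPIRY:
                return "550 blacklisted by greytrap"
            del self.trapped[ip]                  # blacklist entry has expired

        if rcpt.lower() in self.traps:
            if ip in self.whitelist:
                return "550 no such user"         # proven MTAs are not trapped
            # A host still being greylisted mailed a trap address: blacklist it
            # and forget its pending triplets so a later retry cannot pass.
            self.trapped[ip] = now
            self.pending = {k: v for k, v in self.pending.items() if k[0] != ip}
            return "550 blacklisted by greytrap"

        if ip in self.whitelist:
            return "250 ok"

        key = (ip, sender.lower(), rcpt.lower())
        first = self.pending.get(key)
        if first is None or now - first > GREY_EXPIRY:
            self.pending[key] = now               # first sighting, or retry came too late
            return "451 greylisted, try again later"
        if now - first < GREY_DELAY:
            return "451 greylisted, try again later"
        del self.pending[key]                     # retried after the delay, as a real MTA does
        self.whitelist.add(ip)
        return "250 ok"


# Constructed sample traffic: (time in seconds, client IP, envelope sender, recipient).
TRAPS = {"trap@example.net"}
EVENTS = [
    (0,     "192.0.2.10",   "alice@example.org", "bob@example.net"),
    (60,    "192.0.2.10",   "alice@example.org", "bob@example.net"),
    (100,   "198.51.100.7", "x@spam.example",    "bob@example.net"),
    (101,   "198.51.100.7", "x@spam.example",    "trap@example.net"),
    (1800,  "192.0.2.10",   "alice@example.org", "bob@example.net"),
    (1900,  "192.0.2.10",   "alice@example.org", "carol@example.net"),
    (2000,  "198.51.100.7", "x@spam.example",    "bob@example.net"),
    (86502, "198.51.100.7", "x@spam.example",    "bob@example.net"),
]


def replay(events, traps):
    """Feed the events through a fresh Greylister and return the reply codes."""
    g = Greylister(frozenset(traps))
    return [g.check(ip, s, r, t).split()[0] for t, ip, s, r in events]


if __name__ == "__main__":
    for event, code in zip(EVENTS, replay(EVENTS, TRAPS)):
        print(code, *event)
```

The legitimate sender's first message is held until its retry at 1800 seconds, which is the delivery delay seebs raises further down the thread.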
    1. Re:They try to send, but don't really succeed by Philotechnia · · Score: 1

      Amen. Regulation of the internet to curtail spam is a solution looking for a problem without an existing solution. In other words, it's government.

    2. Re:They try to send, but don't really succeed by seebs · · Score: 2, Interesting

      I don't think an ever-increasing percentage of my bandwidth and CPU time going into spam filtering counts as a "solved" problem.

      How much time should I spend on becoming the hypothetical "competent" sysadmin? How much should I have to pay someone else to do it for me?

      Tell you what. You provide the salary for me to hire someone reasonably competent to keep filters up to date, and send me a couple of fairly powerful servers, and pay for a second dedicated T1 to do nothing but process email, and I'll back you and claim that spam is "solved". By you. And I'll suggest that everyone go ask you to "solve" it for them too.

      --
      My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
    3. Re:They try to send, but don't really succeed by badger.foo · · Score: 2, Informative

      You seem to be lumping several very different techniques together, thinking it's all about content filtering.

      Content filtering costs a lot of cpu, greylisting and stuttering (replying 1 byte at a time) costs our end very little.

      The cited techniques are likely to save you significant costs by discarding the obvious cases at the gateway and letting your computation heavy content filtering deal with five percent or less of the load it is handling at the moment.

      All I can say is read the articles. You really don't need that kind of extra gear you are imagining.

      --
      -- That grumpy BSD guy - http://bsdly.blogspot.com/
    4. Re:They try to send, but don't really succeed by seebs · · Score: 2, Informative

      You know, I actually do use greylisting. And a lot of other techniques, too.

      They all add up, and they really do require a lot of extra hardware.

      Do you have any clue what percentage of the bandwidth I pay for is going to the initial TCP packets from hosts I drop immediately? I'll give you a hint: It's a lot.

      I guess... I've heard serious discussion from people at large sites of what goes into their spam filtering. I'd guess they're not morons; in many cases, I know that they are quite intelligent, and have a lot of experience, and put a lot of time into learning about this stuff.

      They think it's expensive. Hell, the mere fact that there are people who are putting in full-time jobs at this proves that it's expensive.

      It's not solved. As long as it's taking a measurable number of people working full-time to "solve" it, it's not solved. It'll be solved when we no longer have to spend huge chunks of bandwidth on it, no longer lose mail to it, no longer have mail delayed by it -- you do know that greylisting often delays legitimate mail, right? -- and otherwise no longer have to pay for it. Until then, it's not solved, we just have workarounds that are more tolerable than not having the workarounds.

      --
      My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
    5. Re:They try to send, but don't really succeed by badger.foo · · Score: 2, Interesting

      It's not solved. As long as it's taking a measurable number of people working full-time to "solve" it, it's not solved. It'll be solved when we no longer have to spend huge chunks of bandwidth on it, no longer lose mail to it, no longer have mail delayed by it -- you do know that greylisting often delays legitimate mail, right?

      Unfortunately, the age of innocence is past, and I have another shocking revelation for you:

      There is no silver bullet.

      Spam is a solved problem to a very large extent. We are successfully turning essentially all of it away with minimal annoyance to others.

      Greylisting does delay delivery of the initial message from a new correspondent, but it is certainly no workaround - rather it's all about being a bit pedantic about adhering to standards. The workarounds are the odd things you need to do in order to compensate for poor configurations elsewhere. And of course you will need to scale your infrastructure according to expected loads.

      We will never have a perfect world, and any method you can devise will have a non-zero error rate. These are the simple facts of life.

      There are necessarily costs too, but by using available tools intelligently we minimize the costs.

      --
      -- That grumpy BSD guy - http://bsdly.blogspot.com/
    6. Re:They try to send, but don't really succeed by seebs · · Score: 1

      Billions and billions of dollars a year are not a "solved" problem.

      I'm not saying we need or want legislation. I'm just saying that it's not a solved problem.

      Greylisting is a workaround. It is an obnoxious workaround which reduces the functionality of legitimate mail. Any time I have to sacrifice some useful functionality to keep things working, that is exactly what a "workaround" is.

      I'm not claiming there is, or should be, a silver bullet; nothing I said implied any such thing. What I am saying is that what we have right now is utter crap, costing us billions and billions of dollars, wasting the full-time employment of many many thousands of people, and that we could do orders of magnitude better if there was general buy-in for it.

      People saying the problem is "solved", while the rest of us are losing a day or more of our productive output every week to this "solved" problem, are making the problem worse, not better. You might as well declare that the drug-related violence problem in America is "solved" by the War On Some Drugs.

      --
      My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
    7. Re:They try to send, but don't really succeed by Anonymous Coward · · Score: 0

      with a competent system administrator, Spam is a solved problem

      ...for a given cost.

      As someone further up said, whether you're solving it by paying MessageLabs or Postini to filter your mail for you, or you buy some combo of appliances and extra software, or you spend a lot of valuable admin time & clue and kit doing it yourself -- it all costs money. Lots of it, in fact. (I work in the anti-spam industry, and my employer's doing quite nicely anyway...).

      That cost gets passed on downstream, plus 5% sales tax and 7% margin... minus whatever the local competitive situation compels you to knock off in order to stay in the game... and you end up with crappy $30/month 1Mb DSL, or more ads, or less cash for the office christmas party (or lower pay / less work). Which is bad, of course, but not as bad as the alternatives. (If you don't know why, look for the "You have suggested a: []technical solution" form letter re-post down-thread, I'm sure someone will post it before long).

  9. Mod parent up! by khasim · · Score: 1

    This comes up every single time there is a discussion about spam.

    It is simply impossible to have a system that will identify EVERYONE in the world ... that will not also allow the spammers to grab fake addresses whenever they want to.

    1. Re:Mod parent up! by Planesdragon · · Score: 1

      It is simply impossible to have a system that will identify EVERYONE in the world ... that will not also allow the spammers to grab fake addresses whenever they want to.

      You don't know what "impossible" means, do you? Impossible means "if you had unlimited funding, you still couldn't do it."

      A total identification system is fairly easy. The hard part would be picking the right one, and handling bad authorizers. It may be "impractical", but it sure as heck isn't "impossible."

      (Absolutely easy method: one e-mail address per real person, always based on their nation of residence. Anonymity goes out the window, but you get real authorization.)
    2. Re:Mod parent up! by Philotechnia · · Score: 1

      Conceiving the system is far from impossible. Forcing people to comply by the rules of the system will always be impossible, that is the point.

    3. Re:Mod parent up! by icknay · · Score: 1

      Rather than track everyone in the world, you could just have a reputation system based on email addresses. Anyone can make up a brand-new email address at any time, but then it won't have an impressive reputation. The main barrier to this is that currently, the From: on an email is easily forged, so the notion of reputation does not work. Domain Keys and SPF attack exactly this problem -- enabling a durable notion of reputation for a domain. If we could get a few more people to implement those, it's going to make a huge difference. We're so close ... yet the default attitude seems to be to exclaim how hopeless it all is. Domain Keys Now! http://dkim.org/

  10. It's worse than you think. by khasim · · Score: 1

    What made it worse, of course, is that she didn't just send the message to me, she CC'ed it to everyone she could get an e-mail address for. So that means that several dozen people now have my e-mail address. Knowing her friends, at least several of them CC'ed it to everyone they could get e-mail addresses for, which means that hundreds of people now have my e-mail address. After just a very few iterations of this, I might as well get on national television and broadcast my e-mail during the Superbowl. No doubt I've gotten at least a few thousand spams from people who stupidly CC their whole address list on stuff.

    Now, the first time ANY SINGLE ONE of those people get infected, anything that appears to be an email address will be uploaded to the spammer's computer.

    From the spammer's perspective, that is the whole purpose of those "scams". To get more LEGITIMATE email addresses on more people's machines so that the spammer only needs to infect ONE machine to get ALL the addresses.
  11. How times have changed by HitekHobo · · Score: 1

    Just the other day I ran across an old thread on the linux security audit mailing list where a few of us were bitching about the second spam in a month! In the end, they elected to leave it an open, unmoderated list so that non-subscribing developers could continue to post responses to things they may have been cc'd on.

    Seven short years later and our current spam catch rate (at a regional CLEC) is over 98% and far from perfect...

  12. Every generation has to learn by Normal_Deviate · · Score: 0

    there is no free lunch. Spam is the latest iteration of the Tragedy of the Commons, and will persist as long as email is "free".

  13. "Web of trust" won't work. by khasim · · Score: 3, Insightful
    Check out TFA. They even mention Hotmail.

    Hotmail is one of the world's largest providers of e-mail service, with two hundred and eighty-five million registered accounts in more than two hundred countries. "We filter them all, and that takes huge amounts of computer processing power and Internet bandwidth, and it requires us to work constantly to keep the numbers from getting worse," Scarrow said. "We do this to minimize the impact on our customers, but it's a hell of a job."

    Yet about half the spam that gets through my system comes from HotMail and GMail.

    And let's not forget the cute ads that Microsoft appends to outgoing Hotmail messages. So, someone sends spam through Hotmail, which ends up with the ad attached ... and it gets reported as spam ... so when a legitimate message comes through from Hotmail it also has the ad and so it gets flagged as spam by SpamAssassin.

    That's great. The spam gets through and the legitimate messages are blocked. Maybe Microsoft could have put a bit more thought into their process? No? Getting the ads out is too important?

    Here's a thought. How about Microsoft and Google throttle the outbound connections on their servers? One message every 5 seconds? And take an account off-line AND ALL ITS PENDING MESSAGES if they get a complaint? Google has smart people. I'm sure they could work out an automatic arrangement with the larger anti-spam sites.

    The only "web of trust" you can really trust is your own white list.

    I'd rather focus on the opposite. Identifying ranges that are 99.9%+ likely to be spammers. Like most of the home accounts on Comcast and Verizon and such.
    1. Re:"Web of trust" won't work. by achbed · · Score: 1

      Yet about half the spam that gets through my system comes from HotMail and GMail.

      You mean appears to come from HotMail and GMail. There are lots of gateways out there that are still open, and will willingly bounce messages from anyone purporting to be Buddha, God, and Allah. Trust me, I know. I get a ton of "message rejected" notices on my domain from email that does not originate from me, but is somehow scheduled for delivery anyway. And that's just the ones that don't get through. Domain hijacking for spam purposes doesn't require hacking DNS, just forge your "from" address.

      Of course, very little stops spammers from also opening a ton of "legitimate" free accounts and spamming using those, but they can (sometimes) get tracked and shut down...

    2. Re:"Web of trust" won't work. by spikedvodka · · Score: 1

      The only "web of trust" you can really trust is your own white list.

      This falls under the problem of the "If I didn't ask for it, it's spam"

      Just recently, I got back in touch with a friend from college, I contacted her at work, and she asked me to e-mail her private e-mail address... of course, her private e-mail address didn't know who I was, so filed me under spam.

      White-listing is a great concept, but it isn't complete enough to work all-of-the-time. What we need is an "all-of-the-time" non-broken system.
      --
      I will not give in to the terrorists. I will not become fearful.
  14. Rose colored taped up glasses by Anonymous Coward · · Score: 0

    Oh man, I wish I had your optimism. But I'm a geezer, I'm beyond hope.

    I personally think that newspapers should develop a 'tech section' where they can throw off the mittens & grade school knowledge that need to be on in order to handle your average reader.

    Not me, I cringe every time I see the single weekly article by some so-called "tech guy" in a mainstream newspaper where someone (a non-nerd, obviously) says something like "my internet stopped working, what do I do?" and the answer starts with "first, open Internet Explorer. That's the program that lets you get on the internet"... GAH!!!! Someone will complain about viruses, does the guy ever mention Firefox? The fucktard doesn't seem to have ever HEARD of firefox, Linux, or OSS. Thankfully, the guy linked has retired. Hooray!

    I know many newspapers have entire sections devoted to sports--sometimes even just one particular sport if it's in season!

    That's because 48% of Americans (99% of males, probably not just Americans but men world-wide) are sometimes jocks and usually overweight wannabe jocks who love nothing better than to sit in front of the boob tube watching sports, memorizing meaningless statistics, and believing that it actually matters whether or not "their" team won the "big game" while not giving two shits or even knowing about warrantless wiretapping, limitless copyrights, the inability to make backups of DVDs they've bought, etc.

    Sorry man (for me as well as for you) but it ain't gonna happen, not in my lifetime and not even in yours.

    What we need is an article that causes people to seriously ask themselves how we can keep e-mail free and uncensored while at the same time stopping spam.

    You're not going to see an article like that in the MSM or even in most so-called "tech" rags or sites. There are a lot of people who think they're geeks (Geek Squad anyone?) just because they own a computer!

    So while this article is informational, it does nothing practical for the reader.

    Informational for Aunt Gussie, not for you or me. And informing Aunt Gussie is practical.

    the best way to stop spam is to stop clicking on it and show others how to do the same.

    Ignorance is curable, but unfortunately stupidity is not. There are enough people who know better than to click on spam but are stupid enough to do it anyway. Hell, my oldest daughter is brain damaged with an IQ of 65 but even she is smart enough to not click on spam! But college professors do it anyway.

    The situation is hopeless. If enough countries (esp. the US where most of the spam comes from) outlawed commercial unsolicited email with serious prison time for offenders, the spam problem would dry up... just like the "drug problem" has dried up.

    It's hopeless.

    =(

    -mcgrew

  15. Please... by drooling-dog · · Score: 1

    Canter and Siegel's seminal spam

    Do I have to hear about that this morning?
  16. A modest proposal... by Kadin2048 · · Score: 1

    Spam wouldn't be such a problem if we had proper verification of senders. Whether that's through some central identity or whatever. I realize this idea is extremely unpopular and is not in the spirit of the original Internet, but heck, if you had to essentially have an ID that verified who you were and if you sent out spam, you'd lose it, how much less spam would there be?


    Sure, and while we're at it, if everyone was required under penalty of death to have their name tattooed in large block letters on their forehead, then I wouldn't have to worry about embarrassing myself forgetting people's names at dinner parties.

    Some 'solutions' are worse than the problems they purport to solve.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  17. No. It comes from their servers. by khasim · · Score: 3, Interesting

    You mean appears to come from HotMail and GMail.

    Nope. They can't fake the IP address if you don't have pipelining turned on. It's coming from their IP's.

    Of course, very little stops spammers from also opening a ton of "legitimate" free accounts and spamming using those, but they can (sometimes) get tracked and shut down...

    That's the problem. You cannot "trust" Hotmail or GMail because they ARE used by spammers.

    And there is no technological reason why they could not address that issue. They know that spammers will open accounts with them. Yet they take no steps to mitigate that. Even limiting the outbound emails from each account would help. And having an automated process for reporting and blocking spam from them would pretty much solve the rest of the problem with them.
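    The throttle proposed in this comment and in "Web of trust" won't work above (one outbound message per account every 5 seconds, and a complaint takes the account and all its pending messages offline) can be sketched as below. This is an added example, not code from any poster or provider; the class, account names and timings are constructed.

```python
from collections import defaultdict, deque


class OutboundThrottle:
    """Per-account outbound queue: one release per interval, purge on complaint."""

    def __init__(self, min_interval=5.0):
        self.min_interval = min_interval          # seconds between releases
        self.queues = defaultdict(deque)          # account -> pending messages
        self.next_send = defaultdict(float)       # account -> earliest next release
        self.suspended = set()

    def submit(self, account, message):
        """Queue a message; suspended accounts are refused outright."""
        if account in self.suspended:
            return False
        self.queues[account].append(message)
        return True

    def release(self, now):
        """Return (account, message) pairs allowed onto the wire at time `now`."""
        out = []
        for account, pending in self.queues.items():
            if pending and now >= self.next_send[account]:
                out.append((account, pending.popleft()))
                self.next_send[account] = now + self.min_interval
        return out

    def complaint(self, account):
        """Suspend the account and drop everything it still has queued."""
        self.suspended.add(account)
        return len(self.queues.pop(account, ()))


def demo():
    # Constructed scenario: a bulk sender queues 1000 messages at t=0,
    # an ordinary user queues one, and a complaint arrives after t=10.
    throttle = OutboundThrottle(min_interval=5.0)
    for i in range(1000):
        throttle.submit("bulk@example.test", f"msg-{i}")
    throttle.submit("alice@example.test", "hello")
    sent = []
    for now in (0.0, 2.0, 5.0, 10.0):
        sent += throttle.release(now)
    purged = throttle.complaint("bulk@example.test")
    after = throttle.release(15.0)
    refused = not throttle.submit("bulk@example.test", "one more")
    return sent, purged, after, refused


if __name__ == "__main__":
    sent, purged, after, refused = demo()
    print(len(sent), "sent;", purged, "purged; refused afterwards:", refused)
```

    In the constructed run only three of the bulk sender's messages leave before the complaint, and the remaining queue is discarded rather than delivered.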
    1. Re:No. It comes from their servers. by thogard · · Score: 1

      They can't fake an IP address if you have pipelining turned on either but you have to flush the input buffer before you send back the response to the EHLO. I did a simple hack that looked at the queue size at the time the greeting was issued and purged lots of spam that way.
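      The check described in this comment, looking at what is already queued on the connection at the moment the greeting is issued, can be sketched as follows. This is an added example, not thogard's code; the hostname, reply text and wait time are assumptions, and the two clients are constructed over a local socketpair.

```python
import select
import socket

GREETING = b"220 mx.example.test ESMTP\r\n"   # constructed hostname
REJECT = b"554 5.5.0 Protocol error: input before greeting\r\n"


def drain_early_input(conn, wait_seconds=0.5, max_bytes=4096):
    """Return (and discard) whatever the client sent before we replied.

    A client that follows the protocol waits for the server's reply, so
    anything already readable here was sent blind.
    """
    readable, _, _ = select.select([conn], [], [], wait_seconds)
    if not readable:
        return b""
    try:
        return conn.recv(max_bytes)
    except ConnectionError:
        return b""


def greet(conn, wait_seconds=0.5):
    """Issue the greeting only if the client stayed silent; caller closes conn."""
    early = drain_early_input(conn, wait_seconds)
    try:
        if early:
            conn.sendall(REJECT)
            return "reject", early
        conn.sendall(GREETING)
        return "greeted", b""
    except OSError:
        return "gone", early          # peer hung up before we could reply


def demo():
    # Constructed clients: one waits for the banner, one sends commands blind.
    clients = {
        "polite": b"",
        "early_talker": b"HELO x\r\nMAIL FROM:<a@example.test>\r\n",
    }
    results = {}
    for name, first_bytes in clients.items():
        server, client = socket.socketpair()
        if first_bytes:
            client.sendall(first_bytes)
        verdict, early = greet(server, wait_seconds=0.2)
        results[name] = (verdict, early, client.recv(512))
        client.close()
        server.close()
    return results


if __name__ == "__main__":
    for name, (verdict, early, reply) in demo().items():
        print(name, verdict, early, reply)
```

      The same `drain_early_input` call placed just before the EHLO response discards commands a client pipelined before it could know pipelining was offered.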

    2. Re:No. It comes from their servers. by nuzak · · Score: 1

      > Yet they take no steps to mitigate that. Even limiting the outbound emails from each account would help

      They do that, in fact.

      > And having an automated process for reporting and blocking spam from them would pretty much solve the rest of the problem with them.

      They have that. Of course it's ignorebots on the abuse@ inbox, but hey, it's automated. As for automated blocking, that's kind of your problem. You can always block their IP addresses.

      I don't give a damn about the free email accounts -- they're nuisance traffic, 419 spammers mostly. It's the BILLIONS of spams spewing every single day from the residential blocks of the Comcasts and Oranges and Verizons that are doing real damage to the email and bandwidth infrastructure, and it's THEIR greed, incompetence, and sloth that keep it going every single day.

      --
      Done with slashdot, done with nerds, getting a life.
  18. How much does spam cost? by Anonymous Coward · · Score: 5, Informative

    No kidding. I admin a medium sized ISP. We have 8 (soon to be 9) distributed servers dedicated to email.

    3 load balanced e-mail filtering appliances, at the Internet facing edge. (Basically, BSD boxes running postfix, spamassassin, clamav, policyd, DCC checks, RBL and a few other checkers and daemons I'm forgetting.) They get about 90% of our spam.

    2 load balanced postfix boxes, running policyd on our outgoing mail, they will greylist any naughty customers with a zombie that have sent too much. Also, they do inbound user verification with LDAP, if spam has BCCed an invalid recipient or two, reject. Add another layer of anti-virus on the way to the customers. This catches another 8-9%. I'm guessing around 1% gets through.

    1 DCC server, because we exceeded the threshold for being able to use free DCC long ago. (I'll admit it's a bit under used.)

    1 MTA running exim for the hosted domains. This has spamassassin, and a few other services, supplementary to everything in front of it. I'd say it gets most of the rest for those with hosted domains.

    1 big bad 8x processor pop server that runs webmail and pop for the customers. It does no spam checking, because it could never handle the load, just stores what we think is not spam for the customers, around 25,000 accounts.

    By comparison, we need one (1) production, not counting backups, provisioning server. It handles minor things like DHCP for 15,000 customers.

    Now you have an idea on what your ISP spends its money and resources on. There is no small industry selling you solutions to fight the SPAM.

  19. Track them and arrest them. by Anonymous Coward · · Score: 0

    Every spam message sent has a business model behind it: Whether it's selling fake pharmaceuticals or convincing gullible people to fly to Amsterdam with suitcases of cash for an imaginary Nigerian prince, the point of every Spam mail is to get someone to part with their cash.

    That means there always has to be a point of contact, some mechanism by which the victim delivers money to the spammer: Whether it's a paypal account or a bank account or an arrangement to meet the African-looking geezer in the "I am in Ur inb0x steelin Ur muneez" T-shirt down at Schiphol airport, that means there is a trail by which law-enforcement can track these bastards down. Sure, this can be complicated and obfuscated by international boundaries and the spammers' sneakiness, but with sufficient resources every single one of these people ought to be traceable. Couldn't the international law-enforcement community just take some of the 10 billion dollars (or however much TFA stated) spent annually on spam-filtering and spend it instead taking the spam-bait and then using the payment methods to track the bastards down and nail their collective goolies to a wall?

    Hell, if every frustrated server admin in the world were to donate $1 each I reckon we'd have enough to send some heavies round...

    1. Re:Track them and arrest them. by achbed · · Score: 2, Insightful

      Two problems with this.
      1) You assume that all nations want to cooperate and, as you so eloquently put it, "nail their collective goolies to a wall". That is very far from the truth. If we can't get a universal agreement about terrorists, how can we get a universal agreement about spammers/scammers? The only way one is going to be able to do this consistently is by doing vigilante justice - and then avoiding any law enforcement that wants to take you out for taking matters into your own hands. Good luck with that!
      2) You also assume that "sending the heavies round" means that the "heavies" and the spammers are not colluding. I'll be willing to bet that many illegal spam operations are now owned by the same "entrepreneurs" that own the "heavies" you are referring to. Any bets on if they would be willing to beat down their own people for a few bucks? Many fewer bucks than their spam operation is bringing in?

  20. RMS wants spam! by strredwolf · · Score: 1

    "The amount of harm done by any of the cited 'unfair' things the net has been used for is clearly very small,'' the Internet pioneer Richard Stallman wrote a few days after the DEC e-mail. Stallman opposed any action that would interfere with the aggressive openness that came to define the Web. And he still does. In his message about the DEC spam, Stallman pointed out--three decades before the appearance of Craigs-list and Monster.com--that the network provided a unique opportunity to advertise jobs and an entirely new way to sell products. He went even further: "Would a dating service on the net be 'frowned upon' . . . ? I hope not. But even if it is, don't let that stop you from notifying me via net mail if you start one."

    I guess RMS wants spam. Quick! Forward all your spam to RMS! He wants it! He can have it!

    --
    # Canmephians for a better Linux Kernel
    $Stalag99{"URL"}="http://stalag99.net";
  21. Address book doesn't help? by Kadin2048 · · Score: 2, Interesting

    Have you put both the "From" and the "Reply-To" addresses on the mailing list into your Gmail address book? I've found that seems to keep mail in my Inbox instead of in Spam. (I think it's only the "From" that matters, but you can put both in there to be sure.)

    I'm not sure it's an automatic 100% non-spam rating, but it does seem to be worth some points at some point in Google's filtering process.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:Address book doesn't help? by digitig · · Score: 1

      According to gmail help, it guarantees to keep it out of the spam box -- I'll see, although for me contact lists and whitelists are two different things and I don't like to see them merged.

      --
      Quidnam Latine loqui modo coepi?
    2. Re:Address book doesn't help? by digitig · · Score: 1

      I can now confirm that despite the Gmail documentation (http://mail.google.com/support/bin/answer.py?answer=9009&topic=1520), adding an address to one's contact list does not stop Gmail moving email from that address to the spam folder.

      --
      Quidnam Latine loqui modo coepi?
  22. OT: The New Yorker by Kadin2048 · · Score: 1

    albeit prestige derived much more from its past authorial and editorial quality than from anything it has now). I'm not sure why you and the submitter seem to think it's some sort of printed-out blog.

    I suspect for people who can't recall its past editorial quality, it probably does seem about like a printed-out blog...
    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  23. Spamfilters by Default by Doc+Ruby · · Score: 1

    I get more spam than ever. And setting up spam filtering on Evolution is much harder than it should be. In fact, I couldn't even find a simple, clear, authoritative instruction for starting it. When it should just be on by default when I first install Evolution.

    --
    make install -not war

  24. Email by Frozen+Void · · Score: 1

    Has anyone in all these 20 years thought that there might be some deficiency in the Email protocol itself?

  25. you read other people's mail? by DancesWithBlowTorch · · Score: 1

    I just finished going through everyone's inboxes to make sure nothing got through.
    Wait, you read everyone's mail? Do they all know about this policy? If not, I'd seriously kick your ass if I were your boss and would find out.
    1. Re:you read other people's mail? by Anonymous Coward · · Score: 0

      About the reading everyone's mail (the 4 other users besides myself). Yes, each user knows about it, it was a policy enacted by the president of the company (I'm the vice president) after he and his wife infected themselves for the 8th time (that leaves 2 other users). Rather than them take care, it's a make sure they don't get it in the first place.

      It definitely makes sure that the corporate email is used for corporate things.

      The point of the original post was to demonstrate how even small companies are getting flooded by spam.

    2. Re:you read other people's mail? by LWATCDR · · Score: 1

      "If not, I'd seriously kick your ass if I were your boss and would find out."
      1. It is the company server and bandwidth. You should expect that it is not private.
      2. Bosses don't "seriously kick your ass". They may reprimand or terminate.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  26. Re:"Web of trust" MS bashing won't work either. by aqk · · Score: 1

    Yet about half the spam that gets through my system comes from HotMail and GMail

    Sigh ... if you're going to be another one of these tedious /. Microsoft bashers, you should learn to get it right.

    Both Hotmail and Gmail do an excellent job of spam filtering.
    Try looking at your 'Hotmail' email wrapper sometimes.
    You DO know what that is, don't you?


  27. Re:Proper verification of Bill Gates $1000 by Anonymous Coward · · Score: 0

    Good grief!

    Is Gates offering a $1000 now?!

    When I first got that tracker, it was only $500! Still I dutifully forwarded it to hundreds of people, and eventually Bill sent me $127,000 !!
    To this day I still get a residual $500 every few months.

    But perhaps it's time I contacted Micro$oft (There! I finally got to use that spelling!) and asked for the full $1000 monty that other people are now getting!
    What do you think?


  28. It's a law enforcement problem now., by Animats · · Score: 1

    What's so striking is that there are so few different spams that make it through the filters. And most of the top spammers are known; see the ROKSO list. They're all crooks; legitimate businesses haven't been able to spam through filters in years now. With slightly more law enforcement effort, most of those spammers could be put behind bars. Two or three go to jail every year now; if that could be increased to ten or twenty, the problem would drop substantially.

    The way to find them is by following the money. The FBI and Treasury have the means in place to do that, developed for money laundering. That's what FinCEN does. It's tough to repeatedly collect money via credit card and hide from FinCEN. Especially when investigators can initiate transactions themselves, which is easy enough with Viagra spammers. Maybe after Bush is out of office this can be addressed.

    Actually, if some anti-spam people wanted to deal with the Viagra spammers, it would be easy enough. Find the order form, and start ordering using a script. Use random credit card numbers that will pass the check digit check, delivery addresses of random buildings or PO boxes, and a broad range of IP addresses via proxies. The orders will all be rejected at credit card check, but their credit card service provider will hit them with a fee for each bogus transaction. Drive them out of business that way.

  29. In Korea ... by Anonymous Coward · · Score: 0

    only old people receive spam

  30. Re:you read other people's mail? Why yes! by Anonymous Coward · · Score: 0


    You ARE my boss, you pointy-headed nitwit!

    Now go back to sleep, and let me get my job done, you moronic micromanager!
    (I refer to your intellect as well as your managerial style)


    ...tonight, I'll be drinking a pinoqachole sunrise in my pub, while YOU are on your fat-ass watching dopey "Friends" reruns! Grrrrr....!

  31. The *original* source has a great history of spam by geekotourist · · Score: 2, Informative
    This article is a great short history on spam

    The author's source material is a great short history of spam, too: I didn't read anything new on the early history of spam in the New Yorker because I'd already read it elsewhere. Yet the New Yorker author only obliquely referenced his source materials when he mentions Brad Templeton (EFF chairman, etc.) via a quote. If I was the editor for that article I'd have pushed for more research credit to be given.

    Brad Templeton's collection of essays on spam includes:
  32. Re:The New Yorker On Spam by aqk · · Score: 1

    Huh!
    Some guy further up this thread cited Matthew Arnold's "Dover Beach"

    I'll bet that's the first time Matthew Arnold ever got play in /. !!


  33. Green Card Lawyers by crotherm · · Score: 1

    Canter and Siegel's seminal spam was propagated through Usenet and not email.

    I was a usenet admin at that time. I remember quite clearly the rage throughout the news.admin.* groups. I still have the T-shirt that was made to remember those scum. "Green Card Lawyers, spamming the globe"

    --
    "Those who make peaceful revolution impossible, make violent revolution inevitable" - JFK
    1. Re:Green Card Lawyers by aqk · · Score: 1

      Huh!

      Lucky you.

      My ex-wife threw out (unbeknownst to me) all my old raggedy (AND VERY VALUABLE) T-shirts from that era!
      Grrrr.!


    2. Re:Green Card Lawyers by crotherm · · Score: 1


      Valuable you say? (muhmuhmuahaha)

      --
      "Those who make peaceful revolution impossible, make violent revolution inevitable" - JFK
    3. Re:Green Card Lawyers by aqk · · Score: 1

      >>> Valuable you say? (muhmuhmuahaha)

      Valuable, I DO SAY!

      I would have sold any one of them for no less than $1000, including my favorite- a 1972 Ernest Hemingway T-shirt that I bought for $2 while sitting at the bar in Sloppy Joe's in Key West Florida, from a stoned barmaid for $2. It was slightly small, and my ex-wife thought it made me too 'muscular'. Besides she didn't like the look of that macho "as--le' on the front of the shirt.


      Of course probably no one would have given me $1000 for a T-shirt; nevertheless that WAS my selling price.
      Valuable? Yes. I DO SAY! ;-)

      I went back to Sloppy Joe's a few years ago and tried to buy a new T-shirt.
      Sloppy Joe's had turned into some kind of faux McDonalds, the bartender was wearing a tie, and all their merchandise was available from their emporium on the side, including a much inferior T-shirt, made in Sri Lanka, for only $24 !! Grrrr...

      F--k Key West! I ain't NEVER going back there again.