The New Yorker On Spam

aqk notes an article in the Aug. 6th New Yorker surveying the spam problem up-to-date. The New Yorker may not be exactly the MSM, but it is pretty influential. The author got only one fact wrong that I noticed: Canter and Siegel's seminal spam was propagated through Usenet and not email. Still, it's a good look at the history of spam and the scale of the problem today. The amount of spam that "spam king" Robert Alan Soloway, indicted under the CAN-SPAM Act, is accused of sending over a period of four years is now pumped out about every 30 seconds, around the clock, around the world.

Proper verification of senders

[morgan_greywolf]

Spam wouldn't be such a problem if we had proper verification of senders. Whether that's through some central identity or whatever. I realize this idea is extremely unpopular and is not in the spirit of the original Internet, but heck, if you had to essentially have an ID that verified who you were and if you sent out spam, you'd lose it, how much less spam would there be?

Re:Proper verification of senders

[spikedvodka]

If you ask me, nothing less than the total removal of all spamming should be acceptable. Filtering doesn't get it because you still have all of this spam and zombies wasting terabits of bandwidth. And you have spammers pwning all these clueless idiots' Windows boxes, turning them into spam zombies. Remove the ability to send spam without screwing yourself, and you'll solve all of the spam-related problems. Filtering is like putting makeup on a facial wound. Removing the ability to send spam in the first place is the cure. Sounds great... where do I sign up? but seriously. There are a number of problems with "Removing the ability to send spam in the first place"
1) What exactly is spam? -- Some people would say that spam is any e-mail they don't want. Others will say any e-mail they didn't ask for. yet others point to the dictionary and say "unsolicited usually commercial e-mail sent to a large number of addresses"
This brings up the first problem... if we go with the last (and most technical) of those definitions, all a spammer has to do is start to "properly" personalize the messages (for some value of personalize)
If we go with the first, how can you check on the sending end if the recipient wants it?
if we go with the second, what about when I want to send e-mail to a friend I've lost touch with? he didn't ask for the e-mail, therefore my message is "spam"

Even if we, as the GP suggested, impose a technical restriction on e-mail such that it has to be authenticated as to who it's from, all that does is make the filtering easier. What is going to prevent the dedicated spammer from "registering" a new identity? where would everybody's identities be registered? would you trust a centralized registry of "registered senders"? for some reason i think not.

I've heard suggestions of using a "web-of-trust" method of "registering identities", but even with that idea, you're going to end up with many separate webs. and bog help you if you want to send e-mail between the webs, you'd be effectively unknown, and thus declared "SPAM".

All to often the way it seems with technology is that we put band-aids on everything. Endless patch-Tuesdays, etc. and that when a new system is proposed and agreed upon it (a) takes forever to get off the ground ... IPv6 anyone?, or (b) is fored to be backwards compatible, which defeats the purpose.

Maybe I'll have to think of an algorithm to dynamically and auto-magically create a positive, and negative web-of-trust, both for senders and for servers... but that's more for another time

Re:Need More Exposure to Ideas and Methods

[morgan_greywolf]

I know Popular Mechanics is ... well, popular for lack of a better word so why aren't newspapers picking up on this and printing more tech-heavy articles? I

Because such articles don't sell advertising. Popular Mechanics, Popular Science, Scientific American, etc., can sell ads because they have nothing but tech-heavy, jargon-laiden articles, and so the advertisers know exactly who they are targeting.

Newspapers are general-purpose publications, written for the widest audience possible. It's hard enough for them to sell ads these days without having to have specialized sections for the tech reader.

That being said, newspapers should be trying to innovate, because if they don't, well...it's the death knoll for newspapers.

It'll be hard to change minds.

[iknownuttin]

Which brings me back to an important point, you're not going to change anyone's mind.

I'm in the middle of starting up a small business and was talking to someone about marketing. This individual (Not an in-duh-vidual - a Ph.D.) suggested that I send out mass emails. I told him that I can't do that because I'll be a spammer and my ISP will yank my account. He then mentioned that they're are ways to mask my origins. I said if I get caught doing that, I'll be in even more trouble. Besides, I DON'T want to be a spammer.

My point? Spamming has become so standard and everyday that people don't even give it a second look now and just consider it an annoyance at worst. The only people who really care are those of us in IT.

Re:Need More Exposure to Ideas and Methods

[KingSkippus]

So while this article is informational, it does nothing practical for the reader. I realize--and I think a lot of people will agree with me--that the best way to stop spam is to stop clicking on it and show others how to do the same.

This is definitely a start in the right direction, but it's not the whole story. I'm convinced that a massive part of the problem is that there's a widespread belief that spammers make millions of dollars.

No doubt, a very few do. A very few have mansions and island retreats in the Bahamas. But these people are like the Michael Jordans of spammers, the people who have spent an incredible amount of time and effort into honing their spamming skills not just into an art, but a lucrative profession.

The problem is that most spammers aren't the Michael Jordans of spam. They're just people who have heard that spammers make millions of dollars, and they want in on that action. They go out and download the latest scripts and fire off a few million e-mails. No one responds. So they fire off a few million more. After enough times, someone will respond, and they've made $20 bucks. Flush with the thought of new mansions, they fire off millions more. Whoops, that $20 was charged to a stolen card, so they're back to zero.

The point is that the world has changed. Back in the day, there was a lot of money to be made from spam. Now, though, you have a very few scummy individuals who have made massive amounts of money. You have thousands of scummy individuals who think they can do they same thing, but fail miserably. It doesn't matter, though, all you need are the few who do make millions to keep the perception alive that spam = TONS of money, and you'll have people lining up to do it.

What need to happen is that they need to stop focusing so much on the spam "kings" and go after the regular guys who send it out. The people without the million-dollar houses. The people who think that it doesn't hurt anything to fire off a few million e-mails to try to sell some Vigara (yes, I misspelled it deliberately). The press need to cover those stories too. (They really need to cover them more.) People stop seeing Bill the multi-millionaire spam king and start seeing Ted the worthless loser who was so desperate that he thought he could make a million dollars by sending spam.

It's not enough to make spam unprofitable. People have to know it's unprofitable, and that when caught, they'll end up in jail for nothing.

Re:Need More Exposure to Ideas and Methods

[Philotechnia]

Let's step back from spam a second. If prostitution is the world's oldest profession, being a con artist is a close second. Before spam, these people were jumping out in front of cars to collect a paycheck, enticing people through telephone calls into shady business transactions, and so on. Spam is only a new form of an old trade. These people are always going to feed off the ignorant, the naive, the bleeding hearts, and the foolish. You will never regulate this kind of predatory behavior out of existence. All of us make bad choices. Some of those bad choices involve being the con artist, and some of those bad choices involve letting ourselves be duped. You can't stop this, you can only hope to contain it. That being said, the most effective approaches to spam are going to be those that assume the existence of the problem going forward - i.e. we can not stop nor get rid of spam - and manage it effectively while educating people against the tricks of the trade. I think spam is largely an overblown issue, that most competent sysadmins have tool sets that manage it very well, and that the average user is much more educated then us slashdotters assume. To put it briefly - spam is an overblown issue that just gives the government an excuse to get their grubby hands on our tubes. In Soviet Russia, the internet surfs you!

How much does spam cost?

No kidding. I admin a medium sized ISP. We have 8 (soon to be 9) distributed servers dedicated to email.

3 load balanced e-mail filtering appliances, at the Internet facing edge. (Basically, BSD boxes running postfix, spamassasin, clamav, policyd, DCC checks, RBL and a few other checkers and daemons I'm forgetting.) They get about 90% of our spam.

2 load balanced postfix boxes, running policyd on our outgoing mail, they will greylist any naughty customers with a zombie that have sent to much. Also, they do inbound user verification with LDAP, if spam has BCCed an invalid recipient or two, reject. Add another layer of anti-virus on the way to the customers. This catches another 8-9%. I'm guessing around 1% gets through.

1 DCC server, because we exceeded the threshold for being able to use free DCC long ago. (I'll admit it's a bit under used.)

1 MTA running exim for the hosted domains. This has spamassain, and a few other services, supplementary to everything in front of it. I'd say it gets most of the rest for those with hosted domains.

1 big bad 8x processor pop server that runs webmail and pop for the customers. It does no spam checking, because it could never handle the load, just stores what we think is not spam for the customers, around 25,000 accounts.

By comparison, we need one (1) production, not counting backups, provisioning server. It handles minor things like DHCP for 15,000 customers.

Now you have an idea on what your ISP spends its money and resources on. There is no small industry selling you solutions to fight the SPAM.