Fighting Spam Through Regulation and Economics

Bryan29 writes ""Next door to our offices was a spam operation... One day they weren't there anymore". Apparently in the past several months some black hat SEO companies (comment spammers) closed shop. Mr. Evron explores using a couple of case studies how spam was directly impacted by the UIGEA online Casinos law, disallowing payment processing, and how the subprime mortgage collapse made many former clients of spammers "move on". The article draws its conclusions from an economic standpoint "Perhaps the next step policy makers should take is to work to change this economy, possibly by legalizing and regulating ... More to the point, they can make the act of processing funds for this type of operation illegal.""

This one is better, but no cigar

[ravenspear]

Your post advocates a

() technical ( ) legislative (*) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(*) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(*) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(*) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(*) Asshats
(*) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(*) Extreme profitability of spam
(*) Joe jobs and/or identity theft
(*) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(*) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:This one is better, but no cigar

[spikedvodka]

(*) No one will be able to find the guy or collect the money
(*) Requires too much cooperation from spammers

Specifically, your plan fails to account for

(*) Lack of centrally controlling authority for email The whole point of this plan is that those are wrong. If you can make it illegal for process transactions for things like online casinos, you can make it illegal for things like online pharmacies.

You're not controlling the e-mail, but you're controlling the money. if they can't accept "Visa/MC/AMEX/Discover/Diners/etc." they won't make as much money. paypal is the same way.

Yes, the "mark" could still send a check, but at that point you know exactly where the check went, and you get the copy (electronic) back.

I think this plan has half a chance of working... however, then I think we'll start seeing more phishing... and I really would hate to see more laws

Re:This one is better, but no cigar

[longacre]

But where do legislators and credit card companies draw the line between a shady online pharmacy and a legitimate one like Express Scripts? Even with new regulations to prevent use by criminals and terrorists, it is still pretty easy to get a merchant account. When a merchant signs up for a card processing service they simply ask you what you're using it for...and they believe you. There's not much to prevent you from using the same account on a legitimate site and one that advertises PLEASE YOUR GIRLFRIEND TONIGHT. This is good for legitimate businesses because it requires very little time or hassle to get started selling. The more laws we have banning transactions from entire sectors of businesses, the more questions and verifications merchant processors will demand from new merchants, thereby discouraging entrepreneurship without necessarily hurting the bad guys.

Re:This one is better, but no cigar

[TheRaven64]

That's a very separate issue. The WTO is involved because the US gambling laws discriminate against casinos not based in the USA. This wouldn't be an issue for anti-spam laws (they're about preventing spam, not just about preventing spam from non-US companies). The reason that they are involved in practice, rather than just theory, is that the US laws are having a real financial effect on organisations outside the USA, which is exactly what you would want to happen to spammers.

the only way to defeat spam

[wakim1618]

is through a national health care plan that would provide free penis enlargement, viagra and breast implants to all Americans

Re:the only way to defeat spam

[techno-vampire]

Oh, good! I'm sure my girlfriend would love to have a huge penis. I know I'd love to have a rack of 36D's myself! As for the viagra, well, after that surgery, we can both use it. Profit!

Re:Gadi Evron = Hot Air

[arivanov]

Just read the article.

Gadi at his best.

First of all, the casino SPAM has not decreased. It has changed target markets. I got 10+ mails over the last month that managed to get past my antispam filters with gambling spams and scams. This is compared to under 3 for the preceding year. Mortgages - that disappeared at least one year before the credit crunch started. And so on.

The reason SPAM is decreasing is that the return on investment for spammers steadily decreases. People are responding to it less and less. As a result the vast botnets built for spamming are now geared towards phishing, identity theft (botnet ops are actually scanning computers for useable documents) and from time to time a bit of SPAM for the purposes of botnet expansion.

I already said this...

[damn_registrars]

Previous slashdot discussions have discussed some of the ways that most people try to fight spam. I already said that we need an economic solution to what is an economic problem.

Unfortunately, the suggestion from this article misses the boat. Trying to price the spammers out of operation doesn't get the job done, because there's hardly a shortage of money to keep them running. We need to price the middle men out of operation.

In particular, when the spammers register new domains (which they do by the hundreds or more at a time), they give kickbacks to their favorite registrars, who in turn will turn the other way regarding the illegal operations.

If instead ICANN had some cajones, they could take the bad registrars out, clean up the registration mess that currently exists, and they could make it economically unfeasible for the spammers to continue their game as currently played. A good start would be to enforce an exponentially increasing fee structure for domains - I know of very few people who have a legitimate need for more than about 4 domains. Furthermore, if the bad registrars were to actually lose their accreditation after willingly doing business with these criminals (easy to prove), that would also help.

But as someone else already pointed out, you cannot just simply tax spam out of existence. You need real, working, economic solutions. And if ICANN was worth their own weight in bat guano, they could make it happen.

Re:I already said this...

[www.sorehands.com]

If instead ICANN had some cajones, they could take the bad registrars out, clean up the registration mess that currently exists, and they could make it economically unfeasible for the spammers to continue their game as currently played. A good start would be to enforce an exponentially increasing fee structure for domains - I know of very few people who have a legitimate need for more than about 4 domains. Furthermore, if the bad registrars were to actually lose their accreditation after willingly doing business with these criminals (easy to prove), that would also help.

AMEN to the first part!

ICANN needs to get rid of the AGP (grace periods) for domain name registration which allows domain tasting. This allows people to register a domain name for up to 5 days and then get a refund on the fees.

I have had this discussion with ICANN staff. The liaison claims that since there is no partial penalties for registrars that violate their agreements that the only punishment available is to terminate the registration status. Bull! They can always terminate the ability to register new domain names to get the registrar to behave. Then the domain name registrars that don't bother terminating domain names with false whois information.

Most of the registrars are now "bad"

[Animats]

If instead ICANN had some cajones, they could take the bad registrars out...

The problme is that most of the registrars, by actual count, are now "bad". See the list of ICANN-approved registrars. There are several hundred, few of which have any real existence. Most are just fronts for some domaining operation. Some are obvious about it: "DropExtra.com, Inc.", "DropFall.com, Inc.", "DropHub.com. Inc", "DropJump.com, Inc.", etc., all of which are fronts for a "wholesale domain registrar". Then there's "Enom1, Inc."., "Enom2, Inc." ... "enom469, Inc.". Most of the "registrars" are now dummies like that.Those are ICANN's constituency.

Well, DUH!

[www.sorehands.com]

It is obvious. If companies don't/can't make money from spammers, they won't pay spammers.

That is what I have been doing. I don't file lawsuits against the people pressing the send button, but the people who are advertised and making money as a result of the spam. A sex dating site I sued years ago, took a strong anti-spam policy after I sued them.

Spammers spam to make money. If people don't pay them to send the spam, they won't do. If a company will not make money from spam, they won't pay the spammer. The same thing happened with junk fax.

Re:*sigh~*

Kill the botnets and you kill spam. A technological solution to a mostly technological problem. Oh, and you'd stop DDoS attacks at the same time We had spam and DDoS attacks long before botnets. Killing botnets will stop the way muich of the spam is sent today but cannot stop spam

The root of this problem is people. People who buy the drugs from websites linked in spam, people who open the attachments that lead to their computers being used for spamming, and people who care more about making money by providing business to spammers. This is a people problem, not a technological one at all.