Spammers Choose GMail

EdwardLAN writes "A study by Roaring Penguin has discovered that during the past three weeks, the amount of spam originating from Gmail has risen sharply." My spam has been pretty ridiculously high for the last few weeks, although I have no idea if this is part of it. It really does seem like gmail's spam filters are declining these days.

Invite-Only

[Anubis_Ascended]

Maybe they should have just kept the system invite-only, instead of opening it up to everyone -- that would help, the way I see it.

Re:Invite-Only

[betterunixthanunix]

It's still in beta. Bugs like massive amounts of spam originating from the service are bound to turn in up in beta software.

Re:Invite-Only

[damuhatori]

Maybe they should have just kept the system invite-only, instead of opening it up to everyone -- that would help, the way I see it.

Sure that would help, but it would mean less ad views for Google.

Re:Invite-Only

[Vectronic]

Doubtful, when they first started, and had the invite-only thing, there was a lot of sites that would give away account-invites to boost their own traffic/advertise, and even invites being auctioned off, plus you could give your invites to yourself, and breed invites, get our 5 invites, create 5 accounts, get 20 more invites...

It was all just marketing, if they started off with just a free-for all, it wouldn't have made as much hooplah as it did, "common man, gimme an invite" - "you gotta a Gmail account?" - "I'll do your homework for an invite" etc, etc...

Any spammer would have ended up with as many accounts as they wanted anyways, I think the increase is mostly because of that bug/feature mentioned yesterday here on Slashdot, about being able to get peoples real names (if yer stupid enough to have done so) from Gmail accounts.

Re:Invite-Only

It would only take one invite for a spammer to get his foot in the door, then he could invite himself over and over again to get many accounts to spam from.

Of course, it would also be easy to shut down the spamming account and all other accounts invited by that one, recursively. But you'd run the risk of removing some legitimate accounts in that process.

I don't know that it would have made GMail all that much cleaner.

Re:Invite-Only

[KBKarma]

Query: how could it be in beta for over two years? By now, it should be in gamma or delta, or, perhaps, final.

Re:Invite-Only

[funaho]

Two years of beta in the OSS community isn't unheard of. Wine was in an alpha/beta state for what...16 years?

Re:Invite-Only

[betterunixthanunix]

I must have missed the part where Gmail was OSS. Like, with the exception of the presentation logic, you can't really look at the code?

Re:Invite-Only

[funaho]

I did not say Gmail was OSS. I said "Two years of beta in the OSS community isn't unheard of." I'd edit to change the wording, but I can't.

Re:Invite-Only

[sirwired]

Google doesn't get paid for ad views, only ad clicks.

SirWired

Re:Invite-Only

[damuhatori]

Touché. Less exposure then?

Re:Invite-Only

[CDMA_Demo]

I did not say Gmail was OSS. I said "Two years of beta in the OSS community isn't unheard of." I'd edit to change the wording, but I can't.

I think you're right, sometime in the future GMail may end up open-source like all major google products such as search and AdSense. If not in the future then maybe in an alternate universe, where evil doesn't exist.

Re:Invite-Only

[Tetsujin]

I did not say Gmail was OSS. I said "Two years of beta in the OSS community isn't unheard of." I'd edit to change the wording, but I can't.

I think you're right, sometime in the future GMail may end up open-source like all major google products such as search and AdSense. If not in the future then maybe in an alternate universe, where evil doesn't exist.

Does logic normally rebound off your head like that?

He was just saying that gmail wouldn't be the only thing to be in beta for a long time. There are examples of it in other software - among other things, certain open-source packages.

Re:Invite-Only

[SanityInAnarchy]

Even the presentation logic is "compiled" -- Java translated into JavaScript.

Re:Invite-Only

[CDMA_Demo]

Obviously your thoughts only travel forward in time.

Re:Invite-Only

[dontmakemethink]

Wine was in an alpha/beta state for what...16 years?

It took forever to work out the tannins...

Re:Invite-Only

[MrDERP]

Yes but I get 5-10 spam email's aa DAY from gmail, for years I got maybe 1-2 a MONTH. In the last few weeks I get many spam messages sometimes 10+ day! I always mark them as spam but they just keep showig up. Does anyone know howw to block keywords in Gmail? ( Viagra V1@gra, c1@ali$ ) etc ? That's what most of them are for d**k enlargement pillz.

Re:Invite-Only

[againjj]

And the theory goes that views are proportional to clicks. I can't imagine that twice as many views (say) wouldn't generate at least one more click.

Re:Invite-Only

[GoulDuck]

I have had my gmail for almost four years now .. :)

Re:Invite-Only

[po134]

Why won't they just shut Gmail down? Oh yeha right ...

Re:Invite-Only

Google operates under both models: CPC and CPM (cost per click and cost per thousand impressions, respectively). Check out the AdSense page and click "Getting Paid."

Re:Invite-Only

[nekokoneko]

The number of ad clicks is obviously correlated to the number of ad views.

Re:Invite-Only

Obviously you should just shut up and admit defeat you fucking idiot.

Re:Invite-Only

Wasn't that the point of the original poster? If spammers keep giving themselves new invites, there is a clear chain. You can delete or screw with (make them think emails are sent out when they aren't) the original account and all that were spawned from it. There will be no legitimate invites coming from a spammer.

Gmail's spam filters

How does spammers creating gmail accounts to send spam from imply that gmail's spam filters for inbound mail are declining? (if that is indeed what the summary is supposed to say).

Re:Gmail's spam filters

[HardCase]

Now listen, if you've waited this long to complain about Taco's reading comprehension skills, you're way too late to get into the game.

Re:Gmail's spam filters

[spikedvodka]

I find it interesting that gmail's spam filters are in-bound only (If that is in fact the case [citation needed])

on the e-mail system I run, every message gets sent through our spam/virus-detection system. I don't care if it's inbound, or outbound, it gets scanned. period.

yes my site is much smaller than gmail, but still... isn't the first rule "Don't trust the users!"?

Re:Gmail's spam filters

[harry666t]

I don't know, but I see how the spam filters could've been fooled. Since you can have as many accounts as you wish, you can use them to harvest some spam you're sending by yourself, and see which messages get past the filters and which do not. Now get or write a python module for accessing GMail, another module for genetic programming, glue that together with some custom p3n!s enlargement generator and you're done. Anybody could hack such a thing in a matter of hours.

Re:Gmail's spam filters

[gravis777]

I definately agree. I have had no issue with increased spam in my inbox, and as I never check the spam box, I cannot say one way or the other. Me getting one or two spam messages in my inbox every couple of weeks does not say to me that there is an issue with their spam filter.

Re:Gmail's spam filters

[TheSeventh]

I've often wondered this as well. Why not put sending limits on accounts, plus spam check outgoing mail? An account is used to send spam? disable it (permanently or temporarily.)

I also think ISPs should be forced to do this. If they have a customer who sends massive amounts of email, they should have to investigate the nature of those emails. If they have an IP that is sending out spam, disable that customer's account until the problem is fixed. It would really disrupt a botnet if every time they acquire control of a new computer, the ISP shuts down the connection.

The ISPs claim that P2P software takes up too much bandwidth, but what about all of the spam and other botnet activities?

Re:Gmail's spam filters

[novakreo]

You probably should check it at least once a month (since spam messages are deleted after thirty days)—I've had several important messages show up there, and I always use the Not Spam/Report Spam buttons when needed.

Potentially losing genuine mail is far more of a problem than briefly seeing spam in the inbox.

Re:Gmail's spam filters

buddy, dont think you are genious. they do have outbound filters.

Re:Gmail's spam filters

So . . . if one of your users tries to forward spam to a spam-reporting service like Spamcop, do you just dump his report in the bit-bucket? That's what my ISP (Charter) does. It took me weeks to realize that my reports weren't getting through.

Re:Gmail's spam filters

[5of0]

Anybody could hack such a thing in a matter of hours.

Anybody...you keep using that word. I do not think it means what you think it means.

Re:Gmail's spam filters

[plasticquart]

Good point. But I *never* got spam in my Gmail inbox before approximately 3 weeks ago... now I get ~5 to 10 pharmacy spam emails a day in my Inbox.

Re:Gmail's spam filters

[darkpixel2k]

The ISPs claim that P2P software takes up too much bandwidth, but what about all of the spam and other botnet activities?

I worked for an ISP for 5 years. In that time, I've seen many connections get maxed out because someone was downloading torrents.
I've only ever run into one connection that was maxed out because of sending email.

The dude was connecting at 14.4 over bad phone lines.

I highly doubt anyone would max out their connection sending email...

Re:Gmail's spam filters

[WGR]

The problem is that gmail should have spam filters for outgoing mail for new accounts. That would prevent the automated creation of throwaway accounts. Hotmail prevent this.

Re:Gmail's spam filters

[harry666t]

Excuse me, but how is this a problem for anybody? ;)

Re:Gmail's spam filters

[5of0]

Contrary to popular opinion, "Anybody" is a global reference, including people like your mother, those fabled female types, and people like lawyers and doctors and such, most of whom couldn't hack together a "Hello world" to save their life.*

Me, you, any self-respecting geek, yes. Anybody, not quite. That's all I was saying.
Also, I didn't want to pass up an opportunity for a well-placed Princess Bride quote ;)

*Now before everyone flips out on me, I'm not saying girls can't code...just that there are a lot of them that can't, much like there are a lot of males who can't. Groupthink, however, generally recognizes the fact that males exist, while the existence of females is questionable.

Re:Gmail's spam filters

[gravis777]

Yeah, unfortunately that would require me to log into their website (imap rules) and then to wade through about 3,000 messages about buying Viagra or looking at the prettiest girls on the internet to find the one or two that are not spam.

I do know that Frontbridge has an issue where they keep blocking my subscriptions from HDNet and Facebook, and I have to keep telling them that its not spam, so I guess I could assume that GMail may have similar issues.

Re:Gmail's spam filters

[bds1986]

I love Slashdot. One minute everybody is all pro net-neutrality, and insisting that ISPs shouldn't prioritize or monitor customer traffic because it's none of their business what someone does with their connection. Then somebody mentions the word spam, and all of a sudden the attitude turns completely around and ISPs should be held responsible for customers private communications and behaviour on the internet. Kicking people off the net is fine, as long as you're only breaking spam laws. But kicking people off the net for breaking copyright law is bad, how dare those evil corporations!

I'm not necessarily expressing an opinion either way, I just think it's interesting.

Re:Gmail's spam filters

[dogmatixpsych]

That's why I glance at my spam folder every couple days or so. It only takes a few seconds to scan through 20 messages then I delete my spam folder. I can spare a few seconds every couple days to search for important messages that might have ended up in spam (actually, I've never had it happen with my gmail account but I still check).

Re:Gmail's spam filters

[Xtifr]

Well, as long as we're being picky...you're sort of assuming that it's the same people complaining about spammers as it is complaining about having their torrents hacked.

You're also assuming that torrent == copyvio. Which may be broadly true, but is completely false in some cases, e.g. mine. In fact, slashdot probably has one of the highest percentages of people using torrent solely for legal purposes of just about any community anywhere. Still probably a vanishingly small percentage, but still... :)

Re:Gmail's spam filters

[karthikg]

same here.. suddenly I too see in inbox in the last week or so (surprisingly today I don't, may be gmail already took care of the problem). Mine were mostly about transferring zillions of dollars to my bank account. In fact I did a google news search a few days back for this spam issue..didn't get any good hits. Good to see the problem getting more visibility (and probably resolved already).

Re:Gmail's spam filters

They used to rely on magical CAPCHA to take care of this . . . then it broke.

Re:Gmail's spam filters

[KlausBreuer]

Actually... I think (even ;) Slashdot is right on this one.

ISPs should not check your email. It's noe of their damn business.
ISPs should check to see if you're generating an excess of emails, slowing the net down for everybody (hey, over 80% of email traffic is spam).

Thus, yes, even I would allow them to have a look at email contents if the amount of generated emails exceeds a certain (very large) amount.
However, they are most certainly not allowed to check the content every time, (even if) looking for spam or the usual eeeeevil terrarist.

Re:Gmail's spam filters

[harry666t]

> most of whom couldn't hack together a "Hello world" to save their life

Reminds me of http://xkcd.com/208/

Re:Gmail's spam filters

[mathmoi]

Yes, you do. Spam-reporting services can work around this by using other means of communications.

Re:Gmail's spam filters

[donnielrt]

I just realized something interesting - one way spammers could bypass the Gmail spam filter is to repeatedly mark their mails as 'Not spam' in (guessing here) a few hundred of accounts in their control via a script.

That would pretty much result in that email not being regarded as spam by Gmail, I would think.

Porn related

Stop using you Gmail address when signing upto porn, warez and cracks forums?

One thing Google could do about incoming spam...

[tgd]

Half of the spam I get on my gmail account that actually gets past the filter is in some language other than English... in fact its almost always in Cyrillic as well.

Give me a damn drop down that says "I speak English, anything not in English is not to me".

Won't solve their outgoing problem, but adding "this is my language" support would be a big help on the incoming, at least with my spam patterns.

Really now?

Funny considering my gmail is relatively spam free!

The irony is, hotmail and yahoo will be getting spammed instead of being the spammers.

Companies blocking Gmail?

[mgkimsal2]

The IT staff at my dad's company blocked all communication with Gmail servers a few months ago, on the grounds that it was 'insecure'. Locking down an MS shop (XP/Exchange/etc) from the 'insecurity' of Google (while still accepting hotmail.com emails) still strikes me as a bit odd, but I've been hearing more reports of lax Google security with respect to spam/spammers. Perhaps they (dad's company) were on to something?

Anyone else having issues with people blocking Gmail?

Re:Companies blocking Gmail?

[multipartmixed]

Gmail servers have hit a variety of DNS blacklists in the past. They still get on every now and then. I have to run a whitelist in front of my blacklists to make sure I don't block gmail by accident.

Re:Companies blocking Gmail?

[mgkimsal2]

I guess that was supposed to be a joke, but it's not just one way. He can't send to me either. But he can send to other email services just fine (and receive from them).

This isn't an issue of blocking personal emails at work, it's a specific policy they enacted against gmail.com. Digging further it seems it's happening in other companies as well.

Re:Companies blocking Gmail?

[coop247]

Locking down an MS shop (XP/Exchange/etc) from the 'insecurity' of Google (while still accepting hotmail.com emails) still strikes me as a bit odd

Why is that, because you don't know what you're talking about. Despite all the flack MS receives, there is a reason Google Docs has done absolutely nothing to unseat Office in the corporate world, security. Are MS products secure, no, but they take it seriously. Ask Goog about security and they say, 'trust us'. Big companies don't trust anyone, rightfully so. I guess you also missed Googles gaping GMail privacy hole earlier today.

Re:Companies blocking Gmail?

My son works at Allstate, and Gmail is blocked there.

Re:Companies blocking Gmail?

[mgkimsal2]

MS takes security seriously? Perhaps nowadays, but that's a relatively recent trend (last few years), and they've got a lot of mindshare to win back on that score.

If you're going to adopt a policy re: mail, blocking all webmail accounts would make more sense than *just* gmail, especially making that policy months ago. There was more evidence to point to spam originating from compromised Windows boxes than from Gmail.

What the heck does Google Docs have to do with this conversation? But I'll bite anyway... You really think *security* has anything to do with why Google Docs hasn't taken off in the corporate world? Nothing to do with requiring people to be connected (increasing bandwidth costs) and having to use browsers to do work they weren't meant to do (document editing)? No, Google Docs simply can't replicate the functionality corporate workers need right now. Maybe some day it will, but I'd say it's far more likely functionality is keeping it out of business rather than security.

Re:Companies blocking Gmail?

[Drakonik]

Wow. I haven't seen a gaping hole like that since my prom night.

Re:Companies blocking Gmail?

[maxume]

Should have splurged and gone with the $20 hooker huh?

Re:Companies blocking Gmail?

[Kamokazi]

We'd like to block them, Yahoo, and Hotmail...but too many of our smaller customers use it for their e-mail addresses.

The thing that is really killing us lately is the bounceback spam...when spammers send spoofed e-mail to bad addresses on legitimate mail servers so the bouncebacks come to our addresses. They easily bypasses SpamAssassin...I was thinking of testing out Postini (Gmail's filter) to see if it gets them.

Funny you mention the MS shop...we're actually using CentOS and Qmail right now, but we're planning to switch to Exchange in '09 because it takes too much extra time to make changes or troubleshoot problems...you have to do most real configuration from the command line, GUI solutions are inadequate for it. Not to mention the other benefits, push, Active Directory integration, resource scheduling, OWA, etc. Also pretty much anyone can administer it. When you're in a fairly rural part of the country, finding anyone who even knows what Linux is can be tricky.

Re:Companies blocking Gmail?

[pruneau]

Yes, having heavily relied on gmail to send school-related messages to a number of parents and other people in the schoolboard organisation, I can tell you that gmail servers IP address are blacklisted by some commercial spam-filtering solutions.

The oddity is that they go by server IP address, so depending on which server your gmail was sent from, it gets blocked or not.

This is a kind of very annoying russian sendmail roulette.

Re:Companies blocking Gmail?

[PGU5802]

The company I work for blocks access to gmail.com as they deem it "personal email." However, blocking emails that come from gmail's servers is just plain stupid. Many people, some of whom may be interested in jobs at your father's company, use gmail as their primary email address. By blocking them you also risk blocking many legitimate email communications.

Re:Companies blocking Gmail?

Why is that, because you don't know what you're talking about. Despite all the flack MS receives, there is a reason Google Docs has done absolutely nothing to unseat Office in the corporate world, security. Are MS products secure, no, but they take it seriously.

I do know what I'm talking about, and the idea that MS the company actually takes security seriously, or that security has ANYTHING to do with the significance of Office in the corporate world, is utter and absolute hogwash. Should I remind folks that the first cross-platform virus for personal computers was CONCEPT, and what, exactly, CONCEPT did? If you tell me that there are a lot of smart programmers, engineers, and researchers at MS and that a lot of THEM take security seriously, I agree with that. But the idea that Microsoft Corporation as a corporate entity takes security seriously? The absurdity is palpable.

Re:Companies blocking Gmail?

[__aarcfd8085]

I wonder if a lot of the gmail specific blocking is because of gmail chat? being fully integrated into gmail makes it a little easy to chat using the excuse "im checking my email" ... which incidently is exactly what i do, not that it matters atm... yay for compiling

Re:Companies blocking Gmail?

[domatic]

Using this?

http://wiki.apache.org/spamassassin/VBounceRuleset

Re:Companies blocking Gmail?

[imipak]

sounds familiar...

Re:Companies blocking Gmail?

[y86]

Big companies block almost all web mail. They only want their email system used for various reasons, security, support etc.

The best way to block it? Deny connections via a proxy or implicitly through a firewall rule(probably what they did since he can't even send to you). Problem solved (for the business not you).

Re:Companies blocking Gmail?

[Noexit]

Taking his mom was the first mistake.

Re:Companies blocking Gmail?

[Christianfreak]

I run mail for several people. Its very frustrating because on one hand, lots of people (including my customers) use Gmail or have contactst that do. On the other the same customers are complaining more and more about the amount of spam they are getting. (and a lot comes from there)

Its frustrating.

Re:Companies blocking Gmail?

[kb0hae]

I have no problerm with anyone blocking/filtering messages from Gmail users, as I have been doing this every since I found out that replies to Gmail users are archived, and Google also records the IP that the replies come from if it can. If you use Google's search engine, they try to tie your IP and email address to your search history, which is also archived. Of course, it helps that none of my friends use Gmail. Oh, and a tip to help filter spam in your email client: Send any emails that are not to your specific email address (or addresses) to the trash. It seems that most of the spam I was (still am) getting is not addressed to my specific email addresses.

Re:Companies blocking Gmail?

[Collective+0-0009]

You don't have to lie to impress us.

Re:Companies blocking Gmail?

[eulernet]

Please, mod the parent up.

A company doesn't care about security, IT'S NOT A FAMILY (a lot of people mix the two concepts).

The top heads care about the money they can win from their products, not by the quality of the products themselves ! (Quality software is a bonus, since it helps keeping the distance from the competition).

They also care about BAD reputation (not good reputation !), so when a lot of bad reviews appear, they just try to show that they listen to their users, but in fact, they don't really care, since fixing the problems is expensive, and doesn't lead to more money.

Re:Companies blocking Gmail?

[fermion]

Honestly, for most of what the average company does, MS products are ok. I don't use them because for what I do the products are expensive and inefficient, but site licensing and kickbacks makes them a good choice for a large firm.

What would scare me is some employee, thinking that he or she ws being "progressive", sending company emails through a free public service, or storing company business on free public servers. Even if such a service was indeed secure, there is no way of knowing if said service would no someday use these email or documents to increase their ad revenue in a way that was detrimental to my company. I could not really complain, as the piper must eventually be paid.

So, yes, blocking certain aspects of google is perfectly justifiable.

Re:Companies blocking Gmail?

[FiloEleven]

There is a way to block just the chat service.

Re:Companies blocking Gmail?

[TheSeventh]

My Gmail account has never received any spam. I use it quite sparingly, as I have many others, but for the most part random addresses don't receive spam because someone guessed your email addresses.

Spammers prune their email lists regularly. If they have a list of two million addresses, and half of them are no longer valid, they waste half their processing time sending emails to non-existent accounts. It might only take a few cycles to send out one spam email, but for spammers, each email sent to an actual account is worth $0.0000?, so they need to send out as many as possible. Wasting a million emails because their lists are out of date becomes a problem.

3 ways to reduce spam:
1. If you receive spam on your email account, someone you gave it to most likely gave it away, or got hacked and it was stolen from them, etc. Avoid giving your email address to every TDH (Tom, Dick and Harry.com) that asks for it. Keep a junk email address for those sites that you can check if necessary.
2. If you can make the spammers believe your account is no longer valid, they will stop sending you spam. (Automated 'user not found' or undeliverable responses to spam should help.)
3. I keep a catch-all email domain NameOfWebSite@mydomain.com, and if any website gives my address away, or gets hacked, a simple filter rule to never receive mail from that site again takes care of that problem. e.g. eharmony got hacked at some point a few years ago after I signed up with them, and I started receiving pr0n spam on eharmony@mydomain.com. A simple filter rule took care of the problem.

Re:Companies blocking Gmail?

[TheRaven64]

I get a lot of bounceback from gmail. A little while ago a spammer started putting my email address in the From: field, and Google happily sent me a few hundred bounces (idiots).

Oh, and please don't use Postini - my editor uses it and it has an insane false-positive rate.

Re:Companies blocking Gmail?

Maybe you should set up spam assassin? or are you just that inept that you dont understand the concept of email filtering?

Re:Companies blocking Gmail?

If your systems are abused you end up on black lists.
An IP sends me spam I block it. I don't care who owns it. Close the hole on your end.

If your customers are victims of your incompetence they are going to move on.

Re:Companies blocking Gmail?

[Bert64]

Spamassassin seems to strip all the bounce spam for me...
I looked at the spam archive earlier, and i have thousands of them that got flagged, many for a domain that i only registered recently and never actually used!

Re:Companies blocking Gmail?

[Bert64]

Yes, google tie all this information together, it says so right there in their usage policy...
But do you really think that other companies (yahoo, msn/hotmail etc) don't do exactly the same thing?

Re:Companies blocking Gmail?

[Bert64]

I do similar to your catchall domain, but i use wildcard dns... thus:
anything@name.of.site.mydomain.com will come through.
This has the advantage that if i start receiving spams, not only do i know who sold me out, but i can create a dns record for the subdomain to point elsewhere (somewhere invalid, or back at the mailserver of the company that sold me out).

Re:Companies blocking Gmail?

[Kamokazi]

I've got a good friend who uses it for about 400 addresses and it works extremely well for them. Maybe he needs to play with his filtering settings?

I can't say I've seen bounceback from gmail (though I've never really looked). I see a substantial number of Russian servers and plenty of Eastern Europe and Eastern Asia. We could probably get away with blocking all .ru email...I don't think we have any Russian customers.

Thats my eperience!

Last 3 weeks my spam on Gmail has been in very large quantities. Exceedingly irritating! I wonder what has caused this?

It's still not much of a problem

[stinerman]

I've got maybe 3 a week, which is up from the normal of 1 per month, but it's not really too big of a deal.

IIRC, marking an email as spam or moving the message to the spam folder (if you're using Gmail's IMAP function as I am) helps to train the filter.

Re:One thing Google could do about incoming spam..

I want an option to have spam be deleted upon receipt instead of being placed into the spam section. After all of these years Gmail has never once mistaken a real email for spam so I would like this.

Why not apply spam filters on outgoing messages?

[mgkimsal2]

Gmail used to be touted as the best spam filtering service. Certainly it's good, but apparently they only feel the need to filtering incoming messages. Why not filter outgoing messages as well? Can't quite be a CPU problem, because outgoing has be be just a small fraction of incoming, right?

Is it just tradition? People never expect anything they send to ever have anything done to it? Google could set another precedent in webmail by introducing outgoing filters which would block or slow down mail appearing to be 'spammy'.

Obligatory question:

[Exanon]

When will we see spam mails that advertise free GMail invites?


(I know it's open registration nowadays but CMON!)

Re:One thing Google could do about incoming spam..

[Kadin2048]

Yeah I've thought the same thing, too. It wouldn't be that hard to filter. You could just select a charset (like Latin-1) and if less than 90% of the characters in a given message aren't representable in your chosen charset, automatically kill it. That wouldn't require figuring out the actual human language it was written in; it's a pretty trivial automatic test.

Re:One thing Google could do about incoming spam..

[mgkimsal2]

That option shouldn't be on by default though. I review my spam folder about once every month, and I *occasionally* find something from someone that is truly real email. Granted, we're talking about 1-2 emails per 10,000 or more, but I'd still prefer the default of just labelling them 'spam', not deleting.

I have noticed this

[niceone]

I have noticed this in the signups to my mailing list. I'm not sure why they are signing up, maybe they think they are leaving comment spam? Anyway all the addresses have the same format, a long first and last name followed by 2 numbers eg: EleftheriosZhytup84@gmail.com . Strange.

Captcha bust again?

[Chrisq]

Someone must have busted the captcha again, that prevents autonatic sign-up

Re:Captcha bust again?

[phorm]

That or they just have a whole whackload of accounts left over from the last time it was compromised.

plus ca change

Time to stop hiring people on the basis of being able to quickly answer standard undergraduate compsci problems and memorise specs that are available at the click of a mouse.

Microsoft (I worked there a couple of years, please don't crucify me) has taken many more years to not learn that they suffer the same problem. A college star is not an excellent engineer with a track record of solving real-world problems. And this is why Google, like Microsoft, keeps trying to branch out of its core competence (search / office respectively) and keeps failing. These companies can only afford a stream of loss-making projects because of their one or two hugely profitable ventures.

No spam for me.

[The_Angry_Canadian]

No spam message made it to my inbox in the past weeks.
When they say free porn, just enter you e-mail, it's a trap.

Re:No spam for me.

[Chrisq]

Good I'm safe... It just asked for my credit card number.

It's a big problem for gmail users!

[argent]

It's the outgoing spam from Gmail that's the problem, not the incoming spam, and there's been messages on the Gmail forums about Gmail servers being blocked for spam. If Google doesn't do something about it, then Gmail accounts will end up "read only".

And having Google themselves impose outgoing spam filtering is something else to worry about, if you're a Gmail user.

Re:It's a big problem for gmail users!

[mgkimsal2]

Not sure how much of an issue filtering for outgoing spam would be, except perhaps an extra delivery delay. Charge for that feature as 'authorized' accounts, or something like that. I'd pay a nominal fee, tied to a credit card, to 'authenticate' my outgoing mail.

I've never sent anything that's *remotely* spammy, and people I correspond with generally don't.

What problems do you see with outgoing mail being filtered?

Re:It's a big problem for gmail users!

[maxume]

It punishes people not doing anything for the actions of others (and it would be 'better' for them to deal with it at the account level, not the message level).

Re:It's a big problem for gmail users!

[argent]

What problems do you see with outgoing mail being filtered?

False positives. Even if you never send anything that's remotely spammy, you can still be caught by filters... I dig legitimate mail, including mail that doesn't look at all spammy to me, out of my google *incoming* filters on a regular basis.

I often think the biggest cost of spam has been the decreased reliability of email caused by spam filters making mistakes like that.

Re:It's a big problem for gmail users!

[everphilski]

I dig legitimate mail, including mail that doesn't look at all spammy to me, out of my google *incoming* filters on a regular basis.

I get several incoming emails **a day** that get caught in the inbound email filter. The thing that is so silly is they are all on several mailing lists I subscribe to, so you think the filter would be smart enough to realize gee, this guy has wanted several THOUSAND emails from osg-users, even though this one looks like it might be spam, I'll let it slide and see how this guy tags it ...

This doesn't just happen on one mailing list, it happens on 5 or 10, all open source or amateur radio development lists. And I can't figure out why it thinks its spam... occasionally there is broken english (international development teams), but sometimes it's a crystal clear paragraph of English. Maybe it's the acronyms. Almost wish I could turn spam filtering off, or at least set up rules to not filter messages containing X in the subject, some days its 25% legit email, 75% spam in the filter, if you forget to check for a few weeks it becomes tedious to clean.

Re:It's a big problem for gmail users!

[maxume]

You can set up rules. One of the options for the filters on gmail is to place incoming messages in the Inbox. This effectively turns off spam filtering for messages that match the filter.

Re:It's a big problem for gmail users!

[maxume]

Oops, maybe not, I thought you could, but I don't see it now that I am looking.

Re:It's a big problem for gmail users!

There is no reason why they shouldn't apply their spam filter to outgoing messages; that seems like a good way to detect spammers to me.

Re:It's a big problem for gmail users!

[Bert64]

Go based on volume...
If a user sends lots of mail to different places, theyre more likely to be spamming, especially if its large quantities of the same mails. Most people have a fairly small group of people they correspond with.
You could also run outbound mail through the spamfilter without modifying it, just checking it and flag up any account that sends lots of mail that gets spamflagged.

Re:It's a big problem for gmail users!

[everphilski]

I have all mailing lists filtered to apply labels, when I go to my spam folder, the messages are labeled, but also spam :)

Re:It's a big problem for gmail users!

[againjj]

The solution is to see if more than 50% (say) of all outgoing emails from an account are considered spam, and if so, shut down the account. You would need some minimum threshold of outgoing messages (say, 20) before the shutdown occurs, and "spam" messages should not be blocked before the shutdown, in the case of false positives.

Unfortunately, after I wrote the above, I can already imagine a workaround -- spam accounts emailing to each other legitimate email. However, I think the idea could bear some thought.

Re:It's a big problem for gmail users!

[argent]

There are a number of algorithms they could use to block spammers without blocking things that look like spam. But... I've got a pretty low false positive rate on my own spam at home, much better than Google's, probably because I care about false positives more than they do. So my concern is not so much whether they can do a better job, but whether they will care to.

Re:It's a big problem for gmail users!

[adolf]

One theory:

Suppose someone subscribes to a open-source-related mailing list. They ask their question and get their answer, and are then done with it and wish to no longer receive it. Then, instead of unsubscribing, they start flagging all of the mail on the list as spam.

Gmail's spam filter is supposedly community-based, so if enough people do this it will start applying a spammier rank to all future mailing list postings. This, in turn, will cause some slightly-spammy (as determined by acronyms or poor English or whatever) messages on such lists to cross the line into being deemed outright spam. I'd like to think that unflagging a given mailing list over and over again would make a difference, but I'd also guess that the variation in headers on mailing lists (due to the variety of senders and their clients) might also make it more reluctant to be trained.

Just a thought. I don't do much with real discussion lists these days, but I do intentionally subscribe to a few advertising lists which Gmail initially thought were spam. Things like the Newegg mailer, pizza coupons, and cigar discounts, which I'd guess a lot of people would subscribe to on accident and flag as spam, took a good bit of training on my part to get past the filter on any consistent basis.

Re:It's a big problem for gmail users!

It's Google's way of telling you that you need to start using Gmail for Domains like everyone else.

CONFORM. DON'T BE EVIL.

They'll Close the Holes When ...

[geoffrobinson]

They'll close the holes when it is out of beta.

Re:They'll Close the Holes When ...

Keep dreaming, "mission accomplished" boi. Reality is for liberals, right??

Google Groups

[Yusaku+Godai]

I haven't noticed any particular trouble with spam originating from Gmail, and Gmail has still been pretty good at filtering most of my spam.

But if you really want Google to do something about spam, go after them for their negligence on google groups. They've allowed the service to become almost unusable due to the amount of spam they allow through. For actual Google Groups it's not a big problem, but for USENET groups it is. Most people on USENET are just dropping anything coming from Google Groups outright. Any legitimate posts from Google Groups are considered an "acceptable loss" given the amount of godawful spam they allow through. It really cheeses me off that Google won't do something about it.

Re:Google Groups

[maxume]

They don't seem to be particularly active in preventing the spam, but they do seem to actually close down accounts that get reported through their web interface (this was more useful 5 months ago when it was 3 or 4 accounts a week in the group I bothered reporting spam for, currently there are dozens a week).

Re:Google Groups

[Lincolnshire+Poacher]

> Most people on USENET are just dropping anything coming from Google Groups outright.

Google Groups is well overdue for an active Usenet Death Penalty; in my opinion it is the only sanction which will make them take note. It was sufficient to bring Erols and UUNet to their senses. ( There is a conspiracy theory that Google is deliberately flooding Usenet; a UDP would disprove this in addition to forcing action ).

Similarly, widespread blacklisting of Google Mail may be the only means of controlling the huge increase in spam. At present, a few individuals and companies are blacklisting but this is inadequate to make Goliath pay attention.

Re:Google Groups

[bcrowell]

It's certainly true that there's a ton of spam on usenet recently that *claims* to be from gmail addresses. That doesn't mean it really is from gmail addresses. You can claim any address you want to claim when you post on usenet. My usenet posts claim to be from an email address in the comain lightSPAMandISmatterEVIL.com.

The trend is that ISPs are dropping usenet access. My ISP dropped it last month -- not just to binary groups but to all groups. I ended up deciding to pay someone else for usenet access, but many people aren't going to bother (or don't realize how cheap it can be if all you want is text groups). Usenet is in danger of drying up and blowing away completely, and if google groups helps to keep it above critical mass by providing a web interface, then I think we ought to hail google as the savior of usenet.

Re:Google Groups

[Yusaku+Godai]

I would support this, and I personally use Google Groups to access USENET at work. But I'd rather just take my lumps and be forced to find another way if it'll help Google pay more attention to this problem.

Re:Google Groups

[Curmudgeonlyoldbloke]

It's certainly true that there's a ton of spam on usenet recently that *claims* to be from gmail addresses. That doesn't mean it really is from gmail addresses. You can claim any address you want to claim when you post on usenet. My usenet posts claim to be from an email address in the comain lightSPAMandISmatterEVIL.com.

Maybe so, but I'd be surprised if someone could disguise the rest of the header info to point completely at Google when they weren't involved at all.

Usenet is in danger of drying up and blowing away completely, and if google groups helps to keep it above critical mass by providing a web interface, then I think we ought to hail google as the savior of usenet.

They had that when Deja died - but they're in danger of being thought of as the spammers' best friend unless they get their act together. More and more of stuff that I used to go to Usenet for tends to be available with less hassle in standalone web forums.

Re:Google Groups

[bcrowell]

It's certainly true that there's a ton of spam on usenet recently that *claims* to be from gmail addresses. That doesn't mean it really is from gmail addresses. You can claim any address you want to claim when you post on usenet. My usenet posts claim to be from an email address in the comain lightSPAMandISmatterEVIL.com.

Maybe so, but I'd be surprised if someone could disguise the rest of the header info to point completely at Google when they weren't involved at all.

Why? Forging headers is a lot easier than solving captchas. Virtually all spam for the last 5 years or more has had forged headers.

Re:Google Groups

[Curmudgeonlyoldbloke]

Mail, yes - but I'm not convinced about News. Most of the Googleish spam on there looks like someone's registered an account and spammed like mad on it for a while, before presumably moving onto another account.

Exhibit A:
http://groups.google.com/group/soc.history.what-if/browse_thread/thread/1a90953ae15922bf#

Re:Google Groups

Hmm? All of the spam I've been seeing is posted from Google Groups, not just from someone with a Gmail address.

This may be linked to somthing a few articles down

The article here http://tech.slashdot.org/tech/08/07/16/2220232.shtml may have a somthing to do with this. Just a thought?

you sissys!!

who the hell cares about spam!?! So some russian kids are trying to sell you viagra pills! It is not the end of the world that hours of programing leaves you impotent!

Already predicted

[Scotteh]

In Wednesday's article, it was revealed that through a bug in Gmails software is was possible to send personalized spam. I guess it's true.

Re:One thing Google could do about incoming spam..

[hobbit]

Crikey, you leaf through 200 pages of emails and manage to find the 1 or 2 false positives? That must take a while.

Real summary: spammers have cracked the CAPTCHA

[argent]

The summary implies that there's something wrong with the GMail spam filters. Actually, the problem is with the GMail spammer filters... the CAPTCHA.

Also, both Google and spammers are being overly complacent about people blocking GMail:

spammers also find Google attractive because of their strong reputation, which makes it highly unlikely the gmail.com domain would ever be blacklisted.

Actually, several sites have blocked Google SMTP hosts that show large spam outflow (it seems to be specific hosts, as if specific accounts are allocated to specific servers or clusters of servers). Including, and I know the irony is thick enough to cut with a knife, MSN Hotmail. There have even been a number of posts to Google's help forums complaining about mail not being sent because Google servers are being blacklisted.

Captcha

[mcwidget]

The fact that more spam is originating from Gmail is not indicative of Gmails spam filters being less effective, I think they only scam mail sent to Gmail accounts.

We know that the Gmail Captcha was broken a few months back. It's more likely that a variant of that tool has become more widely distributed and/or cheaper and has found it's way into the hands of script-kiddies.

The usual slashdot response to..

[bravecanadian]

bad news about Google will be: *insert fingers in ears* NA NA NA NA NA NA NA NA NA! I can't hear you! NA NA NA NA NA NA!

Re:The usual slashdot response to..

[ricebowl]

bad news about Google will be: *insert fingers in ears* NA NA NA NA NA NA NA NA NA! I can't hear you! NA NA NA NA NA NA!

When has that ever been true? From what I can tell from reading the comments to most Google stories, certainly in the past six months, the groupthink seems to be more along the lines of cynicism and criticism. I can't recall any company that gets unanimous praise regardless of its actions. The opposite used to be true, that scorn was heaped onto some companies regardless of their actions (Microsoft is probably the most obvious target of that group-disgust), but even that seems to be waning, there's still the hard-bitten MS-haters, but the view seems to be more balanced and critical these days.

Even the Mac fanboys aren't quite so unfettered any more.

Re:The usual slashdot response to..

[bravecanadian]

Go check out the previous post about google calendar leaking information and the general non-chalant attitude from slashdotters.. then try to compare that to what would happen if it had been Hotmail.

Re:The usual slashdot response to..

[kaos07]

I think the OP's exaggerated the point somewhat, but it still stands to a degree. While I don't think Slashdotters are going to bury their heads in the sand over this, and the previous Gmail article (A bug in the calender system revealing users real full names), the reaction has most certainly been different to what one would expect if the same story was about Hotmail or AOL.

Re:The usual slashdot response to..

I think the natural inclination is to remember the responses from people who disagreed with you, most especially if they were particularly arrogant or stupid about it.

Re:The usual slashdot response to..

It's interesting to see this dicussion. I've been getting tonnes of spam from gmail accounts so I just added a filter to block the whole domain. As far as I'm concerned if you use gmail then you don't deserve my time.

If everyone does this then gmail will die, and the industry will learn an important lesson, if you provide material support to spam terrorists, then you will be caught and punished!

Spoken languages?

[dimer0]

I'm baffled why it's so hard to put some dropdown on gmail (or a set of checkboxes) that say "Here are the languages I can speak/read:", and let me pick English. I'm getting a ton of Russian spam coming in with a character set I don't even know, ... seems like that would be incredibly easy way to filter some of this stuff.

Re:Spoken languages?

ÐYоÐÑÐ Ð ÐнÑÐÑнÐÑÐ ÐYоÐÑÐ ÑÑÑÐнÐÑ Ð½Ð ÑÑfÑÑÐом
And earn FROM $500/day (guaranteed for 1 hour of work/day) UP TO $10000/day.

Re:One thing Google could do about incoming spam..

[Inda]

I wrote to them about this during the early Beta. They were not interested.

My mistake was signing up for a Spanish (Spamish?) site. I don't speak Spanish but I guessed the form fields for username, password, email address. The floodgates opened afer that.

Back to the topic, why doesn't Google just change their CAPTCHA? It sounds too simple a solution...

Something's gotta give

[XxtraLarGe]

We really need to make a change in the way e-mail is done, but I don't know how. While white-listing seems like a good approach, there's always the catch 22 where somebody changes their e-mail address. I know public/private keys would also help, but I think that's too far over the head of most non-tech savvy individuals.

Spam

[corychristison]

My spam has been pretty ridiculously high for the last few weeks, although I have no idea if this is part of it. It really does seem like gmail's spam filters are declining these days.

You don't say? I own a few domain names and to make life easier for me, I have setup 'catch all' e-mail forwards. I get about 30-40 spam messages a day. Gmail catches all of them with the exception of one every few weeks.

Re:Spam

[everphilski]

Try checking how many legit messages it catches too. Yesterday, it caught 4 of mine ...

Re:Spam

[jsdcnet]

i've been using gmail for 3+ years now and i don't think it has ever caught a legit message. i used to check the spam box regularly for false positives but after a while i stopped because it seemed like it never happened. i just looked again and it's still clean.

Re:Spam

[everphilski]

Well, good for you. Yesterday: 11 incoming messages. 7 spam, 4 legit. 3 from the mailing list what accompanies the open source scene graph package OpenSceneGraph (www.openscenegraph.com), and the fourth a robotics design group.

Image here, names of senders blocked to anonymize the uninvolved, only showing messages from yesterday.

Nothing to do with the article...

[argent]

This has nothing to do with spam *to* GMail users, it's about spam *from* GMail users.

Re:Nothing to do with the article...

[Scotteh]

Well I don't use GMail, but in order to take advantage of that bug, would you not have to have a GMail account? Thus, the spam would be originating from GMail, to GMail.

Re:Nothing to do with the article...

[argent]

That still has nothing to do with the article. This is about spam coming from GMail. To the rest of the world. Via Google's outgoing SMTP servers.

I know it's probably against the unwritten Slashdot rules to Read The Fine Article (as someone just pointed out in another thread) but in this case it really is worthwhile.

Re:One thing Google could do about incoming spam..

[mgkimsal2]

No, actually I've found them on the first couple pages. There might be a few more that get through, but I don't normally go back but a day or so (3-4 pages maybe).

If I see a false positive, I'll do searches in the spam folder for mail from people I was corresponding with lately, just to make sure nothing's in there. It's a rarity, but does happen.

Confusing summary

[gravyface]

TFA is talking about the popularity of gmail accounts for sending spam now that Google's CAPTCHA has been cracked. This has nothing to do with how effective your gmail is filtered.

Re:Confusing summary

[Jugalator]

I agree, the submission was alright, but CmdrTaco has misunderstood it.

Fix the damn summary!

[argent]

Most of the comments on this page are about *incoming* spam to google, when the article itself is about *outgoing* spam from google.

Re:Fix the damn summary!

[asCii88]

Mod parent insightful and RTFA

Re:One thing Google could do about incoming spam..

[tgd]

Yeah thats why I mentioned the Cyrillic thing.

In reality doing it via language matching should be pretty trivial. I'd hazard a guess if you had a list of 30 languages and you pulled out the top 50 most common words in each language you'd probably have near 100% success in detecting the primary language in an e-mail. I'm sure an algorithm either purely based on that word set or based on a larger dictionary choosen based on that matching could be done to determine with a very high confidence what language an e-mail is in and if there's more than one or two languages in it.

They also know my white list of contacts. In my case I'd bet 90% of my e-mail comes from them so those can be immediately put in the inbox, reducing the number that need to be scanned at all.

Re:One thing Google could do about incoming spam..

[gad_zuki!]

Or how about providing this option "I dont expect email from senders outside of the USA. Put all foreign mail into junk."

more arrests needed

Can't they do one of the multi-country coordinated sweeps and arrest like the top 100 spammers all at once?

I know the little guys will fill in eventually and take over but at least it will be calm for a few weeks.

Re:One thing Google could do about incoming spam..

[jeiler]

CAPTCHA is broken: it's not just various implementations that are compromised, but the entire theory.

Spew from an unblockable

[redelm]

However warped or rapacious, spammers are not stupid. They think that GMail is an unblockable address and its mail will get through. They want their "messages" to get through, so they will use it.

Perhaps the GMail mailadmins will try to stop some, but they probably won't get it all. And they too will rely on GMail being "too big to block" for most mail recepients.

This just highlights how the burden of anti-spam efforts often gets transferred to legitimate email senders by simplistic blocking. The unacknowledged false-positive problem. I have seen these come to a sudden stop when the company loses an important order because it false-positived the prospect.

Re:Spew from an unblockable

[gmuslera]

Most blocking techniques based on source of connections (black/gray lists/dnsbl, etc) fail against spam originating from real gmail accounts, coming thru their servers. And filtering based on content not only is expensive (requires more cpu at the very least) but also very sensible to whatever trick the spammers are using some day.

But once you have a way to automate creating accounts or at least being able to do it in mass (cracking captchas, or using social engineering, like putting a bunch of people to decipher it for you with tricks like masking it as a game or a way to deliver porn or whatever), no big email provider is safe.

Of course, some behavior can be blocked for sending mail. Making sending thru auth smtp slower, or not letting just subscribed accounts to send to a lot of different people at once, or limiting the amount of receivers per hour, there are a lot of things that can be implemented.

But if a mid-sized botnet targets gmail/hotmail/yahoo/whatever, it could be fast to react to those challenges, so you will not really solve the problem AND will punish your users if they have a somewhat not evil use that hits those restrictions (i.e. autorepliers, mailing/announcement lists, etc)

Re:Spew from an unblockable

[redelm]

I suspect content-based filtering is underutilised because of a historical perception of "high cost". CPU is unbelieveably cheap these days with x2 and x4 CPUs. The problems are small and fit nicely in cache. Bandwidth still costs, but perhaps minimally with early content-based TCP abort.

Ultimately, content-based filtering can also be used to identify spammers and refresh blocklists rapidly if they are still desired.

Re:Spew from an unblockable

[multipartmixed]

Content filtering is not only costly in terms of CPU, it's costly in terms of man-power if you care about maintaining a super-low false positive rate.

Our organization manually reviews N% of all incoming e-mail for training purposes, at a cost of about Y man-months per year. That's real dollars.

Blocklists are still the most effective anti-spam weapon, but are a huge problem in terms of false positives. So.. block list selection is incredibly important.

[ N and Y redacted ]

Re:Spew from an unblockable

[gmuslera]

Spam can easily go back to gfx form (or other kind of embeddable content, like i.e. pdfs). In that scenario, plain "content" filtering is or incomplete, or enough cpu intensive in busy/underpowered enough servers, AND, the bandwidth needed to do even an early detection will be high.

In the other hand, connection source blocking can cut the connection after receiving a few bytes, but cant do anything again widely used real servers... like gmail.

Complementing this 2 techniques with some sort of user feedback (bayesian, gmail's "report spam", etc) could help to get spam, cpu and bandwidth low.

About updating blocklists based on spam coming from servers risk adding big servers like er... gmail, as spam is originating in their servers from the point of view of the receiver.

Re:Spew from an unblockable

[redelm]

Blacklists should only be set on a _percentage_ basis, not number of hits.

To reduce burden, white hats could share (automated network) content-hits, either signatures or sources.

As for graphics, parsing them is indeed difficult, but they are also relatively costly to send, and their presence could be a part of scoring.

Re:Spew from an unblockable

[redelm]

The ultimate content-filter is the recepient. They're the ones insisting on super low false positives, so should be ready to pay the price in false-negatives.

In this respect people vary, and should have some continuous choice (threshold score) between: "I hate spam, filter everything and I don't mind the occasional loss" and "I cannot afford to miss anything, so be careful what you filter". Turning filters on-off is very crude.

Re:Spew from an unblockable

[Mr.+Roadkill]

This just highlights how the burden of anti-spam efforts often gets transferred to legitimate email senders by simplistic blocking. The unacknowledged false-positive problem. I have seen these come to a sudden stop when the company loses an important order because it false-positived the prospect.

That all depends on how you approach it, and how useful the rejection information is. "We don't accept spam" is more likely to get a lost customer than "REJECT [Reason for rejection] - if it wasn't spam, please contact postmaster@bar.baz so we sort this matter out". A polite message that indicates that we acknowledge that we might have fucked up and want to fix things is unlikely to put many noses out of joint - we reject maybe half a million messages per day, and get between two and perhaps eight queries about blocked mail per month. I use a lot of simplictic blocking against most of the interenet, and it works a treat.

I also have a lot of whitelistings at that kind of level in place for places like hotmail, yahoo, gmail, bigpond, optus and a whole lot of other ISPs that we get a lot of legitimate mail from as well as a lot of spam and viruses. They're massive spam sources, especially now that captcha is useless, but I can't block them outright for even a Spamcop listing. They then trickle down to our next level of scanning.

That level of scanning is content-based, and uses ClamAV - with the official, the SANE Security and the MSRBL signatures. They catch a whole lot of phishing and 419 and image- and pdf-spam messages, as well as viruses. Gmail and Yahoo and Hotmail mostly have phishing emails caught that way, it's mostly viruses that come from ISP mail relays, and that seems consistent with who and what is sending unwanted mail through those kinds of systems.

Anything that passes that level then goes to Spamassassin, which has had the scores tweaked and which we have a rejection threshold of 15 set for - we have a legitimate need to accept Chinese HTML-Only mail from crappy webail systems with no PTRs wherever possible, hence the relatively high threshold. We have the various URIBL checks apply 15 points - so, if it's got a nasty URL in there, it gets rejected. We apply varying numbers of points for hits against most blacklists - mostly 5, but we've got 15 for the RFC Ignorant BogusMX one and 1 for SORBS and 2 for SORBS-OLD and 2 for SORBS-RECENT so they get 3 for old spam or 5 if they're a recent spam source. We also apply 5 for things like CSMA or PSBL that I couldn't dream of blocking against directly. With some tweaked scores for other tests, I find that we mostly manage to keep gmail spam out while letting gmail real mail through. I got one false-positive reported last week for mail from a gmail user - but it turns out that we'd also rejected 3000 messages from spammers from that same IP address in that same week, and that server was listed in no less than four different blacklists at the time of the rejection. I also noticed that small but significant number of them were rejected due to Sane Security's ClamAV signatures, and they looked like targetted phishing attempts and 419s from the subject lines. Simplistic "You're in SpamCop, we're not accepting your mail" blocking can't be safely used by some organisations against the likes of gmail and hotmail, but there are ways of reasonably cheaply keeping most of their crap out with minimal false-positives.

Re:This may be linked to somthing a few articles d

[Chrisq]

Unless I've missed something this doesn't affect sending outgoing spam.

It may attract spammers in that they can compose personalised messages that you are more likely to read. It may be useful to phishing scams as many people will use real names, but I don't think it will aid bulk sending.

Of COURSE they do

[gparent]

It makes it much easier to find out their spammees' names with Google Calender!

Re:Of COURSE they do

[betterunixthanunix]

I wonder if this combination of attacks will lead to an increase in the number of people who fall for the typical, "Hello, I am prince Abracadabra and I need a safe place to store $150000000; what's your bank account number?" I could see it now:

Dear Betterunixthanunix,

Upon reviewing your banking history, we think that you are an ideal candidate for a business deal we need a partner for. It involves the transfer of $2000000, from an offshore account. You will receive a 25% commission on this. If you are interested, please send a scanned copy of your birth certificate, social security card, driver's license, and a copy of your last bank statement...

Re:One thing Google could do about incoming spam..

[antifoidulus]

Google already does that for their ads. I'm an American living in Germany who also has friends in Japan that I coorespond with in Japanese. I get ads in English, German, and Japanese(in fact I get ads in Japanese offering to teach me English and/or German....) so if they can determine the language for the ads, then they should be able to use it for spam.... at least if you get an email in a language that isn't in your outbox it should trigger something..

The script check

[Analog_Manner]

So what's going to happen? Is google going to require that gmail users fill out the script-check for out-bound messages?

Captchas...

The Gmail captcha has been cracked, spam will of course follow.

Require digital signing; people will catch on fast

[betterunixthanunix]

Here's a quick way to solve the problem: require digital signatures for "important" emails. Want to sign up for Facebook? Digitally sign your reply to the "verify" email. It is quick, effective, and people who don't know what signing is will catch on really fast.

Originating? Or Spoofed As?

Are these emails actually originating from a Google Mail system, or are the hackers just plugging in spoofed origin email addresses in the Google system? There was the recent article where a Calendar entry could disclose all current Gmail userID's.

Google should hire hit squads

[spidercoz]

Start assassinating some of these fucking degenerate spammer asshole motherfuckers and watch the junk disappear. Seriously, these cocksuckers need to be burned at the stake. Blackwater would prally do it.

Re:Google should hire hit squads

[Animats]

Blackwater would probably do it.

There's something to be said for this. Many of the major spammers have been identified (see ROKSO). The anti-spam community needs "boots on the ground" to do something about them. There are private companies in that business. Blackwater is one; Kroll is another. Spammers today are part of larger criminal enterprises, which makes them vulnerable to private investigators.

Re:Google should hire hit squads

[halcyon1234]

I disagree with this-- only because they aren't going after the right targets

Spam is profitable not because there are people who will do what it takes to get the money-- but because there exists a small subset of the population who will gladly given them the money. Spammers aren't the problem, they're a symptom. It's the customers who are the problem

And the solution is easy. Send in Blackwater, et all to take down one or two of the biggest spammers. By the time the bodies hit the floor, four more operations will have popped up. Not a problem.

Have Blackwater take over the Spammer's customer list. They'll have the names, and more importantly, the addresses of everyone who has purchased from them. That's when you pack up a "healthy" dosage of cyanide pills (colored blue, of course), slap them into a generic \/!@gr@ container, and ship a "free sample to our loyal customer" to each and every address there.

Give it a week, and there won't be a problem with customers.

And make sure that the news corps get ahold of the story "Spammers killing Americans en mass! Teh Internets r Dangerous". Make it very, very publicly known that meds from a Spammer killed tens of thousands of Americans. Not only will it "wake up" the few people who didn't take the blue pull, but it will also make it much easier for Blackwater to then go after the rest of the Spam operators.

Why that last part? Well, just because killing the Spammers wouldn't solve the problem doesn't mean I don't want them killed. =)

Re:One thing Google could do about incoming spam..

[The+Tomer]

Actually, you can create that filter using gmail's filter system.
It would look something along the lines of:

Matches: from:-(*.edu OR *.com OR *.net OR *.org)
Do this: delete it. (or if you want to be sure you don't accidentally delete real mail, give it a label and skip inbox)

lolwut?

[hagnat]

is this for real ? i use gmail since it was released to the public in that april fools day, and the past two months have been the ones with the least spam i ever had in my entire life... last time i trashed my spam box was last friday (July 11th), and since then i only got less than 40 spam messages... this is way less than the amount of valid emails i got in the same time frame.

Re:lolwut?

[dave420]

Your reading comprehension definitely isn't for real :) The article is about spam originating at gmail, not how much spam gmail users receive.

Re:lolwut?

Why on earth did you bother to reply to someone who uses 'expressions' like "lolwut"?

I didn't read it

[koan]

I just wanted to add something interesting, I forwarded an account to my gmail in order to use gmail's filters to rid me of most of the "sorting" work, periodically I log into the original account to clean it up.
After about 6 months of doing this, I notice when I log into the original account there is almost no spam in it these days.
I guess they lost interest in that email since I never actually look at anything in it.

Re:I didn't read it

[MeditationSensation]

Depends on how much spam you receive, how many spammer lists you're on. I have an old university email account that I check once every few months. I haven't used the account to send mail--nor have I posted that email address anywhere publicly--in almost *four years* but the account still gets a couple thousand spams every three months.

Same with my current Gmail account (which I foolishly used to post Google Groups messages a few times and got indexed by spammers). I haven't posted the address publicly in almost two years, but I still get 100 spams/day.

My point is that spammers take a *LONG* time to get tired of your address. :-) I'm guessing you didn't receive nearly as much spam as I do, so you only had a few spammer lists to fall off?

Re:One thing Google could do about incoming spam..

[Poorcku]

http://youtube.com/watch?v=lSnWhsmlGec&feature=rec-fresh

is this english?

Re:One thing Google could do about incoming spam..

Give me a damn drop down that says "I speak English, anything not in English is not to me".

Won't solve their outgoing problem, but adding "this is my language" support would be a big help on the incoming, at least with my spam patterns.

1) Tell them about it. Companies actually listen to large volumes of feature requests (like voting, except that each one counts). I already suggested this very thing (though I suggested it by way of allowing regexes in the tagging)

2) This would help greatly with their outgoing problem. The reason gmail is preferred by spammers is that it has a special standing with gmail spam filters, in other words, they can easily bypass otherwise top notch spam filters by using gmail. If, however, your (and my) plan were put into place then gmail has a convenient way to say things like ">50% of this users emails are tagged spam, don't accept any more outgoing from him"

I wrote the release...

[dskoll]

Well, I did this study and our results are here.

We in no way imply that Gmail's inbound spam filtering is bad. It's probably excellent. It's just difficult or impractical for Google to filter outbound mail without either human review or complaints because of false-positives.

What we're saying is that spammers are trying to evade IP reputation systems by hijacking organizations with good reputations or which would be impractical to block. There will be a CAPTCHA-cracking arms-race, but unfortunately I think the system will reach equilibrium with spammers quickly breaking CAPTCHAs and continuing to abuse free e-mail systems.

Re:I wrote the release...

[dave420]

It definitely doesn't help that you can hire people over the internet to sit and respond to CAPTCHAs all day. As long as a human can understand the CAPTCHA, the spam will continue.

Re:I wrote the release...

What netblocks did you use to determine whether the mail came from Gmail, Yahoo, etc.?

Re:I wrote the release...

[john83]

My experience is that Google's inbound filters are still excellent. Outbound filtering is interesting. Thing is, you don't need to filter outbound mail in the same way as you filter inbound. Instead of killing any message that scans as spam, you let them through. At the same time, you track what percentage of any given account's output is flagged as spam. Any real account is hardly going to top 1%. Any bot-generated spamming account is likely to top 99%. Kill those accounts. I really doubt you'll get any false positives.

Re:I wrote the release...

[gnud]

If I were to try to filter outgoing email, this is how I would go about it:

I would apply the normal filters, but with a very low weight. Then I would calculate in the number of receivers for this email, and the number of receivers in emails sendt for the last 24 hours.
You -might- be sending legitimate email to 30000 people about V14Gr4, but I somehow doubt it. -G

Re:I wrote the release...

[the_olo]

Well false positives could be minimized by applying some sort of "tenure score" to all GMail accounts - the older an account and the more legitimate mail it has emitted, the more trustworthy it is and this contributes to a "whitelist" score on the filters (both outgoing and internal GMail -> GMail).

Recently created "throw-away" accounts would start with a low score and their outgoing mail would be much more likely to trigger blocking, provided that it also scores on some spam characteristics. I think that legal initial activity on webmail accounts can be identified and contribute to whitelisting too - after all, users often send "test" messages to their other accounts or their friends after they open a new account. While the spammers go right to mass sending.

Which gives me another idea. I understand that the spammers make a large number of new accounts and not necessarily send large amounts of messages from a single one. However, they probably send massive amounts of nearly identical messages from different throw away accounts. I think that GMail could try to correlate this data (e.g. using some message fingerprinting tehchniques similar to Pyzor/Vipul's Razor) and identify not single accounts that send out spam, but entire spam account clusters operated by single spammers at once!

Heck, this could be improved even further by buffering suspect outgoing messages and delaying sending them to external systems a couple of seconds (e.g. half a minute) in order to try to detect whether they are more of them coming from other accounts as a part of larger campaign. The system could hash, group, count and sum their amounts to decide whether this is actually a spam mass mailing. It would then bounce them, then start refusing to accept everything that looks the same, right at the sender (in the initial SMTP session from the MUA or in the web UI). This way some spam would not only be identified, but successfully learnt automatically by the whole system, and rejected from now on.

Of course, not working at Google, I can only speculate, they probably are doing all this, yet still it's not enough.

Well, they could try cooperating with some spam-fighting and anti-phishing communities (like the underfunded, yet still effective "pain in the phishers' ass" CastleCops). Actually, I've suggested this to a colleague who works at Google and he suggested that to someone else, but it seems the idea didn't catch on then. Maybe Google should realize by now that even they cannot beat the spam problem all by themselves?

There are lots of ideas I think that would make GMail's spam filters much more effective. After all, being such an integrated service and having such an efficient infrastructure, they have lots of useful data and mechanisms at their disposal.

Re:Require digital signing; people will catch on f

[megaditto]

Most people don't like jumping through meaningless (to them) hoops.

Re:Why not apply spam filters on outgoing messages

[Ralph+Spoilsport]

Nice idea, but what if you're discussing spam content? Then your email will appear spammy, even though it isn't.

Or, what if you write poetry? A lot of modern poetry reads like seriously fucked up spam. Also, scripts read as nonsense, and nonsensical scripts, even more so. Example, from "Waiting for Godot":

(with magnanimous gesture). Let's say no more about it. (He jerks the rope.) Up pig! (Pause.) Every time he drops he falls asleep. (Jerks the rope.) Up hog! (Noise of Lucky getting up and picking up his baggage. Pozzo jerks the rope.) Back! (Enter Lucky backwards.) Stop! (Lucky stops.) Turn! (Lucky turns. To Vladimir and Estragon, affably.) Gentlemen, I am happy to have met you. (Before their incredulous expression.)

So, if I were discussing that, or simply emailing a friend or group of friends saying "Here's the passage you were looking for / we were discussing", it would get flagged as spam.

So, no, hindering outgoing mail is NOT the answer, or part of an answer. One poster above noted that opting for (Language X) charsets only (such as Roman only) would help get rid of all the cyrillic and chinese/korean spam. That would be good, and VERY simple to set up. As far as the rest of it goes, heuristic filters do work, if you use them. But, you always have to use them...

RS

Re:One thing Google could do about incoming spam..

[Enki+X]

What happens if one of your correspondences is simply a horrible speller? Does it simply blanket filter them out too?

Re:One thing Google could do about incoming spam..

[jmauro]

Doesn't help me. Most of my gmail spam is in Portuguese which uses the same character set as English. At some point I was hoping they'd cross pollinate translate.google.com with gmail so the spam filters could learn that if the message is in Portuguese to me it's spam.

Re:One thing Google could do about incoming spam..

[Spy+der+Mann]

CAPTCHA is broken: it's not just various implementations that are compromised, but the entire theory.

The turing test theory to identify humans from machines is broken?

Nay. It's the implementation that is broken. Image analysis and pattern recognition do NOT make artificial intelligence.

My solution is to make entire phrases out of captcha'ed characters. Decyphering a single character can be difficult, but it's much easier to deduce the meaning of an entire phrase even if some characters were wrong (except the numbers):

"Please add the numbers except the one with purple dots behind it, and then substract from the result, the second digit of the one with an orange background: 723, 934, 21, 5".

Note that the questions don't have to be math related.

"Alice broke up with her boyfriend James. She was so mad that she forgot where she left the car keys, and got late to work. If only she hadn't seen him kissing the other girl, she wouldn't have had a bad day.

Question:

What did Alice lose that made her arrive late to her job? (three words)"

(Yes, all the sentence was captchaed).

The real issue: Gmail considered secure

[scorp1us]

With most big name email players like gmail, yahoo, etc, now using DomainKeys, the value of having an email address on any such system has skyrocketed. Gmail addresses are also usually even more respectable addresses. So being on gmail and a getting through because DomainKeys work makes it is a privileged domain.

What the proper response should be:

1. Gmail makes signing up harder
2. Gmail scans all outgoing mail (and between its own servers)
3. mail receivers don't skip the spam screening even if there is DomainKeys

What should really happen is SenderKeys, which augments DomainKeys. You will get your own domain key when you can become "verified" like at Ebay and elsewhere. SenderKeys is implied by DomainKeys.
 

Re:Require digital signing; people will catch on f

[betterunixthanunix]

Yeah, but they will tolerate it for certain purposes. For example, my bank insists upon verifying "unknown" computers by sending text messages to my phone. It is annoying, but they haven't seen a drop in traffic on their website, because people are willing to deal with the annoyance, even if they have no understanding of why it was imposed on them. Likewise, if we started forcing people to sign messages in order to gain access to the latest Internet fad, we would see a vast increase in the number of people digitally signing their email, and a very sharp decline in the amount of spam.

Re:One thing Google could do about incoming spam..

[xerxesVII]

And besides, Netcraft confirmed it.

Limit outbound to X/day based on reputation

[davidwr]

If free mail services limited mail to X/day based on the user's reputation this would make them a lot less attractive.

Some ideas:

Notarized or other highly reliable means of identity confirmation: very very high
Driver's license, passport, or purchasing paid services with major credit card, or identity confirmed by somewhat reliable means: very high
Established user with good abuse history: high
New user or idle account: medium
User with poor abuse history: low

Limit "medium" users to something like 10 messages a day + 1 more message for every day in the past 30 days they logged in to check their mail.

Limit "high" users to 100 outgoing messages a day.

This will at least make the spammers work harder.

Web-based mail should also check for "robotic activity" like sending too many messages in a short period of time, or messaging around-the-clock. Real people sleep or stay up all night playing WoW.

Re:Why not apply spam filters on outgoing messages

[fireboy1919]

They do. And its a pain in the butt if you want to send a newsletter to people in your org/company/group.

Maybe I just look like a spammer for some reason.

Outgoing Filters.

[mr.sean.r]

Outgoing Email filters are becoming more and more popular on the internet. My company pays for hosting and email, we were recently switched from Postini to Can-It. Postini had no outgoing mail filtering, Can-It does, once we learned the rules of outgoing mail everything was fine. I would not be suprised if this was the way google took. Maybe not switching to Can-It, but outgoing mail filtering.

Why not use GMail to catch GMail Spammers?

[Erez.Hadad]

Seems to me that Google could simply use its own (quite excellent) spam filters to identify GMail accounts that generate spam. Then, it could send a warning message to those accounts and if no reply is received within 2-3 days, shut down the accounts (or at least disable them)

Re:One thing Google could do about incoming spam..

That would just be an unplanned bonus.

Re:Why not apply spam filters on outgoing messages

[cronot]

The problem major problem with spam filters is the false positives, and with outgoing e-mail this problem is worse, because if Google thinks the e-mail you're sending is spam, google is caught in a dead end with two options, neither good:

1. Discard the e-mail silently. With false positives, that's bad for obvious reasons.
2. Bounce the e-mail back to the sender. That's less bad for legitimate users, but awesome for spammers, because they can then tweak their message until it gets past the filter. Google could probably implement further filtering criteria in this case that starts silently discarding outgoing messages after N bounces of a message that looks like other messages to a certain degree, in a given period. But that would not be cost effective (both in implementation and computational cost), and could probably hurt a few legitimate users too.

I think outgoing filtering is not the way to go. I don't have a better solution either, the best for now is probably improving their current filter for incoming messages, and make it harder for spammers to get an account on GMail.

Re:One thing Google could do about incoming spam..

just use filtering rules to auto assign spam to the trash...

Re:Require digital signing; people will catch on f

[megaditto]

I don't understand why "a vast increase in the number of people digitally signing their email" would cause any reduction in spam, unless you are saying that only signed emails should be allowed on the internet.

Re:One thing Google could do about incoming spam..

[PC+and+Sony+Fanboy]

bad spelling should be a crime, there is no excuse! ... it should be 'punished' by mandatory use of the built in firefox spell checker.

Re:CAPTCHA is broken

[javilon]

Well, as you increase the level of intelligence meeded to go through the CAPTCHA, you start to leave humans out. And this only gets worst as CAPTCHA breakers get better and better, so in that sense, the CAPTCHA is broken, and also in that sense, we have artificial intelligence that is at least as good as the worst humans.

Actually mine seems to be from....

[Deth_Master]

"Opera's revolutionary new email client."

or

FROM MR PHILLIPS ODUOZA
EXCUTTIVE DIRECTOR ELECTRONIC TRANSACTION BANKING

While my dspam has noticed a substantial amount of misses, most of the ones it's missing are the Opera ones, because they contain so few tokens similar to most other spam. They seem to be using absurd titles "Obama killed in bathroom luncheon" or "40,000 Troops die in Iraq" Oh well, retrain FTW!

Re:Why not apply spam filters on outgoing messages

[hankwang]

Nice idea, but what if you're discussing spam content? Then your email will appear spammy, even though it isn't.

I have mail accounts which are filtered by SpamAssassin, which does a fairly good job, and it looks like the actual text content of the email can only contribute so much to the spam score. I tried sending myself emails from a different account with text like "president nigeria $8,000,000 viagra penis enlargement rolex' and it stayed below the spam threshold: each spammy subject gives one point, so that is only 4 points while the spam cutoff is at 5. Blacklisted IP addresses have much more weight, and in addition there are plenty of technical issues that are are spam indicators, such as dynamic IP addresses, forged header lines, HTML-only mail with inline images, and so on.

I don't know what Gmail exactly uses for spam filtering, but the above message sent to my gmail account made it to the inbox with no problem.

Re:Require digital signing; people will catch on f

[betterunixthanunix]

Ah, forgot to mention that part. Yes, presumably, if the overwhelming majority of legitimate emails were digitally signed, spam filtering would be a lot easier, at least if there was a good PKI in place. Even if spammers managed to get trusted signatures on their certificates, the amount of CPU time required to digitally sign a message would decrease the volume of spam they could send out (and those trusted signatures could be quickly revoked when if became clear they were used for spam).

Re:One thing Google could do about incoming spam..

[jsdcnet]

Give me a damn drop down that says "I speak English, anything not in English is not to me".

god yes. i have wished for this constantly.

Do you want enlarge your penis? d27j

Dear admin@gmail.com

Do you want enlarge your penis upto 4 inches?
Amazing, PERMANENT RESULTS that will last.

Å¥ Gain 3+ Inches In Length.
Å¥ Increase Your P3nls Width (Girth) By up\to 20%.

Thanks
Jennifer Cassidy

Re:Do you want enlarge your penis? d27j

[ufpdom]

here's a thought.... Forward your spam to admin@gmail.com maybe it'll get fixed faster.

Re:One thing Google could do about incoming spam..

[davegravy]

What did Alice lose that made her arrive late to her job? (three words)

"her x-boyfriend's virginity" ?

Re:One thing Google could do about incoming spam..

Posting as Ac because I moderated...

Your idea doesn't address one of the main avenues of CAPTCHA breakage, which is the mechanical turk approach that has been used - swiping the CAPCTHA graphic, showing it to a real human to get them to fill it in in exchange for free porn/MP3's or whatever.

In the spam arms race, this missile has been downed.

Re:Why not apply spam filters on outgoing messages

[foniksonik]

"The email you are sending appears to be spam. Are you sure you want to send this email?"

I had the same idea but on second thought it would be a hard strategy to enforce.... they'd have to set up an extra call center just to handle the flood of complaints: "Hey you guys say my email is spam, WTF... it's an email newsletter I send out to my men's club about the benefits of Viagra!"

Not to mention the instant killing of any type of email meme jokes...

Re:Why not apply spam filters on outgoing messages

[Ralph+Spoilsport]

Hi!

I'm not concerned with recieving spam - as you noted - spam filters work well, and I also noted that. I am much more concerned with labeling outgoing email as spam, as it is a fast and slippery slope from halting viagra adverts to straight censorship. My concern isn't technical - it's conceptual.

cheers!

RS

Re:Why not apply spam filters on outgoing messages

[Crackmonkeyjr]

There's a big difference between filtering incoming spam and filtering outgoing spam. When spam comes in, it doesn't get blocked, it just gets put into your spam folder, which you should check periodically to make sure it hasn't collected any real mail by accident. There is not, however, any protocol by which an outbound server can place spam in your spam folder, they would have to block it outright. This means that certain, totally acceptable emails will be blocked, not a good thing. Moreover, most spam filters, including Google's, have a very important feature by which you can set particular senders as "not spam," this would also be impossible for an outbound server to allow you to do. Moral of the story, if you don't like having your mail randomly blocked, and you expect to ever get legitimate emails from someone using gmail, having gmail filter outgoing mail is a bad idea.

Re:One thing Google could do about incoming spam..

[funaho]

To properly filter such mail you really need to filter on the Received: lines, and even then you would need to filter by IP to be able to accurately identify what is coming from outside the US. Many smaller mail systems for example will actually filter out the entire Asia-Pacific IP range due to the large amounts of spam originating there.

Re:One thing Google could do about incoming spam..

[ScreamingCactus]

September 2008 /. headline:
Google launches new "unbreakable" Captcha-Phrase validation system

December 2008 /. headline (3 months later):
Spammers in Nigeria beat scientists to creating world's first sentient AI

Subsequent comments read:

I for one...
Welcome our new CaptchaPhrase-cracking artificial overlords!

Frist Post?
First post!

Re:One thing Google could do about incoming spam..

That wouldn't work for me. I regularly send emails in Frenglish. I'm a Quebecer who frequently switches back and forth between French and English in emails with my friends and family.

Si tu te basais sur le contenu de mes courriels pour déterminer s'il est en franÃais ou en anglais, ton algorithme échouerait parce qu'il est ni en anglais, ni en franÃais.

Re:One thing Google could do about incoming spam..

[jeiler]

CAPTCHA is broken: it's not just various implementations that are compromised, but the entire theory.

The turing test theory to identify humans from machines is broken?

I would have to say yes--because (in the case of automated sign-ups) it is implemented by computers to computers.

The only thing your example does is add a layer of complexity. Standard CAPTCHA techniques rely on a single dimension of perception--the ability to recognize and reproduce text. Your examples rely on multiple channels of perception (recognition of text and comprehension of language), and as such adds a layer of complexity to the issue--one that's currently not within a computer's capability, but is theoretically possible.

Any process that can be automated will eventually be developed as an algorithm: currently, computers are capable of recognizing CAPTCHAed text (within a certain failure percentage). Computers currently cannot reliably understand complex phrases in natural language ... but they can understand simple phrases, and complex phrases are only an additional layer of complexity.

I'm not saying that the theory is unsound (though I suspect it is--I simply don't have enough proof to make the argument). What I'm saying is that the test cannot be automated--and adding layers of complexity is not the cure.

roaring penguin?

[nimbius]

this would have had more credibility if it came from a more neutral party.. study by anti-spam vendor concludes: spam is on the rise. google responds: we know. vendor insists: we're still 98%+ effective!

Re:roaring penguin?

[dskoll]

How are we not neutral? We can back up the numbers with data.

Of course the press release boasts a little. That's the purpose of press releases. We can back up the 98% number too. Email us if you're interested.

Let's Not Forget

Google is not in the Email business. They sell online ads.

Re:One thing Google could do about incoming spam..

[kvezach]

My solution is to make entire phrases out of captcha'ed characters.

Like this one (solve differential equations), or perhaps this one (calculate resistor network values)?

Unnecisary concern

[kiddygrinder]

Please, you're all worrying too much, all of these problems and more will be solved by Email 2.0.

Re:One thing Google could do about incoming spam..

[biohack]

I also see some ads that match the language actually used in e-mails. However, I suspect that the current system Google uses to make decisions about ads is rather unsophisticated, since I also get ads in Japanese (or what I think might be Japanese) simply because a thread mentions Japan multiple times.

Re:One thing Google could do about incoming spam..

[maxume]

Spelling checkers is not the compete salutation.

??What

[smoker2]

How does a spam filter "decline" ?
I could understand its efficiency declining or its effectiveness declining, but the filter itself ?
Time to find an English translation I think.
No matter, the summary and the actual article are talking about 2 different things anyway.

And while all you mods are reaching for the troll option, just bear in mind that if no-one publicly questions the inappropriate use of language, then it is seen as acceptable and copied by others, until there are no rules being followed at all. Let me know how that works out for you.
I care because I learned English, and to ignore blatant and sometimes deliberate mistakes is to do a disservice to future speakers. Is it fair for someone who is not a native English speaker to learn English, only to find that when they make a mistake it is ignored, causing them to think they got it right ? And then later on they are taken to task over a misuse of the language which nobody ever corrected them on.
Everybody has the right to make mistakes, that's how we learn. But in denying the possibility of correction, you are denying the act of learning itself.
And that is pretty self centred IMHO.

Yahoo to

[PadRacerExtreme]

It really does seem like gmail's spam filters are declining these days.

Yahoo's filter has been pretty bad for a week or two now also.....

I don't need no stinkin' Spam.

[No2Gates]

I have had a Gmail account since the first month of "Beta testing" years ago, and would get maybe 1 spam per month. In the past 2 months however, I seem to get about 3 per day. Always Canadian pharmacies trying to get me to have great sex. Those damn Canadians are out to kill us all I say...

Re:Why not apply spam filters on outgoing messages

[Exitar]

We had something similar in our company years ago (the mail server added *nameofthecompany-spam* to the subject of suspect email) for both incoming AND outgoing mail. It's not very professional when people of a company you are doing business with read *nameofthecompany-spam* as the first word of an email.
But maybe it's better than not receiving the email at all as you suggest (I've my work email forwarded to gmail, and sometimes is classified as spam, so the filter is not 100% infallible)

First in a long time

[JackassJedi]

Today was the first in a long time that a spam email on GMail made it to my inbox; could be just randomflux but seems to correlate.

Re:One thing Google could do about incoming spam..

Indeed. While you can specify a language tag in searching your mail, which works great, there seems to be no way to hook that criteria to a filter.

Re:One thing Google could do about incoming spam..

[niconorsk]

To save you some time in the future, I believe the GMail spam filter automatically whitelists anybody that you have sent e-mail too. The assumption being that if you're sending them e-mail, they're not likely to be sending you spam

Actual Origin? Don't blame service provider.

[twitter]

Blaming Google and claiming it's because of broken captcha begs the question of how the spammers really operate. Anything open to the public is open to abuse as you say. Invite systems only invite spammers to do more of what normal people do. Spammers can't be doing this from a single IP address, or even a small collection of them, without being blocked so we know they are somehow obfuscating their communications. I can only think of two ways:

1. Botnet
2. TOR and other anonymous proxy services.

The history of spam shows that a combination of the two is at work. Spam has traditionally come from exploited computers on cable modems and that has not changed only the means. Now that every ISP blocks port 25 and forces you to use their SMTP server, the spammers have targeted that and webmail.

The real solution to the spam problem is to attack the root cause, the continued failure of M$ to protect their customers. The spam problem is directly proportional to the number of Windows machines on the Internet and the speed of their connection.

Re:One thing Google could do about incoming spam..

It's funny you say all your spam is Cyrillic, all of my gmail correspondence is in Bulgarian and all the spam I get is in English. I suspect it would even be unnecessary to examine the content, just dump everything that is Latin-1 in the spam folder. The gmail filter already works flawlessly for me, though. But I'm also very careful in giving out my email address.

Re:One thing Google could do about incoming spam..

[lawaetf1]

I hope it will take into consideration those of us that speak jive.

Re:CAPTCHA is broken

[tonyray]

I don't think CAPTCHA's are being machine broken. I've seen ads outsourcing the typing in of CAPTCHA bidding $1 per 1,000. Try looking at http://www.getafreelancer.com/projects/Data-Entry/Captcha-PROJECT.html to get an idea of what is going on.

Re:CAPTCHA is broken

[jez9999]

So it's a win-win situation; you get fewer bots, and fewer dumbasses signing up. Heyyy, I've just thought of a great voting eligibility test...

Re:CAPTCHA is broken

[TheBig1]

And that's a bad thing? ;-)

Re:One thing Google could do about incoming spam..

[jez9999]

It's a bit of a nonsense argument to just say, 'computers will get smarter and figure out how to fool your test /eventually/'. So what? They can't *now*. By that logic, NO test will EVER be good enough because eventually we'll have developed an android that's completely indistinguishable from a human, and for all intents and purposes it will be a human. Like, eventually.

"declining"

[unfunk]

I don't think that the problem is that GMail's spam filters are declining, it's that the spammers are getting better at avoiding them.

That said, in the last three years, I've had maybe five or ten spam messages sneak through the net. Pretty good, if you ask me, and the fact that it can 'learn' is even better, unlike rival offerings (or at least, where they were before I converted to Google)

Re:One thing Google could do about incoming spam..

[codeButcher]

Please not. I receive and write mail in at least 3 languages (some of which do not feature on GMail's list), could possibly decipher a couple more, and sometimes receive mail sent from work accounts that add some insanely long disclaimer to the bottom in some foreign language.

Now a feature that I would like, is the ability to set up your own filters (black/whitelists) of domains, or even better, regexes, that should summarily be rejected. In other words, the sender should receive a "550 unknown recipient" reply >:-]

Re:One thing Google could do about incoming spam..

you're from quebec. all emails from you should be in the spam box by default anyway.

Spammmmm

[humm4it2007]

I used to NEVER get spam mail in gmail. In the last month, I have been receiving at least 10 spam emails a day. It's mostly nasty pron stuff. What the heck is goin on? I don't want it anymore.

Why don't they just...

[ParanoiaBOTS]

Why doesn't google just put a cap on how much outbound email you can send? Say 100 / hr, 500 /day? Or something along those lines? Then if you need to send more than that you could just fill outa form requesting it, then those people are on an easily monitored list. Anyone that is found spamming gets their account suspended until they can prove that they were not, in fact, spamming.

Re:One thing Google could do about incoming spam..

[d3ac0n]

You guys see ads?

No Firefox+Adblock Plus?

WTH? I thought this was Slashdot?!?!?!?

Re:One thing Google could do about incoming spam..

[TheRaven64]

It might work, but I get email in English from Greek friends (for example) with a Greek signature. Often this is added by their webmail provider and is the equivalent of 'get a free hotmail account, click here!' in Greek. It will also have 'TheRaven wrote:' above quotes in greek, since this is the language their client is configured to use. The character set of the email is set to allow these characters, even if the main body of the email is English.

Re:One thing Google could do about incoming spam..

[jeiler]

It's a bit of a nonsense argument to just say, 'computers will get smarter and figure out how to fool your test /eventually/'.

That's actually not my argument (and I agree that it's not a good argument at all). My argument is that CAPTCHA specifically is already broken, that adding layers of complexity is nothing but a short-term cure, and that the "Turing-test security" concept may not be a sound theory.

Re:It is invite-only though...

[jacquesm]

right, as if 'johnsmith@gmail.com' isn't going to reach *somebody*. And no, he didn't give it to me.

What a load of crock. Spammers don't care about the exact person they reach, as long as the message gets read by a live body they're happy as can be.

So, consider every combination of firstnamelastname , initiallastname, firstnamefirstletteroflastname to be spammed to the hilt.

Well, you know what they say...

[PHPNerd]

"Choosy Spammers Choose GMail"

Re:One thing Google could do about incoming spam..

Jive ain't just a language, it be a way of life.

Re:One thing Google could do about incoming spam..

[Bert64]

I have some spamassassin rules that do something similar, spam using a non english character set or which sufficiently resembles a foreign language that does use the same charset get flagged... I can declare what languages i receive mail in, and it will flag anything else..
Besides, if a mail is written in a foreign language you can't read you're not gonna read the contents anyway.

Re:One thing Google could do about incoming spam..

[Bert64]

Which isn't going to stop spams which are sent by other gmail users.

Here's how they get those accounts...

Just yesterday I got an email from Google asking me to confirm that my GMail address could be used for outgoing mail by @gmail.com. So they're using the "send as.." functionality to spam a crapload of GMail users in the hopes that some of them bite and hence volunteer their personal email addresses for spamming.

I reported it to GMail's phishing reporting service. Hopefully they find a way around this.

Re:CAPTCHA is broken

[Spy+der+Mann]

Well, as you increase the level of intelligence meeded to go through the CAPTCHA, you start to leave humans out.

If a topic so simple such as reading comprehension gets beyond the average human's intelligence, then spam is the LEAST of our problems.

Unless we start making captchas ask you questions about the personal life of celebrities such as Britney or Paris.

"Welcome to CAPTCHEOPARDY!"

Great, now my mind's scarred :(

Re:Require digital signing; people will catch on f

How does that help when spammers could abuse the process used to give someone a certificate--an initial or replacement certificate?

This could work as well as a gray-list, but with the same burden of dealing with receiving emails from new people it doesn't seem to be a better system for stopping spam because something or someone still has to decide if messages from new people--certificate-laden or not--are spam or not.

Imagine a PGP model, too: the spammer could say the same thing as a new business client, namely, accept this key to read the message. You accept the key, find it's spam, then discard the key and effectively blacklist a specific email address and signature that the spammer will never use again. This scenario is no different than what currently happens except that there is an extra burden on users, and that spammers must spend 20 seconds to a minute computing a new key for each batch of x00,000 spams. IMHO, it would be great to have many more people use PGP, but not as a way to cull spam.

Re:Actual Origin? Don't blame service provider.

[dedazo]

the continued failure of M$ to protect their customers

You linked to the usual "time to pwn" stories, but the reality is that botnets grow nowadays by means of email attachments. Very few (that I know of) trojan attacks are over remotely-exploited vulnerabilities, with patches or not. You are implying that botnets are created when unsuspecting Windows users install nine-year old copies of an unpatched operating system. That's not true, is it?

The previous wave of trojan attacks (with those "admirer has send you a message" subjects) grew botnets dramatically, I think. How do you account for that? Sobig is the fastest spreading trojan ever, and it requires user interaction to infect a machines. It's a proven fact that infections are spread thanks to vulnerabilities with available patches. How do you account for that?

How is that a "continued failure" of "M$" to protected their customers again?

If your Windows machine is in a botnet herd, you probably did something you shouldn't have, or failed to patch your machine. Even the actual remotely-exploitable vulnerabilities like Blaster have had patches available a month before the exploits were seen in wild.

Re:One thing Google could do about incoming spam..

I think all Quebecois should go into spam anyway...

not a complete one...

[PC+and+Sony+Fanboy]

yeah, spell check + preview tends to get rid of most of the errors. when you + education, then you should be able to avoid most mistakes.

Re:One thing Google could do about incoming spam..

[Spy+der+Mann]

Not quite, my dear AC.

The purpose of CAPTCHAs is to differenciate humans from spambot machines. If another human is filling the captchas for your botnet, then that's an additional problem, but the "bot posting spam" problem has been succesfully solved.

Unless the problem is incorrectly formulated. How about this - make Gmail ask you a captcha for every e-mail addressed to a person not in your contacts (which is not a reply-to, either), or for every 5 contacts that you want to add.

Google doesn't want/need good outbound filtering

[swordgeek]

OK, many people seem to be missing the point that this is mail _outbound_ from google. Google accounts are the originator.

Yeah, Google doesn't want to be known as the "source of doom" for spam, but as long as they're seen as making some effort against hosting spammers, they're fine. No more is needed, and in fact is counterproductive. Why? Because they want everyone on the planet to sign up for gmail as their primary email account, and the way they do that is by having the best damned INBOUND filters around! If the spam problem gets worse but they can filter it better than anyone else, then they win twice over. Reducing spam is NOT the goal of any email provider--reducing spam received by their customers is. In this case, it also increases spam to their competitors' customers.

Oh, except that google would never do that, because it's evil! Yeah, right.

Re:One thing Google could do about incoming spam..

[hesaigo999ca]

Throw this story to the support at google, they should be listening...especially if they want to keep their stocks selling high.

Re:One thing Google could do about incoming spam..

[Spy+der+Mann]

Personally, I believe that computers will never become as smart as human beings. We just have to find the right questions that computers will never solve.

Perhaps they will involve some kind of interaction. Maybe in a few years we'll end up with VR-based captchas so you'll have to tell a virtual cab driver to take you to the 5th avenue, getting an envelope from your professor, opening it and then typing the contents in the textbox below the VR screen. I just hope we don't have to resort to that.

Re:CAPTCHA is broken

[jank1887]

if only we could remotely administer an empathy test.

Maybe it's because of ...

[timbck2]

This. [/.]

Re:CAPTCHA is broken

[saterdaies]

To create your new Gmail account, please translate the following equation into a limerick:

(12 + 144 + 20 + 3 * sqrt(4))/7 + 5 * 11 = 9^2 + 0

Answer:

A Dozen, a Gross, and a Score,
plus three times the square root of four,
divided by seven,
plus five times eleven,
equals nine squared and not a bit more.

via: http://www.trottermath.net/humor/limricks.html

Re:Google doesn't want/need good outbound filterin

[Stochastism]

Except that even Google's hardware/bandwidth resources are limited. They don't want to waste resources by hosting millions of spammers.

Also, many smtp servers will block Google IPs if the spam percentage rises too high. There have been several /. stories about XYZ blocks Gmail. Since this hurts good Google users, Google should want to avoid sending spam.

Outbound filtering is MUCH MUCH harder than inbound filtering. On the inbound side they have millions of users labelling mail. For outbound, what kind of feedback do they get except for some bounces?

Re:One thing Google could do about incoming spam..

[markimusk]

"That little rat-looking thing just got ATE! Damn, Nature, you Scary!"

Re:One thing Google could do about incoming spam..

Actually, you can do something similar to that by putting a few common Cyrillic letters into a couple filters and telling it to delete/put-in-spam-folder/whatever with the stuff that turns up.

Where I initially read about it.

Vi@gra c1ali$ cheap canadian enlarge your member

[MrDERP]

been getting 5-10 Viagra spam a day!! All to the same site, seems like google could have fixed that by now. the same site over and over. Viagra for $1.20 each? Seriously. They cost much more. I have no idea why I get so much Vi@gra spam, I never go to porn sites etc, I have many dvd pr0nz from a DVD rental store I worked at during night time while I was going to University..ripped em to my HTPC which isn't connected to the net.

Re:One thing Google could do about incoming spam..

[LunaticTippy]

I thought the problem was this:

Spambot needs captcha.
Spambot sends image to spammers porn/mp3/warez site.
Human provides captcha to get their goodies.
website provides captcha to spambot.

All 100% automated from the spammers point of view. Bots are still posting spam, at near zero cost to the spammer, with potentially massive throughput.

Re:Require digital signing; people will catch on f

sure, everyone will catch on fast.
now all you need is some magic that prevents spammers form learning to sign there mail as well.
or force spammers to sign with "I am a spammer", just to make it easy to filer out.

Re:One thing Google could do about incoming spam..

[mazarin5]

Line 1: "Buy Viagra" (in Russian)
Line 2:
Lines 3-50: Surreal computer generated literature in any given language

The point of delivering Russian spam to people who speak English? I've never known.

Re:CAPTCHA is broken

[gknoy]

An online Voight-Kampf test? That'd be interesting, at the least. :-)

Re:One thing Google could do about incoming spam..

[jstott]

so if they can determine the language for the ads, then they should be able to use it for spam..

HTTP allows browsers to set a preferred language (actually, a prioritized list of preferred languages). Google is probably picking up on this to set a default, and then looking at your language settings in GMail as well. So, if you're getting your ads in English, is probably because you've "requested" them that way.

-JS

Re:Blaming the user now?

[dedazo]

Please be so kind as to reply with the account you originally posted the comment with, not the name troll you created for me, or any of your other 12 accounts.

Also, ad hominems are not particularly useful, they merely tell everyone that your argument was invalid to begin with.

It's a wrap-up folks

If there was *any* doubt whatsoever of what you do around here, this post pretty much should end that.

Spam's getting smarter

[languagehacker]

Spamming vs. catching spam, in many ways, has a lot of parallels with the long history of cryptography. A spam filter is a lot like a cryptanalyst, while a spammer is a lot like someone writing an encrypted message. Just like a cryptanalyst looks for recurring clusters of words to pick out "the", "a", and "of" in an encrypted text and work from there, spam filters try to learn what makes an email spammy. There's a number of ways to catch spam with machine learning, but of course, two of the best ways are looking for specific words or variations on them and testing for syntactic coherence. The incorporation of better language models with the use of synonyms makes it harder to catch spam based on its text alone. It's even looking a lot more coherent lately. What's more, we've got bots doing much better at breaking CAPTCHAs these days. But they're not so good at discourse coherence yet, so this might be the next step in catching spam (until they get good at that, too).

It took them this long to notice?

[gujo-odori]

Three weeks? Sheesh. Most email security firms, including the one I work for, stopped whitelisting Google over a month ago. Heck, we're even penalizing some of their IP space. This is old news. Nothing to see here, folks. Move along, move along.

Re:CAPTCHA is broken

[jank1887]

if(failure()) retire(testsubject);

Re:Require digital signing; people will catch on f

[AnyoneEB]

At least if you have some sort of trust infrastructure (web of trust or paid signing like SSL certs), then completely untrusted e-mail gets a bump to its spam score. If such a system were in place long enough, then any real person would have their key signed by a lot of people.

There is a major problem with this idea, though: if spammers can take over computers to send spam from them, it is probably not much more work to sign their key with that user's key. Other users could sign an assertion that that key is being used for spam, but I suspect that would not be effective, especially because spammers have access to a lot of computers.

The other way keys help is that if people usually know their recipient's key, then any e-mail sent to only one person and not encrypted with their key is suspect. Encrypting each message separately would make sending spam a good amount more computationally expensive.

One easy thing they could do: nix some char sets

[timothy]

Hey, if your character set (or any of your character sets) is non-Roman, this wouldn't apply -- sorry.

But for me, I can't read Arabic, or Sanscrit, or Farsi, or any language written using Cyrillic ... and gmail's masters should be smart enough to let me exclude character sets I don't want or need. I would imagine that most people could name one, or a small set, of character sets that are likely to apply, and specify exceptions as appropriate. But every time I get Cyrillic spam, I think dark thoughts about easy-to-automate solutions.

Since this is a fantastic and unimpeachable idea, I have decided to create a FAQ about it, consisting only of questions I have just asked myself in the same voice I use to imitate cats and babies:

Q: Would spammers try to get around it?
A: Yes; they are spammers.

Q: Would there be complications and annoyance?
A: Quite possibly; they are the spammers' fault.

A: Should one suffer a spammer to live?
Q: Only at your own peril.

timothy

Netblocks

[dskoll]

For Google and Hotmail, I used the gmail.com and hotmail.com SPF records respectively. That is, I assumed any mail from an IP address that got an SPF "pass" came from Google or Hotmail.

Yahoo doesn't publish SPF records, so for Yahoo I did a reverse lookup on the IP address and if it contained the string ".yahoo.", I counted it.

Re:Blaming the user now?

[dedazo]

Oh. Whomever modded me offtopic probably can't see the post I'm replying to? Here it is. "deadzero" is one of twitter's accounts, and it was created for the same purpose as all the other name trolls he maintains.

expected?

[thedistrict]

Isn't this to be expected? Since gmail has become more popular, more people are using it. Wouldn't it make sense that then spammers would get into the system to try to distribute mail across the gmail platform to other users? I have to say though, if it hits the level of yahoo mail, I'm out. I work at a marketing firm that does entertainment and have signed my adress up on a number of sites that I'm a member of to try to stay current with news(including this one). However, somehow spammers get my address and punish me with an inordinate amount of spam.

Shocked

[jav1231]

I was shocked to check a rarely-used Gmail account today and find 10K emails caught as spam and another 10K NOT caught. This is unlike Gmail. :(

Perfect Spam Free Email ...

[dbcad7]

Switch to Excite for your email.. After their upgrade (2 weeks Friday) I haven't received any spam.. of course I haven't received any non spam either.. No incoming emails at all.. other Excite users are pissed, as some use it for business, school, job searches etc.. The excite discussion boards are full of people who are dumping them for Yahoo and Gmail.. and there is absolutely no word from Excite explaining the situation. I have a friend who also uses it, and his finally came online yesterday. 2 weeks to switch over their users seems a bit long to me.

I'm not.

[Valdrax]

I was shocked to check a rarely-used Gmail account today and find 10K emails caught as spam and another 10K NOT caught. This is unlike Gmail. :(

This is part of why I stopped using GMail within a single month of signing up. I gave out my new email address to a handful of people, but pretty quickly after signing up, I started to get volumes of spam which were ungodly. Given security problems like the recent Calendar issue, I'm not surprised that GMail is such a spam sink -- it seems like they don't do hardly anything to protect your email address from public knowledge.

GMail is useless. I wish I could just delete my account permanently. I should probably look into doing that.

Re:I'm not.

[jav1231]

I never see this on my primary GMail account, though. Usually, Google catches most spam for me.

Now Yahoo! is another matter.

Re:I'm not.

[Valdrax]

It's the opposite for me. I actually intended my Yahoo account to be the spam sink, and I use it for all websites that require me to give them an email address, but I never get true unsolicited spam on that account. (Just limited "newsletters" from the companies themselves that keep "forgetting" my mailing preferences.)

Gmail was the one I intend for true personal email. Even with 70-80% of spam blocked, the account was useless within a month or two. Given how little I email back and forth with people, I was getting less than 1% signal to noise ratio. I haven't checked the account in over a year now; I wonder if Google's already deleted it.

Re:I'm not.

[jav1231]

Could be a nice case study. Wonder how long it takes to fill it!

Re:Why not apply spam filters on outgoing messages

[nEoN+nOoDlE]

Google could set another precedent in webmail by introducing outgoing filters which would block or slow down mail appearing to be 'spammy'.

The day that happens is the day I never get an e-mail from my grandma again.

it's been going on longer than 3 weeks

[fl!ptop]

i've had spam from google.com and gmail.com coming in for months. it started immediately after their captcha was broken. since then, i've received practically none from hotmail.com, and that used to be where most (of mine) came from. i still get spam from p0wned broadband boxen, but the majority since google's captcha was broken has come from them.

lately (the past month or so), after reporting to spamcop, i've noticed a lot of google's mail servers are blacklisted by sorbs and/or abuseat.org. i'm not sure what efforts google is taking to thwart it, but you'd think they'd do more now that they're being blacklisted.

hmm, bad moderation?

Your post is painfully self-contradictory. You are essentially implying that hooking up an unpatched XP machine to the internet is the root cause of said machine being in a botnet. But the reality is that the number of users who actually install Windows is ridiculously small. Isnt' that the main argument that explains why Linux is not more popular, that Windows only has "superiority" because it's bundled on 99.999% of all new computers sold?

If your theory was correct, then botnets wouldn't be cost-effective for the people who operate them - or simply wouldn't even exist.

Furthermore, I disagree with your assertion that there is a continued failure in the part of Microsoft to protect their customers, based on your provided links. Microsoft regularly patches Windows to prevent remote and local exploits - installing a ca. 2000 copy of Windows XP is no different than, say, installing RedHat 6.2. Do you also object to RedHat's continued failure to protect their customers?

If you keep your machine patched (which is laughably simple with Windows) then you have nothing to worry about, except...

...if you download and run executables from untrusted sources, or even more common, execute them when they arrive in your inbox. There is clear proof that most machines in botnets are compromised because of lack of simple common sense by the users. The last wave of botnet infections last year proved that beyond doubt. Why bother to "hack" Windows if it's ridiculously simple to use basic social engineering techniques to get people to infect their own machines?

Maybe the moderators should start reading posts before voting them up.

Re:CAPTCHA is broken

[dn15]

Well, as you increase the level of intelligence meeded to go through the CAPTCHA, you start to leave humans out.

The problem I've observed lately with some sites is they're distorting the CAPTCHA text so much that it's difficult to make out the characters. Is this "5" or "S"? Is that a "I" or just part of the background? Is it a Q or is it an O with a line overlapping in a confusing spot? And so on. It takes several tries to get CAPTCHA right these days, and it's frustrating -- not because it takes intelligence per se, but because it takes trial and error to figure out what the mess on the screen is really supposed to be.

Re:Require digital signing; people will catch on f

There you have it.. PGP as the answer to spam has been right in front of us all the whole time. How much more of this shit will the "too technical" argument hold up against?

Don't expect google to push PGP or any encryption or signing technology though, no matter how "not evil" they are they still want to read your email and intertoob traffic. And that's why they've been "evil" since day one.

BZZZT Wrong

[Bryansix]

Dude your system can get owned just because you failed to update on patch Tuesday and now it's Thursday. Internet Worms are very much still a viable attack vector. They infect machines that are on with no user in front of them all the time. I know because I have to fix these machines.

Re:One thing Google could do about incoming spam..

[gad_zuki!]

Why shouldnt it? If the originating IP is in a foreign netblock then trash it. Its 100% doable.

Re:Actual Origin? Don't blame service provider.

[rockout]

Blaming Google and claiming it's because of broken captcha begs the question of how the spammers really operate.

No it doesn't

Re:Blaming the user now?

This is what happens to anyone who dares question twitter. Have a name troll account created for you, be insulted, get modded down if you complain. People like dedazo, Macthorpe, Otter, willyhill, westlake all have to put up with this crap. The rest of us have to be on the lookout for more sockpuppets and hope we can add them to our foes list before they get to posting at +2.

Slashdot is going to hell in a handbasket.

Time to retire the "free mail" concept?

[British]

Spam seems to be heavily tied with yahoo, hotmail, and just about every free email service. Maybe we need to introduce some more hoop jumping to get a new (free) email account, or shut it down altogether. The lack of accounting of an email addy to an address/phone # is nice, but it seems to come at a VERY high cost.

Re:Time to retire the "free mail" concept?

[sydbarrett74]

I agree. In fact, I wish the provision of email services would become divorced from that of connectivity. If my ISP would allow me to opt out of their email service in return for paying several dollars less a month, I would gladly pay $5 or so per month to use Gmail. Requiring everybody to pay a nominal fee would open up a useful means of verifying identity upon signup. I know many of you will say, 'Spammers will just sign up using stolen credit card information!' but hopefully Suzy Feltersnatch's bank will notice $500 in charges to Gmail and pop up a fraud flag.

Re:CAPTCHA is broken

[Kalriath]

Demons I HATE that site. It's the scourge of all website operators, used by noone but spammers to get people in random Indian cities to break CAPTCHAs and make spam software for them. Someone needs to shut that shit down.

Sockpuppet and Censorship Smoking Gun.

People like dedazo, Macthorpe, Otter, willyhill, westlake all have to put up with this crap. The rest of us have to be on the lookout for more sockpuppets and hope we can add them to our foes list before they get to posting at +2.

There is no better evidence of all of those accounts belonging to one person than you being able to rattle them off like that. Yes, I checked them against willyhill, that is your, fine journal for correct spelling. You even got the capitalization correct.

There is no better evidence of your abuse of moderation than your confession. Tell me, do you use your foes list to make those accounts stand out so that you can mod them down? Your object is censorship and you just admitted it. That's some serious stalking folks.

Re:Sockpuppet and Censorship Smoking Gun.

There is no better evidence of all of those accounts belonging to one person than you being able to rattle them off like that.

That's not evidence, you moron.

Re:Sockpuppet and Censorship Smoking Gun.

You have to ask yourself, "what are the odds," and throw out the improbables. A statistical test like that is fine evidence.

Re:Sockpuppet and Censorship Smoking Gun.

That doesn't even vaguely resemble what you're doing.

Maybe its just me...

[teh+moges]

I never had a problem with spam on GMail from when I signed up, which was in 2006, fairly soon after it opened. Only lately have I been getting spam through, but while its blocking about 1000 a month, only 2 actually got through in the last couple of months and once I reported it as spam, I haven't got any spam through since.

I was initially really careful with giving out this email address (its my actual name, so I can use it on resumes, etc), but since then, haven't been so careful, using it to signup for many sites.

Re:Require digital signing; people will catch on f

Ah, like captchas or verification emails? Better not try to explain to them the meaning of a digital signature.

Re:Google doesn't want/need good outbound filterin

[swordgeek]

I apparently wasn't clear enough on something. To quote my own post:

"Google doesn't want to be known as the "source of doom" for spam, but as long as they're seen as making some effort against hosting spammers, they're fine."

They're not opening the floodgates because of exactly what you say, but they won't work really hard on filtering outbound email, when it's (a) difficult (as you say), (b) not as useful, and (c) counterproductive.

They'll filter outbound mail enough to keep spam from gmail down to a dull roar, and to maintain their "good internet neighbour" seal of approval, but no more than that.

As for outbound vs. inbound filtering, I know how hard it is (it's related to my work at a major ISP), but there are some things which are pretty easy to implement, and google doesn't do many of 'em. There are other things which could use some research for great benefit, but as long as spam from google hurts their competitors more than it hurts them, they'll put their research into inbound filtering.

The code left beta ages ago

[jesterzog]

Query: how could it be in beta for over two years? By now, it should be in gamma or delta, or, perhaps, final.

GMail is in beta with its current features, and perhaps it always will be because Google's obviously happy to use it as a beta-style testing environment for some of their relatively new features and ideas.

Older versions of the code-base were stabilised and released from Beta ages ago, and you can easily use a non-beta edition in Google Apps. The difference? Google Apps is targeted at people (often businesses) who have a greater need for the system to stay relatively stable and predictible, and who might even pay for it.

Re:One thing Google could do about incoming spam..

[theaceoffire]

Half of the spam I get on my gmail account that actually gets past the filter is in some language other than English... in fact its almost always in Cyrillic as well.

Give me a damn drop down that says "I speak English, anything not in English is not to me".

Won't solve their outgoing problem, but adding "this is my language" support would be a big help on the incoming, at least with my spam patterns.

Create a filter that targets messages containing non-english letters, and then marks as spam.

^_^ Worked great for me.

Re:CAPTCHA is broken

With CAPTCHA's getting more and more complex, all we need is a CAPTCHA that, when entered correctly, proves you are a bot. Can't solve the CAPTCHA? You must be human...

Oh come on, like it's really that bad

[fretlessjazz]

You can use gmail, or you can buy a Barracuda Spam Gateway, set up a *nix IMAP/SMTP box, and hire a sysadmin.

TCO - Roll your own = $10,000k initial + $70k / year
TCo - Gmail = $0.00

Seriously, quit whining.

Spammers are ruining email for everyone

And the people who justify the cost in sending SPAM by responding to it are complete morons. FUCK SPAMMERS!!!!!!

Email systems that have the "spammer filters" easily tricked are making the costs of doing business as a spammer decline. Thats why spam is increasing. Its an economic formula. As the cost of sending spam goes down, the margins generated by it will get larger. This only increases spam.

Re:Google doesn't want/need good outbound filterin

[Stochastism]

but there are some things which are pretty easy to implement, and google doesn't do many of 'em.

I'm quite curious.. which things are easy to implement that Google aren't doing... how can we know for sure?

Re:Blaming the user now?

[slashdotwannabe]

You never get around to explaining why Mac users never have the same problems.

Do you really want an explanation of why Mac users don't have the same problems as PC users, or even *nix users? How about why CP/M users have different problems than TRS-80 users?