Slashdot Mirror


Could Fake Phishing Emails Help Fight Spam?

Glyn Moody writes "Apparently, the US Department of Justice has been sending out hoax emails to test the security awareness of its staff. How about applying a similar strategy to tackling spam among ordinary users? If fake spam messages offering all the usual benefits, and employing all the usual tricks, were sent out by national security agencies around the world, it would select precisely the people who tend to respond to spam. The agencies could then contact them from a suitably important-looking government address, warning about what could have happened. Some might become more cautious as a result, others will not. But again, it is precisely the latter who are more likely to respond to further fake spam messages in the future, allowing the process to be repeated as often as necessary. The system would be cheap to run — spam is very efficient — and could use the latest spam as templates."

296 comments

  1. Seriously? by jeffasselin · · Score: 4, Insightful

    The spam problem will not be solved with laws or pretty tricks like this.

    It is a technological problem, and as such will be solved by technological changes: the SMTP protocol is outdated and totally unadapted to the modern uses to which we put it. Let's replace it with something that authentifies sender and receiver properly, and that allows for efficient transmission of binary data.

    --
    If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
    1. Re:Seriously? by characterZer0 · · Score: 4, Interesting

      Can you come up with a protocol that will not allow a zombie box to, as you say, authenticate properly?

      --
      Go green: turn off your refrigerator.
    2. Re:Seriously? by oldspewey · · Score: 4, Interesting

      There are advantages to thinking of (and addressing) spam as a social problem rather than a technological problem. For starters, treating it as a technological problem leads to an arms race mentality in which spammers are continually driven to "outsmart" technological safeguards as they are developed.

      Personally, I have no problem with an approach in which "purchasers" (in other words, anybody who responds to spam in any way) are exposed and educated by any means necessary ... with education consisting of an escalating series of measures until the recipients finally comprehend just how fucking stupid their actions were.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    3. Re:Seriously? by caffeinemessiah · · Score: 4, Insightful

      Let's replace it with something that authentifies sender and receiver properly, and that allows for efficient transmission of binary data.

      Sigh...it's so tiring to hear people on /. say things like "it's a technological problem" about spam. Do you know how easy it is to get a personal digital certificate from Thawte? Fill out a few forms, download your PKCS certificate. What's to stop your sooper-dooper anti-spam system if you can authenticate a spammer? Remember, if you can legitimately receive an e-mail message from ME (a stranger to you, presumably), you haven't "solved" spam. If you can't legitimately receive an e-mail message from me, I can't tell you that I'm your long-lost twin brother (i.e. your email system is then useless).

      --
      An old-timer with old-timey ideas.
    4. Re:Seriously? by IBBoard · · Score: 4, Insightful

      If the zombie box has username/password on a legit account (or whatever the authentication is) then no protocol will help. It might, however, stop email faking and sending from the zombie box itself, which would give a better point of control (because at the moment anyone can send emails that purport to be from Yahoo.com from their own box, if it is set up right, but a protocol that could fail connections claiming to be Yahoo.com emails that don't come from an approved Yahoo.com server would reduce the problem). I don't think anything can solve the "spammer signs up for asdfghjkl.com and starts sending email through that server" spam.

      I don't see how this'll help, though.

      1) The people who fall for this won't actually learn until they're actually stung, not just an email that says it is from a government agency
      2) Chances are they'll probably be more suspicious of the 'Government Agency' email than the "get stuff cheap" email because they're interested in getting stuff cheap, but why would they get an email from the Government
      3) Spam is spam is spam
      4) Spammers/phishers will piggyback the Government emails, clone them and send out similar emails saying they'd been caught by one of these traps, so go to [insert site]
      5) Despite what I said in 1), some of these people will never learn (see the people who get conned out of thousands of £/$/etc)

    5. Re:Seriously? by Thanshin · · Score: 1

      the SMTP protocol is outdated and totally unadapted to the modern uses to which we put it. Let's replace it with something that authentifies sender and receiver properly.

      That would be nice. All messages could be identified by IP. No wait, it can be spoofed.

      Then they can be identified by MAC. Hmm, but which MAC to use?

      Better by full name and Social Security number. Yes, that's it! Let's include all data in each mail so the receiver can identify us.

      Or better yet, with a credit card number and its PIN.

      Hmm, no, that seems dangerous.

      Let's sign the mails with an asymmetric encryption scheme. Wait, what? What do you mean it already exists and people have been using it for a decade?

    6. Re:Seriously? by Elledan · · Score: 4, Insightful

      How is this a technological problem? How is a user failing to properly read and/or comprehend that the email he or she just received is trying to scam him/her out of money or (personal) information or worse a technological problem? What if a user gets infected by a virus/trojan/worm/rootkit because he had to click on the executable attached to the email received from either a stranger, or from a person who would never send such an email (at least not unannounced)?

      Spam is a matter of social engineering, of convincing someone to buy a product, give out information or click on a random executable, even though every rational fibre in that person's body should warn against doing so. Yes, using something more robust than SMTP would help, but it's no cure against stupidity and botnets.

      I like this initiative, I just wish it would target those who are already at risk of 'stupid-clicking' instead of those with more than one brain cell. It's disappointing that those who do respond to spam emails (twice or so...) don't get taken out of the gene pool either :(

      --
      Site & blog: http://www.mayaposch.com
    7. Re:Seriously? by oldspewey · · Score: 1

      It's disappointing that those who do respond to spam emails (twice or so...) don't get taken out of the gene pool either :(

      I'm surprised this has never happened to people buying from pill spammers. Think about it: there are thousands and thousands of people ingesting pills purchased from anonymous untraceable strangers with probable ties to organized crime. I'm amazed Al Qaeda or some similar group hasn't clued in to this one yet.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    8. Re:Seriously? by Chyeld · · Score: 2, Interesting

      So your argument is basically "The current system sucks, therefore no system will work!"?

    9. Re:Seriously? by CompMD · · Score: 5, Funny

      The real solution is to simply tell all respondents that they have won an all expense paid vacation. Send them some fake e-ticket to print out and tell them where to go, and then just put them all on a rocket to the sun. Problem solved.

    10. Re:Seriously? by Davemania · · Score: 1

      It is not just a technological problem. It is both a social and technological problem, and technology itself cannot address the randomness of human minds (stupidity, over-confidence or ignorance etc). Scammers will always find a way around technology and other approaches have to be considered. I don't consider informing the public a petty trick; this is something that is being used in real life and should be considered as a viable option.

    11. Re:Seriously? by Kugala · · Score: 1

      They probably have, but why kill off an income source for no particular reason?

    12. Re:Seriously? by N1AK · · Score: 2

      You've done a very good job of pointing out the problem with this proposed solution to spam.

      The only solutions to spam that will actually work are ones that negatively affect the person whose computer is being used to send it. This leads to massive problems in trying to balance a workable service with the penalties.

      Personally I would like to see ISPs begin to implement a system where they block service to anyone sending over a certain number of emails in a given time frame (this solution can be as technically advanced or simple as you like, and could even include the option to have this limit removed or increased if you contact them by say phone and request it). Instead users would only be allowed to view a portal informing them of the reason for the block, and perhaps offering links to a range of anti-virus tools.

      ISPs could then block email from other ISPs whose level of spamming was excessive, until they themselves took action to limit it.

    13. Re:Seriously? by B3ryllium · · Score: 5, Funny

      "Congratulations! By responding to this test email, you've received an IRS coupon for a FREE TAX AUDIT. Enjoy!"

      That's one way to teach them. Granted, it's a bit Pavlovian, but ... if it works, it works.

    14. Re:Seriously? by moteyalpha · · Score: 3, Interesting

      That is definitely a solution and it is just __scary__ what my customers will do. I have considered training them to use encrypted email and there is a learning issue there. They will not learn how to use it as it is irritating to them and consumes their time. They will simply ignore me and hire somebody that will not bother them about security, even though they are exposing information about others.
      Private customers are even worse, their computer skill level is so low that it is impossible to communicate the fact that they __personally__ must do something and there is no widget solution.
      As far as the government doing this, it just makes matters worse. Soon the spammers will mimic the official documents and as a final step will tell the consumer to install pwn_my_Machine.exe to solve all their problems.

    15. Re:Seriously? by IBBoard · · Score: 4, Funny

      You mean it'll make people salivate for food at the sound of a bell if they get a tax audit? Now that's some crazy conditioning!

    16. Re:Seriously? by IBBoard · · Score: 2, Insightful

      It's probably a good idea overall, but it would get a lot of criticism as either a) people with email sending addictions sent too many emails and got caught or b) people with infected machines probably wouldn't know/care about what to do and would just object to being blocked.

      ISPs blocking ISPs is potentially asking for trouble, though. It's like IP blacklisting, but it leaves a lot of innocents getting hit just because the ISP hasn't dealt with some trouble makers to some arbitrary degree to make another ISP happy.

    17. Re:Seriously? by squoozer · · Score: 1

      It's not possible to spot a zombie box with a protocol (at least not one that is going to be used for simply sending email) but if the machine has to authenticate with the server before sending then immediately you have an accounting trail. Zombie boxes could be dealt with very quickly and probably in a fairly automated manner. The current blacklisting system works fairly well but it's rather clumsy and causes a lot of friendly fire (I've been hit several times). While I like the ability to run my own mail server for free I would be willing to cough up (one time) for a certificate for it if it meant a dramatic reduction in spam.

      --
      I used to have a better sig but it broke.
    18. Re:Seriously? by Anonymous Coward · · Score: 0

      Death to all americans!

    19. Re:Seriously? by bruunb · · Score: 2, Interesting

      Well, either sign/encrypt the message with the receiver's key or just make the SMTP protocol fetch the mail from the MX server that it says it comes from; this will make sure that approx. 90% of all spam will never reach your inbox, since they need to have a valid MX record for the mail to originate from.

      Today the SMTP protocol goes like this:

      userA@sub1.example.com sends a mail from a spoofing SMTP server at some arbitrary IP address to someuser@sub2.example.com; the sub2 SMTP server receives everything from the SMTP server at that IP address, "thinking" it is from the SMTP server at sub1, and puts it in the inbox of someuser@sub2.example.com.

      If it was "reverse"-SMTP then it would be like this:

      The spoofing SMTP server at some IP sends a mail for userA@sub1.example.com to someuser@sub2.example.com.
      The SMTP server at sub2 gets the initial handshake from the spoofing SMTP server's IP and then, according to the sender's email address, e.g. the "From:" tag, contacts the MX SMTP server for that email address to fetch the actual mail.
      Since the SMTP server for sub1 does not have the mail that is being sent by the spoofing SMTP server, the SMTP transaction is dropped and the mail never reaches the inbox of someuser@sub2.example.com.

      Simple solution to a major problem. No valid MX record for the spoofed email prevents the spammer from sending a spoofed email.

      It will make it easier to track down spammers since they need an actual domain with an MX record, but it does not, however, solve the problem with fake domain registrations for MX records or hacked DNS records (I'm thinking demographic information (name, address, contact information etc.)). But as I understand it, work is in progress to make this better... or perhaps not, might just be a dream I had :-)

      --
      Vegetarians eat Vegetables, Humanitarians frighten me...
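A runnable model of the pull-based ("reverse" SMTP) delivery the comment above sketches, added here as an example; it is not a real protocol, an RFC, or anyone's server code. The DNS table, the MX hosts, the message IDs and the two classes are all constructed for the demonstration, and the assumption that an origin MX keeps a copy of everything it handed off (so the receiver can call back and fetch it) is mine, filling in a detail the comment leaves open.

```python
"""Pull-based ("reverse") mail delivery, modelled after the comment above.

Instead of accepting a body from whoever connects, the receiving server
looks up the MX of the domain in the envelope sender and fetches the
message from there. Everything here (DNS table, hosts, message IDs) is
constructed for the example; it is not a real protocol implementation."""

from dataclasses import dataclass, field

# Constructed DNS: sender domain -> MX host. A domain missing here has no MX.
MX_RECORDS = {
    "sub1.example.com": "mx.sub1.example.com",
    "spammer-owned.example": "mx.spammer-owned.example",
}


@dataclass
class OutboundServer:
    """An MX that keeps a copy of every message it genuinely handed off."""
    host: str
    outbox: dict = field(default_factory=dict)  # message_id -> body

    def queue(self, msg_id, body):
        self.outbox[msg_id] = body

    def fetch(self, msg_id):
        # The receiving server calls back here to pull the real message.
        return self.outbox.get(msg_id)


@dataclass
class ReceivingServer:
    servers: dict  # MX host -> OutboundServer reachable on the network
    inbox: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def handle_announcement(self, mail_from, msg_id):
        """Receiver side: the connecting host only announces (sender, id)."""
        domain = mail_from.rsplit("@", 1)[-1]
        mx = MX_RECORDS.get(domain)
        if mx is None:
            self.log.append(f"{msg_id}: no MX for {domain}, dropped")
            return "dropped"
        origin = self.servers.get(mx)
        body = origin.fetch(msg_id) if origin else None
        if body is None:
            self.log.append(f"{msg_id}: {mx} holds no such message, dropped")
            return "dropped"
        self.inbox.append((mail_from, body))
        return "delivered"


def run_scenario():
    """Four announcements: legitimate, spoofed sender, no MX, spammer's own MX."""
    legit_mx = OutboundServer("mx.sub1.example.com")
    spam_mx = OutboundServer("mx.spammer-owned.example")
    receiver = ReceivingServer(servers={s.host: s for s in (legit_mx, spam_mx)})

    # Real mail: the sender's MX queued it, so the pull succeeds.
    legit_mx.queue("m1", "Hi, it's your long-lost twin.")
    # The spammer's own domain has an MX that does hold the message.
    spam_mx.queue("m4", "Cheap pills, act now.")

    return {
        "legit": receiver.handle_announcement("userA@sub1.example.com", "m1"),
        # A zombie box claims to be userA@sub1, but sub1's MX never saw "m2".
        "spoofed": receiver.handle_announcement("userA@sub1.example.com", "m2"),
        # No MX record at all for the claimed domain.
        "no_mx": receiver.handle_announcement("x@nonexistent.invalid", "m3"),
        "own_domain": receiver.handle_announcement("deals@spammer-owned.example", "m4"),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The last case is the comment's own caveat made concrete: a spammer who registers a domain and runs an MX for it passes the check, so what the scheme buys is a domain and a host to chase rather than a filter. It also needs the message ID and the origin MX to be protected against tampering, otherwise an attacker who can poison the MX lookup can point the receiver at a host of their choosing.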
    20. Re:Seriously? by Skrynesaver · · Score: 2

      The "B Ark" solution, I like it.

      --
      "Linux is for noobs"-The new MS fud strategy
    21. Re:Seriously? by Drakonik · · Score: 1

      You seem to think that the 'spam problem' is technological. It's not. You remember getting junk mail in your snail-mail box, right? Same concept. There is a medium through which many potential customers can be reached, and is cheaper than the alternative (for paper mail, it's cheaper than going door-to-door, for e-mail, it's cheaper than paper mail).

      Even if sender and receiver are authenticated properly, so what? A spammer will still be able to 1)forge his own authentication or 2)compromise an authentic box and use that as a zombie spam machine.

      The only even faintly possible way to stop all spam would be to have all email pass through a single point, where spam could be stopped. However, that is nearly impossible considering the already widespread and deeply entrenched SMTP, and the fact that getting net users to agree to let a single company read every single email they ever send to anyone ever will be nigh impossible.

      The spam problem is human. There is money to be made in spam, and in email spam, the profit margin is fucking massive. To kill spam, you must remove the monetary benefit, but the profit margin is so large, you don't really have much hope trying to cut that down to where spam doesn't pay.

    22. Re:Seriously? by characterZer0 · · Score: 1

      1) You get a spam from box X that authenticated as sending mail for domain Y.
      2) You determine that the message is spam.
      3) ?
      4) Box X gets shut down.

      What is ??

      A spammer would also be willing to cough up (one time) for a certificate.

      --
      Go green: turn off your refrigerator.
    23. Re:Seriously? by Anonymous Coward · · Score: 0

      Let's replace it with something that authentifies sender and receiver properly

      THERE IS NO SUCH WORD AS AUTHENTIFY! The word you are looking for is "authenticate"! Similarly, there is no such thing as "authentification" -- it's "authentication".

      I don't know where this stupid variant on the word started, but it's idiotic, and many (presumably) self-respecting tech sites publish articles with them. STOP IT!

    24. Re:Seriously? by D+Ninja · · Score: 1

      I disagree.

      Yes, there are issues with the technology - that's not what I disagree with.

      However, I know at least a few individuals who were fooled by an e-mail that looked legit (banking site), and didn't bother to check the e-mail address, etc.

      The problem is, ultimately, people.

    25. Re:Seriously? by Hordeking · · Score: 4, Funny

      Can you come up with a protocol that will not allow a zombie box to, as you say, authenticate properly?

      RFC 3514 does propose a solution to this sort of thing...

      --
      Disclaimer: The opinions and actions of the US Gov't are in no way representative of those held by this author or its ci
    26. Re:Seriously? by Cthefuture · · Score: 4, Informative

      It might, however, stop email faking and sending from the zombie box itself, which would give a better point of control (because at the moment anyone can send emails that purport to be from Yahoo.com from their own box, if it is set up right, but a protocol that could fail connections claiming to be Yahoo.com emails that don't come from an approved Yahoo.com server would reduce the problem).

      Note there is already a system for doing this. It's called the Sender Policy Framework (SPF) and uses DNS records to tell mail servers which machines are allowed to send mail for your domain.

      This is not a perfect system though because often there is a legitimate need to use a different e-mail domain address than where your mail came from (eg. forwarding, etc). For that reason it doesn't appear that many mail servers are configured to check SPF records.

      At the very least it seems like they would be good for pre-tagging SPAM (ie. still deliver it but add something to the header that says it could be spam).

      --
      The ratio of people to cake is too big
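An evaluator for the ip4/ip6/include/all subset of SPF, added here as an example to show what the comment above (and the later question about whether SPF addresses this) describes in working form; it is not any mail server's code. The TXT records use documentation address ranges and are constructed for the example, the `a`, `mx`, `ptr`, `exists` and `redirect=` terms are deliberately left unmodelled, and the forwarding case at the end is the caveat the comment raises.

```python
"""Minimal SPF (RFC 7208 subset) check against a constructed DNS table."""

import ipaddress

# Constructed TXT records: documentation ranges, not any real domain's policy.
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # recursion cap in the spirit of RFC 7208's 10-lookup limit


def check_spf(domain, client_ip, depth=0):
    """Result for connecting host `client_ip` using an envelope sender in `domain`."""
    if depth > MAX_DEPTH:
        return "permerror"
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"          # no policy published: the receiver learns nothing
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            inner = check_spf(arg, client_ip, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):
                return "permerror"   # included domain is broken: whole check fails
        else:
            return "permerror"       # a, mx, ptr, exists, redirect= not modelled here
    return "neutral"                 # record exhausted without a match


def received_spf_header(domain, client_ip):
    """The tag a receiver can add instead of rejecting outright (pre-tagging)."""
    result = check_spf(domain, client_ip)
    return f"Received-SPF: {result} (client-ip={client_ip}; envelope-from domain={domain})"


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.10", "2001:db8::1", "203.0.113.7"):
        print(received_spf_header("example.com", ip))
```

Two things the output makes visible. First, SPF binds the connecting IP to the domain in the envelope sender (MAIL FROM), not to the `From:` header the user sees, so on its own it does not stop a display-name forgery. Second, the `203.0.113.7` case is the forwarding problem from the comment: a forwarder that relays a genuine example.com message from its own address gets `fail`, which is why many sites only tag (`Received-SPF:`) rather than reject on a hard fail.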
    27. Re:Seriously? by Thaelon · · Score: 1

      No, it's a social problem. Technology can't solve it.

      As long as you have careless users, no attempt to fix the problem with technology will work. The perfect example is that debunking of Bank of America's "sitekey" bullshit. "60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns."

      --
      Question everything

    28. Re:Seriously? by Anonymous Coward · · Score: 0

      That's exactly what we have today, isn't it?

      People that respond to spam are generally "educated" when they lose their money, bank account, identity, etc.

    29. Re:Seriously? by pipatron · · Score: 1

      The free and open nature of the internet is what has made it so great. A lot of companies and governments are scared of this, and want to close it up and make it mandatory to authorize yourself at every step. I think this is a very bad direction.

      I'd rather keep it free and open, and keep ignoring the spam counter in my gmail account, as that is normally how much I have to interact with spam.

      --
      c++; /* this makes c bigger but returns the old value */
    30. Re:Seriously? by Anonymous Coward · · Score: 0

      Yes, but they aren't publicly shamed by putting their name and picture on a billboard someplace along with the caption "this stupid tool responds to spam"

    31. Re:Seriously? by TubeSteak · · Score: 1

      So your argument is basically "The current system sucks, therefore no system will work!"?

      Seems to me that his argument was basically "Your authenticated sender/receiver solution sucks"

      Ultimately, the only spam filter that matters is the one between the keyboard and chair.
      Even a 99% effective technological solution is useless if the human spam filter constantly fails when it comes to that final 1%.

      --
      [Fuck Beta]
      o0t!
    32. Re:Seriously? by Chyeld · · Score: 2, Insightful

      And for that I refer you to this comment.

      Why is it so many otherwise perfectly intelligent people act as if a solution which doesn't solve 100% of the problem must be completely worthless?

      "You know, it's 20 below out, and you are standing in a swimming pool slowly freezing. You could get out and go inside.

      "Nah, I'd still be wet and cold."

      Yes, a 99% effective solution (i.e. something that reduced the actual volume of spam by 99%) would likely not result in any fewer people clicking on spam. But it would mean a 99% reduction in spam.

      How, in the great wild wild world of the web, do you look at that as a bad thing. Do you know how much of the current traffic in the world is spam?

    33. Re:Seriously? by grumbel · · Score: 1

      There are advantages to thinking of (and addressing) spam as a social problem rather than a technological problem.

      The problem with spam is that there is no accountability. If you can't find the guy who sends the mail, you can't punish him, therefore you must solve the technical problem of no accountability before you can deal with the actual spammer by law or other social means.

      Those fake phishing mails really don't do anything to fight spam; they might be good for educating users, but they don't stop spam, since it's not normal users who send spam.

    34. Re:Seriously? by Anonymous Coward · · Score: 0

      While technical prowess would go a long way, the social engineering aspect also needs to be solved. This is a method to teach the uneducated to be smarter, and realize you can't get Viagra for free.

      By adjusting the social portion, it makes spam less lucrative and less inviting to start doing.

    35. Re:Seriously? by Talderas · · Score: 1

      Isn't this one of the problems that SPF seeks to mitigate by using DNS as a method to establish valid email senders?

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    36. Re:Seriously? by Geoffrey.landis · · Score: 1

      THERE IS NO SUCH WORD AS AUTHENTIFY!

      Good point. It was a typo for authentificationate, I expect.

      --
      http://www.geoffreylandis.com
    37. Re:Seriously? by grumbel · · Score: 3, Insightful

      The point of authentication is to get accountability, not to get instant filtering. If a spammer is using a fake certificate, that certificate can be blacklisted. If some company isn't checking for fake data, certificates by that company can be blacklisted. If random Joe is sending me good mail, I could whitelist him. If random-mail-provider.com is doing well at stopping fake accounts, I could whitelist them as well. And when you would send your twin mail via a good email provider it would arrive just fine.

      Today you have the issue that you can't really do much, because you can't tell where a mail came from. Most of the data in the headers is completely fakeable and useless, and yet it gets used a lot for mail filtering because it's the only data we have.

    38. Re:Seriously? by kheldan · · Score: 1

      1) The people who fall for this won't actually learn until they're actually stung

      Nope, the people who will fall for this sort of tactic aren't ever going to learn, not even AFTER they've been hurt by it because they've already thoroughly demonstrated that they aren't CAPABLE of learning any better.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    39. Re:Seriously? by geckipede · · Score: 1

      Make it the '10s equivalent of the "funniest home videos" shows, now that youtube has rendered the original format pointless.

    40. Re:Seriously? by nsheppar · · Score: 1

      I believe what you are proposing is a method which involves actual consequences to having your computer 0wned. As such, it will go down in flames.

      --
      Correctness matters. Mercy matters more.
    41. Re:Seriously? by Chirs · · Score: 1

      Make it cost money (1 cent, say) to send an email, with that money going to the recipient. They can then choose to accept the message as non-spam, and the money returns to the sender.

      Individuals won't be impacted. Smaller-scale targeted marketing is still possible, but sending out hundreds of millions of spam messages becomes expensive.

      Mailing lists can be handled simply. Make the subscriber send an email to sign up (costing them 1 cent). The first time the subscriber doesn't return the money (costing the list sender the 1 cent they got from the subscriber initially), the subscriber is removed from the list.

    42. Re:Seriously? by RenderSeven · · Score: 1

      people with email sending addictions sent too many emails

      You're thinking on the wrong scale. Limits don't have to cut in until you hit thousands or tens of thousands to cut spam. Spam hit rates are now something like one hit per 12 million emails sent, and it *still* makes financial sense for spammers. To make spam economically unfeasible you don't need much of a delay penalty on that kind of volume. If you added a 1 ms latency penalty for each email per day per IP, even big mailing lists would hardly feel the effect. But a spammer would need 2000 years to get his 12 millionth email out. A microsecond penalty probably works, or even a nanosecond. For a 1 ns cumulative penalty, his 12 millionth email gets out in one day, but that's just one hit. His 2nd hit from another 12m emails is 3.3 days, his 3rd costs 7.5 days, and it rapidly gets worse.
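The arithmetic behind the figures in the comment above, worked through as an added example (mine, not the commenter's). The model is an assumption about what "cumulative penalty" means: the k-th message an IP sends in a day is held back by k times the base penalty, so n messages cost penalty times n(n+1)/2 in total; with that reading the 3.3-day, 7.5-day and roughly 2000-year figures come out as stated, and the code also answers the question the comment only implies, how many messages a day a single IP can still push out. The one-hit-per-12-million rate is the comment's figure, not measured data.

```python
"""Cumulative per-IP delay penalty: worked numbers for the comment above."""

from math import isqrt

DAY_NS = 86_400 * 10**9          # one day in nanoseconds
MAILS_PER_HIT = 12_000_000       # the comment's 1-in-12-million response rate (assumed)


def cumulative_delay_ns(n, penalty_ns):
    """Total delay for n messages from one IP when the k-th is held k * penalty_ns."""
    return penalty_ns * n * (n + 1) // 2


def delay_days(n, penalty_ns):
    return cumulative_delay_ns(n, penalty_ns) / DAY_NS


def days_to_hits(hits, penalty_ns, mails_per_hit=MAILS_PER_HIT):
    """Days a single IP needs to accumulate `hits` responses under the ramp."""
    return delay_days(hits * mails_per_hit, penalty_ns)


def max_mails_per_day(penalty_ns):
    """Largest n with penalty_ns * n(n+1)/2 <= DAY_NS, i.e. what fits in one day.
    Solved exactly in integers so the boundary is not off by float rounding."""
    return (isqrt(1 + 8 * DAY_NS // penalty_ns) - 1) // 2


if __name__ == "__main__":
    for hits in (1, 2, 3):
        print(f"{hits} hit(s) at a 1 ns ramp: {days_to_hits(hits, 1):.2f} days")
    print(f"1 hit at a 1 ms ramp: {days_to_hits(1, 10**6) / 365.25:.0f} years")
    print(f"mails/day/IP at 1 ns ramp:  {max_mails_per_day(1):,}")
    print(f"mails/day/IP at 1 us ramp:  {max_mails_per_day(1000):,}")
```

Under this ramp a single IP still gets about 13 million messages out per day at 1 ns, which is why the first hit lands in under a day and the second only after 3.3 days. The caveat a practitioner would add is that the whole calculation is per IP: a botnet spreading the same 12 million messages over a few thousand zombies never reaches the part of the curve where the penalty bites, which is exactly the reason spammers use zombies.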

    43. Re:Seriously? by Nethemas+the+Great · · Score: 1

      I don't think anything can solve the "spammer signs up for asdfghjkl.com and starts sending email through that server" spam.

      I wouldn't be so certain of that. Someone just purchased asdfghjkl.com...

      --
      Two of my imaginary friends reproduced once ... with negative results.
    44. Re:Seriously? by Lexible · · Score: 1

      Why do you assume that social engineering is not a technological solution?

    45. Re:Seriously? by fugue · · Score: 1

      Only if it's the Liberty Bell.

      --
      "The biggest problem with communication is the illusion that it has taken place."
    46. Re:Seriously? by dragonjujotu · · Score: 1

      This makes me think of another interesting use

      userA@sub1.example.com sends a newsletter to 100 addresses user00@sub2.example.com thru user99@sub2.example.com. Each recipient pulls the message from the same spot, so only one copy of the message exists.

      The only issue I can think of is a security vulnerability that allows someone to change the original message that was stored.

      --
      Yes, I am obsessed with ellipses.
    47. Re:Seriously? by acvh · · Score: 1

      I'm not a kernel developer, but every mailing list to which I once subscribed moved to web based forums, which I find much, much more convenient to use. I think mailing lists are a relic which some are reluctant to give up, and I'm sure there may be good reasons for that. I just don't know what they are.

      If a "solution" to spam were to exist or be developed, and mailing lists suffered collateral damage, there are other ways for the participants to communicate and discuss.

    48. Re:Seriously? by techno-vampire · · Score: 1

      people with infected machines probably wouldn't know/care about what to do and would just object to being blocked.

      Let them object, then. If that's how the ISP's TOC and/or AUC policy are written, their objections and $2.75 will buy them a cup of "gourmet" coffee, and nothing else. If they don't know how to clean up their systems, the ISP can point them in the direction of various services who can, and if they don't care to clean up their act, they don't get to send any more email.

      --
      Good, inexpensive web hosting
    49. Re:Seriously? by 1u3hr · · Score: 4, Insightful

      The problem with spam is that there is no accountability. If you can't find the guy who sends the mail, you can't punish him,

      Most spam is motivated by profit: trying to sell something to the recipient. There is therefore a money trail. Law enforcement could simply respond to a small proportion of spam and track where the money goes, and then prosecute for fraud, selling unregistered drugs, tax evasion -- it's a good bet they are breaking some existing laws, no new "cyber laws" are needed. But they don't because governments really don't care about it. Each spam is a fleabite, and below the threshold for which they take action (I've heard at least $5000 for the FBI). And various business lobby groups have made sure that there are plenty of loopholes so their marketing material can get through.

      My point is that they CAN find the spammers. They don't even try. Slashdotters foam at the mouth and talk about lynching. We imagine the rest of the world shares our hatred for spammers. But really, most people don't care. Government leaders don't care; if they use email at all it's filtered by their staff and they never see spam.

    50. Re:Seriously? by 0xygen · · Score: 1

      Here my ISP has an IDS watching user activity.

      It notices nasty things happening such as SSH scanning and mass SMTP sessions.

      First they try to contact you to confirm whether it is your activity or a zombie, if they cannot get hold of you, they pull the plug if it is severe enough.

      I liked it - I got a notification when I lost control of an old Linux box on my network before I came home and spotted it.

      This should really always be part of the solution, being adequately monitored by your upstream provider.

    51. Re:Seriously? by Anonymous Coward · · Score: 1, Funny

      Rockets to the sun are expensive.

      Just send them an e-ticket to print that has "I'm a terrorist" written on it somewhere. They are probably too dumb to check the ticket carefully, but when they try to get through security at the airport with that bogus e-ticket I'm sure they will learn a valuable lesson.

    52. Re:Seriously? by Anonymous Coward · · Score: 1, Insightful

      Exactly,

      Follow the MONEY.

      To make it worth "the government" following up on it they (we, who ever) set up 10,000 "monitored" addresses on various domains, preferably already existing ones. (I would gladly give the project an email address or two on all 3 of my domains for free...)

      All the spam from those addresses gets collected by central server and pattern matched to determine if they have the same reply to/web link/whatever.

      You then follow the money back to the seller and fine them $1000 per email.

      Even if only 10% of companies that use spam as a sales tool got fined $5,000,000 it would cause the others to seriously reevaluate their marketing strategy, and 5 mill should be more than enough to make some LEA decide that this is a worthwhile plan.

    53. Re:Seriously? by B1ackDragon · · Score: 1

      Just send them a fake e-ticket for a real flight. Piss off spam suckers, and the TSA in one shot. It's a win/win!

      ... damn. Anonymous coward beat me to it. Screw it, I'm posting anyway.

      --
      The snow doesn't give a soft white damn whom it touches. -- ee cummings
    54. Re:Seriously? by guruevi · · Score: 1

      The problem is that spam remains profitable even after all those anti-spam measures. Currently I have no spam coming through my box (Amavis, SpamAssassin) and I have been with providers that implemented solutions similar to parents, grandparents and all other posts 'proposing' a solution. We have SSL-based (both client and server) e-mail, we have authenticated SMTP, we have rate limiting, we have blacklists, whitelists and greylists. Put together they all limit the spam but they are all expensive on the receiving (or intermediary) servers.

      The sender's costs, however, are very low (next to nothing) and they can afford to lose 50-90% of their e-mail on technical measures; the other 10% is still successful enough to be profitable.

      There is no simple measure against spam simply because it's profitable for the sender and the companies/individuals that sell services to those senders. It's kinda like the physical junk mail that you get. Without it, I would be a lot happier and I wonder who actually buys their junk and how it is profitable at the current rates of stamps and paper but without junk mail the postal services would have to increase their rates and at the current incompetence of those organizations they probably would go under because FedEx, DHL and UPS do their jobs much better at those price points.

      We can't really get rid of spam and if we get rid of SMTP, spammers will jump on whatever 'alternative' we have. Spammers have already jumped on web ads, domain names, IM, VoIP and several other technologies that are used to communicate freely with one another (without too many restrictions) even though those technologies are much more limited in scope and user base.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    55. Re:Seriously? by Bill, Shooter of Bul · · Score: 1

      That won't work. Spammers would just send out similar-looking messages a day later informing them that the trip has been rescheduled to a later date. Additionally, a nominal re-booking fee applies that will be fully refunded when they complete the vacation. They can also put in fully refundable deposits for future free vacations as well (social, credit card info, and date of birth, and deposit equal to 1/10th retail price of the trip is required).

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    56. Re:Seriously? by Ironica · · Score: 4, Insightful

      I'm not a kernel developer, but every mailing list to which I once subscribed moved to web based forums, which I find much, much more convenient to use. I think mailing lists are a relic which some are reluctant to give up, and I'm sure there may be good reasons for that. I just don't know what they are.

      Here are some of the reasons I prefer my mailing lists to forums:

      * I don't have to remember to go there; it comes to me.

      * I KNOW what I've read already.

      * I can set up filters to mark my own "posts" as read automatically, to delete posts from people I'd rather not hear from, to flag items with particular subject lines, etc.

      * Thunderbird has a good search tool. Online forums often don't, and it's luck of the draw whether they do or not.

      * If the internet is down, I can still find that post that tells me how to do what it is I want to do right now.

      * I can (with the original poster's permission) forward all or part of a message to an individual or another list.

      * I can (with discretion and an x-post note) post the same text to multiple lists at the same time.

      I'm sure there are other reasons, but those are the reasons I've advocated against email lists I belong to switching to online forums. Since most of them are Yahoo groups, though, people *can* read them as web forums if they want to instead.

      --
      Don't you wish your girlfriend was a geek like me?
    57. Re:Seriously? by duguk · · Score: 1

      I use SPF; it's great. I really like it. Honestly. Great idea, nicely implemented.

      However, Google Mail and MSN Hotmail both seem to either totally ignore it, or at least (with a valid SPF) still occasionally classify it as spam, with the only recourse seeming to be to use DomainKeys, which is not supported on Courier Mail Server atm.

      It's really not a perfect system if most companies are going to totally ignore it.

    58. Re:Seriously? by Ironica · · Score: 1

      $2.75?! Where are you getting your coffee? A tall brewed at sbux is only $1.60, and even the cafe downstairs in our office building is only $1.75 for the same.

      --
      Don't you wish your girlfriend was a geek like me?
    59. Re:Seriously? by Ironica · · Score: 1

      The problem with spam is that there is no accountability. If you can't find the guy who sends the mail, you can't punish him.

      Most spam is motivated by profit: trying to sell something to the recipient. There is therefore a money trail. Law enforcement could simply respond to a small proportion of spam and track where the money goes, and then prosecute for fraud, selling unregistered drugs, tax evasion -- it's a good bet they are breaking some existing laws, no new "cyber laws" are needed. But they don't because governments really don't care about it.

      Or they don't have jurisdiction. The FTC can deal with commerce that crosses state lines, but the WTO has yet to get into the spam issue, and a LOT of spam is selling from outside the US. In that country, what they're doing may or may not be legal... if it is, then the trail ends; if it's not, the best you can do is notify the local authorities, who may be motivated to let their spammers "tax foreigners living abroad," as it doesn't hurt their populace and brings in GDP.

      --
      Don't you wish your girlfriend was a geek like me?
    60. Re:Seriously? by Anonymous Coward · · Score: 0

      Now that we're in the realm of crazy ideas, how 'bout this idea:

      If you want to cripple the profitability of a product, inundate the market with like products. We could flood the market with yet more spam; it dilutes the 'market share' of the real spammers, reducing the profitability of their career decision. At some point, people either stop buying products that are communicated via spam and/or it becomes unprofitable to invest time and effort to peddle them.

      This could precipitate another reaction, the one you desire: banishment of SMTP altogether. The Business tends to not have to do things until it becomes too painful. There is not yet an incentive to abandon SMTP because it doesn't hurt enough. Without a doubt this is going to be really painful.

    61. Re:Seriously? by Ironica · · Score: 1

      The technological issue is that, while I can identify a spam email, check the headers, and notify abuse@domain.com that someone is using their servers to spam me, they (1) may not care; (2) can't always find the person at fault; (3) have no recourse except to close their relay. Whereas, if you NEED a certificate, and a certificate costs money, and your cert gets revoked or blacklisted as soon as you send spam (because people like me report it), sending spam isn't free anymore, and will drop off quite a bit.

      --
      Don't you wish your girlfriend was a geek like me?
    62. Re:Seriously? by deroby · · Score: 2, Informative

      Frankly, I doubt that any spammer sends out 12 million emails from 1 machine.
      More likely he'll send out 1 "instruction" to some 'hub' that is then 'read' by 10000 hacked machines that will each send out 12M / 10k = (lots) of emails... Then again, I must agree, each and every spam-bot would get silenced too after a while (as would the owners of the p0wn3d machines, which might be tricky from a commercial point of view for the ISPs).

      After a while, only the spam-king with the largest zombie army would be able to make money on it as he would be able to send out mails in a volume that's just below the threshold of getting tarpitted. This might result in more aggressive viruses / bot networks, not sure whether that would be good or bad... =/

      Our ISP @ work (well, the one that provides the 'unimportant intarweb connection') had a filter installed that would count the number of emails coming through the SMTP server and once a certain threshold (mails / interval) was reached, the SMTP server would reply with 'You have been infected by a virus'. In fact the message was a bit harsh since in our case 100+ people behind a single IP address sent out quite a bit of 'personal' mail that was not routed via the company's mail server (Exchange), but directly out using the ISP's SMTP router; but it indeed helped us catch an infected laptop once that tried to send out gazillions of emails. So YAY for that system.

      Not sure if they still do that, our mighty internal-IT-staff decided that port 25 shouldn't be open to the outside anyway. (Can't blame them of course, our firewalls were pretty much swiss cheese before that day)

      --
      If there is one thing to be learned on slashdot, it has to be sarcasm.
    63. Re:Seriously? by Anonymous Coward · · Score: 0

      What about the Taco Bell?

    64. Re:Seriously? by Anonymous Coward · · Score: 0

      They are sending spam to the US, so our laws would apply. The crime is happening on this end.

      We'd have a hard time getting spammers extradited, but our laws would apply if they ever took a vacation or whatever.

    65. Re:Seriously? by deroby · · Score: 1

      it probably would work, for a while...

      Reminds me of the Blue Security thing we had a couple of years ago. The idea certainly hit a nerve somewhere (= probably the 'wallet-nerve') but the collateral damage was probably more than most people are willing to offer... that is, most companies. Personally I wouldn't have cared that much if it took 2 weeks of 'no access' for all ISP's around the world to find the infected machines and lock them out, knowing that after those weeks I'd have a better internet to come back to.

      (see : http://it.slashdot.org/article.pl?sid=06/05/18/2158227 )

      The problem is : once they fight back, who is willing to take the responsibility ?

      Suppose this hadn't been a 'little company' like Blue Security but an FBI operation. Would they have let the internet go down on its knees until the entire botnetwork was cleaned up ? That could take weeks, if not months. Trying to find the botnet-owner isn't trivial either, and suppose you'd be able to find him/her, (s)he would claim to know nothing about it, let alone give them the 'magic word' to stop said bots.

      --
      If there is one thing to be learned on slashdot, it has to be sarcasm.
    66. Re:Seriously? by 1u3hr · · Score: 1

      Or they don't have jurisdiction.

      Sure they won't get them all. But there are plenty they could. And any money transfer, credit card, whatever HAS to go through US jurisdiction. If you block such transfers, even if you can't prosecute, that will also remove the incentive.

      In any case, 90% of the spam I get is selling stuff from the US. Most of it is obviously illegal, fake or fraudulent. They COULD be prosecuted if the government gave a damn.

      Leave the Nigerians for Phase II.

    67. Re:Seriously? by Anonymous Coward · · Score: 0

      99% reduction in spam response -- thus send 100x more spam...

    68. Re:Seriously? by Runaway1956 · · Score: 1

      Disagree that spam is a techno problem. It is a people problem. The wife used to open every mail, open every attachment, and click on every link. Well, maybe I exaggerate - there isn't enough time in anyone's life to click on EVERYTHING that comes into a spambox... All the same, my sons and I have done our best to educate her, with good results. She has finally learned to delete most of the spam without ever looking at it. Even better, she has learned to use filters, meaning she never even sees most of the spam. My own inbox only sees a half dozen spams each week, on average, simply because I don't sign up for every worthless offer I stumble across. Having a secretive nature pays off sometimes. Educating people to be secretive and selective would end the spam problem.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    69. Re:Seriously? by causality · · Score: 1

      The spam problem will not be solved with laws or pretty tricks like this.

      It is a technological problem, and as such will be solved by technological changes: the SMTP protocol is outdated and totally unadapted to the modern uses to which we put it. Let's replace it with something that authentifies sender and receiver properly, and that allows for efficient transmission of binary data.

      I've always seen spam as an economic problem with many parallels to prohibition (like the War on Some Drugs). The actual problem is that so long as there are people in sufficient numbers who are willing to buy from a spammer (or who are vulnerable to being defrauded by a spammer), the spammers will find some way to do what they do. Spam is something of a business; it will end the moment it's difficult enough to do that a spammer can no longer make a profit. You don't really need any sort of perfect solution, just one that's good enough to remove the profit and put them out of business.

      The parallels to prohibition really are strong. For example, trying to end spam by catching and prosecuting spammers will have about as much of an impact on spam as arresting drug dealers has had on the War on Some Drugs, i.e. little to none, and that's assuming no jurisdictional problems. In fact, to drug dealers and spammers alike, increased risk means less competition and higher profits when looked at from a purely business perspective. There simply is no force available that can neutralize sufficient economic demand and to spammers, who don't care about legal/ethical issues, being an easy target for scams is as indistinguishable from demand as willingly buying from them. You're right that laws or pretty tricks won't solve the problem, but I propose that technological changes won't solve the problem either. What is needed is for large numbers of people to both realize and care that this is a shared network and that their actions (such as buying from spammers or running insecure systems or making insecure transactions) can negatively impact other people. Obtain that sort of widespread understanding and these matters will take care of themselves. Try to proceed without it and see how insoluble this problem can be.

      This idea about sending fake phishing e-mails might actually have an impact because the ultimate cause (or ultimate enabler) of this economic problem is the large number of ignorant users. This may identify some of them and prove to them that their current understanding leaves them vulnerable. I don't think this alone will end spam once and for all, but it's one of the few solutions I've heard that shows an awareness of the underlying problem.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    70. Re:Seriously? by Ironica · · Score: 1

      Or they don't have jurisdiction.

      Sure they won't get them all. But there are plenty they could. And any money transfer, credit card, whatever HAS to go through US jurisdiction.

      Why? If my bank, a private entity, is (for my convenience) member of a network of banks, which allows me to conduct international transactions with my credit card, at what point is this "US jurisdiction?" If I'm purchasing something that cannot legally be sold in the US, but it is NOT being sold in the US, then it would need to also be illegal to buy or own in the US, and then it's the purchaser who is at fault. But in the case of prescription drugs, unless they're listed as "controlled substances," there are no restrictions on owning or buying, just on selling.

      Here's the question: what's the difference between me going to Mexico and buying the item, vs. ordering it online from a Mexican vendor? (replace "Mexico/Mexican" with "Canada/Canadian" or "Russia/Russian" as suits your mood.)

      --
      Don't you wish your girlfriend was a geek like me?
    71. Re:Seriously? by RenderSeven · · Score: 1

      Frankly, I doubt that any spammer sends out 12 million emails from 1 machine.

      Yep, agreed. So use the 1ms number instead of the 1ns number, and that's for 100,000 machines. That's a big-***ed bot net :-)

      The escalating delay penalty is not that different from the small compute-task concept in that it incurs a substantial penalty to the sender. The delay though can be implemented in an existing SMTP server. It might be a more acceptable alternative than blacklisting, although as you point out, it does nothing to force the issue of identifying a bot/zombie.

    72. Re:Seriously? by oldspewey · · Score: 1

      They are sending spam to the US, so our laws would apply. The crime is happening on this end.

      We'd have a hard time getting spammers extradited, but our laws would apply if they ever took a vacation or whatever.

      ... which is another way of saying they are completely immune to legal repercussions.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    73. Re:Seriously? by Impy the Impiuos Imp · · Score: 1

      From TFA:

      > The agencies could then contact them from a suitably important-looking
      > government address, warning about what could have happened

      "To find out more, just click here and enter your verification info like your CC or SS numbers, or both."

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    74. Re:Seriously? by Obfuscant · · Score: 3, Informative

      Here are some of the reasons I prefer my mailing lists to forums:

      * I don't have to remember to go there; it comes to me.

      I was going to make this comment in computer-ish terms. It's called "push content" versus "pull content". Mailing lists PUSH the content to the user. Web fora require the user to PULL the content.

      PUSH is much better for important information. PULL is better for information that is not critical.

      My cell provider has an email to SMS gateway (and did the same thing prior to such gateways being common.) They also have "internet access" I could pay for that allows me to access POP/IMAP mail servers and web sites. The former is PUSH, the latter is PULL. When my server is dying, I want PUSH data telling me that. If my house goes below freezing, I want PUSH data telling me that. When I want to discuss hobbies, I mostly want PULL so I control when I read the information. If I want to know the temps in my house (other than extremes) I want PULL so I can control how often I am told.

      One reason you didn't mention is that, for Unix users, at least, it is absolutely trivial to set up an email alias ("mailing list") using nothing other than standard email tools, where a web forum requires running a web server and the forum tools. I do both -- I have aliases for meeting notices and I have a Drupal wiki for online discussions. The aliases were so much easier and take so many fewer resources.

    75. Re:Seriously? by Anonymous Coward · · Score: 0

      Until we all die from a disease caused by a dirty telephone...

    76. Re:Seriously? by IBBoard · · Score: 1

      Yeah, that's the real problem with this suggestion - it'll basically teach people to trust "official government" looking emails instead. Not a good idea!

    77. Re:Seriously? by IBBoard · · Score: 1

      Surely that depends on how many bots the emailing is split across? Yes, you could set a threshold that any reasonable person wouldn't hit but there will always be some human that'll hit it. Either that or you set it high enough that a lot of bots still get past. There was a story recently about a teen sending crazy numbers of texts in a month, but they were all legit texts.

      Throttling would help, but it needs to either hold the connection open for a while longer (which will reduce throughput by clogging connections) or force people to repeatedly re-send if it bounces and says "try again". I can't see either necessarily being popular with an ISP in implementation cost or effort.

    78. Re:Seriously? by IBBoard · · Score: 1

      That's because SPF doesn't guarantee that emails are not spam, just that they're allowed to be sent from the domain that they say they're from. A spammer can register weliketospamfromthisdomain.com, set up SPF records and spam like crazy from it, so the SPF records will show "Pass" but it'll still be spam.

      Oddly, though, GMail has SPF records. AFAIK the others don't.

    79. Re:Seriously? by IBBoard · · Score: 1

      Yeah, I use SPF records on my own domains, but because it's an optional extra then a lot of places either don't use it (like Yahoo) or don't check it (probably also like Yahoo).

      I guess a new protocol would probably get to the same situation, though - you can't ditch the old one (SMTP) because so many legacy systems still use it.

    80. Re:Seriously? by Ironica · · Score: 1

      I was going to make this comment in computer-ish terms. It's called "push content" versus "pull content". Mailing lists PUSH the content to the user. Web fora require the user to PULL the content.

      Thanks for the increase in precision.

      PUSH is much better for important information. PULL is better for information that is not critical.

      I think (especially in light of the example you gave) this is an oversimplification. PULL is preferable when:

      * The information is not critical, AND
      * There is a non-trivial "cost" to transmitting the information.

      PUSH is preferable when:

      * The information is critical, and/or you know you want all parts of it, AND
      * There is no significant cost for transmissions.

      If you have one condition and not the other, then it's more of a personal preference.

      My email lists are, by and large, NOT critical... but it's all information I want locally, and I don't suffer a usability issue from getting it all pushed to my computer. I have everything filtered into nice neat folders, and I can read my various lists in the order that I prefer. But you're right; I wouldn't want all those messages showing up on my phone all the time.

      --
      Don't you wish your girlfriend was a geek like me?
    81. Re:Seriously? by duguk · · Score: 1

      True enough, but how do we MTA hosters ensure that all mail will not be classed as spam? If SPF is basically ignored, and DomainKeys is hard or impossible, what's the solution?

      Pretty much the same situation as trying to stop spam, I guess?

    82. Re:Seriously? by Symbiot · · Score: 1

      1) The people who fall for this won't actually learn until they're actually stung, not just an email that says it is from a government agency

      Hey, that gives me an idea: if people won't learn unless they're stung then sting them. Don't just make it illegal to send spam, make it illegal to respond to it. Then law enforcement could send a ticket instead of just a "stern letter". I think that would pretty well destroy the spam business model.

    83. Re:Seriously? by RenderSeven · · Score: 1

      Well, no. Yes and no. There isn't a threshold to cross, only an ever-increasing delay. And it resets every day (i.e. if it's based on emails over the last 24 hours). My point WRT 'wrong scale' is that we don't need to worry about stopping each spam, only adding enough tiny penalty for each email that tens of millions become economically unfeasible. An email would never bounce. Spreading the load over a lot of bots helps a lot, but it doesn't help enough, or at least I don't think it helps enough.

      You're right about holding a connection open. I can't say I was proposing a fully thought-out protocol! Maybe have the server hold the SYN-ACK when establishing the connection? I'll hear agonized screams for trying to violate stack layering, but what the heck.
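
      An added example, not any poster's code, of the escalating-delay idea discussed in this comment and in the earlier RenderSeven, IBBoard and deroby comments: a per-source policy that holds the n-th message seen from one address within a sliding 24-hour window for n times a base delay (nothing bounces), an optional count threshold of the kind deroby's ISP used to flag an infected machine, and a closed-form helper to compare a single-host campaign with one spread over many hosts. The 24-hour window, the linear escalation and the 1 ms base are assumptions taken from the discussion; the addresses are documentation-range placeholders.

```python
from collections import deque

WINDOW_SECONDS = 24 * 3600  # assumption: the count "resets" over a sliding 24-hour window


class EscalatingDelayPolicy:
    """Per-source escalating delay (assumed linear): the n-th message a source
    has sent within the window is held for n * base_ms milliseconds before the
    server answers. Nothing is bounced; a low-volume sender barely notices."""

    def __init__(self, base_ms=1.0, alert_threshold=None):
        self.base_ms = base_ms
        self.alert_threshold = alert_threshold  # optional "you look infected" trigger
        self._history = {}                      # source -> deque of send timestamps (seconds)

    def delay_for(self, source, now):
        """Record one message from `source` at time `now` (seconds) and return
        the delay in milliseconds the server should impose on it."""
        q = self._history.setdefault(source, deque())
        while q and now - q[0] >= WINDOW_SECONDS:  # drop events that left the window
            q.popleft()
        q.append(now)
        return len(q) * self.base_ms

    def over_threshold(self, source):
        """True when the source's in-window count exceeds the alert threshold,
        the kind of condition an ISP might use to warn a customer."""
        if self.alert_threshold is None:
            return False
        return len(self._history.get(source, ())) > self.alert_threshold


def campaign_delay(n_messages, n_hosts, base_ms=1.0):
    """Closed form for a campaign spread evenly over n_hosts sources inside one
    window: each host sends m = n_messages // n_hosts messages and waits
    base_ms * (1 + 2 + ... + m) in total. Returns (per_host_ms, total_ms)."""
    m = n_messages // n_hosts
    per_host_ms = base_ms * m * (m + 1) / 2
    return per_host_ms, per_host_ms * n_hosts


def main():
    # Placeholder source addresses from the documentation ranges.
    policy = EscalatingDelayPolicy(base_ms=1.0, alert_threshold=100)
    for i in range(5):
        delay = policy.delay_for("203.0.113.5", i * 600)
        print(f"legit sender, message {i + 1}: {delay:.0f} ms delay")
    for n_hosts in (1, 1_000, 100_000):
        per_host, total = campaign_delay(12_000_000, n_hosts)
        print(f"12M messages over {n_hosts:>7} hosts: {per_host / 1000:.1f} s per host, "
              f"{total / 3.6e6:.1f} hours of delay in total")


if __name__ == "__main__":
    main()
```

      Running it shows the asymmetry IBBoard raises: from a single host, 12 million messages inside one window would accumulate over two thousand years of delay, while the same campaign spread over 100,000 bots costs each bot about seven seconds in total, so linear escalation alone prices out the lone sender but not the botnet.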

    84. Re:Seriously? by jibjibjib · · Score: 1

      It's not a technological problem, it's a social problem. Sure, the lack of authentication in SMTP makes things easier for spammers. But even without that, spammers could use legitimate email addresses. As long as people are able to send bulk email and other people are gullible enough to respond, there will be spam.

    85. Re:Seriously? by Stradivarius · · Score: 1

      SMTP no doubt could be improved.

      But I do not think the spam problem is really about SMTP, or any other technical limitation. It's a social and economic problem, which is that it is profitable for spammers to deluge millions of people with junk because a tiny minority of recipients will give the spammer money.

      While spam is illegal to send in some jurisdictions, that is not the case world-wide, and the Internet is a world-wide medium. Spammers will set up shop in favorable jurisdictions. So even if we had a mail protocol that could properly authenticate the sender to be "John R. Smith" or "Cheap Meds Inc.", there will still be spams, and there will still be some recipients who will buy stuff the spammers are hawking.

      Solutions must tackle the economic aspects. One way could be to reduce the number of people who fall for spam, as TFA attempts to do. I suspect this will be ineffective on the whole, simply because so few suckers are required for a spammer to turn a profit. Another approach would be to create adequate anti-spam laws worldwide, effectively raising the cost of spam very high (fines/imprisonment). This is unlikely to succeed due to the sheer number of parties that would need to act together. Another economically-driven approach I've seen is requiring the sender to perform some computational task for an email to be sent, thus raising the cost of spam. This has some potential, but would have to be kept "calibrated" over time to adjust for Moore's Law and the price of cloud computing services.

      OTOH, things like phishing emails (which I would call a subset of spam) could probably be helped quite a bit by a better technical solution for mail authentication.

    86. Re:Seriously? by Golddess · · Score: 1

      Yes, but lets kill the Americans who aren't funding us first, then we start replacing these pills with poison. :)

      --
      "I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
    87. Re:Seriously? by Obfuscant · · Score: 1

      But it would mean a 99% reduction in spam.

      There is no system that will result in a 99% reduction in spam.

      There may be systems that will stop spammers temporarily, until they figure out how to get around those systems and then we'll be right back where we are.

      No, we'll actually be worse off, because we will have lost one more technique from the "what if" pool, and the spammers will work just that much harder to send more than they did before.

      SPF won't solve it, because, as others have already said, all the spammer has to do is register a domain and set the SPF records. Anyone who thinks the system is now more trustworthy will treat that spam in a more trustworthy manner, a worse result than we have now.

    88. Re:Seriously? by Anonymous Coward · · Score: 0

      It might, however, stop email faking and sending from the zombie box itself, which would give a better point of control (because at the moment anyone can send emails that purport to be from Yahoo.com from their own box, if it is set up right, but a protocol that could fail connections claiming to be Yahoo.com emails that don't come from an approved Yahoo.com server would reduce the problem)

      What you are talking about is called a "Reverse DNS entry". Any mail server worth a crap will refuse to accept mail from a server without one, or from a server that has a mis-match.

      Most mail servers already do this.

      The counterpoints you made are good, however.
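
      An added example, not from any poster, of the forward-confirmed reverse DNS check this comment describes: the connecting address is resolved to a name via its PTR record, and that name must resolve back to the same address, otherwise the connection is refused. The PTR and A tables are constructed placeholders standing in for real lookups, and the lookup functions are parameters so real resolver calls can be substituted. This check only establishes that the connecting host's naming is consistent; whether that host may send for the domain in the message is what SPF covers, and a spammer's own host can pass FCrDNS perfectly well.

```python
import ipaddress

# Constructed PTR and A data standing in for real DNS (documentation-range addresses only).
PTR_RECORDS = {
    "203.0.113.10": "mx1.example.net.",   # forward record points back: consistent
    "203.0.113.11": "mail.example.org.",  # forward record points elsewhere: mismatch
    # 203.0.113.12 deliberately has no PTR record
}
A_RECORDS = {
    "mx1.example.net.": ["203.0.113.10"],
    "mail.example.org.": ["198.51.100.20"],
}


def table_ptr(ip):
    """Stand-in for a PTR lookup (real code: socket.gethostbyaddr(ip)[0])."""
    return PTR_RECORDS.get(ip)


def table_a(name):
    """Stand-in for an A lookup (real code: socket.gethostbyname_ex(name)[2])."""
    return A_RECORDS.get(name, [])


def fcrdns_check(client_ip, ptr_lookup=table_ptr, a_lookup=table_a):
    """Forward-confirmed reverse DNS for a connecting address.
    Returns (status, hostname) with status one of 'pass', 'no-ptr', 'mismatch'."""
    ipaddress.ip_address(client_ip)  # raises ValueError on malformed input
    name = ptr_lookup(client_ip)
    if not name:
        return "no-ptr", None
    if client_ip in a_lookup(name):
        return "pass", name
    return "mismatch", name


def connection_decision(client_ip, reject_on=("no-ptr", "mismatch"), **lookups):
    """Policy wrapper: which FCrDNS outcomes make the SMTP server refuse the
    connection. A softer site might reject only 'mismatch' and log 'no-ptr'."""
    status, name = fcrdns_check(client_ip, **lookups)
    action = "reject" if status in reject_on else "accept"
    return action, status, name


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        action, status, name = connection_decision(ip)
        print(f"{ip}: {action} ({status}, ptr={name})")
```

      Because the decision is logged with its reason, a mismatch caused by a legitimate but misconfigured sender is easy to spot in the server log and whitelist, which is the usual operational cost of turning this check on.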

    89. Re:Seriously? by hairyfeet · · Score: 1

      Unfortunately the "virus" excuse gets to be just that if the ISP turns out to be shitty. If we were all going to agree to something like this I would want concrete data written in stone about what EXACTLY constitutes a "virus" disconnect, otherwise they will use that any way they please.

      For example, when I was living a whole 2 blocks from where the cable ended (and where the cable hasn't actually moved a single foot in 30 years) and trying to get away from the evil that is Direcway I decided to try the local WISP when it was set up. After spending nearly 2 hours making sure that there was NO FAP, asking about upload/download limits and speeds, etc., I sign up. But because their "definition" of a "virus" is pretty much anything OTHER than WinXP running IE6 I ended up having to threaten a lawsuit to get the service canceled and my money back. Use Linux? "It looks weird, it must be a virus!" Use a download manager in Windows, or update packages in Linux? "It uses more/different connections than normal people (WinXP running IE6) use, it must be a virus!". I finally had to say "Scan the damned machine. When you see that Xandros Business 4 does NOT, and as a matter of fact can NOT, have a Windows virus, I want an apology and my money back or the next you hear will be from my lawyer."

      So until we have actual competition in the majority of the USA for broadband I wouldn't be so quick to let ISPs toss people for "viruses" without a clear, concise, and verifiable definition in place of exactly what a virus is. Otherwise you may end up finding that a "virus" is simply anything they don't understand or looks different than what they are used to.

      As a final humorous note, my sister decided after my little ordeal to try them herself. She figured where she lived it was them or dialup, and she didn't use Linux, so what would be the harm? She also had to threaten to get her money back after they refused to let them back on the network after my oldest nephew wiped out their WHOLE DAMNED NETWORK with a malfunctioning Yahoo messenger! I shit you not! I never have seen a more badly run ISP in my life. I mean, how in the hell do you raise capital to set up something like a WISP when you know so little about networking that Yahoo messenger can drop your entire network?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    90. Re:Seriously? by Anonymous Coward · · Score: 0

      ...often there is a legitimate need to use a different e-mail domain address than where your mail came from (eg. forwarding, etc)...

      I, for one, would be happy to give up transparent forwarding (where the email appears to come from the original sender) in return for getting rid of spam. If we were redesigning the internet from scratch, with hindsight, I'm sure that's a change that we'd make.

    91. Re:Seriously? by Chyeld · · Score: 2, Insightful

      First off, if the item is in the "what if" pool and isn't effective, then losing it shouldn't matter.

      Secondly, if the sole argument you are going to present is "It's hopeless! Just give up!", then frankly I wish you would.

      Our current system for email is virtually 100% open and unsecured. No, I don't think we'll ever eliminate spam. And yes, we may take steps in the search for the 'optimal plan' that end up being a total waste of time.

      But at the end of the day, the only thing you have presented so far is pessimism. That doesn't prove your case or make your point.

      Even if we never get around to tearing down SMTP and replacing it with something designed to be secured from the start (and why the hell not given we could use that for MTA-MTA connections and still present an SMTP emulation for MUAs) there are plenty of avenues for us to take in locking down what we do have to work with.

      And regarding the "now people will trust spam more" malarky. Stupid people do stupid stuff. News at 11. The point of SPF isn't to ensure the email is trustworthy, it's to ensure the email was meant to come from example.com. The folk ignorant enough to trust spam aren't going to know enough to ever realize or care about SPF or any other measure put in place. They are going to click it regardless. But at least now, those of us who aren't vying for Darwin Awards will have another tool in the arsenal of cutting the volume of what we are receiving and have absolutely no intention of ever clicking.
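
      An added example, not code from any poster, of what an SPF evaluation actually establishes, as this comment and IBBoard's earlier one about weliketospamfromthisdomain.com both say: a toy evaluator over constructed TXT and A records that supports the ip4, a, include and all mechanisms with their qualifiers, and a classifier showing that a "pass" for a spammer-registered domain is still a pass and has to be combined with separate reputation data before it means anything about the mail. All domains, addresses and the reputation table are placeholders.

```python
import ipaddress

# Constructed TXT and A records standing in for DNS (placeholder domains and
# documentation-range addresses; the spammer domain is the one named in the thread).
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 a:relay.example.net ~all",
    "weliketospamfromthisdomain.com": "v=spf1 ip4:198.51.100.7 -all",
}
A_RECORDS = {"relay.example.net": ["192.0.2.25"]}

# Assumed reputation data kept apart from SPF, e.g. a blocklist or complaint feed.
REPUTATION = {"weliketospamfromthisdomain.com": "bad"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Evaluate the SPF record of `domain` for a connecting IP. Supports the
    ip4, a, include and all mechanisms; anything else yields 'permerror'.
    Result is one of pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                      # include recursion must be bounded
        return "permerror"
    record = TXT_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # mechanisms default to a pass qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = client_ip in A_RECORDS.get(arg or domain, [])
        elif mech == "include":
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no explicit all


def classify(domain, client_ip, reputation=REPUTATION):
    """SPF says whether the host may send for the domain; reputation says
    whether the domain is worth trusting. A verdict needs both."""
    spf = check_spf(domain, client_ip)
    if spf == "fail":
        return "reject"
    if spf == "pass" and reputation.get(domain) == "bad":
        return "spam"       # authenticated, and from a known-bad domain
    if spf == "pass":
        return "accept"
    return "greylist"       # softfail/neutral/none/permerror: defer to other checks


if __name__ == "__main__":
    for domain, ip in (("example.com", "203.0.113.5"),
                       ("example.com", "192.0.2.25"),
                       ("example.com", "198.51.100.7"),
                       ("weliketospamfromthisdomain.com", "198.51.100.7")):
        print(f"{domain} from {ip}: spf={check_spf(domain, ip)} -> {classify(domain, ip)}")
```

      The last line of the output is the point of both comments: the spammer's own domain authenticates cleanly, and only the reputation lookup turns that into a spam verdict, while a forged example.com sender from an unlisted address fails and can be rejected outright.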

    92. Re:Seriously? by againjj · · Score: 1

      Your post advocates a

      (X) technical ( ) legislative ( ) market-based ( ) vigilante

      approach to fighting spam. Your idea will not work.

      ...

    93. Re:Seriously? by adavies42 · · Score: 1

      add the ability to usefully branch discussions and complete decentralization of the distribution channel and you're back to usenet. remind me why we ever started using anything else?

      --
      Media that can be recorded and distributed can be recorded and distributed.
      -kfg
    94. Re:Seriously? by MacWiz · · Score: 1

      The spam problem will not be solved with laws or pretty tricks like this.

      Of course it won't. But it creates jobs, apparently.

    95. Re:Seriously? by 1u3hr · · Score: 1
      Why? If my bank, a private entity, is (for my convenience) a member of a network of banks, which allows me to conduct international transactions with my credit card, at what point is this "US jurisdiction?"

      If the banks and credit card companies are incorporated in the US, using US dollars, they are. Which covers most transactions. You can evade it if you use a Swiss bank or send gold coins to a mailbox, of course.

      Here's the question: what's the difference between me going to Mexico and buying the item, vs. ordering it online from a Mexican vendor?

      IANAL, but I believe the latter is illegal, because it's being imported to the US.

      Anyway, the idea is not to stop trade where the customer knows what's up and what they're getting, but scammers.

    96. Re:Seriously? by bruunb · · Score: 1

      Somebody might be able to ensure some sort of public/private keypair cryptology between the SMTP servers to encrypt the message-id or what other information is used to say "this is the message you can fetch for user X". Possibly a publicly signed key, somewhat like the current SSL-certificate signing.

      That way the only "change" to the SMTP protocol would be

        - fetching the message from the receiving SMTP server that would normally just receive everything
        - some encryption based on the MX record validity/certificate signing to ensure the correct receiver fetches the mail

      I don't think that it would be a big issue or problem to implement.

      --
      Vegetarians eat Vegetables, Humanitarians frighten me...
    97. Re:Seriously? by IBBoard · · Score: 1

      If the spam is done correctly then you can't. Some spam can have give-away features that are basically never seen in legit email (certain malformed dates are one pattern I've seen that accounted for 50% of my spam), but others can look no different to legitimate mailing lists or requested retailer updates.

      You could base it on "have I seen lots of emails like this", but then you need lots of accounts to compare across, lots of content processing, and you'll probably still catch mailing lists (plus spammers just insert padding content to look different). You could base it on large numbers of connections from a specific IP address, but again that will catch mailing lists and spammers just spread the load between machines. You could base it on "that doesn't look like a sensible domain", but that would fail both ways (too many nonsensical legit domains and sensible spam domains). You could use whitelists, but then people who are contacting you for the first time get bounced. You could use grey lists, but some legit servers will drop messages because you're breaking the spec, and any new protocol that allows a similar method would just end up with the spammers writing with it in mind. You could base it on any number of things, but as long as the spam is well crafted then just about any measure will either let spam through if it is well crafted or block/junk legitimate emails.

      One important point I saw during a Machine Learning course at Uni was an article that said they'd got a very high success rate very quickly just by being personalised. Since one person's spam isn't necessarily another person's spam (in general it is, but what is picked out as a "spam feature" in one may occur in a legit mailing list of another) and each person has their own topics that they discuss in emails then personalised filtering is about as good as it gets.

    98. Re:Seriously? by IBBoard · · Score: 1

      Yes, but it relies on domains setting up records. If they don't have a record then you've generally got to accept them or you're cutting off a large proportion of the Internet, including some big email providers. If you have a replacement protocol you can embed it from the start and properly enforce it. It still won't stop spam (spammers will just say "yes, I can send from icanspam.com") but it will let you filter some emails.

    99. Re:Seriously? by rHBa · · Score: 1

      SPF can cause problems if your users are connecting to the internet via an ISP that likes to re-route all port 25 traffic through their own SMTP servers.

      The solution we used was to configure our SMTP servers to listen on another port (1025 for example) which wasn't being hijacked by the ISP.

      Other than that I find SPF works quite well, the amount of spam I receive through my SPF enabled accounts is probably 5% of what comes through my other accounts and it's the SPF email addresses that I'm using whenever I think my address may be displayed where it could be harvested...

    100. Re:Seriously? by IBBoard · · Score: 1

      An intrusion detection system would be great, and is useful in a business setting, but most of the spam I get is from countries that aren't likely to do anything like that. It'd help in the tech savvy nations (since even the US is quite prolific in sending spam from some reports I've seen) but it'd still leave a problem on the receiving end from any network that doesn't use it. That plus I can see ISPs complaining if they have to implement that kind of thing as it'll be expensive and require such terrible things as "experts with knowledge" and "dealing with customer complaints about their network being shut off".

    101. Re:Seriously? by 0xygen · · Score: 1

      This is the problem really, I think we need to re-draw of what percentage of junk output constitutes a "bad" ISP which should be cut off upstream.

      I understand there's a massive cost to implement monitoring, but that has to be part and parcel of remaining connected.

      You would think at least the US, western Europe and Korea could get this sorted though, then we can pressure China, Russia and all the rest to follow suit.

    102. Re:Seriously? by giafly · · Score: 1

      Can you come up with a protocol that will not allow a zombie box to, as you say, authenticate properly?

      Yes. ISPs should ask for an additional fee to provide email access. Most people use free GMail/Hotmail/other Webmail and will never bother to enable local email, therefore most zombie boxen will not be able to authenticate properly and send.

      --
      Reduce, reuse, cycle
    103. Re:Seriously? by characterZer0 · · Score: 1

      The ISP should block a TCP port? That is not a protocol, that is the ISP failing to provide the service paid for.

      Even so, then the virus will scan for other zombies that do have access on that port, and relay to them on another port.

      --
      Go green: turn off your refrigerator.
    104. Re:Seriously? by Anonymous Coward · · Score: 0

      Here's some of the reasons I prefer my mailing lists to forums:

      * I don't have to remember to go there; it comes to me.

      You remember to come to /. and probably a large number of other sites as well.

      * I KNOW what I've read already.

      I would hope you'd know that no matter what communication medium you use.

      * I can set up filters to mark my own "posts" as read automatically, to delete posts from people I'd rather not hear from, to flag items with particular subject lines, etc.

      Most forums auto-redirect to your own post, making your own marked as read by default. Most also have ignore buttons for annoying people you'd rather not hear from.

      * Thunderbird has a good search tool. Online forums often don't, and it's luck of the draw whether they do or not.

      It isn't that difficult to set up a forum with a good search feature. The ones that don't typically don't need such a function. A specialized developer forum? I would laugh if you guys couldn't set that up.

      * If the internet is down, I can still find that post that tells me how to do what it is I want to do right now.

      There are MANY ways to create and maintain a local copy of forum posts.

      * I can (with the original poster's permission) forward all or part of a message to an individual or another list.

      * I can (with discretion and an x-post note) post the same text to multiple lists at the same time.

      A forum, as opposed to email, does nothing to prevent you from forwarding that message with permission.

      I'm sure there are other reasons, but those are the reasons I've advocated against email lists I belong to switching to online forums. Since most of them are Yahoo groups, though, people *can* read them as web forums if they want to instead.

      Translation: This is how I do it. This is how it's always been done. This is the only way to do it.

    105. Re:Seriously? by nasor · · Score: 1

      But does anyone actually purchase things from spammers? Or are spammers just ripping off one merchant after another, charging them for spam and promising great returns even though no one might respond?

    106. Re:Seriously? by badkarmadayaccount · · Score: 1

      Nope. Something related to pedophile druggie communist hippie terrorists is uNceasingly Nagging me, Though I can't Put my finger on it.

      --
      I know tobacco is bad for you, so I smoke weed with crack.
    107. Re:Seriously? by Obfuscant · · Score: 1
      Secondly, if the sole argument you are going to present is "It's hopeless! Just give up!", then frankly I wish you would.

      Yes, I know it is easier to put words in someone else's mouth and then argue about those, but it's not productive. If I wanted to argue that, I would have. Since I did not, you are wasting everyone's time by pretending I did.

      But at the end of the day, the only thing you have presented so far is pessimism. That doesn't prove your case or make your point.

      The fact that there are so many ways of getting around every proposed technical solution is not "only pessimism". It's a realistic evaluation of the probability of success. The fact that so many things that have been tried have resulted in no long term solution is what makes my point. (Anecdotal: I get more spam phone calls NOW than I did before the Feds created the DNC list, and they are more pernicious and determined. The DNC list stops some; others saw it as a challenge to be overcome.)

      And regarding the "now people will trust spam more" malarkey. Stupid people do stupid stuff.

      Yes, they do. Guess what percentage of email users are "stupid people" when it comes to understanding the underlying concepts of email transmission? I think "99.9%" is an optimistic number. (Have you ever had to convince someone that they didn't actually get email from Santa Claus after they were sent an email claiming to be from him? I have.)

      Of course the smart people who know that email isn't secure won't be fooled. Smart people know what spam is and don't respond to it with money, either. And yet, spam is still a money making proposition. Must be the stupid people.

      So, the answer to spam has to not only make the smart people happy, it has to protect the stupid people, too. If you create a system that hints that email is authenticated (SPF, e.g.) then stupid people will see that as "email is authenticated" and thus this latest message from Mrs. Ubangi who is trying to get $456 million out of Kenya MUST be valid. That's going to make the problem worse FOR EVERYONE. Not only will spammers work around your solution, they'll be finding more victims and have more reason to keep spamming.

      The point of SPF isn't to ensure the email is trustworthy, it's to ensure the email was meant to come from example.com.

      No, it's to ensure that the client handing this specific email to the server is authorized to handle email that claims to come from example.com. "Meant to come from" is meaningless. If I hijack a machine that is in example.com's SPF records, then I can create all the spam I want using example.com addresses, even though none of it was MEANT to come from there. So see, even smart people don't have a full understanding of what it means to pass the SPF test. How can you expect Joe User to know better?

      ... cutting the volume of what we are receiving ...

      Ahh, all is clear now. Solutions to spam aren't intended to lessen the loads of servers around the world and free up bandwidth for other services, they are intended only to cut the volume of what YOU get in YOUR mailbox.
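      Added example (not code from the thread) that makes concrete what the post above says an SPF pass does and does not assert, and the "relies on domains setting up records" point from comment 98: a minimal evaluator for the ip4/ip6/include/all mechanisms over a constructed in-memory DNS table. example.com, the helper domains and every address are placeholders chosen for the example.

```python
"""
Minimal SPF (RFC 7208 subset) evaluator over a constructed in-memory DNS table.
Added example, not from the thread: an SPF "pass" only means the connecting
client IP is authorised to send for the MAIL FROM domain; it says nothing
about whether the message is wanted or who actually composed it.
"""
import ipaddress

# Constructed TXT records; these domains and ranges are placeholders.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
    "lenient.example": "v=spf1 +all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _lookup_txt(domain):
    """Stand-in for a DNS TXT query against the constructed table."""
    return DNS_TXT.get(domain)


def _ip_in(client_ip, cidr, default_bits):
    """True if client_ip lies in cidr ('a.b.c.d' or 'a.b.c.d/len')."""
    spec = cidr if "/" in cidr else f"{cidr}/{default_bits}"
    net = ipaddress.ip_network(spec, strict=False)
    return client_ip.version == net.version and client_ip in net


def check_spf(client_ip, domain, depth=0):
    """Return the SPF result for client_ip sending MAIL FROM <x>@domain.

    Results: pass, fail, softfail, neutral, none (no record) or permerror.
    Only ip4, ip6, include and all are implemented; a, mx, ptr and exists
    need live DNS and are treated as permerror here. Modifiers (redirect=,
    exp=) are ignored.
    """
    if depth > 10:                      # simplified version of the lookup limit
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    record = _lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # comment 98: no record, nothing to enforce
    for term in record.split()[1:]:
        if "=" in term:
            continue                    # modifier, ignored in this subset
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip.version == 4 and _ip_in(ip, arg, 32)
        elif name == "ip6":
            matched = ip.version == 6 and _ip_in(ip, arg, 128)
        elif name == "include":
            sub = check_spf(client_ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"     # include matches only on a pass
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # record exhausted without a match


if __name__ == "__main__":
    # Constructed scenarios; 192.0.2.200 stands for a host inside
    # example.com's authorised range that has been taken over.
    scenarios = [
        ("192.0.2.25", "example.com's own relay"),
        ("192.0.2.200", "compromised host inside the authorised ip4 range"),
        ("198.51.100.10", "host listed by the included record"),
        ("198.51.100.11", "host covered only by the included ~all"),
        ("203.0.113.7", "unrelated host forging example.com"),
    ]
    for addr, note in scenarios:
        print(f"{addr:>15}  {check_spf(addr, 'example.com'):<8}  {note}")
```

The second scenario is the one the post describes: the compromised host passes exactly like the legitimate relay, so SPF is an authorisation check on the sending client, not a trust signal for the message.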

    108. Re:Seriously? by caffeinemessiah · · Score: 1

      The point of authentication is to get accountability, not to get instant filtering. If a spammer is using a fake certificate, that certificate can be blacklisted.

      You might be confusing business and personal certificates. Individuals, presumably, will have personal certificates that are usually free and therefore plentiful/renewable. If you're talking about business certificates for the e-mail provider, then read on:

      If random-mail-provider.com is doing good at stopping fake accounts, I could whitelist them as well. And when you would send your twin mail via a good email provider it would arrive just fine.

      Regardless of whether you're whitelisting or blacklisting, the "amount" of spam sent from a provider could be minuscule compared to their total volume. Thus, there really isn't a good way to tell a "good email provider". Even Gmail is used to send spam, although they may be quicker at shutting those accounts than others.

      There's a checkbox on the "your spam solution will not work..." form that circulates on /. about how "ideas like yours are easy to come up with, yet none have been shown to be practical".

      --
      An old-timer with old-timey ideas.
    109. Re:Seriously? by Ironica · · Score: 1

      You remember to come to /. and probably a large number of other sites as well.

      More or less. But I might go days without getting around to it, and because of how it's set up, it's hard to catch up, also. Since I *do* visit online forums *and* subscribe to several email lists, I know exactly how my usage varies between the two.

      * I KNOW what I've read already.

      I would hope you'd know that no matter what communication medium you use.

      Uh... just *how* am I supposed to tell what posts I've read previously on /., for example? Sure, if I read something *again*, I can tell you if I've read it before, but that's a waste of my time. I'd rather have a reliable system for marking things as read or unread, which email provides, and I have never seen a single online forum that's able to do this properly... especially if it's days between visits.

      Most forums auto-redirect to your own post, making your own marked as read by default. Most also have ignore buttons for annoying people you'd rather not hear from.

      Granted on the ignore button... but as for the former, this doesn't work properly on the largest board I frequent. It works if my post goes onto an existing page, but if it starts a new page, *even though I saw my post in the re-direct,* it bolds the subject line when I click a link to return to the forum page. Bogus.

      * Thunderbird has a good search tool. Online forums often don't, and it's luck of the draw whether they do or not.

      It isn't that difficult to set up a forum with a good search feature. The ones that don't typically don't need such a function. A specialized developer forum? I would laugh if you guys couldn't set that up.

      I'm not on specialized developer forums. Most of the online forums I go to, besides /. obviously, are related to parenting issues. It may not be hard to set up a good search tool, but that doesn't mean it happens on a regular basis. PHPBB and BigBoards both have really crappy search tools, and they account for a really large proportion of the online forums I see.

      Anyway, do you know what "luck of the draw" means? Just because it's possible doesn't mean that it gets done. If I'm viewing content using my email client, I have a predictable level of search ability, which (so far) is way better than what I find on online forums.

      * If the internet is down, I can still find that post that tells me how to do what it is I want to do right now.

      There are MANY ways to create and maintain a local copy of forum posts.

      So? That's an extra step. Not only that, but are there many ways to maintain a synchronized local copy, or would I have to download the ENTIRE THING every time I made a backup? Should I do that every day? Every week? Every hour? POP will download each post exactly once. Are there online forums that do that?

      * I can (with the original poster's permission) forward all or part of a message to an individual or another list.

      * I can (with discretion and an x-post note) post the same text to multiple lists at the same time.

      A forum, as opposed to email, does nothing to prevent you from forwarding that message with permission.

      It's not in my email client, so I can't "forward" it. I can copy and paste it into an email, but again, I'm switching programs and taking extra steps. And cross-posting requires multiple steps as well. There's also the fact that if I *want* to include basic header info (original sender, date/timestamp, etc.) I probably have to manually grab each of those bits of data.

      Translation: This is how I do it. This is how it's always been done. This is the only way to do it.

      No, translation: this is wh

      --
      Don't you wish your girlfriend was a geek like me?
    110. Re:Seriously? by Ironica · · Score: 1

      If the banks and credit card companies are incorporated in the US, using US dollars, they are. Which covers most transactions. You can evade it if you use a Swiss bank or send gold coins to a mailbox, of course.

      Ok, so if my bank does something illegal, someone can do something about it... but if *I* authorize a transaction via their usual means, and the person on the other end of the transaction is breaking US laws but is outside the US, what happens then?

      Anyway, the idea is not to stop trade where the customer knows what's up and what they're getting, but scammers.

      I thought the idea was to stop SPAM. Spam is often selling "legitimate" items, but through illegitimate means. (I use quotes because the items frequently don't really do what they appear to claim, but they have the proper disclaimers and it would be difficult to sue them for straight-up fraud.)

      Someone who buys a pill that's supposed to enlarge their member knows it probably won't work, but they're willing to try it. The problem is that, for that ONE person who buys it, hundreds of thousands of people have to delete that same email. That's the problem they're trying to address.

      --
      Don't you wish your girlfriend was a geek like me?
  2. Nah, dumb idea.... by King_TJ · · Score: 4, Insightful

    In my experience, many of the people clueless enough to respond to some spam email are also the ones who wouldn't understand the reply that came back to warn them of their behavior.

    (Heck, you wouldn't believe how many people I've had to help out, because a free version of their Windows anti-virus software expired, and they couldn't figure out what to do with the windows popping up to tell them they needed to download the newer version. They thought that stuff meant their anti-virus "broke" because they got a virus!)

    1. Re:Nah, dumb idea.... by lastchance_000 · · Score: 1

      I wonder how long it would take for fake government-anti-spam-warning emails to start showing up?

    2. Re:Nah, dumb idea.... by AlexBirch · · Score: 1

      Perhaps now that Obama has closed Gitmo down for terrorists, we could use that space for people who repeatedly respond to spam.
      Or we could just send them to Cuba where they will not do us any harm.

    3. Re:Nah, dumb idea.... by Anonymous Coward · · Score: 0

      Surely you realize that Guantanamo Bay is in Cuba, making one of your sentences redundant.

    4. Re:Nah, dumb idea.... by BrokenHalo · · Score: 1

      Hmmm. Do you have any idea where Guantanamo is?

  3. it's already in use... by Kindaian · · Score: 2

    And it's called more exactly honey-pots.

    1. Re:it's already in use... by ericspinder · · Score: 4, Informative

      And it's called more exactly honey-pots.

      Actually, honey pots are more about collecting spammer addresses, not identifying their targets.

      --
      The grass is only greener, if you don't take care of your own lawn.
  4. stupidity tax by patjhal · · Score: 2, Funny

    And the government spam could bilk the gullible out of money just like real spam. They could lower regular taxes by creating this stupidity tax. Also the DOD could spread viruses on this government spam that take over machines to use in web war. And no need to keep it local, it could be worldwide.

    1. Re:stupidity tax by oldspewey · · Score: 1

      They could lower regular taxes by creating this stupidity tax.

      Where do I sign the petition?

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    2. Re:stupidity tax by Anonymous Coward · · Score: 0

      They could lower regular taxes by creating this stupidity tax.

      We already have one of those, it doesn't work.

    3. Re:stupidity tax by pxlmusic · · Score: 1

      me too

      --
      "If for any reason you're not satisfied with our service, I hate you."
    4. Re:stupidity tax by russotto · · Score: 1

      They could lower regular taxes by creating this stupidity tax.

      Where do I sign the petition?

      I'm the designated signature collector; just sign one of your checks and send it to me, and I'll take care of it for you.

  5. actually, this works fairly well. by gandhi_2 · · Score: 5, Informative

    my school district did the same thing, and it works great.

    It's the best form of targeted training. Only those who fall for shit like this get a lesson, and follow-up fake scams had a MUCH lower success rate.

    1. Re:actually, this works fairly well. by socsoc · · Score: 2, Interesting

      Really? Sounds ridiculous to me. It's difficult enough to convince people that your work e-mail is for work related matters... I don't need management asking me to send out a phish attempt to the staff as a test.

    2. Re:actually, this works fairly well. by uncledrax · · Score: 1

      Pretty sure a local university does that here.. but what they do is if you click through to the site, the SITE itself tells you "Hey Dumbass.. you just got phished.. here's some info and the whys-and-wherefores". (The Site in question would actually be under the admins' control and on the LAN)

      I agree with most people here that the follow up email idea is bad because I'm probably MORE likely to ignore an email that says it's from the government

      --
      ----- The internet has given everyone the ability to have their voice heard equally as loud.. even if they shouldn't be
    3. Re:actually, this works fairly well. by JCSoRocks · · Score: 1

      As much as I hate the thought of even more spam coming my way... it makes perfect sense. It'll basically act as a sort of PSA for people that have no idea what they're doing.

      --
      You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
    4. Re:actually, this works fairly well. by gandhi_2 · · Score: 1

      The first step in solving ANY problem is identifying it. So, let me ask you this:

      What percentage of your staff is susceptible to a phishing email?

      You don't know, right? How can you find out? A voluntary questionnaire?

      Unfortunately, a phake phishing scam is the only tool you have to gauge the problem. And, coincidentally, it can help IT get the point across to the staff.

    5. Re:actually, this works fairly well. by squidfood · · Score: 1

      It's the best form of targeted training.

      I agree if it was local and targeted.

      If my IT department did this, and I fell for it, and then someone from IT or even better, my boss, came to me in person and said "you idiot, don't do that", you'd better believe I'd have embarrassment and pay attention.

      But from a law enforcement agency that's as anonymous as the scammer would be? Intrusion aside, it's just one more piece of noise.

    6. Re:actually, this works fairly well. by philspear · · Score: 2, Insightful

      my school district did the same thing, and it works great.

      Really? Sounds ridiculous to me.

      Sounds to ME like there's a testable hypothesis here, which someone should think about testing rather than just saying it SOUNDS ridiculous.

    7. Re:actually, this works fairly well. by Anonymous Coward · · Score: 0

      I don't need management asking me to send out a phish attempt to the staff as a test.

      I don't think the purpose is to figure out what you need. I'll bet you're one big pain in the ass to "those idiots" in management.

    8. Re:actually, this works fairly well. by davidnicol · · Score: 1

      my initial response to the post was, sure it's more spam, but it would be end-user education, and it would be time consuming, it would take some people to run it and maintain it and explain it, and that would not be free. Who would fund it?

      and since gandhi_2 has successfully demonstrated the technique, why not demonstrate it for a larger audience than your school district, in such a way that you can be supported by donations from the customers/victims who have fallen for it? Spinning THAT to not seem like a scam will be a neat trick to see: "If you appreciated being fooled by this message from thephishgroup.net, please support our further operations with a donation..."

    9. Re:actually, this works fairly well. by Anonymous Coward · · Score: 1, Insightful

      The person just told you it worked and you reject it anyway!? It's stubbornness like yours that prevents simple solutions like the one the article proposes from even being considered.

      It's unfortunate how this problem has been labeled "impossible" and now slashdotters spend enormous energy to explain why "No spam solution will ever work.", but it's all BS from the pseudo experts. The fact is that not much has even been tried. It's like the misguided fools who say you can't find every bug in a program. Of course you can, you silly fool. Don't project your failures on the problem itself!

      The simple solution to spam is to require intelligent throttling of all email coming from downstream internet connections. Noncompliance results in blocking. And yes, you could resolve a number of other problems, like zombie DoS bots, with this simple and obvious solution.

      Yes, this would require ISPs to actually show some responsibility and to actually communicate with their peers and customers, but it would work. It's not too hard to find the sources of spam and block it if everyone does their part. But ISPs aren't doing their share because they've built the $9.95 a month business model that does not budget for responsibility. Screw them. They can go bankrupt and maybe internet will cost $11.95 a month but at least somebody will answer the phone.

      The top level ISPs can implement this solution by policy alone and that is all you need because the policy can be required to be applied downstream by contract.

      Of course, stupid people will flail around trying to explain why this won't work. I might even get the "Why your Spam solution won't work" form filled out for me by some loser script kid, but you know, it really isn't funny anymore.

  6. Dumbass idea, man by Eggplant62 · · Score: 5, Insightful

    Sending more spam in the name of eliminating spam is not eliminating spam. It's still creating a mess on people's email servers and personal computers, and storage for much of it adds up, especially at the server level. How about we simply improve our educational system and teach marketing majors a bit more about business ethics and ethical advertising?

    1. Re:Dumbass idea, man by utnapistim · · Score: 1

      That's a good argument, but I think you oversimplify.

      The intention behind it is to stop spam, and the results of responding to these emails will lead to the responders answering less in the future (at least in theory).

      While I agree with the principle that "the same energy that creates a problem cannot be used to solve it", this is not the case here.

      For a similar example, there are vaccines that use a dead/weakened virus to trigger an antiviral response from the body (and you could say that sending more viruses to eliminate viruses will not eliminate viruses).

      --
      Tie two birds together: although they have four wings, they cannot fly. (The blind man)
    2. Re:Dumbass idea, man by Eggplant62 · · Score: 1

      Go back to my original response and read the first sentence again: Sending spam to eliminate spam is not eliminating spam.

      If that's too overly simple for you, I don't know of any other way to get the point across.

    3. Re:Dumbass idea, man by gurps_npc · · Score: 2, Insightful

      This isn't spam. It LOOKS like spam. But just as spam looks like a legitimate message, but isn't, this looks like spam but isn't. It is a message from your BOSS. What you want to do is to force everyone, even those of us smart enough to ignore spam, to take meaningless, boring classes about things we already know. As others said, it is targeted training. It is carefully and SUPERBLY designed so that those that don't need the training are not bothered by it. But those idiots that need it, get the training.

      --
      excitingthingstodo.blogspot.com
    4. Re:Dumbass idea, man by vagabond_gr · · Score: 3, Insightful

      I'm really surprised that phishing and viruses are confused with spam, they are very different things:

      - viruses/phishing: really "dangerous" messages. Opening them might lead to a compromised bank account, PC, etc. In this case fake viruses/phishing emails might help, educating people not to open such emails.

      - SPAM: useless but harmless messages that are merely an annoyance to 99.9% of people. The problem is not opening such emails but the mere fact that you receive them. If someone opens spam then he might be actually interested in the advertised products, which is not bad, the problem is only that the same email is sent to thousands of people who are not. Sending fake spam to educate people not to open spam is just stupid. I don't think spam has anything to do with this article, the word has been just incorrectly used.

    5. Re:Dumbass idea, man by Eggplant62 · · Score: 0, Flamebait

      Email sent to people without them first consenting to the process is spam, plain and simple. I don't care what it looks like.

      SENDING MORE SPAM TO ELIMINATE SPAM IS NOT ELIMINATING SPAM, DUMBASS.

    6. Re:Dumbass idea, man by Eggplant62 · · Score: 1

      I should amend this: If that's what you want to do with your own email servers at your own business, have at you. But if your fakeass offers end up in my inbox, the server I receive them from will be treated like every other one that sends spam -- reported to major blocklisting facilities and added to local blocklists.

    7. Re:Dumbass idea, man by Ajaxamander · · Score: 4, Insightful

      The point isn't to eliminate spam TODAY, the point is to eliminate spam TOMORROW. If people who don't understand that it's a scam are taught that it is a scam, then there will be fewer of them. What better way to improve spam/scam education than to target it to those who need it most? The fewer suckers^Wtargets there are, the less viable spam becomes as a business model.

      I find your complaints (and, frankly, suggestions) myopic. You can teach ethics all you want, but the basics of human nature show time and time again that it's not guaranteed to stick.

    8. Re:Dumbass idea, man by Anonymous Coward · · Score: 0

      Sending more spam in the name of eliminating spam is not eliminating spam

      Amen. And it'd be a waste of our money.

    9. Re:Dumbass idea, man by PitaBred · · Score: 2, Insightful

      Spam is in the eye of the beholder... hell, look at how many marketing emails that people request are subsequently marked as "spam" because they no longer want them, not because they somehow magically turned from "good" to "spam".

      Besides, we're talking about companies sending these fake messages to their own employees, a local, controlled list. If it's your own network, it's not spam. It's an approved, system-wide message. Get off your high horse.

    10. Re:Dumbass idea, man by AndrewNeo · · Score: 1

      All spam will be government spam!

    11. Re:Dumbass idea, man by Mr.+Underbridge · · Score: 2, Insightful

      Go back to my original response and read the first sentence again: Sending spam to eliminate spam is not eliminating spam. If that's too overly simple for you, I don't know of any other way to get the point across.

      That's a great sound bite for an audience with an IQ of about 80, but it doesn't hold up to analytical rigor. If you decrease the spam response rate, you make spamming less lucrative, and you have fewer spammers.

      That's still pretty simple, even for sound-bite based logic such as you seem to prefer.

    12. Re:Dumbass idea, man by Ogive17 · · Score: 1

      Why is it a bad idea? The people who wouldn't click on the link embedded in the email won't even bother reading the message. Those that typically fall for phishing attacks are the ones most likely to click on the link... and maybe they'll learn a lesson.

      I think the "solution" is so simple that it might just actually help. Even if it only educates 1% of the click throughs it has still made an impact. What's the best way to stop phishing? Make it not worth the while.

      --
      "Action without philosophy is a lethal weapon; philosophy without action is worthless."
    13. Re:Dumbass idea, man by Eggplant62 · · Score: 1

      Increasing the amount of spam received on anyone's servers is something that I think most admins will tell you is unacceptable. Even a child of 5 could tell you that 2 + 2 does not equal 0.

    14. Re:Dumbass idea, man by hobbit · · Score: 1

      Nice try at another soundbite, but you've already been called on that. Luckily, most admins have considerably better understanding than you do of the difference between short-term and long-term goals.

      --
      "Wise men talk because they have something to say; fools, because they have to say something" - Plato
    15. Re:Dumbass idea, man by hobbit · · Score: 1

      And while we're at it, I don't have to obey the law of the land because I never signed up to it; I was simply born into it.

      PLEASE STOP SPAMMING THIS DISCUSSION WITH YOUR RIDICULOUSLY SIMPLISTIC THINKING.

      --
      "Wise men talk because they have something to say; fools, because they have to say something" - Plato
    16. Re:Dumbass idea, man by philspear · · Score: 1

      Sending more spam in the name of eliminating spam is not eliminating spam.

      I could see similar arguments made before vaccinations became commonplace: "injecting bits of viruses into people is not eliminating viruses." Of course, they do work. Similarly, vaccinating spam might work.

      While it could increase the burden on servers, if it cuts down on the number of people responding to spam, there will inevitably be fewer spammers and less spam.

      How about we simply improve our educational system and teach marketing majors a bit more about business ethics and ethical advertising?

      I don't think an ethics class and ethics advertising is going to make spamming unprofitable, nor is it going to make people any less greedy.

    17. Re:Dumbass idea, man by Anonymous Coward · · Score: 0

      Yes, you're right, it's still spam. The key difference here is that it's spam being delivered by a government agency, which would be required to follow laws and regulations - like an opt-out list, for example. Savvy internet users would hear about the opt-out list from sites like this one, and never see any additional spam at all. For workplaces and schools, IT administrators could use a simple Perl script to opt-out every address on their network.

      This would keep the fake spam hitting the people who need to see it, while saving us geeks from the extra hassle.

    18. Re:Dumbass idea, man by Explodicle · · Score: 1

      How about we simply improve our educational system and teach marketing majors a bit more about business ethics and ethical advertising?

      I have a few doubts regarding the effectiveness of your proposal.
      1. Improving our education system to teach anyone anything better is not very simple at all. There's usually a lot of disagreement as to what is "better" and how to achieve it.
      2. Few spammers/clients have degrees in marketing.
      3. A large percentage of spammers are from outside the USA, so we cannot change their educational system.
      4. Spammers/clients either know what they're doing is unethical, or no amount of education will override their rationalizations. Their primary motivation is profit.

    19. Re:Dumbass idea, man by e4g4 · · Score: 1

      If it's your own network, it's not spam. It's an approved, system-wide message.

      Amen, and failure to understand this is, I think, why everyone on this thread who thinks this is a terrible idea is holding that opinion. The fact that it's the DoJ that ran this test means there's some presumption that the government would be the entity responsible for this training, which is a) a waste of taxpayer dollars, and b) never going to happen, and an improper use of government authority.

      If, on the other hand, ISPs and email providers take this approach on their own networks, it could definitely work. After all, it is in an ISP's best interest to reduce the overall profitability of its network as a target. And, since it is an ISP's resources that are being wasted by spam targeting its network, it is certainly in its best interest to take a proactive approach to prevent spam.

      --
      The secret to creativity is knowing how to hide your sources. - Albert Einstein
    20. Re:Dumbass idea, man by Zerth · · Score: 1

      Even a child of 5 could tell you that 2 + 2 does not equal 0.

      Well, for sufficiently small values of 2...

    21. Re:Dumbass idea, man by Mr.+Underbridge · · Score: 1

      Increasing the amount of spam received on anyone's servers is something that I think most admins will tell you is unacceptable. Even a child of 5 could tell you that 2 + 2 does not equal 0.

      Pathetically superficial response and a red herring to boot.

      I'm pretty sure most admins would beg you to do it if it works. If I can decrease future spam by 30% with a 1% increase in traffic due to fake spam today, that's a win.

      Even a child of 2 can tell you that 30 is greater than 1.

    22. Re:Dumbass idea, man by Ironica · · Score: 1

      Ok, as clueless as most of your posts on this topic have been, this raises a good point: if the government engaged in a wholesale effort to send fake spam to identify and educate the people who respond to real spam, we *also* dilute the current system of reducing the impact of spam, because blacklisting government domains could be a problem. How would one (besides Eggplant62) address that issue?

      --
      Don't you wish your girlfriend was a geek like me?
    23. Re:Dumbass idea, man by Anonymous Coward · · Score: 0

      ... look at how many marketing emails that people request are subsequently marked as "spam" because they no longer want them, not because they somehow magically turned from "good" to "spam".

      The vast, vast bulk of those marketing emails - or 100% in my instance - are spam, as they are never requested. I've lost count of the number of companies that re-add my address to their spam list, or spam even when the checkbox was unmarked, or spam even though their privacy policy says they won't (or share the data despite saying they won't).

      Go after the corporations that spam. They can't hide, and they would be easy to stop if anyone could claim $500 for each spam they send with explicit, verified (e.g., signature) permission.

    24. Re:Dumbass idea, man by Jeremi · · Score: 1

      Email sent to people without them first consenting to the process is spam, plain and simple. I don't care what it looks like.

      I'm pretty sure that when you agree to work for a company, implicit in that agreement is that you give the company permission to send you email.

      SENDING MORE SPAM TO ELIMINATE SPAM IS NOT ELIMINATING SPAM, DUMBASS.

      Yep, that really drove your point home. You sound like a very grown up person.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
  7. Awful by mtrachtenberg · · Score: 3, Insightful

    This idea is awful for the same reasons that I don't want the local police department entering my home to show me how easy it is to pick my locks.

    The idea smells of John Ashcroft appointees.

  8. Been there done that. by Lumpy · · Score: 5, Interesting

    I did that back in 2001 to the sales force at Comcast. We in the IT department formed and sent an email with an exe file payload. When run, it reported back to us who opened it and pooped up a message on their screen that said, "IF I WAS A REAL VIRUS ALL YOUR FILES WOULD BE DELETED"

    We sent it from outside the company with a yahoo.com address.

    85% opened and ran the attachment. We used this as a part of our IT education to our users. After the classes that month we repeated it 45 days later.

    We had a 90% opening rate this time. You really cannot teach the users. Most people who are not IT professionals don't care. If they hose their own computer they don't have to fix it, you do.

    The only effective thing would be to actually delete all the users files and never give them back. Humans only really learn from cause and effect. Simulations rarely teach them.

    --
    Do not look at laser with remaining good eye.
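Added example (not Lumpy's 2001 tool, and not part of the original post): the same "who opened it" measurement done without putting a real executable in the mail. Each recipient gets a unique link whose token is an HMAC tag over the campaign name and the recipient id, the collector verifies the tag before crediting a click, and the rate is computed over distinct recipients so repeat clicks do not inflate it. The campaign secret, the recipient list and the collector URL below are constructed for the example.

```python
"""Per-recipient tracking links for an internal phishing simulation (added example)."""
import base64
import binascii
import hashlib
import hmac

TAG_LEN = 16  # truncated HMAC-SHA256 tag (128 bits) appended to the recipient id


def make_token(secret: bytes, campaign: str, recipient: str) -> str:
    """Build an opaque token: recipient id followed by an HMAC tag.

    The tag also covers the campaign name, so a token from an earlier run is
    not accepted in this one, and a user cannot edit the URL to make the
    click look like a colleague's."""
    msg = f"{campaign}|{recipient}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(recipient.encode() + tag).decode().rstrip("=")


def parse_token(secret: bytes, campaign: str, token: str):
    """Return the recipient id if the token is authentic for this campaign, else None."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (binascii.Error, ValueError):
        return None
    if len(raw) <= TAG_LEN:
        return None
    try:
        recipient = raw[:-TAG_LEN].decode()
    except UnicodeDecodeError:
        return None
    msg = f"{campaign}|{recipient}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(raw[-TAG_LEN:], expected):
        return None
    return recipient


class Campaign:
    """One simulation run: issues per-recipient links and credits verified hits."""

    def __init__(self, secret: bytes, name: str, recipients, base_url: str):
        self.secret = secret
        self.name = name
        self.recipients = list(recipients)
        self.base_url = base_url
        self.opened = set()

    def links(self) -> dict:
        """Map recipient -> the unique URL to put in that recipient's mail."""
        return {r: f"{self.base_url}?t={make_token(self.secret, self.name, r)}"
                for r in self.recipients}

    def record_hit(self, token: str):
        """Credit a click if its token verifies; a second click by the same person counts once."""
        recipient = parse_token(self.secret, self.name, token)
        if recipient is None or recipient not in self.recipients:
            return None
        self.opened.add(recipient)
        return recipient

    def open_rate(self) -> float:
        return len(self.opened) / len(self.recipients)


# Constructed data for the example: the secret, recipient list and collector URL are made up.
SECRET = b"constructed-campaign-secret"
RECIPIENTS = [f"sales{i:02d}" for i in range(20)]
COLLECTOR = "https://awareness.example.internal/open"


def demo() -> float:
    """Simulate 17 of 20 recipients clicking (some twice) and return the open rate."""
    run = Campaign(SECRET, "2001-06", RECIPIENTS, COLLECTOR)
    links = run.links()
    for r in RECIPIENTS[:17]:
        token = links[r].split("?t=", 1)[1]
        run.record_hit(token)
        run.record_hit(token)  # repeat click by the same person: still one hit
    return run.open_rate()
```

The point of the tag is attribution you can trust: a forwarded or edited link either verifies to its real recipient or to nobody, and a link from an old campaign is rejected by the new one, so the numbers you report to management are about who actually clicked.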
    1. Re:Been there done that. by u38cg · · Score: 4, Interesting

      There was also that university that sent all their students an email to warn them about phishing. Included in the email was a typical phishing text, along with comments on style and grammar. I think the guy that sent it out got something like forty or fifty usernames and passwords back.

      --
      [FUCK BETA]
    2. Re:Been there done that. by Hatta · · Score: 2, Funny

      The only effective thing would be to actually delete all the users files and never give them back. Humans only really learn from cause and effect. Simulations rarely teach them.

      Fire them all after the 2nd time. The survivors would warn the new hires.

      --
      Give me Classic Slashdot or give me death!
    3. Re:Been there done that. by Anonymous Coward · · Score: 0

      Arrange with management to get a reasonable contract change in: Opening these leads to docked pay - enough docked pay to hurt. After the first couple of thousand, they're likely to learn.

    4. Re:Been there done that. by y5 · · Score: 1

      Dwight Schrute? Is that you?

    5. Re:Been there done that. by Covert+Penguin · · Score: 0

      Most people who are not IT professionals don't care. If they hose their own computer they don't have to fix it, you do.

      +1, Proving that this requires a technical solution, as opposed to some new method of training users.

    6. Re:Been there done that. by JCSoRocks · · Score: 1

      Now there's a man that knows how to consolidate power.

      --
      You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
    7. Re:Been there done that. by LihTox · · Score: 1

      Or, since docking pay sounds hard to arrange, try public shaming. "The following morons got pwned this week." Put it in the break room at first, threaten to post it in the lobby next time.

    8. Re:Been there done that. by AlexBirch · · Score: 1

      Why not have some consequences?
      1) They AND their supervisors have to attend the class together;
      2) They have to pay x dollars for jeopardizing the confidential business data;
      ...
      ...
      Other than getting paid and not having to work while texting their friends at a class.

    9. Re:Been there done that. by nsheppar · · Score: 1

      and pooped up a message on their screen

      Really? What is the system call for that? Is it in the Win32 API?

      --
      Correctness matters. Mercy matters more.
    10. Re:Been there done that. by Anonymous Coward · · Score: 0

      when run, it reported back to us who opened it and pooped up a message on their screen

      That'll teach them to click on random shit.

    11. Re:Been there done that. by Anonymous Coward · · Score: 0, Redundant

      I think this approach could actually have a major impact when it comes to tax collection.

      How this would work:

      1. Government sends phishing/nigerian e-mail en masse

      2. People reply with their banking details

      3. Government passed Go, collects $200 from the user, then sends an e-mail to thank them for being great tax payers.

      End result: People will start being more careful, because we all know that the government is evil. As collateral victims, we'll have the actual phishers and con artists. They'll probably go out into the streets too, to protest about the unfairness of this system :)

    12. Re:Been there done that. by Lumpy · · Score: 2, Interesting

      Actually that DOES work. We had a problem with users surfing to inappropriate sites.

      I wrote a few Linux scripts that displayed on the big 42" plasma in the office the images that were being surfed and the user-name attached to it, which I sniffed out of the IP traffic. Correlating the user-name to the IP of the machine requesting the image was actually easy.

      It was only up for 1 week. Office websurfing went down 95%.

      --
      Do not look at laser with remaining good eye.
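Added example (not Lumpy's scripts, and not part of the original post) of the correlation step he describes: joining an authentication log (who holds which IP, and when) against a proxy log (which IP fetched which image) so each image request is attributed to the user who held the address at that moment. The log formats and all the log lines below are constructed for the example; the one thing a sniffed capture does not tell you by itself is that addresses get reused, so the join is done by time, and a request made while the address has no logged-in user is reported as unattributed rather than pinned on the previous holder.

```python
"""Attribute proxied image requests to users by joining an auth log with a proxy log (added example)."""
import bisect
from datetime import datetime

# Constructed sample logs; the line formats are made up for this example:
#   auth log:  <iso-time> login|logout user=<name> ip=<addr>
#   proxy log: <iso-time> <client-ip> <method> <url> <content-type>
AUTH_LOG = """\
2001-06-04T08:00:12 login user=alice ip=10.0.0.17
2001-06-04T08:05:40 login user=bob ip=10.0.0.23
2001-06-04T12:30:00 logout user=alice ip=10.0.0.17
2001-06-04T12:45:10 login user=carol ip=10.0.0.17
"""

PROXY_LOG = """\
2001-06-04T09:15:02 10.0.0.17 GET http://example.test/pics/beach.jpg image/jpeg
2001-06-04T09:16:30 10.0.0.23 GET http://example.test/index.html text/html
2001-06-04T11:02:11 10.0.0.23 GET http://example.test/cat.gif image/gif
2001-06-04T12:50:00 10.0.0.17 GET http://example.test/pics/other.png image/png
2001-06-04T12:35:00 10.0.0.17 GET http://example.test/orphan.png image/png
"""


def parse_auth(text: str) -> dict:
    """ip -> time-sorted list of (time, holder); holder is None once the address is released."""
    sessions = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        when, action, user_kv, ip_kv = line.split()
        user = user_kv.split("=", 1)[1]
        ip = ip_kv.split("=", 1)[1]
        holder = user if action == "login" else None
        sessions.setdefault(ip, []).append((datetime.fromisoformat(when), holder))
    for events in sessions.values():
        events.sort(key=lambda e: e[0])
    return sessions


def user_at(sessions: dict, ip: str, when: datetime):
    """Who held `ip` at `when`: the latest auth event at or before that time, or None."""
    events = sessions.get(ip, [])
    times = [t for t, _ in events]
    i = bisect.bisect_right(times, when)
    return events[i - 1][1] if i else None


def attribute_images(auth_log: str, proxy_log: str) -> list:
    """[(user or None, url)] for every image fetch in the proxy log, in time order."""
    sessions = parse_auth(auth_log)
    fetches = []
    for line in proxy_log.splitlines():
        if not line.strip():
            continue
        when, ip, _method, url, ctype = line.split()
        if not ctype.startswith("image/"):
            continue  # only images went on the plasma
        fetches.append((datetime.fromisoformat(when), ip, url))
    fetches.sort()
    return [(user_at(sessions, ip, when), url) for when, ip, url in fetches]
```

Run on the constructed logs, `attribute_images` credits beach.jpg to alice and cat.gif to bob, credits other.png to carol (who took over 10.0.0.17 after alice logged out), and leaves orphan.png unattributed because nobody was logged in on that address at 12:35. That last case is the one that gets an innocent person named on the big screen if you join on IP alone.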
    13. Re:Been there done that. by Gnavpot · · Score: 2, Interesting

      85% opened and ran the attachment. We used this as a part of our IT education to our users.

      After the classes that month we repeated it 45 days later. We had a 90% opening rate this time.

      You really cannot teach the users.

      Yes you can. You taught one third of the remaining 15% that these messages are harmless service bulletins from the IT department - not the dangerous mails they originally thought.

    14. Re:Been there done that. by Ironica · · Score: 1

      Well, given that several other folks have posted that they've done similar things and had good results, I'm wondering about the curriculum of your class... maybe that's the weak link.

      --
      Don't you wish your girlfriend was a geek like me?
    15. Re:Been there done that. by Amazing+Quantum+Man · · Score: 1

      Shitty OS, shitty results.

      --
      Fascism starts when the efficiency of the government becomes more important than the rights of the people.
    16. Re:Been there done that. by Jay+L · · Score: 1

      Fascinating... so "teaching" doesn't work, but shaming does.

      That's disappointing, though, since presumably more sites would be amenable to teaching than shaming.

      I had proposed just such a phishing lesson for AOL customers back in the day, but of course marketing didn't like the idea of telling users "Don't trust us". And without any data, I couldn't particularly argue to the contrary.

      Pretty sure they wouldn't have gone for the shaming either. Ah well.

    17. Re:Been there done that. by Arancaytar · · Score: 1

      to actually delete all the users files and never give them back.

      If you are actually in charge of IT at the place, you might look into a hardware solution. A mechanism involving a boxing glove installed on each computer, perhaps. :)

  9. Your post advocates a.... by mindstorms · · Score: 5, Funny

    Your post advocates a

    (x) technical ( ) legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    ( ) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    (x) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    ( ) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    ( ) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    (x) Asshats
    (x) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( ) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    (x) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    ( ) Dishonesty on the part of spammers themselves
    ( ) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    (x) Ideas similar to yours are easy to come up with, yet none have ever
    been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    ( ) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    (x) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    (x) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your
    house down!

    --
    Fighting ignorance with ignorance.
    1. Re:Your post advocates a.... by Lumpy · · Score: 1

      Exactly.

      Which is why we blocked ALL attachments on emails except for zip files, and as far as I know that limit is still in place.

      The users whined for 3 months. Then they got over it.

      Worked great. The only way to get a user to stop doing things is to slap their hands. They refused to be smart about opening attachments, so we took away attachments.

      Last I knew they were sending out a group policy that disabled script execution in Office as well; I no longer have anyone on the inside since the last 2 rounds of layoffs have gutted their IT hard.

      --
      Do not look at laser with remaining good eye.
    2. Re:Your post advocates a.... by jeffasselin · · Score: 1

      And then spammers started putting their viruses and malware in zip files.

      And then you had to start over again.

      --
      If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
    3. Re:Your post advocates a.... by Geoffrey.landis · · Score: 1

      I like your checklist. Lots of really good points there.

      I'm just not quite sure that I agree with this one, however:

      ( ) Sending email should be free

      First, philosophically, I'm not sure I agree with any statement that anything "should" be free. What does "should" mean here? I can list ten thousand things that "should" be free, and if I had my choice, food, shelter, medical care, and beer (free, as in beer) all "should" be free. I'd call all of these higher priority than listing which internet services "should" be free.

      Second, why should sending email be free? Sending email has a cost. Why "should" the cost be paid by somebody else?

      --
      http://www.geoffreylandis.com
    4. Re:Your post advocates a.... by jgtg32a · · Score: 1

      TAR

    5. Re:Your post advocates a.... by dkleinsc · · Score: 1

      You do realize that's not written by mindstorms, and is just a standard form to be used in all discussions of how to solve spam, right? You can find it at http://craphound.com/spamsolutions.txt.

      It came about because there are so many "this is how to solve spam" posts with the same set of flaws, so this simply radically sped up the process of demonstrating why the plan wouldn't work.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    6. Re:Your post advocates a.... by _Sprocket_ · · Score: 1

      And for some reason, people find it funny every single time it gets posted. I suppose memes don't survive if someone doesn't find it new.

    7. Re:Your post advocates a.... by Lumpy · · Score: 1

      There is a slight advantage. When you open the Zip file the contents are scanned by the corporate virus scanner before the user can click on it. This neuters many of the viruses that have the ability to usurp the virus scanner before they can be stopped.

      --
      Do not look at laser with remaining good eye.
    8. Re:Your post advocates a.... by pohl · · Score: 1

      I like how you think. Let's replace HTTP with a protocol that generates microrevenue per hit too!

      --
      The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

    9. Re:Your post advocates a.... by hobbit · · Score: 1

      Good thing you don't do security at airports, otherwise anyone who puts their bag inside another bag would get waved straight through...

      --
      "Wise men talk because they have something to say; fools, because they have to say something" - Plato
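Added example, not code from any of the posters above: a gateway-side check that does what Lumpy's "zip files only" rule needs in order to survive jeffasselin's objection (malware simply moves inside the zip) and hobbit's bag-inside-a-bag point (zips inside zips). It opens the archive, flags executable members by extension and by the PE `MZ` header regardless of extension, recurses into nested archives up to a fixed depth, refuses encrypted members because a scanner cannot look inside them, and applies crude member-count and declared-size limits. The sample archives are constructed in memory; the extension list and limits are this example's own choices, not a policy from the thread. The stdlib cannot write password-protected zips, so the "encrypted" sample is made by setting the encryption flag bit on the central directory entry, which is the bit the inspector looks at.

```python
"""Inspect a zip attachment before letting it through (added example)."""
import io
import os
import zipfile

BLOCKED_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse",
               ".wsf", ".hta", ".msi", ".dll", ".cpl"}   # example policy, not the thread's
MAX_DEPTH = 3                        # zips inside zips inside zips: stop recursing here
MAX_MEMBERS = 1000
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # declared uncompressed total; crude zip-bomb guard


def inspect_zip(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return the reasons to reject this archive; an empty list means nothing was found."""
    label = prefix or "attachment"
    if depth > MAX_DEPTH:
        return [f"{label}: nested deeper than {MAX_DEPTH} levels"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{label}: not a valid zip"]
    reasons = []
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            return [f"{label}: {len(infos)} members exceeds {MAX_MEMBERS}"]
        if sum(i.file_size for i in infos) > MAX_TOTAL_BYTES:
            return [f"{label}: declared size exceeds {MAX_TOTAL_BYTES} bytes"]
        for info in infos:
            if info.is_dir():
                continue
            name = f"{prefix}/{info.filename}" if prefix else info.filename
            parts = info.filename.replace("\\", "/").split("/")
            if info.filename.startswith(("/", "\\")) or ".." in parts:
                reasons.append(f"{name}: path traversal in member name")
                continue
            if info.flag_bits & 0x1:
                # Encrypted member: nothing can scan it, so it is unscannable, not clean.
                reasons.append(f"{name}: encrypted member cannot be scanned")
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            exec_ext = ext in BLOCKED_EXT
            if exec_ext:
                reasons.append(f"{name}: executable member ({ext})")
            with zf.open(info) as fh:
                head = fh.read(4)
            if head.startswith(b"MZ") and not exec_ext:
                reasons.append(f"{name}: PE (MZ) header inside {ext or 'extensionless'} file")
            if head.startswith(b"PK\x03\x04") or ext == ".zip":
                reasons.extend(inspect_zip(zf.read(info), depth + 1, name))
    return reasons


def build_zip(members: dict) -> bytes:
    """Constructed sample archive from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_encrypted_looking_zip(name: str, content: bytes) -> bytes:
    """Sample with the encryption flag bit set in its central directory entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
        zf.getinfo(name).flag_bits |= 0x1
    return buf.getvalue()


PE_STUB = b"MZ\x90\x00" + b"\x00" * 60   # only the DOS header magic, not a real program

CLEAN_ZIP = build_zip({"report.txt": b"quarterly numbers"})
EXE_ZIP = build_zip({"invoice.pdf.exe": PE_STUB})
RENAMED_ZIP = build_zip({"photo.jpg": PE_STUB})
NESTED_ZIP = build_zip({"docs.zip": build_zip({"setup.exe": PE_STUB})})
ENCRYPTED_ZIP = build_encrypted_looking_zip("stuff.dat", b"cannot be seen")
```

On the constructed samples, `inspect_zip` passes the text-only archive, names the `.exe` member, catches the `MZ` file renamed to `.jpg`, reports `docs.zip/setup.exe` from inside the nested archive, and rejects the encrypted member outright. That last choice is the one Lumpy's scanner-on-open argument depends on: content the scanner cannot see has to be treated as not scanned, not as clean.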
    10. Re:Your post advocates a.... by Curien · · Score: 1

      Sending email has a cost. Why "should" the cost be paid by somebody else?

      I believe he means simply that sending e-mail should not have additional costs above normal network use.

      --
      It's always a long day... 86400 doesn't fit into a short.
    11. Re:Your post advocates a.... by Hillgiant · · Score: 1

      New-ness is not required for humor. While not as good as it was back in the late 90's, I still get a chuckle out of these.

      --
      -
    12. Re:Your post advocates a.... by _Sprocket_ · · Score: 1

      I chuckled the first time. However, I find that it's the sort of joke that gets stale. Maybe it's got to do with dealing with the problem and these forms being more annoyance than help.

  10. Perhaps by lord_sarpedon · · Score: 2, Funny

    Perhaps they could hire some kind of outside contractor - with an extensive botnet and lots of spam-sending experience - at some ridiculous fee! I'm sure with significant compensation, these professionals could be convinced to spam the DoJ.

    In all seriousness, all this will do is make a certain few people very very sad inside when they see just how easy it is to fool the common deskmonkey, and just how much info you can get. At best, some of those certain few people will become motivated to make it their profession...

    --
    "Strangers have the best candy" -Me
    1. Re:Perhaps by Hanners1979 · · Score: 1

      Perhaps they could hire some kind of outside contractor - with an extensive botnet and lots of spam-sending experience - at some ridiculous fee!

      I hear MediaSentry aren't very busy at the moment...

  11. I do respond to some by camcorder · · Score: 1

    From my garbage Gmail account with swearing and flame. Yes, I do have some free time to waste, as obvious.

  12. So how does that help? by captainpanic · · Score: 1

    I guess it's better to receive one spam than the other? Like it's better to have political advertisement than laundry detergent advertisement?

    Spam = spam
    If you start fighting spam with spam, you become part of the problem.

    1. Re:So how does that help? by Anonymous Coward · · Score: 0

      I guess it's better to receive one spam than the other? Like it's better to have political advertisement than laundry detergent advertisement?

      Spam = spam
      If you start fighting spam with spam, you become part of the problem.

      PHAIL!!!

      The idea is to educate the user what spam is and not to respond and buy stuff. If people stop buying stupid pen0r enlargement kits, spammers would stop sending their "offers".

  13. Two wrongs don't make a right by pinkushun · · Score: 1

    Even fake spam will circulate and congest the tubes, not? It's like punishing someone for being naive. Rather educate than catch, it goes a lot further.

  14. Phishing side-effect by paulthomas · · Score: 5, Insightful

    Let me get this straight -- we should suggest to people who are highly credulous that there is the possibility that they might receive legitimate email from "suitably important-looking government address"?

    That will never cause bigger, more successful phishing scams.

    1. Re:Phishing side-effect by Anonymous Coward · · Score: 0

      Perhaps the traditional postal system could be used. Maybe even have an internet enforcement officer drop around to their house.

  15. Antivirus virus! by nomorecwrd · · Score: 1

    Then, how about a government funded antivirus, to be distributed and replicated as a virus? Everybody will then be protected.
    It's relatively cheap to do and will save millions in loss due to malicious viruses.
    Talking about fighting fire with fire.

  16. not a tech problem - it's a PEOPLE problem by petes_PoV · · Score: 3, Insightful
    > It is a technological problem,

    No.

    Spam persists because a tiny (absolutely, infinitesimally small) proportion of the recipients actually respond to it. Whether that's due to stupidity, greed (oooh - I might get something for nothing), boredom, accident or simply curiosity (hmm, I've never replied to SPAM before, I wonder what happens).

    The costs of sending it are so low, that it is still worthwhile, providing there's one idiot in a million who takes the bait.

    How do you cure this people problem? I don't know. Even if you spend your whole life telling children not to put dirt in their mouths, some still will. You'll never get rid of spam until all the dirt-eaters and spam-responders get a dose of common sense, and that'll never happen.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    1. Re:not a tech problem - it's a PEOPLE problem by Kral_Blbec · · Score: 1

      Just to be a bit of a devil's advocate, eating dirt in childhood helps develop the immune system and can prevent allergies later in life.

    2. Re:not a tech problem - it's a PEOPLE problem by IBBoard · · Score: 1

      How do you cure this people problem?

      Send a hit-squad round to the house of everyone found responding to spam? Nuke the earth from orbit, thereby removing both the spam emails (fry the drives) and the recipients/clickers (fry the people)? I'm sure there are ways ;)

    3. Re:not a tech problem - it's a PEOPLE problem by Chyeld · · Score: 2, Insightful

      Disease is a biological problem. You can't eliminate disease from the world using a purely technological approach.

      However, if you have an internet connection to post to /., then chances are good that you and I both have living conditions that are far, far more livable and comfortable thanks to the fact that people did use technology when it was possible to prevent what could be prevented and alleviate what couldn't.

      You and I get the flu, pneumonia, or even TB, we are likely to live through it. That wasn't the case in 1809 or even 1909.

      Spam is not a purely technological problem, you are right about that. But it's also not completely divorced from technology, and there are plenty of things out there that could be done that would cut down on the volume and the 'sting' of spam. Someday, I hope we implement them.

    4. Re:not a tech problem - it's a PEOPLE problem by hummassa · · Score: 1

      Send the "melt your brain" e-mail seen in Fringe last week to the people that respond to the spam?

      --
      It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    5. Re:not a tech problem - it's a PEOPLE problem by geobeck · · Score: 1

      How do you cure this people problem?

      Get rid of the people. Seriously, that's the only way to cure a people problem. We're stuck with spam, phishing, Nigerian scams, forward-forever scams, and everything else that comes from stupid, gullible net-o-phytes.

      You could reduce it by improving the quality of computer-related education in elementary and middle school, but there's no hope for the truly technologically inept.

      --
      Find environmentally and socially responsible products on http://buy-right.net
    6. Re:not a tech problem - it's a PEOPLE problem by AlXtreme · · Score: 2, Funny

      You'll never get rid of spam until all the dirt-eaters and spam-responders get a dose of common sense, and that'll never happen.

      Two birds, one stone: force all the spam-responders to eat dirt!

      It might not solve the spam problem, but at least we could get a laugh out of it. Hell, you could make a TV show out of it.

      Oh wait, a metaphor? Never mind...

      --
      This sig is intentionally left blank
    7. Re:not a tech problem - it's a PEOPLE problem by Ironica · · Score: 1

      Someone mod this post up! Very true. The problem with spam is that there's so darned *much* of it. A little spam wouldn't be that big a problem for anyone; you just delete the one or two spam emails you get every week. It's the unmitigated onslaught that makes spam a serious problem.

      --
      Don't you wish your girlfriend was a geek like me?
  17. I'm with ya brother by zappepcs · · Score: 1

    The last damn thing I want is to click a link out of curiosity and within five minutes be standing there having to listen to the IT guy say "here's your sign" or end up in the HR office explaining my seeming poor hand-eye coordination because I accidentally clicked on a link in an email from the fscking HR department. Don't these people have enough work to do?

    1. Re:I'm with ya brother by hobbit · · Score: 1

      The last damn thing I want is to click a link out of curiosity and within five minutes be standing there having to listen to the IT guy say "here's your sign" or end up in the HR office explaining my seeming poor hand-eye coordination because I accidentally clicked on a link in an email from the fscking HR department. Don't these people have enough work to do?

      Your "curiosity" is another guy's security problem. If your HR department is sending out spam, you've got another, different, problem.

      --
      "Wise men talk because they have something to say; fools, because they have to say something" - Plato
    2. Re:I'm with ya brother by zappepcs · · Score: 1

      My post was sarcasm, often another guy's trash. In reality the HR here likes to send out emails to "TheEntireFuckingCompanyIncludingContractors" group list with a 1.2MB Powerpoint presentation containing dramatically important information that could have been presented with.. oh, about 400 bytes of text, including the signature: a piece of work in and of itself.

      Soon, the IT department is going to have to re-organize company file systems because they are running out of room. I wonder why?

      Imagine an HTML email with a background image that is tagged with a link to a porn site? oooops!

    3. Re:I'm with ya brother by hobbit · · Score: 1

      Um, what does your HR department's propensity to send out Powerpoint presentations have to do with the discussion at hand?

      --
      "Wise men talk because they have something to say; fools, because they have to say something" - Plato
  18. ... the dumb ones are usually the bosses by petes_PoV · · Score: 1
    So what happens when the CEO falls foul of the faux-spam campaign?

    My guess is that it'll be pulled faster than the pay-rise of the person who made him/her look an idiot by instigating it, in the first place.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  19. Will not solve it but it could help by slackoon · · Score: 0

    I would say that a harsher approach is needed. I like the idea but I say a two or three strikes and you're out method would be more effective. In other words, if they respond to one fake spam ... one strike... another... two strikes, and if they respond to a third... SEND THEM PACKING!!

  20. Man, this is messing with my head. by Shackleford+Hurtmore · · Score: 1

    Cool - that could mean that spammers would start writing botnets that would also block government spam from landing on the computer, in case the user gets educated and figures out how to secure their computer. I can imagine a new spam race where the government has to write ever more clever spam to get round the malware's rulebase!

  21. phishing vs. spam by SirGarlon · · Score: 1

    Since I never open spam, I don't know how many messages connect to sites that really sell the advertised products, and how many only seem to sell as ruse to get people's credit card numbers. I would presume the latter far outnumber the former. Given that the only way to tell phishing from spam according to your definition is to try to buy something, it seems to me you're making the distinction overly fine.

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
  22. Self identification might help zombies by goombah99 · · Score: 4, Interesting

    The "good" spam is sort of like a public education campaign about STDs. It's part of a well rounded solution in raising public awareness. Yours may not need raising but you will benefit if the awareness of others is raised, so put up with it.

    Now then there's the post infection detection problem. We could take a similar approach of turning a bad thing to our advantage. Presumably these Zombie bots try to hit a series of predefined URLS to announce their availability. Once some of those are known, why not seize them and use them to get infected computers to self-identify, then notify the owners or, if unresponsive, their ISPs?

    That would not cure all infection. But there is a well known principle in medical virus infection called the R-factor and that is the minimum number of infections needed in a population before the disease becomes self sustaining or growing in infections. We don't have to eliminate all zombies before we reach a point where the infection rate is highly damped.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Self identification might help zombies by Skrapion · · Score: 3, Funny

      The "good" spam is sort of like a public education campaign about STDs.

      Ooh, terrible metaphor. By that logic, this "good" spam would be like the government having unprotected sex with people to identify who needs to be educated about proper condom use.

      --
      The details are trivial and useless; The reasons, as always, purely human ones.
    2. Re:Self identification might help zombies by oldspewey · · Score: 4, Funny

      Now that's what I call a stimulus package!

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    3. Re:Self identification might help zombies by Anonymous Coward · · Score: 0

      The "good" spam is sort of like a public education campaign about STDs.

      Flawed analogy. It's more like a federal agent going around barebacking and leaving a message like "You're lucky I'm not HIV+, next time wear a condom". OK, it's nicer than "Welcome to the club", but do you think they should do that?

    4. Re:Self identification might help zombies by Ironica · · Score: 1

      If they charge, it'd be one way to raise revenue without raising taxes.

      --
      Don't you wish your girlfriend was a geek like me?
    5. Re:Self identification might help zombies by Anonymous Coward · · Score: 0

      Presumably these Zombie bots try to hit a series of predefined URLS to announce their availability.

      Relatively simple bots access a few URLs or an IRC channel, but many are more sophisticated than that these days, unfortunately. One strategy is to have a complex URL generator that deterministically spews out a couple of hundred http://fri4eie943kejkz.com garbage addresses per day, the botnet herder need only register one of them to deliver updates etc. Of course the algorithm can be reversed by sufficiently good analysts, so the next level up is for the botnet to form its own p2p network. Some of these are advanced, fully distributed systems employing encryption, automatic command and control failover (no central point of failure), "fast flux" DNS to present a constantly moving target etc. They are basically impossible to shut down, even if the legal will to do so across borders existed.

    6. Re:Self identification might help zombies by goombah99 · · Score: 2, Interesting

      Presumably these Zombie bots try to hit a series of predefined URLS to announce their availability.

      Relatively simple bots access a few URLs or an IRC channel, but many are more sophisticated than that these days, unfortunately. One strategy is to have a complex URL generator that deterministically spews out a couple of hundred http://fri4eie943kejkz.com/ garbage addresses per day, the botnet herder need only register one of them to deliver updates etc. Of course the algorithm can be reversed by sufficiently good analysts, so the next level up is for the botnet to form its own p2p network. Some of these are advanced, fully distributed systems employing encryption, automatic command and control failover (no central point of failure), "fast flux" DNS to present a constantly moving target etc. They are basically impossible to shut down, even if the legal will to do so across borders existed.

      Exactly. So if you have a bot in captivity you see what addresses of the day it is going to.

      Any computer that visits one of these gets flagged as infected.

      No uninfected computer would visit any of them let alone all of them.

      You could even push this up a level and simply look for large numbers of DNS requests by different computers for the same invalid addresses. One could imagine that a mispublished URL could get a lot of legitimate computers making a bogus DNS request, but if unrelated computers make the same 100 requests it seems pretty clear you could flag this.

      --
      Some drink at the fountain of knowledge. Others just gargle.
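The detection idea in the post above (flag hosts that resolve the same batch of non-existent names that no uninfected machine would ever ask for, while tolerating the odd mispublished URL that several legitimate hosts mistype) can be written as a small resolver-log analysis. The following is an added example, not code from the original thread; the log format and the domain names other than the one quoted in the thread are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed resolver log (not real data). Fields: timestamp, client, qname, rcode.
# 10.0.0.5 and 10.0.0.7 query the same batch of algorithmically generated names;
# 10.0.0.9 only shares one mistyped name (wwwexample.com) with 10.0.0.5.
SAMPLE_LOG = """\
2009-02-10T08:00:01 10.0.0.5 fri4eie943kejkz.com NXDOMAIN
2009-02-10T08:00:02 10.0.0.5 q8zm2lpw0c.net NXDOMAIN
2009-02-10T08:00:03 10.0.0.5 x7jd3vhe2q.org NXDOMAIN
2009-02-10T08:00:04 10.0.0.5 kp0n5r1ysb.com NXDOMAIN
2009-02-10T08:00:05 10.0.0.5 wwwexample.com NXDOMAIN
2009-02-10T08:00:06 10.0.0.5 slashdot.org NOERROR
2009-02-10T08:01:01 10.0.0.7 fri4eie943kejkz.com NXDOMAIN
2009-02-10T08:01:02 10.0.0.7 q8zm2lpw0c.net NXDOMAIN
2009-02-10T08:01:03 10.0.0.7 x7jd3vhe2q.org NXDOMAIN
2009-02-10T08:01:04 10.0.0.7 google.com NOERROR
2009-02-10T08:02:01 10.0.0.9 wwwexample.com NXDOMAIN
2009-02-10T08:02:02 10.0.0.9 slashdot.org NOERROR
2009-02-10T08:02:03 10.0.0.9 example.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse the assumed four-field log format into (ts, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash on them
        ts, client, qname, rcode = m.groups()
        records.append((ts, client, qname.lower().rstrip("."), rcode))
    return records


def shared_nxdomains(records, min_clients=2):
    """Names that returned NXDOMAIN for at least min_clients distinct clients.

    A name only one host asked for (kp0n5r1ysb.com here) is ignored: a single
    typo is not evidence of anything.
    """
    clients_by_name = defaultdict(set)
    for _, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            clients_by_name[qname].add(client)
    return {name for name, cs in clients_by_name.items() if len(cs) >= min_clients}


def flag_clients(records, min_clients=2, min_shared=3):
    """Clients that queried at least min_shared of the shared non-existent names.

    Requiring several shared names is what separates a bot walking a daily
    name list from a user who mistyped one URL that many others also mistyped.
    """
    shared = shared_nxdomains(records, min_clients)
    hits = defaultdict(set)
    for _, client, qname, rcode in records:
        if rcode == "NXDOMAIN" and qname in shared:
            hits[client].add(qname)
    return {c: sorted(names) for c, names in hits.items() if len(names) >= min_shared}


if __name__ == "__main__":
    for client, names in sorted(flag_clients(parse_log(SAMPLE_LOG)).items()):
        print(f"{client}: {len(names)} shared NXDOMAIN names -> {names}")
```

With the constructed log, 10.0.0.5 and 10.0.0.7 are flagged while 10.0.0.9 is not, because its one shared failure falls below `min_shared`. Both thresholds are assumptions to tune per network; on a real resolver you would also want to exclude names that legitimately return NXDOMAIN for many hosts, such as search-list suffix expansions.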
    7. Re:Self identification might help zombies by Anonymous Coward · · Score: 0

      Awesome post.

  23. To take this even further OT by PitaBred · · Score: 3, Funny

    And a lot of times children eat dirt because they're mineral deficient, not because they're stupid.

    1. Re:To take this even further OT by Anonymous Coward · · Score: 0

      or in the case of bullying...

  24. Not Seriously?!? by Geoffrey.landis · · Score: 1

    Ick. What a stupid idea.

    The reply rate to spam, if I remember recent numbers correctly, is something like one reply in ten million messages sent. To have even a marginal effect on the spam, you'd have to reach at least a million users. So, that means they're proposing that the government send out ten billion spam messages.

    Dumb.

    Much better is to follow the money trail-- the spammers have to have a way to make money. Follow that trail.

    --
    http://www.geoffreylandis.com
    1. Re:Not Seriously?!? by oldspewey · · Score: 1

      Much better is to follow the money trail-- the spammers have to have a way to make money. Follow that trail.

      Okay, I followed it to Russia. Now what?

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    2. Re:Not Seriously?!? by philspear · · Score: 1

      Send the evidence to MI:6, and wait for James Bond to kill them.

      (Note that there must be a hot chick involved in some way for this to work.)

    3. Re:Not Seriously?!? by Anonymous Coward · · Score: 0

      No problem! My spam tells me there are plenty of these available in Russia . . . I can even send for delivery!

  25. Better security through spam? by Rambo+Tribble · · Score: 1

    Couldn't they do better security through porn? That would be more fun.

  26. Let's see how this escalates... by Anonymous Coward · · Score: 0

    1. Government sends out fake spam with links to lure people who fall for phishing
    2. Phishing link clickers visit government site, and fill out form
    3. Government sends link clicker an email saying "Don't do that"
    4. Phishers send out fake government spam with links to lure people who fall for phishing
    5. Phishing link clickers visit fake government phishing site and fill out form, now asking for credit card/bank information in order to "better protect you"
    6. Phishers happily collect information via another official looking form

  27. Payload should update and clean by patjhal · · Score: 1

    To really be effective the spam should update any system and antivirus software. If no antivirus software is found then it should install clamwin. After the updates it runs a full virus scan in the background. The more someone falls for it the more their machine gets needed maintenance.

  28. Almost phishing by sabaisabai · · Score: 1

    MTV ran a broader campaign in the same vein. It consisted of fake adverts and two gotcha web sites: http://www.hospitality-job.com/ http://www.go-with-english.com/

  29. Average citizens are already doing this by iYk6 · · Score: 1

    If this thing worked, then it would already be working. There are plenty of people out there attempting to "teach someone a lesson" by scamming them out of their money. Sometimes the lesson takes, and sometimes it doesn't. The thing is, actually scamming someone out of their money is a stronger lesson than pretending to, and in the millennia that this has been happening, it hasn't significantly lowered the number of gullible people on this planet.

  30. Fake spam is so much different than real spam by noidentity · · Score: 1

    If fake spam messages offering all the usual benefits, and employing all the usual tricks, were sent out by national security agencies around the world, it would select precisely the people who tend to respond to spam. The agencies could then contact them from a suitably important-looking government address, warning about what could have happened. Some might become more cautious as a result, others will not. But again, it is precisely the latter who are more likely to respond to further fake spam messages in the future, allowing the process to be repeated as often as necessary.

    Brilliant idea! They could send those out daily, so that the rest of us could receive even more spam. "More spam!" you say, but you're forgetting it'll be FAKE spam. Big difference!

  31. Darwin by Reibisch · · Score: 1

    Why bother trying to protect those that Darwin should be claiming? Even if we somehow warn them suitably, they'll just be taken in by the next scam.

    Let them deal with their own problems.

  32. Infotainment by freedumb2000 · · Score: 4, Interesting

    If anyone really, the media (TV, print etc.) should step in and educate. I bet if Regis did a bit on some common-sense ways to spot and avoid spam and phishing, that would go a long way to educate the average Joe/mom about the dangers. Or a 60 Minutes on spam. A bit on MSNBC. A column in a monthly rag. In my experience people are very curious and/or afraid of getting infected or spammed and enjoy any helpful information that they can put to use right away to protect themselves.

    1. Re:Infotainment by Yvanhoe · · Score: 1

      Yeah, it worked well for the RIAA anyway...

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  33. Comment removed by account_deleted · · Score: 2, Funny

    Comment removed based on user account deletion

  34. Spear Phishing isn't "just spam" by higapleez · · Score: 1

    People need practice spotting real, highly crafted spear phishing attacks. These emails are MUCH more specialized than spam. The DOJ isn't the first to use this education technique and they won't be the last. Organizations pay for this training. Just look at www.phishme.com.

  35. oblig by LunarCrisis · · Score: 1, Funny

    Spam is like XML, if it doesn't solve the problem, use more.

    --
    Mr. Period: Nine is the one that's right by ten!
    Nine: One day I will kill him. Then, I will be Ten.
  36. Kill kill kill by wytcld · · Score: 1

    How about we use the government resources directly against the spammers?

    1. Set up false fronts to buy the products.

    2. Trace the transactions.

    3. Establish a swift death penalty for whoever receives the funds.

    Yes, this would need safeguards - for instance when spammers start threatening to send out spam for products from businesses other than their own, to blackmail those businesses with threat of government response. But for instance when the payment can be traced directly to a Canadian "pharmacy," simply extradite and execute the pharmacists - or jail for life if the extradition treaty doesn't allow for execution.

    Who would miss these people? Who would be sorry this had been done?

    --
    "with their freedom lost all virtue lose" - Milton
    1. Re:Kill kill kill by Joce640k · · Score: 1

      Be sure to make some special playing cards with "Ace of spam" printed on them to leave at the scene.

      Anonymous killings don't achieve anything.

      --
      No sig today...
    2. Re:Kill kill kill by Renegade+Iconoclast · · Score: 1

      I don't think we necessarily have to implement the "final solution to the spammer problem" outlined in item 3.

      1 & 2 would be a big leap forward. We already have laws, let's use them.

  37. The Government ain't your daddy. by thecoolbean · · Score: 1, Interesting

    The LAST thing any of us want is for the bureaucracies to be responsible for what e-mail we receive and what e-mail we do not. If people cannot be troubled to acquire or hire the expertise necessary to reduce spam, then let them eat spam. People have the right to pursue happiness, bear arms, to assemble and to worship. They also have the right to be cold, hungry, homeless, sick and dead.

    And to have their inboxes stuffed with spam.

  38. Is the right moment? by gmuslera · · Score: 1

    We are at the border of the abyss, but we will take a step forward. Adding spam to the system will do in the short term more harm than good, and in the long term? People that follow the spam links probably do not have enough discernment to learn the lesson, or even worse, the spam will start coming with a "this time we are serious" warning to take distance from that experiment.

    It could be worth considering taking control of domains/URLs heavily referred to by spam, and instead of taking them down (by the hosting ISPs or whatever) redirecting them to a central warning "don't follow this or you will be sorry" site; you would not add more spam to the system, and would still warn people that follow the links.

  39. Forbidden in Austria by I)_MaLaClYpSe_(I · · Score: 3, Interesting

    I once wanted to do such a thing for my employer: sending out fake "Enter your login credentials here to win xxx" emails to our staff and invite those that responded with submitting their true credentials to security awareness trainings. However, it turned out that this would have been a violation of privacy rights here in Austria, Europe.

    The employer could have been able to discriminate against people for falling for the scam and thus it is illegal for my company to do such a thing.

    1. Re:Forbidden in Austria by ThinkingInBinary · · Score: 1

      The employer could have been able to discriminate against people for falling for the scam and thus it is illegal for my company to do such a thing.

      I don't understand... are idiots protected from "discrimination" in Austria? Or is it that they entered "personal information" (their login) on the fake site and you're misusing it?

    2. Re:Forbidden in Austria by I)_MaLaClYpSe_(I · · Score: 2, Interesting

      Yup, idiots are kind of protected here. We have comparably strong laws protecting the privacy of the workplace, especially when it could be used against a worker. Like, video surveillance is not allowed to be used for evaluating things like when a worker takes a break or similar. Therefore, if the employer wants to access their own video surveillance tapes, he has to specify the exact reason, exact camera and a narrow timeframe, and the "Betriebsrat" (workers' council) has to be involved in order to protect the privacy of individual workers shown and in order to oversee the employer's actions.

    3. Re:Forbidden in Austria by Anonymous Coward · · Score: 0

      Depending on what they do for the company...

      If several people hired as fork-lift drivers keep impaling the straw dummy you set up in various places in a warehouse... what about then?

    4. Re:Forbidden in Austria by Anonymous Coward · · Score: 0

      What a stupid law. Discrimination is only wrong when it is unjustified. If you can't discriminate at all, you wouldn't be able to select people by interview - if you failed to hire people who said dumb things, you'd be "discriminating".

  40. IP blacklisting == GOOD by hummassa · · Score: 1

    The ideal IPbl scenario is: the collateral damage "innocents hit" force their ISP to block/evict the bad guy, everything goes back to normal after a short while. The ISP takes the hit (in financial$$ form) for the blocked time, evicts spammers faster next time around.

    --
    It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    1. Re:IP blacklisting == GOOD by IBBoard · · Score: 1

      That depends how you do the blacklisting. If you just silently blacklist the server and don't tell the owner then you're relying on the innocents to a) notice the bounces and b) complain to the owner. That could take time, during which you're still affecting the communication and potentially business of innocents. You'd get a better response with less side-effects if you could be responsible with the blacklist and notify the responsible party.

      Collateral damage is normally something to be avoided - just ask the military.

  41. Actually, ... by hummassa · · Score: 2, Insightful

    to go right with your metaphor, the "condom police" picks up a girl/guy in a bar, takes him/her to a hotel room, asks if they can go bareback, s/he says yes, receives a fine and a slap on the wrist (possibly mandatory safe sex lessons) and goes home. Seems sensible to me.

    --
    It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    1. Re:Actually, ... by Anonymous Coward · · Score: 0

      Wait ... are we having sex or not?

    2. Re:Actually, ... by hobbit · · Score: 4, Funny

      No, because your metaphor doesn't take account of the fact that the proposed solution causes a lot of spam to be sent.

      It's more like that the condom police just have sex with you bareback, and afterwards they say "okay well this time it was just genital warts... next time it might be AIDS".

      --
      "Wise men talk because they have something to say; fools, because they have to say something" - Plato
    3. Re:Actually, ... by Locke2005 · · Score: 1
      ...the condom police just have sex with you bareback, and afterwards they say "okay well this time it was just genital warts... next time it might be AIDS!"

      Ewww! I hate it when that happens!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
  42. how abt educating the masses on other medias... by Anonymous Coward · · Score: 0

    Rather than adding to the existing SPAM traffic, the govt. just needs to make people aware of online frauds using print and television adverts. More effective and a green solution too.

  43. A better solution to spam! by Hordeking · · Score: 1

    This is really easy, and it even works in Darwinism.

    What if instead of continually repeating the exercise, the recipients of the fake spam get gently berated if they take the bait the first time. Then, if they fall for it again, a couple of guys in black suits and sunglasses show up at midnight to offer the option of "the pill" or a "bullet".

    I think that would cut down on a lot of spam response.

    Alternately, if someone falls for the v14gra spam more than once, send cyanide pills instead of viagra.

    --
    Disclaimer: The opinions and actions of the US Gov't are in no way representative of those held by this author or its ci
  44. Sure, why not? by YodaToad · · Score: 1

    Please spend government money (my tax dollars) on filling my inbox with even more inane crap. We could even make it part of the "stimulus package".

    Why not spend that money getting some of the real spam-killing ideas implemented?

  45. Stupidity is impossible to solve by Cookie3 · · Score: 1

    A year or two ago, I was doing helpdesk stuff when a user called in regarding a phishing e-mail they'd received regarding some transaction in Africa. They wanted to know if it was legitimate, because it sounded (to him) like the business opportunity of a lifetime. I told him that it was a scam, and explained how the scam worked. He thought for a moment, and said "Yeah, maybe, but he's promising millions!" (uh oh)

    I directed him to read up on some of the 419 anti-scam sites. We read the literature together, and discussed why these operations work, and why it's dangerous to respond to them, etc.

    At the end of the call, despite having spent more than 45 minutes trying to dissuade him, and having read multiple stories that all had the same general flow, he remained skeptical of MY explanation that it was a scam. He wanted to believe it was legitimate, and so he believed it was legitimate.

    I haven't spoken to him since, but some of my colleagues have. We came to the general consensus that he probably sent several thousand dollars to them before realizing it was fake. :/

    --
    present day... present time... hahahaha...
  46. This is /., so... by hummassa · · Score: 1

    NOT.
    We are having mandatory safe sex THEORETICAL lessons.
    Maybe if s/he answered "no way", s/he could win the prize of a good (SAFE) lay :-)

    --
    It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
  47. Would a reputational system help? by rickb928 · · Score: 1

    This is my idea - whoops, it's not *my* idea, this is not new and it's not my original work.

    1. Mail servers must subscribe to a 'reputational' authentication system. The authing system is pretty straightforward, but along with identification and passcode, the system considers the server's 'reputation'.

    2. Reputation is derived by any of several means. The most important, for spam prevention, is that reports from other servers of spam activity result in a diminished reputation, and eventually lead to inability to authenticate.

    3. I choose to enroll my server in this system. If I don't many other servers will stop listening to me. If I do, I abide by the rules, mostly to minimize spam. If my users send too much spam, I am warned and eventually my server cannot authenticate, so cannot send mail to other enrolled servers. I stop sending spam on behalf of my users to these other servers.

    4. A server can achieve a good reputation by sending acceptable mail to other members of this system. Some servers, probably the 'big' ones (Google, Yahoo!, MSN, etc) will accept mail from these 'beginners', and vet them so to speak. They can also tolerate spam more readily, would serve as early warning, and the gateway into the greater system.

    5. Botted boxes would never get much of a reputation, as they would be sending much too high a percentage of spam. If they were using SMTP, they would find participating servers would refuse their connection. We could consider dropping the mail on receipt, to both deny delivery and tie up the bot box, but that also ties up the servers. We want well-behaved servers to get through, and their recipients to be able to drop connections as soon as possible to avoid even processing incoming spam.

    There are probably issues with this - the most notable being how to deal with servers that work to gain good reputation just to spew spam in short-lived bursts. And how to deal with spoofs and hijacks, and the likely false-positives.

    Certificates don't work, as all I have to do is accept one well-crafted phishing message and my cert is out there for abuse. Whitelisting fails. Blacklisting is failing. I don't see a good alternative short of going to only 'approved' servers, where the approval is based on arbitrary decisions on who will provide mail service, and that fails when some otherwise trusted entity gets subverted or paid off to allow the spammers. Try blocking .ru or .ro for a week in that scenario and see how nasty it gets.

    This is not much different than fax spam or good old-fashioned direct mail through the Postal Service, except there is even less cost to use as leverage, and the legal alternatives such as do-not-call and catalog blacklists are even more unenforceable.

    'My' idea may not work either. DNSSEC may offer some help in being able to spot spoofs and inappropriate servers. If I could spot botted machines by knowing they were in known dynamic ranges within residential ISP pools, I'd be happier, but most of the bot spam I get I think is coming from corporate machines compromised by the same botnets, and labelling those IP addresses is very much harder and less precise. Many will show their gateway address as the same as their Exchange server, for instance, and blacklisting those is a lot of trouble.

    We may have to filter, or face the choice of losing the 'free' e-mail system.

    ?

    --
    deleting the extra space after periods so i can stay relevant, yeah.
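The five-point reputational scheme in the post above can be modelled in a few dozen lines to see how its pieces interact: enrolment, a score that spam reports push down and accepted mail pushes up, an authentication threshold, and 'big' gateway servers that vet newcomers who have no reputation yet. This is an added illustration written for this page, not code from the poster or from any real reputation service; the decay constant, threshold and starting score are assumptions chosen for the simulation.

```python
from dataclasses import dataclass

AUTH_THRESHOLD = 0.6    # assumed: score a sender needs to authenticate to a non-gateway
NEW_SERVER_SCORE = 0.5  # assumed: where a freshly enrolled server starts (below threshold)
DECAY = 0.9             # assumed: weight of history vs. the newest report (EWMA)


@dataclass
class MailServer:
    name: str
    score: float = NEW_SERVER_SCORE
    accepted: int = 0
    spam_reports: int = 0
    is_gateway: bool = False  # a 'big' provider willing to accept mail from beginners


class ReputationRegistry:
    """Toy registry: reputation is an exponentially weighted share of accepted mail."""

    def __init__(self):
        self.servers = {}

    def enroll(self, name, is_gateway=False):
        server = MailServer(name, is_gateway=is_gateway)
        self.servers[name] = server
        return server

    def report(self, name, accepted):
        """A receiving server reports one message as accepted (True) or spam (False)."""
        s = self.servers[name]
        if accepted:
            s.accepted += 1
        else:
            s.spam_reports += 1
        # Each report nudges the score toward 1.0 (clean) or 0.0 (spam).
        s.score = DECAY * s.score + (1 - DECAY) * (1.0 if accepted else 0.0)

    def can_authenticate(self, sender, receiver):
        """Step 3/4/5 of the scheme: unenrolled senders are refused outright,
        gateways vet anyone enrolled, everyone else demands a good score."""
        s = self.servers.get(sender)
        if s is None:
            return False
        if self.servers[receiver].is_gateway:
            return True
        return s.score >= AUTH_THRESHOLD


def simulate():
    """Constructed scenario: one clean server, one botted box sending 90% spam."""
    reg = ReputationRegistry()
    reg.enroll("bigmail.example", is_gateway=True)
    reg.enroll("smtp.goodcorp.example")
    reg.enroll("botted-box.example")
    reg.enroll("relay.example")  # enrolled but has sent nothing yet
    for _ in range(40):
        reg.report("smtp.goodcorp.example", accepted=True)
    for i in range(40):
        reg.report("botted-box.example", accepted=(i % 10 == 0))
    return reg


if __name__ == "__main__":
    reg = simulate()
    for name, s in reg.servers.items():
        ok = reg.can_authenticate(name, "relay.example")
        print(f"{name:24s} score={s.score:.2f} spam_reports={s.spam_reports:2d} auth_to_relay={ok}")
```

The simulation also exposes the weakness the poster names: a newly enrolled server scores below the threshold until a gateway has vetted it, and a server that behaves well for a while could bank a high score before a burst of spam drives it down, because an EWMA reacts one report at a time.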
  48. This could backfire by rev_deaconballs · · Score: 1

    This strategy builds a statistical analysis of what gets people to click or not. If spammers get a hold of this data it will lead to better phishing. Even if this data was not public domain I am sure spammers would pay good money and they will find someone that will give it to them.

  49. Proposed Name for Fake Phishing by srussia · · Score: 4, Funny

    Catch-and-Release

    --
    Set your phasers on "funky"!
    1. Re:Proposed Name for Fake Phishing by borawjm · · Score: 1

      And do the fish ever learn?

    2. Re:Proposed Name for Fake Phishing by Atario · · Score: 1

      Shouldn't it be misspelled appropriately?

      "Khatch and rhelease"?

      --
      "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
  50. Don't punish the spammer. by Dishevel · · Score: 1

    Punish the idiots that respond to spam. They are way easier to find and need to be culled from the herd anyway. I am going to get Soooo nailed for being right on this one.

    --
    Why is it so hard to only have politicians for a few years, then have them go away?
  51. Why not? by BrokenHalo · · Score: 1

    "Congratulations! By responding to this test email, you've received an IRS coupon for a FREE TAX AUDIT. Enjoy!"

    I know you're being funny, but a stick approach might in this case be more efficacious than the carrot. The submission naively suggests that
    ...it is precisely the latter who are more likely to respond to further fake spam messages in the future, allowing the process to be repeated as often as necessary

    ...when experience shows us that greed will often override common-sense. An example uppermost in my mind is where people repeatedly sink money into Nigerian scams AFTER they were already aware that the thing was likely to be a con.

    I often think this kind of thing is a good argument for chlorinating the gene pool, or at least retrospective abortion...

  52. Hmmm, clogging the system with spam... by iminplaya · · Score: 1

    to fight spam...I like it! That's the government for ya, always doing things it prohibits others from doing. For our own good, of course...

    --
    What?
  53. Opt Out by DrugCheese · · Score: 1

    Can I opt out of this right now?

    The last thing I want is fake spam. Just more junk email I have to download to get the messages I need.

    --
    *DrugCheese rants*
  54. prepare to get sued! by Anonymous Coward · · Score: 0

    How dare you use my spam as templates for your own. I will see that my intellectual property will be protected. See you in court!

  55. As goes the old metaphor... by qreeves · · Score: 2, Funny

    "Give a man a phish, and he'll eat for a day. TEACH a man to phish and he'll eat for a lifetime."

    Sorry, terrible pun I know, but it is true; the only way to fight this sort of thing is to make people more aware of it in the first place, knowledge is power. Personally, I think they're at least trying the right thing. My concern is the automatic filtering of "spam" messages done by some ISP's and mail services (especially gMail), and how it will interfere with the success of something like this.

    1. Re:As goes the old metaphor... by gujo-odori · · Score: 1

      The only way to get it past the filter (at least if your filter is any good, such as, for example, the anti-phishing ruleset I maintain for a living) is to not send it through the filter, and probably the DOJ didn't. I would expect they sent it from an internal account to all employees, thus bypassing any spam filters. In most networks, the spam filtering takes place near the network edge, just inside the firewall, on inbound (and sometimes outbound) mail streams. Internal mail is not routed through a spam filter in most environments, although my experience indicates that sometimes it ought to be.

  56. Already do something similar by kbielefe · · Score: 1

    I know they already do something similar. When the draconian restrictions on pseudoephedrine were being debated, as a severe allergy sufferer, I did some research on the actual effect of the legislation so I could write an intelligent letter to my representatives. Part of that was knowing how much pseudoephedrine it takes to make a batch of meth, so I could know if the restrictions would do any good in combating meth production or just inconvenience a lot of law-abiding allergy sufferers for no reason.

    It may be obvious to you, but in my naivete, I googled meth recipes, and came up with nothing except links to rehab facilities and dire warnings that my IP address was logged for the DEA.

    I never got a follow up from that experience (that I know of---maybe I'm considered one of the successes on a report in a classified vault somewhere), but I'd be interested to know how effective it was for its intended purpose. Might be an idea to build on for spam or really any sort of social engineering.

    --
    This space intentionally left blank.
  57. Why not ... by PPH · · Score: 1

    ...get together with a few banks and credit card companies and set up some dummy accounts. Then, have law enforcement personnel reply to some actual phishing e-mail with the faux accounts. These would be set up such that anyone ordering merchandise with said account would meet the local SWAT team jumping out of the FedEx truck when it pulls up.

    Publicize a few of these raids heavily ('Cops' comes to mind) and that might cut down on some of these scams.

    --
    Have gnu, will travel.
  58. A couple of corrections by pikine · · Score: 4, Insightful

    Your post advocates a

    ( ) technical ( ) legislative ( ) market-based (X) vigilante

    Sending out spam to counter spam is bringing justice by breaking a law.

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses

    (X) Mailing lists and other legitimate email uses would be affected

    These mailing lists as well as end users would have to deal with additional volume of spam.

    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    (x) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    ( ) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    (X) Laws expressly prohibiting it

    ( ) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    (x) Asshats
    (x) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( ) Armies of worm riddled broadband-connected Windows boxes

    (X) Eternal arms race involved in all filtering approaches (you need to compete with spam filters)
    (X) Extreme profitability of spam

    ( ) Joe jobs and/or identity theft
    (x) Technically illiterate politicians

    (X) Extreme stupidity on the part of people who do business with spammers (they never learn)

    ( ) Dishonesty on the part of spammers themselves

    (X) Bandwidth costs that are unaffected by client filtering (you're adding to the volume of spam bandwidth)

    ( ) Outlook

    and the following philosophical objections may also apply:

    (x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored

    (X) Countermeasures should not involve wire fraud or credit card fraud
    (X) Countermeasures should not involve sabotage of public networks

    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    ( ) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    (x) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    (x) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

    --
    I once had a signature.
  59. Great idea! by Anonymous Coward · · Score: 0

    I used to be the sysadmin for a high school, filled with about 150+ employees, many of whom were absolutely clueless and laughed me off the stage when I tried telling them not to share passwords.

    We're talking about users who had holy screaming fits at the beginning of the school year, when the school district [my Active Directory overlords] forced password changes on all users.

    What could I have done?

    - Send out a phishing e-mail from an obvious spoofing of my e-mail account.
    - The link is to a page on an internal Web server that simply collects usernames and passwords entered.
    - E-mail the users who fell for it, explain that it was a test, and force a password change on them.

    Considering that teachers took my "lock screen on idle" policy all the way to the principal, I'd no doubt get in big trouble for this.

    The janitors there would open ANY door for ANYone who asked, no questions asked. After ushering a girl out of the closed library, I asked a janitor not to do it, and he yelled at me for it. I'd love to send a friend of mine in there, have a janitor open a room, have said person remove some key equipment [say, the office receptionist's workstation], then the next day say, "Maybe the janitors shouldn't open anything for anyone!"

  60. Wir Haben Suzammen by Anne+Thwacks · · Score: 1

    I have been sending fake spam for years. No one can tell the difference.

    --
    Sent from my ASR33 using ASCII
  61. like a vaccine against phishing by Anonymous Coward · · Score: 0

    Sounds like a vaccine against phishing. You send a harmless version of the virus in order to teach the immune system to avoid these in the future.

  62. Start with an email to pass around by WoodstockJeff · · Score: 1

    The secret would be to get an email circulating saying that the government is already doing this, with the aim being to target people who respond to the emails for further surveillance, or to take control over their computers to use them for spying.

    80% of the people who would fall for spam and social engineering scams would fall for this, and take steps to protect themselves from it. Especially if you use phrases like, "a secret program put in place by George Bush as part of the Patriot act", and "steal bank information to finance illegal operations overseas".

  63. One step further by DigitalCrackPipe · · Score: 1

    This would need to be taken one step further to be effective. If the government actually removed money from the "victim's" accounts, then the money wouldn't be available to give to scammers. Treat that money as a higher tax bracket category, and you don't need to raise taxes for others. Two birds with one stone.

    Seriously, for this to have an effect, the resulting reprimand would have to come via snail-mail, registered mail, or a visit from government agents. Email is too easy to ignore (unless it's from a very sincere Nigerian prince).

  64. Huh? by Otto95 · · Score: 1

    . . . so under this plan, I'll get twice as much spam only half of it will be fake spam sent to me by the government?!?

  65. debate between legal, social and technical problem by Anonymous Coward · · Score: 0

    Spam and phishing will unfortunately never get resolved. It's not just a technical problem; it is social, legal and technological. How did we stop fax spam? Mail spam? Unsolicited telemarketing?

    teamb@game-master.com

  66. simonbas by simonbas · · Score: 1

    In Soviet Russia, spam filters YOU !

  67. Or better yet... by Locke2005 · · Score: 1

    If the government could just identify all those people gullible enough to fall for spam, then just go ahead and sell them herbal v1agra and/or breast enlargement cream, then we could pay down a lot of the national debt! There is precedent; we already have a tax on stupidity called a State Lottery. Hey, somebody's going to screw these people over, so why not let it be the government?

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  68. To paraphrase an old saying by Locke2005 · · Score: 2, Funny

    Sending out spam to decrease spam is like having sex to increase virginity.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  69. Yahoo Domain Keys by sv223 · · Score: 1

    We already have a solution to spam. It's Yahoo DomainKeys. It's just that we cannot get anyone to use it. If we cannot get people to use this, we will never be able to update the current email protocols. We live with spam forever and resort to these attention-grabbing, money-wasting tricks once in a while.

  70. Well by Xaoswolf · · Score: 1

    that could lead to some funny performance reviews...

    "Well, Jenkins, it looks like you have done ok on your key performance objectives, however, there is a note from our IT staff regarding discount Viagra and Russian brides..."

  71. This is fake phishing e-mail! Do not fear! by Petersson · · Score: 1

    From: yourfriend@friendface.com

    This is a fake phishing e-mail. You can safely click on the link below, log in and see what a fake phishing website looks like.

    ---
    >clicklogin
    .
    .
    .
    #@$!omgwtfpwned

    --
    I'm not insane. My mother had me tested.