Google Says Spam Volumes On the Rise

alphadogg writes "Despite security researchers' efforts to cut spam down to size, it just keeps growing back. The volume of unsolicited email in the first quarter was around 6 percent higher than a year earlier, according to Google's e-mail filtering division Postini. Security researchers have won a few significant battles against the spammers in the last year, first against those hosting the spammers' control systems, and later against the control systems themselves, but they will have to change tactics again if they want to win the war. In the first half of last year, security researchers concentrated their efforts on identifying the ISPs or hosting companies that allowed command-and-control servers to operate, and shutting these botnet purveyors down. The success of that tactic was short-lived, however."

If One Person Clicks, We All Lose

[eldavojohn]

If you are successful at combating spam, you will see a rising volume. Here is the chain reaction that takes place:

1. A spammer has an established source of income that he profits from his operations. Let's say it's ten grand a month. Everything is going well--he kicks back and watches watches the money machine.
2. You implement a better spam blocking program or a better educate users or do something so that the five hundred clicks he gets a day drops to four hundred clicks a day.
3. The spammer now finishes at eight grand at the end of the month and notices something is wrong.
4. The spammer is certain that he can grab back those clicks and all he (did you ever notice how spammers are always men?) has to do is crank up the volume whether it be by getting more e-mails to spam or sending more frequent spams or revolutionizing his spamming tactic and adding new templates and variables to trick people or get around blocks.
5. In the end we see spam rise.

Now, maybe he makes that two grand back in his push and maybe he don't. Maybe your new method reduced his clicks from five hundred to five per month. Either way the best we can hope is that at some point that income shrinks to negative or so little it's not worth his time. The problem is that even if 0.0001% of his spam messages generates a click, he's making bank.

The battle for clean e-mail should be fought on a number of fronts. Public awareness is the key weak link in the chain in my opinion. And as a new net savvy generation arises, that will come naturally.

No matter how much I tell my friends and family to be safe on the net, my friend in Cairo had ten credit cards opened in her name and I had to help her clean it up over here. To make sure it didn't happen again we went over smart procedures like if your bank sends you an e-mail you should read it and then open up your browser by hand and type in the bank's URL as you know it by hand and look for the corresponding information on the site. Yeah, it's a pain in the ass but if you can't find it you can always just call them. Don't click the e-mail link and drop your username and password into some site you don't trust. If I had to guess how she got tripped up, it was when she went to Cairo for school she couldn't afford to talk on the phone and had gotten lazy and careless with doing all her banking online.

Re:If One Person Clicks, We All Lose

Mod Parent Awesome

Re:If One Person Clicks, We All Lose

+1 Redundant.

God dammit, people, this isn’t rocket science. Learn to use the internet safely or stay off it.

Re:If One Person Clicks, We All Lose

[houstonbofh]

Kidnapping for money is a big industry in Mexico. It is all but unheard of in the United States. Why? Because the FBI made it unprofitable. They use whatever resources are needed to track down and bust the kidnappers, however long it takes. We need that kind of will in the fight against spam. It is expensive at first, but less expensive as people get out of the business.

Re:If One Person Clicks, We All Lose

[voodoo+cheesecake]

Sounds like economic warfare to me.

Re:If One Person Clicks, We All Lose

[Shakrai]

Yes, because the inconvenience of mashing the 'delete" key a few times is exactly comparable to the inconvenience of having a family member kidnapped and held against their will. Why not involve the FBI in the fight against SPAM, it's not like they have anything better to do.....

Re:If One Person Clicks, We All Lose

[eldavojohn]

We need that kind of will in the fight against spam. It is expensive at first, but less expensive as people get out of the business.

The problem with your analogy is that kidnapping is a binary operation. You're either doing it or you're not. It's also often coupled with extortion and bodily harm and a host of other very serious crimes.

Spamming, on the other hand, is very hazy. What is unsolicited e-mail? People don't take the time to read shit. They just "click click oops, why am I getting these e-mail?" So if they clicked an ad and entered their e-mail address to get thirty thousand acres in farmwars by putting in their e-mail and checking a box that they understand ... where was the failure there?

I just got five messages in a minute from Boingo this weekend. Followed by an apology letter. It was some database template test process run amok that informed me about my account (which I don't have with them). I used them once in an airport. They apologized to me today in another e-mail I didn't ask for! Do we vigilantly hunt them down and jail them?

The problem with your vigilance is that it's often objective to draw the line where spamming stops and legitimate business e-mails start. The crimes that come with spam aren't on the level of human trafficking ... you get tax evasion or another white collar crime at best. Sometimes theft or grand larceny across all victims. But come on, the FBI isn't going to get the resources from the federal government to chase that rabbit down its hole when they need back hoes to dig up the whole internet.

The government's CanSPAM act has increased the severity of it when we're sure you were doing it. That's the most you can ask for ... not a special FBI initiative to relentlessly track everyone who spams. Enforcement should be increased but not to the level of tracking kidnappers.

Re:If One Person Clicks, We All Lose

[__aagctu1952]

Now, maybe he makes that two grand back in his push and maybe he don't. Maybe your new method reduced his clicks from five hundred to five per month. Either way the best we can hope is that at some point that income shrinks to negative or so little it's not worth his time. The problem is that even if 0.0001% of his spam messages generates a click, he's making bank.

Unfortunately, even if the income shrinks to negative or so little it's not worth the time, the spam will keep flowing - because someone will think that it's profitable. Besides, you're thinking too oldschool: a lone spammer using his own spamming farm. That hasn't been true in a long time; today's spammers rent capacity from botnets. Take one spammer down and those botnet owners will just keep rent out the capacity to new spammers looking to make a buck.
In fact, on the topic of profitability, I seem to recall reading that renting out botnets to spammers is much more lucrative than the actual spamming nowadays...

Re:If One Person Clicks, We All Lose

[clone53421]

In fact, on the topic of profitability, I seem to recall reading that renting out botnets to spammers is much more lucrative than the actual spamming nowadays...

Yep... the spammers themselves are getting suckered just as much as the people they’re trying to sucker.

But as long as there’s another spammer who’s eager to make a quick buck, there will be people ready to rent him a few million cheap e-mail addresses and a botnet to send the spam with.

Re:If One Person Clicks, We All Lose

[FlyingBishop]

Actually, if you look at it purely in monetary terms, spam is probably a bigger problem in the United States than terrorism. Obviously, spam rarely kills anyone, but in terms of murder, terrorism is not as significant a driver of tragedy in America as the US government would like you to think.

Re:If One Person Clicks, We All Lose

[Tom]

Good point. The strategy was invented by the Romans, in case you care. The Roman Empire had a kind of primary objective on any and all sieges, namely that they win. No matter how long or what ressources it takes, there was the order from Rome that they will never leave defeated.

A famous mountain fort considered itself invulnerable due to natural features - there was only one small path up to the fortress. The romans built a big camp at the foot of the mountain and started building a ramp. It took them years to build it, but they did it, and took the invulnerable fortress.

That's why one day, when the roman army had just begun besieging another city, its ambassador came for talks, and he boasted "we have food for ten years". To which the romans replied "then we will accept your surrender in the eleventh". The next day, the city surrendered.

I'm telling that story because I like it a lot, but also because it shows that insane investment can pay off in the end. Yes, the romans poured ressources into a few sieges that were far beyond what they gained. But once the word had spread, the return-on-investment came.

There are two things we have to do to get rid of spam, minus the small amount you can never get rid off.

One is to make it very hard to make a profit via spam. A few simple laws could cover that. Going through the credit card companies would probably work great. Simply allow people a chargeback for any and all products sold via spam. All you have to do is send the spam message to the credit card company and ask for it. The CC company may not charge you. They don't want to pay for the trouble themselves, either. They will charge the merchant. That would pretty much eliminate all the non-working crap that's being sold via spam.

Two is to go absolutely anal on the spammers themselves. While #1 reduces the ROI, #2 increases the risk. Once you do that, the business case for being a spammer goes away. I don't necessarily mean higher penalties, but more effort in actually bringing them to justice, in an international effort.

Re:If One Person Clicks, We All Lose

[jimicus]

While I don't wish to belittle the work of people who are literally saving lives, you do realise the only reason anybody's email account is even remotely usable is because all they have to do is "mash the delete key a few times"?

If your email address has been in the wild for any length of time, it's safe to assume that at least 90 spams are being discarded behind the scenes for every legitimate email you receive - and that's assuming the system in use is not very good at dealing with the risk of false positives and so errs on the side of letting things through.

I don't know of any organisation these days that doesn't put some level of spam filtering in place.

Re:If One Person Clicks, We All Lose

[Tom]

Spamming, on the other hand, is very hazy.

No, it is not.

Spammers try to make it appear hazy, but it isn't. 99.999999% of the spam volume is not from some overly zealous marketing temp who sends the company newsletter to a few more people than he should've. Pretty much all the spam you get is from address lists. You buy one of them to send those people mail, you fucking know that you're sending unsolicited mails.

The tiny fraction of mails that fall in the "you actually did sign in and forgot" category is so negliegable, you can ignore it for the general discussion. The only point where it ever comes in is if you want to define the line at "opt-in". That would be a very simple and elegant solution to the problem: $1000 fine per mail, payable to receiver unless you can produce evidence that he signed up for it. Of course, that's been discussed before and dumped due to the problem of collecting the money.

The problem with your vigilance is that it's often objective to draw the line where spamming stops and legitimate business e-mails start.

opt-in

If you send me advertisement that I didn't ask for, you are spamming. It is that simple.

Re:If One Person Clicks, We All Lose

[Shakrai]

Actually, if you look at it purely in monetary terms, spam is probably a bigger problem in the United States than terrorism

Spam bankrupted an entire industry?

Re:If One Person Clicks, We All Lose

[Tom]

Yes, because the inconvenience of mashing the 'delete" key a few times is exactly comparable to the inconvenience of having a family member kidnapped and held against their will.

You have heard about scaling factors sometime during your education, haven't you?

A small crime done to millions sums up. The math has been done before. The "few seconds" times the amount of spam just one of the major spammers sends out in a month comes to easily an entire human lifetime.

Re:If One Person Clicks, We All Lose

[damn_registrars]

The battle for clean e-mail should be fought on a number of fronts. Public awareness is the key weak link in the chain in my opinion. And as a new net savvy generation arises, that will come naturally.

That is a good idea, but it won't solve the problem - or even make a huge dent in it - on its own. Even with the new "net savvy" users, there are still plenty of users (including new users) who are uninformed and don't want to be informed. There are still plenty of technophobes who are getting on the internet because junior's teacher wanted him to look something up on wikipedia. And when mommy and daddy are both technophobes, junior won't likely be that much different.

That said, you almost hit the correct angle of attack for spam. The correct link to hit is profit. You need to break the connection between the spammer and the people who are paying him. You also need to go after the people who the spammer is paying and make their lives difficult. The end result should be dramatically increasing the cost of doing business for the spammer, while simultaneously reducing the flow of money to him. As profit is the main motivation behind spam, this will do more to drive spammers away from spamming than anything else.

Re:If One Person Clicks, We All Lose

What's worse, a murderer or someone who willfully wastes 1 minute of 10,000,000 peoples' time?

Re:If One Person Clicks, We All Lose

[Thanshin]

I like the story too.

Could you, please, provide the necessary info for me to find a more detailed description of the facts? (forts and city names should be sufficient).

Re:If One Person Clicks, We All Lose

[Shakrai]

The "few seconds" times the amount of spam just one of the major spammers sends out in a month comes to easily an entire human lifetime.

So does the time we spend idling in traffic. Your point?

Re:If One Person Clicks, We All Lose

[Thanshin]

I'm telling that story because I like it a lot, but also because it shows that insane investment can pay off in the end. Yes, the romans poured ressources into a few sieges that were far beyond what they gained. But once the word had spread, the return-on-investment came.

That's how I've been told bank robberies are managed. Spread among the criminals the idea that whoever robs a bank will be hunt down and killed, even if it's more expensive than the robbed money.

Re:If One Person Clicks, We All Lose

[LingNoi]

A few simple laws could cover that. Going through the credit card companies would probably work great. Simply allow people a chargeback for any and all products sold via spam. All you have to do is send the spam message to the credit card company and ask for it. The CC company may not charge you. They don't want to pay for the trouble themselves, either. They will charge the merchant. That would pretty much eliminate all the non-working crap that's being sold via spam.

Your post advocates a

( ) technical ( ) legislative (X) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(X) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(X) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

(X) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
(X) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
(X) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:If One Person Clicks, We All Lose

[MikeFM]

I'm just glad I get my email through GMail (Google Apps actually). Those accounts get as much spam as any of my other accounts but almost none of it reaches my inbox which I can't say for any of the other email services/servers/programs I use. Very few false positives these days either.

Re:If One Person Clicks, We All Lose

[Tom]

Traffic is a crime :-)

The difference is that in one case, someone is making a commercial profit off your expense. A spammer is essentially someone who steals half a cent from you and everyone else, every day. Sure, it's not much, but for him it adds up. And so does it for society as a whole. The damage to each individual is small, but to us all as a group, it is huge. Easily higher than a kidnapping.

Traffic jams, OTOH, are not something that someone has intentionally create in order to make a buck.

Re:If One Person Clicks, We All Lose

[gtbritishskull]

I think it is pretty easy to differentiate between spam and not-spam. If the person sending the unsolicited mail tries to obfuscate how or from where they are sending the mail, then it is spam. If it is a company that clearly lists who they are, then they can be held liable (whether by being sued or by public opinion) for what they send out. There is no reason for law enforcement to get involved if the civil sector can sort it out. If, on the other hand, there is no reasonable way to trace the unsolicited email back to a person, they are trying to limit the ability of the civil sector to deal with them, so law enforcement should get involved.

But, that is just my opinion.

Re:If One Person Clicks, We All Lose

[FlyingBishop]

In aggregate, that lost time will likely cause at least one death. So they're roughly on par, though it obviously depends on motive and circumstances.

Re:If One Person Clicks, We All Lose

[Tom]

The template reply is a lot more funny if the answers aren't checked randomly. To pick out just one:

(X) No one will be able to find the guy or collect the money

So the CC company that he uses to be paid by his customers will be unable to find him?

Re:If One Person Clicks, We All Lose

[ColdWetDog]

Here is one.

Re:If One Person Clicks, We All Lose

[0100010001010011]

1 minute of 10,000,000 peoples time, once? Once per day? 10 times per day?

What happens when those spammers get the life savings of Grandma? What happens when they get the life savings of 10 people? What happens if those people get sick but can't get the meds?

My life isn't going great right now. I volunteer to take one for the team* if spam and scammers, from my death forward stopped completely once and for all.

*As long as it's something awesome and painless.

Re:If One Person Clicks, We All Lose

[causality]

If you are successful at combating spam, you will see a rising volume. Here is the chain reaction that takes place:

1. A spammer has an established source of income that he profits from his operations. Let's say it's ten grand a month. Everything is going well--he kicks back and watches watches the money machine.
2. You implement a better spam blocking program or a better educate users or do something so that the five hundred clicks he gets a day drops to four hundred clicks a day.
3. The spammer now finishes at eight grand at the end of the month and notices something is wrong.
4. The spammer is certain that he can grab back those clicks and all he (did you ever notice how spammers are always men?) has to do is crank up the volume whether it be by getting more e-mails to spam or sending more frequent spams or revolutionizing his spamming tactic and adding new templates and variables to trick people or get around blocks.
5. In the end we see spam rise.

Now, maybe he makes that two grand back in his push and maybe he don't. Maybe your new method reduced his clicks from five hundred to five per month. Either way the best we can hope is that at some point that income shrinks to negative or so little it's not worth his time. The problem is that even if 0.0001% of his spam messages generates a click, he's making bank. The battle for clean e-mail should be fought on a number of fronts. Public awareness is the key weak link in the chain in my opinion. And as a new net savvy generation arises, that will come naturally. No matter how much I tell my friends and family to be safe on the net, my friend in Cairo had ten credit cards opened in her name and I had to help her clean it up over here. To make sure it didn't happen again we went over smart procedures like if your bank sends you an e-mail you should read it and then open up your browser by hand and type in the bank's URL as you know it by hand and look for the corresponding information on the site. Yeah, it's a pain in the ass but if you can't find it you can always just call them. Don't click the e-mail link and drop your username and password into some site you don't trust. If I had to guess how she got tripped up, it was when she went to Cairo for school she couldn't afford to talk on the phone and had gotten lazy and careless with doing all her banking online.

That's why spam has become an arms race, an exchange of measures and countermeasures. The only real solution is to get the word out and equip the average Internet user to identify spam and understand why it should never be responded to. That would remove the profits from the spammers and force them out of business. Then and only then will the spam problem end.

Re:If One Person Clicks, We All Lose

[noidentity]

1. A spammer has an established source of income that he profits from his operations. Let's say it's ten grand a month. Everything is going well--he kicks back and watches watches the money machine.
2. You implement a better spam blocking program or a better educate users or do something so that the five hundred clicks he gets a day drops to four hundred clicks a day.
3. The spammer now finishes at eight grand at the end of the month and notices something is wrong.
4. The spammer is certain that he can grab back those clicks and all he (did you ever notice how spammers are always men?) has to do is crank up the volume whether it be by getting more e-mails to spam or sending more frequent spams or revolutionizing his spamming tactic and adding new templates and variables to trick people or get around blocks.
5. In the end we see spam rise.

Excellent analysis, and the solution is clear: we all need to start reading all our SPAM and buying the products, then we'll get less SPAM and it won't be such a problem. Genius!

Re:If One Person Clicks, We All Lose

Spam bankrupted an entire industry?

Southwest must have missed that memo. Everyone else bankrupts themselves on a regular basis with or without terrorism as an excuse, usually because they signed ridiculous contracts with unions.

It seems that for corporations, bankruptcy is the easy way out of contractual regret.

Re:If One Person Clicks, We All Lose

[causality]

Actually, if you look at it purely in monetary terms, piracy is probably a bigger problem in the United States than terrorism. Obviously, piracy rarely kills anyone, but in terms of murder, terrorism is not as significant a driver of tragedy in America as the US government would like you to think.

If you remember from all those piracy and P2P stories, most people say that police should rather be investigating real crimes like murder, rape and terrorism. Spam and piracy are both crimes, but I would think that most people think to those the same way. They're inconvenience or money lost, but they don't hurt people. If we go by monetary terms, I think piracy is a lot bigger problem.

Lets re-word the GP too...

They use whatever resources are needed to track down and bust the kidnappers, however long it takes. We need that kind of will in the fight against piracy. It is expensive at first, but less expensive as people get out of the business [and P2P sites and networks closed].

Except that piracy is generally not a crime. It's almost always a civil tort.

Re:If One Person Clicks, We All Lose

[Qzukk]

What's worse, a murderer or someone who willfully wastes 1 minute of 10,000,000 peoples' time?

I dunno, if one of these people who keeps buying stuff from spam gets killed by fake/off-spec pills does that make the spammer a murderer?

Re:If One Person Clicks, We All Lose

[plover]

This description is from the spam merchant's POV, not the spammer who operates the spamming equipment. The merchant wants to get his message out to X people. The spam operators charge money per address.

What'll happen here is the spam operators will find it more difficult to operate in conditions of continual crackdowns. Taking down a 100,000 bot net does not suddenly create 10 10,000 bot networks. The laws of supply and demand will kick in, meaning the price-per-address will rise. And spammers are going to be impacted by price.

Re:If One Person Clicks, We All Lose

[RobertLTux]

"better" answer we start locating the datacenters used cut the outbound network lines and then level the DC
(use Naval Gunfire or Bombers as required). And of course we would cut the outbound lines first to prevent switchover and then fire/drop warning round so that the folks can evac before the center goes up (or down as the case may be).

Re:If One Person Clicks, We All Lose

[fermion]

I think a better analogy is the recreational drug trade. Like spam, there are a few vendors and many recipients. To combat the trade, as ill conceived as such efforts are, requires prosecution of the users and the vendors. Furthermore, it requires the suspension of constitutional rights of the vendors, as vendors may be deprived of personal property without due process. If we are to destroy spam, we must do the same thing

I think the analogy is valid at other levels. Like recreational drugs, people seem to have lost all sense of proportions. A single unsolicited email can make some people believe that they have been injured beyond all recourse. Some has used tainted their computer, used the bandwidth they paid for, to send a 20 KB message. Call out the FBI, send the CIA to the country, at any cost in terms of lives and tax payer money. We must stamp out this threat.

Of course, like drugs, some significant harm can come of spam. Some spam does contain payloads that can damage computers. Some spam can shut down servers. And the amount of spam does have a non trivial effect on costs to the consumer. But I wonder if part of the reaction to spam, like recreational drugs, is simply emotional. It is something we do not like, so it should not exist.

I think that if we concentrated on functional harm, and minimizing that function, rather than focusing so much on the potential, we might end up doing more good. Of course, like the pharmcos, google is going to feel harmed by any spam email, so it will of course insist that spam must be destroyed. But what is good for google is not neccesarily good for the world.

Re:If One Person Clicks, We All Lose

[carp3_noct3m]

Anyone who uses the word piracy (as in IP) in the same sentence as terrorism, murder, or tragedy should be kicked off the interwebz. Oh crap, guess I have to go now, noooo{#`%${%&`+'${`%&NO CARRIER")

Re:If One Person Clicks, We All Lose

[courteaudotbiz]

Learn to use the internet safely or stay off it.

Unfortunately, staying OFF the net completely is becoming more and more difficult. From making your homework at school to searching for products for your job, it becomes increasingly hard for Joe Average NOT to use the Internet.

I think that we eventually will get most people aware of how to act safely on the Internet. But as in real life, there will always be fools who can't be educated.

Re:If One Person Clicks, We All Lose

[LingNoi]

The person sending the spam isn't necessary the same person selling the goods; and I very much doubt that Viagra companies pay spammers via credit card.

Also your idea wouldn't solve the spam issue. All it would do is provide a way for people to steal legitimate purchases the same way fraudsters used to do with ebay and paypal purchases.

So I buy a Samsung TV and get the credit card company to do a charge back because I got a newsletter or I forge some email myself?

Your idea is completely ridiculous, stop defending it.

Re:If One Person Clicks, We All Lose

[Krahar]

Actually, if you look at it purely in monetary terms, spam is probably a bigger problem in the United States than terrorism

Spam bankrupted an entire industry?

Neither did terrorism. The main cost associated to terrorism in the US is the cost of the emotion-based, expensive and ineffectual responses the American people demand to see from their leadership. The direct financial cost of terrorism is infinitesimal compared to that. Terrorism is "just" another kind of murder, and treating it as such in a low-public-profile way is exactly what Americans could do to make terrorism unattractive as a method of attack. It is the response of the American people to terrorism that is driving terrorism. It is the response of the American people through their politicians that inflicted great costs on American Airlines - the terrorists didn't. The terrorists killed lots of people, and that is the entire extent of *their* crime. Everything else you can blame your neighbors for, if you live in the US. Not that many other countries would respond in a better way, mind you, which is exactly what makes terrorism effective.

Re:If One Person Clicks, We All Lose

[Krahar]

Most anything is a bigger problem than terrorism. The big problem is the public's response to terrorism, and not many things are a bigger problem than that.

Re:If One Person Clicks, We All Lose

[Simon80]

Except that piracy doesn't destroy wealth, it merely affects how much wealth gets transferred from the lower and middle classes up to giant media companies. Given that these companies seem to be doing just fine, and the world isn't facing some kind of terrible shortage of shitty pop music and blockbuster movies, I don't think there is any reason to believe piracy is actually a serious problem for society.

Re:If One Person Clicks, We All Lose

[X0563511]

I don't think you realize just how much time, energy (electricity to run the infrastructure, cool said infrastructure etc), and manpower is wasted because of spam.

Lets put it this way.

To deal with spam at my company, we use a 10-server cluster. This cluster may seem excessive to you... but note that we get alarms once or twice daily that the load on one of the nodes has exceeded critical levels.

Now, comes the fun part.

These servers use about 3 amps each, at 110v RMS. If left without cooling, they would quickly melt down - so add on the air conditioning. I won't factor the AC into this calculation because it cools many other things too, but just be aware of it's presence.

So, we have 30 ampers at 110v 24/7/365. Now P=VA (where P = watts) so:
3300 = 30 * 110
These servers are responsible for a total energy use of 3.3 kW on average. Every day has 24 hours, and lets settle on say 29 days/m. This comes out to 696 hours per month. 3.3 kW * 696 = 2296.8 kWh per month.

Holy shit! This is a fairly small datacenter too.

So, you see... take this little anecdotal calculation and scale it up worldwide... and you begin to see the problem.

Re:If One Person Clicks, We All Lose

[biryokumaru]

Worked for Vietnam.

Re:If One Person Clicks, We All Lose

[biryokumaru]

The Siege of Tyre has always been my favorite, personally.

Re:If One Person Clicks, We All Lose

[jonbryce]

There's no probably about it. How many terrorist incidents have you had in the last 10 years other than 9/11? I'm pretty sure I could count them on the fingers of one hand.

Re:If One Person Clicks, We All Lose

[jonbryce]

I think he means the type of piracy that takes place off the coast of Somalia. If you have to sail your American owned ship the other way round Africa to avoid them, that costs a lot of money.

Re:If One Person Clicks, We All Lose

Except, confound that by spamming with a competitor's information... all seemingly on the up and up. Who do you go after and how would you know?

It may be easy to differentiate spam v non-spam, but it is difficult to know who sent it.

Re:If One Person Clicks, We All Lose

[TheRaven64]

If you send me advertisement that I didn't ask for, you are spamming. It is that simple.

What if it's not an advert? Most of the spam I get is just a random collection of words trying to damage bayesian filters, much like a typical Slashdot post.

Re:If One Person Clicks, We All Lose

[DNS-and-BIND]

I propose kidnapping spammers for money. That would kill two birds with one stone.

Re:If One Person Clicks, We All Lose

[Shakrai]

Normal murders don't shut down the national airspace for three days....

Re:If One Person Clicks, We All Lose

[sjames]

Interestingly, if the same person managed to transfer $0.005 from each bank account in the U.S. just one time, the FBI would hunt him to the ends of the earth. If he did it every single day, they'd mount the biggest manhunt in history.

Re:If One Person Clicks, We All Lose

[aztracker1]

I have an easy solution... Make it legal to kill spammers. I jest, but how effective would the message of 15-20 well known spammers all shot dead one night in a coordinated effort. Who'd want to be the new spam king then?

Re:If One Person Clicks, We All Lose

[TheRaven64]

I like your idea, but it's very difficult to put into practice. The problem is that email in general, and spam in particular, is not authenticated and is trivial to forge. How much evidence do I need to be able to get a charge back from my credit card? Just the text of the email? Fine, that'll take me five minutes. Mail server logs? Two minutes for me to insert them into /var/log/maillog in the right place. Logs from the sending server? Sorry, it's a machine in a botnet in a foreign country.

Re:If One Person Clicks, We All Lose

[Hatta]

Ten grand a month sounds a bit high. I'm willing to bet these people make about minimum wage. Enough to keep up with rent in a trailer park and fill the fridge with Miller High Life. That's why it's so hard to get rid of. These are people with no other prospects, and nothing to lose.

Re:If One Person Clicks, We All Lose

[sjames]

Massive botnets for rent to the highest bidder are a threat to national security. Send the army out to find and kill the bastards. Unlike terrorists living in caves, they have to have regular contact with banks and other aspects of the modern world, so they CAN be found.

Re:If One Person Clicks, We All Lose

[X0563511]

So?

The cost that I just figured is pure loss.

Not a loss cut from a greater profit - this is stone cold 100% loss... and this is just to keep the stuff that deals with it ON. It gets even worse when you factor in the cost of people to manage/administer them, cost of bandwidth, cost of the equipment itself...

The list goes on, and the tally grows larger. Piracy is peanuts on this scale.

Re:If One Person Clicks, We All Lose

[stabiesoft]

Maybe we could trick the terrorists into killing the spammers (& telemarketers).

Re:If One Person Clicks, We All Lose

[tophermeyer]

But there is still a big difference between me buying a list of e-mails to spam and advertising to people that don't ask for it. I don't ask for the TV ad's I'm exposed to (though I am aware that they are part of the TV watching experience). Same goes for ads on webpages, magazines, newspapers, etc. If someone stops me on the street and tries to sell a product or get me to give to charity thats not truly spam, even though it is frustrating and at times unwanted.

What about businesses that buy qualified sales leads? What about my friends that stand to receive a referral bonus from organizations they refer me too? What about when my Bank sends me promotional material for services they offer that they think might appropriate for me based on my current accounts? These are all advertisements that I didn't ask for, but not truly spam.

Re:If One Person Clicks, We All Lose

[mdielmann]

Piracy only causes losses equal to what pirates would buy if they couldn't pirate, not equal to what they pirated. Think of it as opportunity costs - sure, it's money you might have made if you'd done things differently, but actual cost is what comes out of your pocket.
The trick for measuring the value of opportunity costs, similar to measuring the cost of piracy, is determining how much of that speculative loss could be turned into income.

Re:If One Person Clicks, We All Lose

[archangel9]

Obviously, spam rarely kills anyone...

Spam can kill, but it requires a substantial amount of surprise.

Re:If One Person Clicks, We All Lose

So does the time we spend idling in traffic. Your point?

If someone intentionally causes a traffic jam wasting a huge amount of resources, I fully expect them to be punished. Your point?

Re:If One Person Clicks, We All Lose

[hclewk]

According to the GP, neither did terrorism... directly. National airspace being shut down for three days was an overreaction due to the outrage of the public. Now, if the terrorists had somehow disabled critical aviation controls so that no planes could fly, you would have a point.

I'm not saying that I agree with the GP's perspective, I'm just saying that your response is off the mark.

Re:If One Person Clicks, We All Lose

[GameboyRMH]

Sopssa's post would make a lot more sense that way, but I've never heard of the term P2P being used in relation to steal-your-boat piracy.

If you remember from all those piracy and P2P stories

(wait, am I getting whooshed?)

Re:If One Person Clicks, We All Lose

[stonewallred]

Being these are trying times in America, from an economic standpoint, I think the right thing to do is for some kind person here on /. write a tutorial on how to make money from spam. I promise that I would not use it to make 10k a month, but just to make a meager 9,900.00 US dollars a month to support the standard of living I would become accustomed to rather quickly.

Re:If One Person Clicks, We All Lose

[GameboyRMH]

You make the classic, giant "mistake"* of assuming that 1 piece of pirated media = 1 lost sale. If I make short films and sell them for $300 a copy (say I'm an "edgy" beret-wearing European independent filmmaker who feels my movies are worth this much), and 1 million high school kids all around the world torrent it instead, do you think I "lost" three hundred million dollars? I'd say it would be the height of narcissistic self-entitlement to call any of it losses. If a crate of them was stolen from a warehouse, I lost the material costs of those DVDs (maybe a couple bucks each). The only way to incur a loss is for your total operating costs to exceed your total income.** Period.

*(I'm trying really, really hard here to give you the benefit of the doubt, and assume you aren't just being incredibly obtuse.)

**(Don't get pedantic here, I'm not an accountant)

Re:If One Person Clicks, We All Lose

[Interoperable]

The way to do it is to target the machines that are sending the spam. So far, much of the effort has been to take down the control networks for the bots. I think that internationally ISPs should agree to charge people trivial amounts for each e-mail sent. People who own infected computers would take notice pretty quickly and take steps to clean up their machines. Legitimate advertisers would have to organize arrangements with the ISPs, but I wouldn't be too sad if that got cut down on as well. Ideally, the revenue would be donated to charity.

Re:If One Person Clicks, We All Lose

[Krahar]

Exactly, and that's the problem - terrorism shouldn't shut anything down for three days, yet it does because American leadership made that choice. The terrorists had only the power to destroy property and kill many people. Everything else Americans did on their own.

Doing something extra for airplane security in the time immediately following a multi-plane incident makes sense. It should have been business as usual the day after.

It's very understandable that American leadership chose and continue to choose to overreact. If they overreact and there are no further incidents, no one will blame them for taking action in response to such terrible events. If they behave reasonably and there is another terrorist murder, people will blame them for not overreacting. The problem is that people don't want to face that crime happens whether we like it or not, and that applies as well to the most heinous of crimes imaginable.

Think of the response there would be if 4000 people died in the whole US over 10 years. Police would look into those murders, and there would be an effort to prevent them. Civil liberties would not be curtailed and industries would not be bankrupted. That is the appropriate level of response. Terrorism is just another crime and it needs to be treated as such. Especially because terrorism is perpetrated exactly in order to cause terror in people who were not victims of the crime, and having that be successful is in large part dependent on an inappropriate response from the authorities, media and populace. The 9/11 bombers CONTINUE to this day to be successful in having Americans terrorize themselves and influencing American politics, so many years after their deaths.

Re:If One Person Clicks, We All Lose

[Krahar]

What he said.

Re:If One Person Clicks, We All Lose

[Tom]

The person sending the spam isn't necessary the same person selling the goods;

No, and I didn't say that. But the person selling the goods is hiring a spammer. Cut their profits through spamming and they'll stop doing that.

Re:If One Person Clicks, We All Lose

[Tom]

If someone stops me on the street and tries to sell a product or get me to give to charity thats not truly spam, even though it is frustrating and at times unwanted.

Multiply that by 1000 or so and you see why spam is a problem.

What about businesses that buy qualified sales leads?

If that "lead" hasn't opted in to receive sales pitches, then for all I care they can die. Just because you made a business out of something doesn't mean you have an eternal subscription to stay in business. We don't have a moral problem about all the torturers and inquisitors that are out of a job because we don't do that kind of stuff anymore, do we?

What about when my Bank sends me promotional material for services they offer that they think might appropriate for me based on my current accounts? These are all advertisements that I didn't ask for, but not truly spam.

In my country, they can only do that if you said they could. It's usually a smallprint somewhere on the form you sign when you open your account, and most people don't bother, but you can X it out.

Re:If One Person Clicks, We All Lose

[Tom]

What if it's not an advert? Most of the spam I get is just a random collection of words trying to damage bayesian filters, much like a typical Slashdot post.

Then it's harrassment. You can classify spam as a subtype of that if you're into nice tree-structures. I personally care a lot more about getting rid of the crap.

Re:If One Person Clicks, We All Lose

[fyngyrz]

Public awareness is the key weak link in the chain in my opinion. And as a new net savvy generation arises, that will come naturally.

Not until we actually edit our genome so that the left half of the IQ Gaussian isn't dimmer than a first generation LED lightbulb, it won't.

You cannot seriously believe that this nation, of whom the vast majority believe in the reality of Zeus, or is it Odin, I forget, anyway, someone like that, will be able to discriminate between the lies of marketing and the lies of scammers.

Re:If One Person Clicks, We All Lose

[dkf]

I won't factor the AC into this calculation because it cools many other things too, but just be aware of it's presence.

As an (inaccurate) rule of thumb, figure on having about 1W of power spent on AC for every watt of power used to heat the place up. That is, double your power to get the estimated total consumption. OK, it's wildly inaccurate as guesses go (details of datacenter layout and exterior climate really matter) but the order of magnitude will be around right. Pumping heat, especially when the temperature gradient isn't very good, it's just not a highly efficient thing to be doing. That's thermodynamics for you...

Re:If One Person Clicks, We All Lose

[martin-boundary]

Unless it's their competitors who are hiring the spammer for them. Cut their profits, and there's one less player in the market...

Re:If One Person Clicks, We All Lose

[sopssa]

Just for note, I don't think every 1 piece of pirated material is a lost sale. But I do think that a lot of people are pirating just because they can. No, you will never get everyone of them a paying customer. But as long as the casual people (maybe 90% who would buy the product if they couldn't pirate it) it's a lot better. Those who pirate just to have it, who don't buy anything or who don't have money for it, those you cannot convert.

Re:If One Person Clicks, We All Lose

[alfredos]

there will always be fools who can't be educated.

Agreed. What should worry us is, how many fools are there? This is the same as asking, what is the potential market for the spammers? If it's small enough, the spammers - at least those who profit from foolishness- will go the same way as the scam artists: They still exist, but there are so few people that falls into a classic scam scheme these days that they are very few and have become something between criminals and a touristic attraction.

Re:If One Person Clicks, We All Lose

[MartinSchou]

Actually makes me curious. What is the cost of the average email? I don't mean storage etc., just the cost to transmit it, and here just ignore sunk costs for equipment.

Or put it another way - how many emails can you send per Wh? Back in 2003, Berkley said it was about 59 kB.

I think it's fairly safe to say that most email is sent locally. I.e. there is a lot more email being sent a dozens of km than thousands of km. For the sake of argument, let's say they are sent 75 km on average.

So ... what is the energy cost in sending a 59 kB message 75 km? It's bound to be very low. Probably on the scale of 1 joule or something like that, which is 0.000'277... watt hours.

Once we have that number, we can multiply it with the daily number of spam messages. In 2007 that was 100 billion.

So, if my estimate of 1 joule/message is correct, then we're looking at 27.77... MWh daily. Since this is mostly born by companies who get bulk discount, we can probably figure along the lines of 0.10 Euro/kWh, so we're not even looking at huge costs in energy at 2,777.78 Euro a day.

To be honest, I was expecting a MUCH higher cost. Unless the energy needed is off by three+ orders of magnitude, it's not that bad. I suspect people drop more money than that daily all across the world.

Re:If One Person Clicks, We All Lose

[GameboyRMH]

Fair enough. But I think your 90% estimate is way, way off. I'd guess the people who would buy if they couldn't pirate would be well under 10% even for the "pop culture" stuff. For every rich North American kid pirating a CD who would just get it at the mall otherwise, there are 9 kids who can't afford it or just wouldn't bother, and about 10 kids in third-world countries who probably couldn't get their hands on the CD if they wanted to...and if you look at the community makeup on torrent sites and the peer locations on torrents, the numbers seem to back this up.

What about...

[Pojut]

...the amount of spam that actually makes it to an inbox, instead of being dumped into a junk folder or blocked outright?

Re:What about...

[Jaysyn]

It still has to travel thru email servers & routers costing money via electrical & bandwidth costs.

Re:What about...

[Shakrai]

It still has to travel thru email servers & routers costing money via electrical & bandwidth costs.

Aren't people around here rather fond of making the claim that bandwidth doesn't cost money, at least whenever we see a story pop up about some ISP wanting to impose caps or metered billing?

The bandwidth and electrial costs of spam are negligible. You would have made a better argument by pointing out the lost productivity when humans need to divert time away from useful tasks to clean out their inbox.

Re:What about...

That amount has steadily gone down over the last several years to the point that between my comcast account, gmail account, live mail account, and work exchange account I only see (in the inbox) about 2 spam notes per month. The others are captured by one filter or another (ISP, SMTP one at work in front of Exchange, Outlook 2007 itself). As an end user, SPAM is not a problem anymore at all. (I know it is still a real problem for system administrators, network folks, etc. - but from the point of view of me: the idiot behind the keyboard - it isn't an issue).

Re:What about...

[Pojut]

I was referring more to how much spam blocking technology has increased compared to the increase in spam volume...

Re:What about...

[nxtw]

...the amount of spam that actually makes it to an inbox, instead of being dumped into a junk folder or blocked outright?

I don't see much spam in my inbox, but I occasionally get lots of backscatter in my inbox - maybe 10 messages a day for a week, and then nothing for a few months.

Re:What about...

[LingNoi]

I don't think anyone claims that bandwidth doesn't cost money.

My guess is you're referring to articles where telecom giants try to get a company like Google to pay for transferring their content. In those instances people here argue that Google has already paid and the consumer has paid their ISP too so why should the ISP company get extra money for nothing.

Re:What about...

[KiloByte]

Network bandwidth taken by emails is indeed nearly free -- a typical piece of spam is just around 5KB (median). Yet, with more and more complex processing needed to run spam filters, you need quite a bit of CPU to weed them out. Looking at my logs, SpamAssassin runs are around 8 seconds each. Part of that time is spent for DNS queries, but there's a number of CPU-intensive tests as well.

And servers are certainly not free.

Re:What about...

[archmcd]

This sort of spam-blocking activity clogs up the tubes, causing other materials to back up, or have to find another less efficient series of tubes to traverse. Someone still has to erase all those internets to keep the tubes clear.

Re:What about...

spamd with tarpitting: reduce any bandwidth/power costs to next to nothing.

Re:What about...

"- but from the point of view of me: the idiot behind the keyboard - it isn't an issue)."

Not yet, per-se. But - it can be a serious issue over time. (Here comes another car analogy! Duck and cover!) It's like the idiots who don't know how to merge on a highway. One or two don't present a major issue. Flow continues in the other lanes with relatively no problem. Think of the merge and right lanes as the servers where the spam is forced through. They have a hiccup in the flow. Minor. The end users in the left-most, or HOV lane(s) don't notice, couldn't possibly care any less, and continue on their merry way. No harm, no foul.

Fast forward a decade. That very same exit with one or two idiots who don't know how to merge had a town explode with growth into a city. Now you have 30-50 of idiots that don't know how to merge. People in the right lane are jumping into the middle lane to avoid a serious traffic incident. People in the middle lane jump into the left lane to pass up the slow-moving person who's just come over from the right lane, and the people in the left lane have to slow down because they were just cut off by the person in the middle lane that was forced to jump over. Chain reaction which causes a traffic slowdown to ripple backward during rush hour until ultimately people seem to be stopping for no reason at all.

But there is a reason. The reason is the sheer volume of idiots that don't know how to merge onto a highway. A tiny problem that's of no consequence to the end user (HOV/left lane driver) at a given time has suddenly caused 1+ hour traffic jams for hundreds, or even thousands of drivers despite the low number of those who can't merge.

Same crap with spam. One or two get through, no big deal. You can handle that. Anybody with half a brain can handle that. A couple hundred in the filtered "spam" box. Still no big deal, you hit "empty spam" and it's gone. But what of that server all of that spam is stored on? Yeah - SysAdmins can implement "Auto-delete" rules and what-not, but eventually, that spam will still start to fill up valuable drive space that could be used to expand the size of your inbox for legitimate e-mails. Your storage space is being limited as a result of these useless "V!@gra" ads. Doesn't seem that bad, because hard drive space is becoming cheaper and cheaper over time. No big deal, until you realize spam uses 30% of all bandwidth dedicated to e-mail. In a large corporate environment, this could add up to a hell of a lot of bandwidth disappearing to the dark pit of scum that is spam.

On top of the immediately visible direct issues, spam causes a whole host of other issues, including... you guessed it... that controversial "global climate change" topic. A study performed by McAfee about a year ago showed that the sheer volume of spam uses enough electricity to power 2.4 million average US homes. The researchers calculated the average CO2 emissions for a single spam message to 0.3 grams, or the same as driving one meter in an average car. Now add that up to all of the spam messages being pushed around the 'net. The carbon footprint of my little traffic jam analogy above suddenly is dwarfed by the carbon emissions caused by spam. The number of spam e-mails sent in 2008 equalled 62 TRILLION. To put that into perspective with the carbon footprint, I'll quote Richi Jennings from the study:

"Globally, the annual spam energy use is 33 billion kilowatt-hours, or 33 TWh - that's as much electricity as 2.4 million U.S. homes use, with the same greenhouse gas emissions as 3.1 million passenger cars using 2 billion U.S. gallons of gasoline."

Methinks the numbers speak for themselves as to why we should hunt down and eliminate spammers like the scum they are. :)

Re:What about...

[MikeFM]

Somewhat funny.. the biggest cost to our company is that we exceed our DNS query limit frequently on one of our domains (I dunno why it gets picked.) and it's always people hitting it from China or someplace unlikely like that. Our web servers don't get that many visitors from China so I have to suspect it's spam. I need to fight with Ultra DNS over just blocking those hits instead of charging me for them. We should all just cut China off the net IMO until they fix their issues.

Re:What about...

[Shakrai]

Your host charges you for DNS hits? That's absurd.

Re:What about...

[Elshar]

If this is a chronic problem, you're better off just getting some cheap host and quickly setting up bind or tinydns to serve the requests. Heck, I ran a DNS server that served about 100 domains off of a P2 350 with 128MB of ram for over 10 years. It's really not CPU intensive. And there's plenty of docs out there for typical setups that you could probably set up your own DNS server in the time it takes you to deal with just one of these provider-caused outages.

Let's face it, blocking off large swathes of the 'net isn't going to help. I've noticed over the past 10 years that there's always some new haven for criminal activity, and I highly doubt that's going to change in the next 10.

Re:What about...

[lazyforker]

It still has to travel thru email servers & routers costing money via electrical & bandwidth costs.

Aren't people around here rather fond of making the claim that bandwidth doesn't cost money, at least whenever we see a story pop up about some ISP wanting to impose caps or metered billing?

The bandwidth and electrial costs of spam are negligible. You would have made a better argument by pointing out the lost productivity when humans need to divert time away from useful tasks to clean out their inbox.

The complaint is that people around here are paying for a certain amount of bandwidth and are not being allowed to use it as they wish. If the ISP sold bandwidth with a cap or max throughput or metered billing or whatever then fine; but they don't. They oversell and underdeliver; and then blame the customer for their own inadequate infrastructure.

In any case I don't pay for bandwidth and mail servers so that I can process spam, I expect to run my business with them.

Re:What about...

The host may not be charging, but the time for reverse-DNS lookups for spam resolution has a cost. It's not *if* there is a cost, but how much, and who pays it. In the end, spam raises the costs for the people who pay for their ISP service.

Re:What about...

[flyingfsck]

"8 seconds"??? My single CPU server can toss tens of thousands of spams per hour - a few million per day has been observed. Because my domain is very old, it features in every spam list this side of Betelgeuse. My incoming mail is almost exclusively spam. Out of the million or so incoming, only about 5 emails are legit. So, no, it cannot take 8 seconds to process a spam message.

Re:What about...

[Inda]

Strange because my gmail account currently has 830 in the spam folder, down from 3,000.

Re:What about...

Setup some SPF records as DNS TXT records and watch them pick some other domain to be victim.

spam will be with us forever

[circletimessquare]

constantly fighting it is just one of those maintenance functions of civilization

you don't declare a war on spam, win it, and then spam is forever gone. thats not the nature of the problem. its forever reborn as some "brilliant idea" in the mind of some asshole out there who has no problem abusing the commons for selfish gain. it requires constant eradication. additionally, you can't completely automate the process of spam destruction. spam is created by creative human beings. human beings always find away around any locked door. and therefore it will require the constant effort of creative human beings dedicated to police work to forever fight these other creative beings who have no decency. that's just the way it is. its stasis: good guys versus bad guys, forever

the same applies to hard core drug addicts, pedophilia, terrorism, etc: you don't declare war on terrorism, pedophilia, or hard core drugs, win it, and then those phenomena are gone forever. thats not the nature of those problems. they will always be low grade problems that always reassert themselves. unless you stop fighting them: in which case they metastasize into worse problems

as long as civilization exists, certain classes of utterly intolerable problems (problems that you cannot in any way reclassify as tolerable problems) will continually reassert themselves in every generation, and, for the sake of the health of society, require constant hard effort to simply keep them as low grade issues that don't expand into worse problems

Re:spam will be with us forever

[Shakrai]

you don't declare a war on spam, win it, and then spam is forever gone

Why not? It worked on drugs, terrorism, obesity and poverty.

Re:spam will be with us forever

[Pojut]

the same applies to hard core drug addicts

I agree with everything you said, except this. Please note that addicts are not the problem; violent dealers and a black market are the problem. Eradicate the black market and the dealers by legalizing and regulating it, and you will find much of the violence and crime associated with the substances will go away.

Last time I checked, there weren't roving gangs fighting over turf so they could sell Heineken on the back streets of inner cities...they just open a beer store.

Re:spam will be with us forever

[plover]

you don't declare a war on spam, win it, and then spam is forever gone

Why not? It worked on drugs, terrorism, obesity and poverty.

What are you, some kind of fat, poor, scary junkie?

Hey, wait a minute. I know some people like that.

Re:spam will be with us forever

[voodoo+cheesecake]

What you are basically describing is criminal behaviour. To make it "low grade" you must understand what it truly is - gaining power through lies and/ or intimidation. Then you confront it. The greatest weapon of the fascist is the tolerance of the pacifist.

Re:spam will be with us forever

[DoctorFuji]

Your answer makes me think a good analogy is junk mail. I don't request any junk mail, but it shows up in my snail mail box regularly. Junk mailers have the same modus operandi... send it out in volumes and bank that a tiny percentage will respond. I don't think that junk mail or unsolicited ad mailers will ever go away.. its part of the "system".

Re:spam will be with us forever

[Spy+der+Mann]

I said it before and I'll say it again: It's all Microsoft's fault. Thanks to the Microsoft swisscheese security model, millions of computers are turned to zombies which in turn send the spam.

Microsoft could very well give free upgrades with improved security models for old boxes - but OH NO, PIRACY! GASP! We must not give the benefit of a secure operating system to those damned overseas pirates!

Thanks to the "genuine advantage" scam, XP users are skipping Microsoft upgrades rather than having to deal with Big Brother taking control of their computers.

Meanwhile, botnets are roaming around the world, running in infected XP machines while their users are oblivious to the fact. How to solve that? Users think that by purchasing antiviruses the problem will be fixed. It's as if botnets and antiviruses formed a very well-thought ecosystem, with the antiviruses relying on the viruses' threat to survive.

Fix the security of the machines, and both will disappear: Botnets will become more and more scarse, and antiviruses will become redundant and disappear for lack of use. Sadly, that doesn't go well with Microsoft struggling to sell us more and more versions of Windows. If Microsoft comes with its own antivirus, antivirus companies will sue.

Spam will not be over until it becomes unprofitable for Microsoft and the antivirus companies to have all those zombies running in the wild. That will only happen if spam quantity becomes exceedingly high. But that won't happen because of the bandwidth costs. The outcome is that spam will increase slowly, as bandwidth costs become lower, and that people will still find it tolerable, as long as they pay for an OS with a slightly improved security and the mandatory antivirus.

For now, all we can do is educate people on spam, botnets, and contribute with our grain of sand by switching to a more secure OS.

Re:spam will be with us forever

[kangsterizer]

actually you "can". you ditch current email and use an account/certificate based messaging system, where you have to allow peers to contact you (like IM). Then you only receive the spam you've allowed send to send to you.

Worse case, you get spammed by requests, easy to ignore when it's a single case, and will be tracked down and shutdown when its a mass attack, because it will disrupt the system like a DoS would, unlike current spam where you dont *have* to stop it

Now, the quotes on "can" are there because no company is willing to ditch email as it is.

Re:spam will be with us forever

[sjames]

True, the same way we can never completely abolish burglary. However, we CAN cut it down to the point where spam is not the majority of email much like we make sure that burglary isn't the majority of visits to a home.

1 : 10.000

[thijsh]

In this regard Google is awesome... I get 1 spam message per month in my mailbox tops, but my spam box (which keeps the spam for 30 days) has over 10.000 spam messages in it. So only one in every 10.000 spam messages slips trough at maximum.

Anecdotal evidence

[Nighttime]

Going by the rolling 30 day spam folder on my Gmail account, I've currently got 167 spam emails in there. Last year, it was regularly rolling along at 800+.

Re:Anecdotal evidence

[el_tedward]

Can I ask how often you give out your address/how long you've had your account? I had my account for 3 or 4 years and usually don't get more than 30 spam messages accumulated in my spam box.

Re:Anecdotal evidence

[IANAAC]

I had my account for 3 or 4 years and usually don't get more than 30 spam messages accumulated in my spam box.

I've had my account for at least 3 years I'm currently at 679. I've maybe given the address out to less than ten family members.

But my email address contains my name, which is quite common. When I ran servers, I would see guess attempts at email addresses every day (every 10 minutes, really) in the logs, so I would imagine the more common your name/email address, the more spam you're going see.

Re:Anecdotal evidence

[Nighttime]

I've had my Gmail account since 2003. Used it a few times when posting to Usenet via Google Groups. I've also used it to subscribe to a couple of mailing lists, which don't mask email addresses for their public archives.

collateral damage

[Lord+Ender]

I've felt the pain of this battle myself. I moved to a new host, and Google rejected every message sent by my mail server as being spam. They redirected me to their "bulk email policy," which is absurd. My server has never sent anything even remotely similar to bulk email. I spent days jumping through Google's hoops (by enabling SPF, etc.) and their mail server started ACCEPTING mail from my server at least, but it still routes it all to the Spams folder in GMail.

The worst part is that Google doesn't even list a phone number I could contact to get their fuckup fixed.

The big mail operators, like Google, have the power to sabotage any small business or start-up, and we have no recourse. I can't wait to see the first lawsuits against Google or Microsoft for libel following false spam accusations like this causing real monetary damages to businesses.

Re:collateral damage

Or you can just stop sending spam. Nobody wants your mail, really, we don't.

Re:collateral damage

[clone53421]

Sounds like you switched to a less-than-reputable host...

Re:collateral damage

[el_tedward]

Doesn't have to be a non-reputable host necessarily, could just be a host that happens to have a lot of botnet members.

Re:collateral damage

[clone53421]

If they were up to snuff they’d do something about that.

Re:collateral damage

[Lord+Ender]

I am not sharing my IP address with anyone else. Google is inarguably falsely implicating my mail server as being a spam source.

I can't afford a lawyer yet, but it is only a matter of time until someone a little bigger runs into this problem.

Re:collateral damage

[clone53421]

Contact your host, or switch. It isn’t Google’s fault if you signed up for a host which got its entire IP range blacklisted by allowing its customers to send spam and ignoring the subsequent spam complaints. I’m not saying that’s definitely what happened, but there’s a good likelihood it’s exactly what happened.

It’s unreasonable to expect Google to start white-listing customers from a sleazy host on an individual basis. Screening customers is the host’s job and they failed; now they got blacklisted and all their customers suffer. Yell at the hosting company, not Google. If enough of their customers leave because they aren’t cracking down on the spammers, they’ll suddenly realise that not doing anything about the spam is hurting them economically just as much as terminating a few spamming customers would. And if they don’t realise this, or if it wouldn’t... that isn’t the sort of host you want to be associated with.

Re:collateral damage

[CorporateSuit]

A similar thing happened to my company, except it was malicious. One of our competitors is apparently very buddy-buddy with Spamhaus. Spamhaus just up and blocked our email server one day (which, up to that point, had a perfect "No-Spam" score). Every time we changed to a different host, just so we could have our website up and communicate with our clients, it was blocked within hours. Our website was erased along with any data that hadn't been backed up from that host, and to top it off: They reported that we were committing credit card fraud, associating with spammers, employing illegal business practices, and we were obviously guilty; as we were 'switching servers to hide our tracks! Only the guilty would do such a thing!' -- Basically committing gross libel against us. We're in the US, though, and they operate out of the UK, so it's not like suing them would be effective.

Eventually they lost their interest in us (took a few weeks) and business has gone back to normal (outside of the loss of webcode that our webadmin had not backed up :\), but I have forever lost my enormous confidence in vigilante groups, and that's something I fear I may never reclaim :(

Re:collateral damage

It may not be the host's fault either. There's a long history of RBLs that have little or no concern for the accuracy of their lists and are actually proud of causing collateral damage. I have seen hosting providers just give up on terminating spammers after they have one spammer sign up, get on every list there is in under a day, terminate said spammer that very day and get stuck in the penalty box for a year or more. Then they lose their legitimate customers and turn to pink contracts to stay afloat.

I don't mean that RBLs shouldn't exist, just that "Real tiime" should apply to getting off of the list as well as to being put on it.

Re:collateral damage

[el_tedward]

naw aw! They're only supposed to be tubes and nothing else.

Re:collateral damage

You moved to a new host. Chances are, your new host had someone somewhere within their network send out spam to Google, so google blacklisted them.

This isn't google's fuckup, its your server providers. If someone actually tried to sue Google for not allowing SPAM into their own network, well... I'd be laughing as they threw it out. Its not like you can sue Google for what it decides to allow onto their network! If you could, almost every company on the planet would be being sued by the spammers... TBYP.

Re:collateral damage

Two years ago, I switched ISPs. My new IP address came from a range that used to belong to an entirely different provider from an entirely different city that went out of business some years ago.

Regardless, my IP address is listed on Project Honeypot even today, more than a year after white listing it. Needless to say that the whitelist process is not automatic and I had to manually go to their website and white list myself. I'm sure there is some lazy asshat somewhere that just blocks every IP they ever listed, including my own.

I don't really have much choice in ISPs either. It's either my old ISP (they suck balls) or paying for landline I wouldn't use in order to get an inferior ADSL connection for a total of more than twice what I pay for, currently.

Moral of the story? Blacklisting doesn't work. Spammers operate their own ISPs and then dump the entire operation when it falls apart, only to start again under different names and brand.

Re:collateral damage

[Lord+Ender]

> If someone actually tried to sue Google for not allowing SPAM into their own network, well...

Well, that's not what we are talking about here. Google is not blocking spam. Google is falsely marking all legitimate mail from a small business as spam. Google is providing no means for the small business to even talk to someone about Google's fuck-up. Google is destroying a business.

If Google were blocking unsolicited mail, there would be no legal question about it. Bug Google is blocking legitimate, solicited mail. Sounds like grounds for a lawsuit.

If you click on SPAM

"If you click on SPAM you will be summarily shot, at dawn, in front of your family."

Problem solved.

Correction

The problem with your vigilance is that it's often objective to draw the line where spamming stops and legitimate business e-mails start.

Should read: "The problem with your vigilance is that it's often subjective to draw the line where spamming stops and legitimate business e-mails start."

It's all about the Benjamins...

[damn_registrars]

As long as spammers can continue to make money through spam, they will continue to send out more spam. You can filter all you want, you won't do shit to reduce the volume until you address the motivation behind the spam itself.

Re:It's all about the Benjamins...

[tlhIngan]

As long as spammers can continue to make money through spam, they will continue to send out more spam. You can filter all you want, you won't do shit to reduce the volume until you address the motivation behind the spam itself.

Worse yet, the business model ensures this is the case.

Business needs marketing, so they pay $100 for a million spams. Spammer takes $100, sends out million spams. Spammer gets $100 from next business and so on ad naseum.

It doesn't matter if the guy paying the spammer gets $100 worth of marketing, or if 999,999 of those emails he sent out were blocked at the firewall. Spammer got his $100, so he's happy. It's the business's problem that they paid $100 for such a "marketing" campaign that didn't generate much, if anything.

So spam volumes rise, but I doubt the number hitting mailboxes is - they just got paid for sending the email out, and businesses that pay for the service just assume it had a bad ROI. But the people being spammed aren't the spammer's customers, it's the business purchasing the service.

Anti-Spam Networks

[Doc+Ruby]

I don't know why the superior resources of spam recipients aren't harnessed to overwhelm spammers and their spam.

Whenever a message is identified as spam, either by a server or by a recipient, that message should be registered in a database network shared among servers and recipients. Then all those servers and recipients in the network should automatically identify that message as spam.

The automarking should also mark messages very similar as spam. And the "votes" from immediate identifiers should count towards some metric that each server and recipient compares to some "confidence" in the network's accuracy. And whenever a message marked as spam is marked as "not spam", that vote should count.

Combine that system with default whitelisting, so only messages from known trusted senders are immediately shown, while unknown senders automatically put in a separate inbox and automarked spam in a separate spam box for review (and setting them as spam / not spam updating the message and sender's spam status).

With the 99.999999% of email users who are not spammers using that straightforward system, spammers would be overwhelmed. Their cost of spamming would exceed their revenue, since so little spam would get through - to only people who mostly aren't together enough to buy whatever the spam is advertising. Successful spammers would have to invest a large amount of money in a relatively large organization to get back small profits. Which would make them much more easily catchable by the FBI and other cops.

Re:Anti-Spam Networks

[Bluebottel]

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(X) Blacklists suck
(X) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem ( ) Temporary/one-time email addresses are cumbersome ( ) I don't want the government reading my email (X) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:Anti-Spam Networks

[damn_registrars]

you missed a couple:

(X) It will stop spam for two weeks and then we'll be stuck with it

(X) Requires immediate total cooperation from everybody at once

(X) Eternal arms race involved in all filtering approaches

(X) Bandwidth costs that are unaffected by client filtering

(X) Jurisdictional problems

(X) Why should we have to trust you and your servers?

Bill Gates?

I thought Bill Gates was supposed to eliminate spam?

pointless spam

What's the point of a spam message like this:
"-_ Viagra @ 34.0 #7k,9,."

Even if I wanted some viagra, this wouldn't help, maybe links were striped somewhere..

Re:pointless spam

The internet became sentient somewhere in the early nineties and has been trying to learn English since then. Given the quality of content generated by the netizens, though, it has only learned to babble gibberish so far. That's why.

i am for the legalization of marijuana

[circletimessquare]

also hallucinogens like lsd, psilocybin, etc

basically, these drugs should be legal:

1. highly addictive but noninebriating (nicotine, etc)
2. nonaddictive but highly inebriating (lsd, etc)
3. mildly to moderately addictive and mildly to moderately inebriating (alcohol, marijuana etc)

these drugs should never be legal:

4. highly addictive AND highly inebriating

why? because drugs like this (heroin, cocaine, methamphetamine, etc) means your normal thoughts are replaced by a zombielike monomania that puts you in a stupor in which you cannot hold a job and/ or maintain a relationship

then you become a ward of the state, and society has to take care of you. this is the point at which society has every right to stop you from using a drug: unlike all statements to the contrary, drug use is obviously NOT a personal choice that effects no one else: society have to take care of the homeless and foodless drug addicts. this gives us the additional right to (attempt) to control the distribution of substances that zombify, to not completely end the distribution, but at least keep it low grade

why? simply because exposure to some substances, like heroin/ meth/ coke, simply means you create more zombies. that is, unbridled distribution leads to more demand: use metastasizes. yes, some will alwyas bet the drugs they want, but apart from these hardcore types hellbent on personal destruction, there's a whole class of potential/ existing users who would not exist if they simply were never exposed to these drugs

yes: the drug war has plenty of negatives, like the creation of violence, mafia, untrustworthy supply, avoidant behavior by addicts, etc. and for a lot of drugs, these prohibition type effects argue for legalization. however, some few drugs are so viral (in that low grade social exposure can lead to addiction and zombiehood) that, even with all of the negative prohibition effects you and i understand, the spread of those highly addictive/ highly inebriating drugs is STILL worse in terms of destroyed lives than prohibition

Re:i am for the legalization of marijuana

[Pojut]

Drugs like Meth, Coke, etc shouldn't be legal for the very reasons you outline...but the users of those substances shouldn't be treated like criminals either.

Rehabilitate the users, imprison the dealers.

That being said, I think "designer drugs" aren't too far off in our future (2-3 decades at the most). Think about it...pharmaceutical companies already develop a huge number of different substances...so why not synthesized drugs made for a specific experience?

I certainly wouldn't take them, but I know plenty of people who would.

Re:i am for the legalization of marijuana

[icebraining]

Rehabilitate the users, imprison the dealers.

For facts showing that it works: http://www.time.com/time/health/article/0,8599,1893946,00.html
One of the few things we can be proud of :)

That being said, I think "designer drugs" aren't too far off in our future (2-3 decades at the most). Think about it...pharmaceutical companies already develop a huge number of different substances...so why not synthesized drugs made for a specific experience?

Well, if they enable us to travel in time, I'd take it!

Re:i am for the legalization of marijuana

[sjames]

Interestingly, we have historical proof that heroine addiction doesn't create the state you propose when it's legal. WWI made many otherwise normal people into heroine addicts (back when we thought it was less addictive than morphine). Many of those unwilling addicts lead productive lives after the war.

I certainly don't advocate heroine addiction, but evidence suggests that junkies are what they are through being dysfunctional to begin with and then unable to support their habit legally due to the war on drugs.

The same may be true of cocaine. It was certainly a drug of choice amongst yuppies in the '80s and Wall Street certainly hasn't turned into Skid Row. I don't advise cocaine addiction either, but again, it's quite probable that our current war on (some) drugs is a large part of the problem, and it has certainly not proven to be a solution of any sort.

I do wonder about meth. It seems to have a unique ability to induce it's users to abuse it until they become psychotic. Of course, thet could just be the hype. Since I don't advise addiction to that either, I'm not going to experiment to find out.

Certainly we should do something to curb the effects of all of those, but fulfilling the paramilitary fantasies of violent thugs in cop's clothing isn't it.

its a constant war, here's some ammunition for you

[circletimessquare]

http://www.41pounds.org/

this site is a way to globally tell junk mailers to fuck off

onwards goes the eternal arms race

next time

[circletimessquare]

read the rest of my fucking comment past the first sentence, then respond. because i already address what you write

Re:next time

[Shakrai]

Whoosh!

There's actually a proven solution ...

[slb]

... designed by Blue Security, but shutdown by the spammers themselves. If only Google would put his strengh on such a venture, spam would die.

Re:There's actually a proven solution ...

[dkleinsc]

Wouldn't that be a proven non-solution, since it was shutdown by the spammers?

Re:There's actually a proven solution ...

[slb]

Their weakness was in their business model (paid subscription by companies). Google would not have to fear this.

How can this be?

Mr. Gates predicted that spam would stop being a problem by 2006. What gives? Anyway, I use my own mail server and my own little domain (which I am getting for free from some DNS provider) and the amount of spam I am getting is exactly nothing. Spammers will go after the gmail.com, hotmail.com, yahoo.com email addresses world over, but of course just ignore my teeny weeny personal domain. Spam-free life is good.

The only way it's going away ...

[LoudMusic]

The only way you'll ever see email spam or any other highly irritating marketing ploy go away is if it stops be profitable. And email spam is pretty damn cheap for the people pumping it out.

Spam hit a legibility critical mass

[GodfatherofSoul]

All of the obvious spam messages that seem to have a practical chance of garnering hits is getting detected now. The only way to get through is to use some obfuscated content that a reader is much more likely to either detect as spam or so obscure that the email doesn't interest the reader. I can't imagine the spam business is very good anymore.

agreed 100%

[circletimessquare]

recognizing that the drug war will be on forever does not mean we have to accept tactics that don't work

its supply and demand

demand should be rehabilitated, like a health or psychological problem, not criminalized

and supply should be hit hard, criminalized harshly

GDSA

[lazarus]

The following is a variant of greylisting. You can comment on it from your soapbox if you wish but I've been running it for about three years now and it works great. I put it together for my own use and I have no desire to document it, support it, or in any way promote it. I'm posting it here because I'm tiring of hearing people whine about spam. It uses Exim and mysql to get around some of the inherent limitations of greylisting as it was originally defined (specifically the mandatory "delay" in receiving e-mail from a new source and the requirement to roll-up large senders (like google) into an IP range. Everything is automatic and I don't have problems with mail delays.

Let me be clear. I don't care if you like it or not, or use it or not. It's just data if you want it or are interested.

I've thrown the rest of my posting into a journal entry as Slashdot nixed my posting here with "Filter error: Please use fewer 'junk' characters." Seems as though Slashdot is making comments about my coding abilities... This is already more effort than I was hoping for.

Re:GDSA

[kangsterizer]

I have no desire to document it, support it, or in any way promote it.

i hope you realize its what you've just done ^^

nothing wrong with it tho, but understanding what you wrote from the strange config stuff is a bit delicate.

# Our process goes as follows:
                # We attempt to get the full host name of the sending host
                # If we fail to get it, we apply a penalty
                # Then we break down the sending host into either a TLD or an IP address
                # We check to see if the sender is existent
                # If there is no sender we add a penalty
                # We do the DSA test
                # If it fails, we add a penalty
                # Then we check to see if a record for this host/sender/receiver exists
                # If it does not, then we add it with the appropriate penalties
                # We then do a GDSA check as always
                # If the delay requirement passes and the hit requirement passes, then the e-mail gets through
                # Otherwise it is deferred

i'm wondering what is meant by "# We check to see if the sender is existent"
warn set acl_m6 = ${eval:$acl_m6 + ${if def:sender_address {0}{1}}}

and that:

# Do the DSA (TLD, sender domain match) test
                warn set acl_m6 = ${eval:$acl_m6 + ${if eq{$acl_m1}{$acl_m7}{0}{1}}}

it just seems to check if both have a score oO

Re:GDSA

[lazarus]

I suppose it is true that the DSA test is going to fail if the sender doesn't exist. In that case you will have either a sending IP or a hostname and it will never match null. The point of the exercise is that the more suspicious you look, the more I'm going to penalize you (and the harder I'm going to make it for you to get me mail). I was trying to mimic what I would do if I was looking at the connection information myself.

Sending host IP doesn't resolve? Not good. No sender address? Not good. Sending host and sender domains don't match? Not good. Each time I find something wrong with your connection to me I increment acl_m6. Can you still send me mail if you've got a really broken setup? Yep, but it's going to make you work for it.

And if you're a spammer who's flaunting the law (maybe depending on where they are set up) and have set up your own mail server so you can easily get through all the checks? Spamhause will get you and it stops being my problem. :)

Re:GDSA

[kangsterizer]

ok, i think most of these checks are actually in spamassassin btw and it uses a similar scoring system.
still, a "real" greylist on top cut quite a bit of spam, as it checks for something more: "is the remote smtp implementing all standard smtp functionalities"

thanks for the details btw

Still important to the count

[damn_registrars]

...the amount of spam that actually makes it to an inbox, instead of being dumped into a junk folder or blocked outright?

That spam is, at the very least, equally as costly as spam that makes it to the inbox. Sure, it uses less of the users' time, but it still takes CPU time, network bandwidth, and storage (somewhere).

People who rely on their filters (or similar practices) upstream of their inbox to deal with the spam problem often overlook that very important point. That is part of why filters will never be the real solution to the spam problem.

which is of course bullshit

[circletimessquare]

because people are constantly getting emails from people they never got email from before, and they WANT that functionality, for a million reasons, from registering for a site to getting a query from an old classmate to getting a reply from a stranger about a blog post

the whitelisting you describe is obviously not the solution

anti-spam resource allocation

[damn_registrars]

Whenever a message is identified as spam, either by a server or by a recipient, that message should be registered in a database network shared among servers and recipients. Then all those servers and recipients in the network should automatically identify that message as spam.

So it sounds like you are advocating for devoting more resources to fighting spam - specifically more network and CPU resources.

Which leads me to the question of who will pay for this? As it is, companies are already buying dedicated anti-spam hardware, and individuals (and some companies) are paying for anti-spam software as well. But who would want to pay for a distributed collection of servers to spend their CPU time and bandwidth on processing email? And whose email would be processed? Would you process entire mail queues for users (which could be enormous and intrusive) or just the messages that they tag as spam (which would be consuming human time then too)?

It's an interesting idea, but in the end it sounds like you are just trying to push for an escalation in the spam arms-race. Unfortunately you will find that if you do that you are still way behind the spammers and their botnets, and you'll be much more invested (monetarily and time-wise) in it than they are.

If you really want to make a difference in spam, stop filtering and start going after the root of the problem.

Re:anti-spam resource allocation

[Doc+Ruby]

No, the network is just interconnecting the resources used by existing antispam applications. Which already scan entire mail queues - however much work and intrusion that might be.

I'm talking about making the existing resources vastly more efficient by eliminating the redundancy of separate recipients each scanning the same message to determine whether it's spam. And closing the percentage of missed spam by allowing multiple different scanners to spot it their way.

And indeed I also explicitly specified the FBI and other cops should go after the root of the problem: spammers.

So it looks like you didn't understand my post at all. Try reading it again.

Re:anti-spam resource allocation

[damn_registrars]

No, the network is just interconnecting the resources used by existing antispam applications. Which already scan entire mail queues - however much work and intrusion that might be.

Which would generate more network traffic than letting the last mail host scan it in whatever way it is configured to do so. Simultaneously you would be increasing the work load of each system that scans, as it would be scanning more mail than it did before.

I'm talking about making the existing resources vastly more efficient by eliminating the redundancy of separate recipients each scanning the same message to determine whether it's spam. And closing the percentage of missed spam by allowing multiple different scanners to spot it their way.

Those sound like two different aims there. You want to work at "eliminating the redundancy" while also "allowing multiple different scanners to spot it their way". I don't see how you can do both.

And indeed I also explicitly specified the FBI and other cops should go after the root of the problem: spammers.

Sorry, wrong answer. The FBI and other US police forces don't have the jurisdiction to go after the spammers responsible for most spam. And indeed those spammers mostly reside in countries that either don't care about spam, or are actively working to support the spammers for various reasons.

The answer to stopping spam is in the money. Stop spending money trying to fight the spam you've already received. Start putting money and time into preventing money from going to the spammers instead. If they aren't getting paid, they won't send spam.

So it looks like you didn't understand my post at all. Try reading it again.

It appears I understood your post just fine. It also appears you didn't understand the problems with the plan.

Re:anti-spam resource allocation

[Doc+Ruby]

No, you don't understand what I wrote. Or maybe you don't understand what is the load of the actual processing and transmission in the different cases.

Instead of each machine scanning the same message, only a few machines that get it first scan it. They generate a hash and distribute it to the other machines receiving messages. Those machines need only generate a hash of incoming messages, which is not as intensive as scanning it for spam (like bayesian algorithms). The hashes do increase network traffic a little, but not nearly as much as the reduced spam effect decreases traffic. The hash is probably something like 16 or 32 bytes, while the average spam is hundreds or thousands of bytes, in each message. Since unidentified spam usually means multiple messages (exact or similar), the prevented spam traffic is thousands of times bigger than the hash traffic that prevents it.

Besides, the hash traffic is nothing compared to the increasing video streaming traffic we're carrying, and all the other traffic (including legit email). And the whitelisting I described would remove even more traffic and processing. So it's really negligible. Especially since even an increase in traffic that slashed spam traffic by keeping it from clicking readers is a good investment.

As for the FBI and other US police, they do indeed have the jurisdiction. They routinely bust international crime rings with some operations in the US. They routinely operate in foreign countries at the foreign countries' request, often on crimes with no US activity. And when there is a jurisdictional boundary, there is Interpol and many other intercop infrastructures.

So it looks like you did read my post. What you don't understand is how the technology or the police work.

This discussion looks like the common Web spiral where you're not interested in a working system, but in promoting your own. If your next post doesn't legitimately engage the tech and legal issues you're responding to, I won't be continuing in it.

Re:anti-spam resource allocation

[damn_registrars]

Instead of each machine scanning the same message, only a few machines that get it first scan it

Which still requires that message to be distributed to several different servers. How does this not generate additional network traffic?

They generate a hash and distribute it to the other machines receiving messages. Those machines need only generate a hash of incoming messages, which is not as intensive as scanning it for spam (like bayesian algorithms).

So does your hash then match the entire message, or some part of the header instead?

The hashes do increase network traffic a little, but not nearly as much as the reduced spam effect decreases traffic.

So are you then proposing that an upstream server filter the messages before they get to their second-to-final destination (as in, some sort of "post office" intermediate)? Otherwise the email still needs to get to that last server (generally prior to the user's system) to be filtered.

The hash is probably something like 16 or 32 bytes, while the average spam is hundreds or thousands of bytes, in each message.

What part of the email are you planning to use to identify it? And how long do you expect it will take for spammers to find a way around it?

Since unidentified spam usually means multiple messages (exact or similar), the prevented spam traffic is thousands of times bigger than the hash traffic that prevents it.

Again that only works if you trust an upstream mail relay to filter your email.

Besides, the hash traffic is nothing compared to the increasing video streaming traffic we're carrying, and all the other traffic (including legit email). And the whitelisting I described would remove even more traffic and processing.

So who upstream do you trust with that responsibility, why should others trust them, and how much will you be paying them for their services?

So it's really negligible

Not the way you described it, it isn't.

As for the FBI and other US police, they do indeed have the jurisdiction

I don't know where you got that information from. Police and law enforcement officials do not have jurisdiction outside of their home country unless it is specifically granted to them.

If you know of other countries who have ever specifically granted US law enforcement jurisdiction in their countries for the purpose of fighting spam, please share that information.

They routinely bust international crime rings with some operations in the US. They routinely operate in foreign countries at the foreign countries' request, often on crimes with no US activity

They do that in cooperation with law enforcement in those other countries. There are international laws against doing such things without.

And when there is a jurisdictional boundary, there is Interpol and many other intercop infrastructures.

Interpol has almost no interest in fighting spam, they have slightly larger issues to deal with presently.

So it looks like you did read my post

That is what I told you already...

What you don't understand is how the technology or the police work.

No, I understand it fine. You don't seem to be aware of the problems with either in light of your proposal.

you're not interested in a working system

Your "working system" is nothing more than an expansion on existing technologies. It isn't really new, its just bigger - to say nothing of the privacy implications.

but in promoting your own

I have said for a long time that filtering will never stop spam. I invite you to read through my old posts and journal articles to see how long I've been saying this.

Re:anti-spam resource allocation

[Doc+Ruby]

ME: Instead of each machine scanning the same message, only a few machines that get it first scan it

YOU: Which still requires that message to be distributed to several different servers. How does this not generate additional network traffic?

But I said just two sentences later

The hashes do increase network traffic a little, but not nearly as much as the reduced spam effect decreases traffic.

Your last response is full of disagreements that I already "prebutted", but which you ignored in a decontextualized response, and only tangentially (or not at all) engaged in a later segment. You close asking me to read your posting history, but you're not even responding to this one with integrity. I could rebut (again) your disagreement by just quoting my previous posts again. But that's not a response to a legitimate argument. Except to say

This discussion looks like the common Web spiral where you're not interested in a working system, but in promoting your own. If your next post doesn't legitimately engage the tech and legal issues you're responding to, I won't be continuing in it.

Goodbye.

Re:anti-spam resource allocation

[damn_registrars]

ME: Instead of each machine scanning the same message, only a few machines that get it first scan it

YOU: Which still requires that message to be distributed to several different servers. How does this not generate additional network traffic?

But I said just two sentences later The hashes do increase network traffic a little, but not nearly as much as the reduced spam effect decreases traffic.

But you're asking for multiple systems to examine the same message though. Previously each message was examined by only one system. I understand that you want to implement a hash-based solution to remember what messages are declared spam - after the messages are analyzed.

However, you still need the messages to get through to your "analysis" servers (each message to multiple servers) before it becomes an entry in the hash. And then, the systems that normally receive email for clients will receive the email and check against the hash for what to declare as spam.

Hence, unless you are asking people to depend on your "analysis" servers for upstream spam-filtering, you haven't done anything to reduce network traffic. Email isn't ordinarily sent in parts (aside from the network packets themselves), so the entire message will be received by the end system before it is analyzed against the hash to be declared as spam.

You close asking me to read your posting history

It's out there in the open. You can see that I have consistently argued against the utility of spam filtering, and that the solution is elsewhere. I brought that up only to point out that I have not been making this as a "new argument" - I called out spam filtering as futile somewhere over 2 years ago.

And ultimately, all you are doing is making a bigger spam filter. A distributed spam filter, but still just a filter.

but you're not even responding to this one with integrity

I challenge your definition of integrity. I responded to your idea by pointing out the flaws in it. You are proposing nothing more than an enormous spam filter for people to look to. Your idea doesn't do anything to reduce spam-driven network traffic, unless people agree to allow your analysis servers to handle, process, and reject all of their email.

This discussion looks like the common Web spiral where you're not interested in a working system, but in promoting your own. If your next post doesn't legitimately engage the tech and legal issues you're responding to, I won't be continuing in it.

I addressed both the legal and the tech issues. I pointed out yet again that the US cannot just walk into another country without permission and pursue an arrest warrant; there are international laws that specifically prohibit that (wars have been started over that kind of behavior).

I also discussed the tech issues, and the fact that your plan either requires people to entrust all of their email to your systems - for handling, processing, and filtering - or else your system will increase network traffic while not reducing spam traffic at all.

Goodbye.

I apologize for hurting your feelings by poiting out the flaws in your system. I expected that someone on slashdot would be mature enough to handle criticism of their ideas without getting angry in the way you have. It appears you have disproven that idea as well.

If you dont cut the head of the beast

[Stan92057]

If you don't cut the head of the beast off its tentacles will only grow back. Until you catch the criminals running the spam bots and put them in jail they will just move to another host. Ive long said too that the product makes must bare a large percentage of the problem because they pay the criminals to spam. And they do KNOW who the spammers are because they pay them. Its always been Sposato be part tech and part laws to get a handle on spam,i think tech has more then did there jobs. Its time to shut the loopholes and make penalties mush harder.

email is broken. It doen't scale.

[Colin+Smith]

what i mean by that is that it doesn't scale for the individual, the technology does scale.

It is far too easy for people to get in contact with me via email. My time is wasted reading their junk, and this includes corporate spam as well. We can try lots of technical solutions, but i think i'll go down a subscription model.

You paypal me a dollar a year and i'll whitelist your email address, otherwise, go away. A few trusted friends and family get whitelisted for free.
 

Simple solution

[PPH]

I just block e-mail from gmail.com accounts. That clears up most of the spam.

For a company that whines so much about spam. Google sure seems unable to clean up their own act.

Re:Simple solution

[JaCKeL+1.0]

I never received a single spam from a gmail account. Most of my spam come form open relay SMTP server with random generated email identity. My only solution is to kill open relay SMTP server WORLDWIDE.

Wrong focus

[gmuslera]

More spam is a symptom, not the problem itself. The problem is the amount of spambots, all around the web, how many millons of computers are in a botnet or another. If spam by some magic becomes non profitable, still those millons of computers will be around, ready to be used by its owners or whoever hire them to do other kinds of nasty stuff.

In fact, is GOOD that they send spam, as could be used that traffic to identify the hosts and accounts, and do something with them, like ISPs redirecting them in a sandbox where they can't send mail and only see web pages that teach and helps them on how to be clean and keep being to be that way. Internet don't have a driving license, but the bad drivers could be sent to the school till they learn.

Where are the FBI, CIA, and their counterparts?

We have both national and international agencies who are responsible for fighting crime across all borders. Instead of spending hundreds of billions of dollars trying to spook afghan hillbillies with box cutters, maybe they should devote some resources toward combating an obvious and easily surmountable problem that costs billions in lost productivity annually. Stop targeting the ISP's and infected hosts, and track the command and control signals back to their source; and make it known that originating or actively facilitating this behavior will have dire consequences.

Wrong

[Doc+Ruby]

Sure, beating spam is impossible. If you're wrong:

> Your post advocates a
> (X) technical ( ) legislative ( ) market-based ( ) vigilante
> approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following > may apply to your particular idea, and it may have other flaws which used to vary from state to state before > a bad federal law was passed.)

The only thing you got right, though it's also market based (and uses existing legislation, where the FBI and other cops are concerned).

> (X) Mailing lists and other legitimate email uses would be affected

No they wouldn't.

> Specifically, your plan fails to account for
>
> (X) Lack of centrally controlling authority for email

No central controlling authority is part of what I described.

> (X) Asshats

Asshats are irrelevant, too.

> (X) Armies of worm riddled broadband-connected Windows boxes

It works against them. Indeed, it uses their strength, massive distributed parallelism, to defend from them.

> (X) Extreme profitability of spam

It accounts for that by turning the same economics on them.

> (X) Extreme stupidity on the part of people who do business with spammers

Again, irrelevant.

> and the following philosophical objections may also apply:

> (X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

They're not that easy, and distributed trust defenses are practical.

> (X) Blacklists suck

The "blacklist" parts I described aren't simply black/white. That's why they don't suck.

> (X) Whitelists suck

No they don't, especially the grade way I described.

> (X) Killing them that way is not slow and painful enough

That's for people who write these stupid form responses. I just want to minimize spam.

>Furthermore, this is what I think about you:
>
> (X) Sorry dude, but I don't think it would work.

Sorry dude, but the reasoning demonstrated in the way you completed this form makes me not care what you think about me. The people who'd have to do something to make what I described work understand the technologies and the issues, whereas you don't even fully understand that form.

Please remove me from your list.

At least part of this is google's fault

[fyngyrz]

Google is constantly marking proper email to me as spam, when it isn't spam, and I have repeatedly told Google so with the "not spam" button (and written complaints.) I presume I'm not the only one this is happening to.

So every day, I'm forced to winnow through the spam folder, find the messages I need, mark em, click "not spam" so they'll move to the in-box, and then clear out the rest (otherwise it'll be twice as hard to find the good emails tomorrow.)

I've repeatedly written Google about this, but as usual, they may be doing no evil, but they're not doing any responding to problems, either. Very reminiscent of my experience with Google Base, full of bugs that haven't been fixed in years, despite a great din of complaints on the appropriate boards.

I suspect that a lot of Google's "rise" in spam is just good email they've marked wrong. I know at least a little of it is!

Re:At least part of this is google's fault

[Crimsonjade]

This isn't a bug. No one except Google knows for sure how they determine whether a message is spam, but it appears that each sender is assigned a score. If that score is low it gets bulked. People clicking "Report as Spam" lowers the score, while clicking "Not Spam" increases the score. Thus, the more people click an email as spam the more likely it will be bulked.

Re:At least part of this is google's fault

[fyngyrz]

No, it *is* a bug. Mainly because these emails are unique, they come from my own server and report its status to me. And NO spam comes from that server. But also because I *say* they aren't spam. Or, let me put it this way -- if it's not a bug, it's just really, really shitty spam software, and the "not spam" button is also crap. There's already a "transfer to inbox" button; that's all the "not spam" button does.

You can make excuses all day, but a spam system that can't determine spam from non-spam -- repeatedly, and WITH help -- that's just crap.

Re:At least part of this is google's fault

[geekboy642]

Automated status reports from a server are hardly unique. Unless you rolled your own software, Google's seen the exact email thousands of times. And if you did roll your own, then chances are that you use the same words as almost any other monitoring software, so to a Bayesian spam filter it's hardly a new thing.

Re:At least part of this is google's fault

[fyngyrz]

I do roll some of my own server reports (and a whole lot of other stuff.) Regardless, it's NOT spam, and should not be thrown into the spam folder. It's just that simple.

I also think that the idea that a server report would be spam is pretty silly, really. How many cases do you think there are where people who don't need them or can't turn them off, are getting them? Servers don't just email random people with tripwire data or logwatch reports; nor would custom web server log mining be a common finding in just anyone's inbox.

But again, we come down to the bare fact that I TOLD Google's lame-ass software that the emails in question were not spam, repeatedly, and it still insists they are.

This is because Google's spam identification sucks. No other reason in the world -- they have no excuse. It's like handing someone a program you claim will color things blue, and it reliably colors things red. Good job. Not.

Re:At least part of this is google's fault

[bhiestand]

I also find it annoying that repeatedly clicking "Not Spam" doesn't automatically add them to a whitelist, but...

you can always just create some filters. If ___, do not send to spam folder. Really easy.

SPAM VOLUME ON THE RISE

IT'S GETTING EVEN LOUDER NOW?

No standard protocol for stopping mail

[bill_mcgonigle]

So if they clicked an ad and entered their e-mail address to get thirty thousand acres in farmwars by putting in their e-mail and checking a box that they understand ... where was the failure there?

Probably in our lack of providing an easy opt-opt standard protocol that mailers could implement.

Many people use the 'Junk' button to mean 'Trash'. Which IT guys take as a considered decision and feed back into spam reporting databases, which gets people on RBL's.

If we gave them a 'stop this kind of mail' (glued to an unsubscribe protocol and filtering) button things would be somewhat better.

Yeah... but...

[fyngyrz]

The problem is that Google often throws legitimate messages in the spam folder, so if you don't look at it (or let the amount of spam content accumulate to unmanageable volumes), you'll miss them.

I mean, it'd be great if Google did this faultlessly, but it really doesn't. I retrieve messages *every day* that aren't spam. And yes, I click "not spam" every time... doesn't help.

I don't know about you, but to me, an email system that loses your legitimate email isn't a very good one.

Re:Yeah... but...

[thijsh]

Never had this problem... only legitemate mail I ever found there were the lamest mailinglists... then again I never look trough all 10.000 :)
I found that all the addresses I add to my address book are much less likely to be blocked, especially some foreign domains need to be added otherwise they will go to spam...

I agree

I run a mail server where I host many domains for a wide range of business users. Over the last 2-3 months I have seen a huge increase in the volume of both spam and backscatter. It now equates to around 99.8% of total spam destined to the users on my server. That is up from 88% only a few months ago. To give you an idea of numbers the server handles around 90,000 emails a week for those domains. (by no means huge)

Kennedy Frying Chickenit

[Mana+Mana]

"type in the bank's URL"

Never! Bad fucking mistake. Typosquaters---ha, ha, ha, mmmmmmm?

Also don't fucking assume spit: oh, yeah omega watches let me buy one online, for example: [www.omega.com]. Fuck you. Google, and learn that it's [www.omegawatches.com]. IOW, bookmark your bank sites, etc. And a newbie isn't half wrong when he uses google in the FF address bar or to find official sites---gad forbid s/he listens to the assholes in here authoritatively.

Bushwick Inwood

[Mana+Mana]

Maybe djb has it right? Sender's server holds email to be fetched. Your dime if you spam.

sopssa "thinking* isn't a strong suit of yours

"But the 3.6.2 update was ALREADY released WELL BEFORE the story was posted (Tuesday March 23, @02:51AM Eastern): https://developer.mozilla.org/devnews/index.php/2010/03/22/firefox-3-6-2-update-now-available-as-free-download/ Firefox 3.6.2 update now available as free download Version 3.6.2 was released THE DAY BEFORE this story even posted! Once again you are caught in your BOLD-FACED LIES, LOL! - by clone53421 (1310749) on Monday April 05, @01:36PM (#31736454) Journal

Funny how YOU backed up clone53421 above, here on your part, regarding firefox though (lol, when clone's information was STALE & OUT OF DATE already too no less):

http://slashdot.org/comments.pl?sid=1591778&cid=31755996

AND YET? LMAO:

FireFox turned up YET ANOTHER SECURITY BUG & right when you shot your big mouth off in that url above on 04/05/2010 above, which had stale out of date information regarding FireFox security issues, & proof of that's taken from here:

----

Mozilla Firefox DOM Node Moving Use-After-Free Vulnerability:

http://secunia.com/advisories/39175/

Release Date 2010-04-02
Last Update 2010-04-06

----

http://slashdot.org/comments.pl?sid=1591778&cid=31755996

That's where you quote above is from, and, Where Germany advised its peoples to stay away from FireFox 3.6, as they had for IE before that (but, never for Opera).

(Thus, yet another security bug surfaced in FireFox 3.6.2 in that time frame, yet again, 2x that week it appears (LOL!)).

sopssa - How stupid do you feel after your backing up that moron clone, sopssa, when he was quoted in error in that rant of his above that opens this posting of mine in reply, and the URL above that shows you backing his stale & out of date information?

Why?? Because YET ANOTHER SECURITY VULNERABILITY SURFACED THAT DAY OR THE NEXT DAY in FIREFOX, YET AGAIN, lmao...

"too, Too, TOO EASY!"

Obviously sopssa, you lost yet again, and backed the wrong poster in clone53421, in such a stupid mistake on his part above.

Obviously, You're too stupid to exist sopssa and it's no small wonder that all you do is post on slashdot all day, as you don't have enough skills or degrees necessary to your name in computing to actually have or hold a job in the sciences of computing.