We had a big discussion about this in the "bounce instead of eat" thread in the spamgourmet discussion groups.
The Joe Job is happens so frequently that it pretty much resolved the argument (we *eat* instead of bouncing).
Early on, when someone used a spamgourmet address in a Joe Job, the effect of the bounce backs and angry replies was so great that it warped our statistics...
Well, I for one didn't get around to posting on the first run:)
I once bought a HD from a storefront computer shop. Everything had been deleted, but it was so easy to undelete that I couldn't resist -- there were dozens of documents from a criminal law practice specializing in parole related procedures. Nothing terribly interesting, but definitely another lesson in the pitfalls of attorney-client privilege in the electronic age...
As chance would have it, IAL, (I'm the one who Asked Slashdot) although not I'm not a patent attorney.
I'm reasonably familiar with IP law, and the high quality of the discussion here makes me wish I had laid out my concerns with more precision.
I think everyone has outlined the driving issues: certainly one of them is that I'm looking for the least-cost alternative that will enable the software to proliferate without interruption, and without FUD for me and for those who use it.
I'm willing to file the patent application myself (pro se), even though it may result in several iterations with the PTO due to my ignorance of the finer points of filing. Additionally, I'm really not at all concerned with the quality of the patent as regards my ability to prevent others from using the technology (because, of course, I want them to!).
Based on my own litigation experience (and fees) I think it's easy to say that, if getting the patent prevents the patent office from issuing a conflicting patent (and therefore keeps me out of court), it's bound to be cheaper. Picture yourself sitting in Texas (or the locale of your choice), and getting served for a lawsuit that is proceeding in New York or San Francisco (or the other locale of your choice). May as well get out your check book right away...
I'd be interested to know whether release on SourceForge would count as publication (and therefore defensive publication) - the software has been available there for quite awhile now. I suppose I'm the one to do the research on this one...
Another alternative is to use disposable email addresses for untrusted applications - qv spamgourmet.com (open source, with a free-to-use implementation).
The SMTP structure we have is a remarkable piece of engineering - it does a fantastic job of delivering each and every piece of mail, notifying the sender of failure, and trying for days to get through to intermittent servers. These principles are great for a network of people who are trustworthy -- we don't have that anymore. Spammers don't deserve this kind of reliability. Prolific use of disposable addresses that don't report back, and delete by default, would tend to lessen the value of the spammer's efforts.
Where did this dichotomy between "real spam" and "legitimate" marketing come from? True, if I indicate that I'd like to receive email from a particular site and it's "trusted affiliates", I'm consenting to get some mail in the future -- but the line here becomes so blurry as to obfuscate what I'd say is the real definition:
spam is email [newsgroup posting | IRC chatter] that I did not want to see that interferes with me seeing the things I did want to see.
I don't care whether someone can pull out a dusty database record that murkily indicates the "right" to send me crap -- it's still spam!!!
Trying not to do an obvious plug here -- this was the definition that fueled the code for spamgourmet - the system aggressively deletes messages that don't conform to simple rules I specify at the time I give out a disposable address. That is, if I give a site an address that indicates I want to receive three messages, the first three messages they send are not spam, and the rest are spam (and deleted spam, at that). By this definition, almost 90% of the messages that reach spamgourmet are spam.
would have to have an aircraft carrier to enforce it. There are, however, tech solutions *other* than black lists that work with little or no undesirable side effects: spamgourmet.com, for instance.
After I tried submitting a free web service to Webware, I got this email message:
Dear Provider,
Thanks for submitting your product or service to be listed in the
Webware.com directory. However, Webware.com will cease publication on
August 31, 2001, so we are unable to list your product at this time.
If you have a downloadable version of your product, please submit it to
Download.com.
Houston's had free internet access in libraries for as long as I can remember. So what's so good about offering email?
The effort will (hopefully) involve an appropriately scaled public information campaign -- that's probably the only way to reach a good number of the city's residents who stand to benefit from email.
It's easy to say that the effort would work just as well if the promoted hotmail or yahoo, etc., but would that be appropriate? What if hotmail goes under (or gets hacked!) - as a Houston taxpayer, I don't want city employees providing free tech support for those services.
Now if the email is anything like the public works projects going on downtown, we're in big trouble (along the lines of 4,000 servers providing about 10 email accounts), but nevertheless, I think this is a good idea.Spam, we can just turn them on to Houston's spamgourmet:)
When I saw the strikeback script, I immediately installed in on my poor little beat up P166 running Linux/Apache -- hapless enough to be in my laundry room and the 24.x.x.x class A at the same time.
I was so excited, I modified the script to add a log file that showed whether a shutdown had occurred.
First thing I noticed is that the server shutdown really couldn't happen logically, since the first strikeback request would have shut down IIS, which would have to running to get the server shut down request. Easy workaround there...
Then I looked at the log and noticed the the shutdowns weren't occurring, so I tried a the strike back requests manually on a couple of the attackers. They generally refused my connection because there were 'too many users'. Is this MS personal web server, which maybe allows only one connected user at a time?
Anyway, many thanks to the folks who wrote that script! Made my vengeance-starved day!
Of course, using a good filtration service like spamgourmet immunizes you from all the activities. Besides being free, ad-free, (and spam free, for that matter), spamgourmet is pretty darned easy to use.
Does anyone remember when employers didn't *have* to do stupid stuff like this? I for one see this as a refreshing reminder that the balance of power has shifted significantly toward the employees. Even though the tech sector is somewhat crunched right now, the workforce has vastly better information and interaction than similar groups as little as 10 years ago.
Employers have long put forth free market theories to justify their positions. These theories assumed roughly equal bargaining power and good information for both parties (employer and employee), neither of which was really present. Now that employees do have good information, and, we might assume better bargaining power, can we expect employers to stop citing economics and start doing silly, desparate things? I think so.
Cornell has been giving lifetime addresses for awhile -- your netID there is your initials, then a number, which is the number of people with your initials who've come before you plus one. Each time they issue an ID, it gets retired, and the address stays alive after you graduate (on a forwarding basis) provided you receive at least one message every once in awhile
-- which, of course, you do
They don't appear to be giving it out to anyone (after about 5 years), but darned if every spammer on the planet doesn't have it anyway.
there's got to be a way to make it work
on
When ASPs Go Under
·
· Score: 1
First, a quick word as to the value or wisdom of an ASP -- seems a little hasty to summarily dismiss the whole concept. My company has been running a hosted application (extradesk</plug>) that serves as a mulit-function team workspace since 1998. Our clients are mostly project teams made up of people from different companies -- none of which wants to pony up the IT resources for the project. These folks (and their IT departments) are perfectly happy to use the service to store their stuff and automate some of their processes. Size of the projects in total expenditure ranges from very small (school & stuff) to pretty large (front end engineering & design for sizable offshore development projects).
We never took any external investment, have always operated cash flow positive (by reducing our salaries, at times) and don't anticipate shutting down. Sure, whatever -- the truth is that alone shouldn't be enough for a customer to entrust a bunch of business critical-information to an outsourced service. Our clients can always (and do frequently) download their entire database and file collections -- that, along with our backups is apparently enough for them. We do run our entire business out of it, as well.
That said, it seems like there should be a fairly standardized legal/risk instrument that can guarantee the integrity of information like this. For instance, businesses:
a) put lots of their money in the bank
b) outsource such critical processes as payroll
c) lease critical production facilities
d) etc.
The FDIC/FSLIC provides depositors some protection from bank failure, insurance, bonding, hedging instruments, etc. fill in the gaps.
So, is there, or shouldn't there be, a suitable product (insurance policy, etc.) for ASPs?
The business of opt-in and opt-out assumes you're dealing with an address that's going to be valid into the future. Check out spamgourmet.com -- a non-commercial service that allows you, the email user, to determine how many messages you want to receive on each email address, without having to preconfigure the address on the server (you remember the rule for forming a self-destructing address, then just use it when you need it.)
I got so sick of all the blurred definitions of opt in and opt out that disposable addresses started to make sense.
There's also a sourceforge project to make the software available to mail admins -- please step on over there if you have comments or would like to help out.
There's an easy to use and free way to give out a self-destructing email address (good for x number of messages) at www.spamgourmet.com. Just sign up, remember the rules for forming such an address, and go wild.
There's also a new open source project to get this code out to mail administrators so that they, too can offer the spamgourmet service. If you run a mail server, please go the sourceforge discussion area for the spamgourmet project and put in your 2 cents.
Thanks everyone -- didn't expect so much signal and so little noise. Being a DIY perl fan, I'll probably gravitate toward the perl/vgetty approach, but will definitely check out the other info.
Interesting to note that the British system of common law has spread only by conquest, never by choice, while most nascent countries seem to choose some derivative of Napoleanic code law (I am an American...).
The common law adversarial judicial system has some redeeming qualities, but, IMHO, the way we handle expert witnesses is a major bug. Note that "fact witnesses" aka "material witnesses", etc. are generally prohibited from offering their opinions on a particular subject -- there is a grey area between opinion and observation, but that's clearly a topic for another evening... Expert witnesses, on the other hand, are required to give an opinion. This means that on any subject deemed too technical/esoteric for the average juror/judge, the floodgates are opened and it becomes a spending contest. There are 'experts' kept purposely on retainer by large corps/law firms for the express purpose of ensuring that they are _never_ called to trial. I would love to see a study on just how much of American legal costs are directly or indirectly caused by the expert witness phenomenon.
I'm told that in Germany, and probably elsewhere, the judge is the _only_ trial participant who is allowed to call an opinion (expert) witness, and that the two lawyers merely have the chance to question such a witness.
Now there's an idea. Not likely to happen in the US because the 'legal industry' is just too entrenched. Common law readers: please do keep this in mind in case it ever comes up on a referendum or something.
...but the browser I'm rooting for doesn't exist yet. In 1998, I became fixated on a web team management project (extradesk) which included a fairly complete set of features, if not a sexy look. I and another developer spent about 1500 hours coding, tweaking, fixing, etc.
And, as our records showed, approximately 60% of our project time was spent on cross browser issues.
This is nuts. IE, while generally easier to work with, is way too forgiving on HTML blunders and way too flexible on javascript syntax. NS would be nice for its strictness if it didn't have so many damn bugs (often requiring irksome work-arounds).
I won't even go into the DOM problem, but I do be leave we can fault ourselves (through our collective opportunity to influence W3C) for that, since no good standard emerged when the market was ready for it.
Having been a part of the organization that created Cello, the first web browser for MS Windows (so we believe), I often root for the outsider, and, hopefully, that's where my savior browser will come from. Opera just plain didn't work with many of the javascript twinkies on extradesk that passed the IE/NS torture test just fine. I think the truth is that making the ultimate browser such mammoth task that I may be asking too much. In the throes of my IE/NS punishment, I fantasized about getting the Cello source and starting over, but my few threads of remaining sanity stopped me...
spamgourmet - disposable addresses, opting, etc.
on
Norway Bans Spam
·
· Score: 2
IAAL, and, let me tell you, international litigation (even just finding and serving folks) is so costly and exasperating that I'll be surprised if they go very far toward doing it, except for very extreme cases.
And what is this about opting in and opting out, anyway? I think what we're seeing is that the email protocol is just too trusting and open-ended for the current net environment. I mean, lots of sites will tell you I 'opted in' to receive their junk and a bunch of others', and, if I don't believe it, I can go back and [find and] read the small print that was hovering closeby when I tried to download something or other. It would seem that we're constantly letting other people define 'consent to receive spam' for us.
Disposable email addresses are the way to go -- by this I don't mean a hotmail address or something like that, but, rather an address that is only good for x uses. My favorite site for this is www.spamgourmet.com (free and ad-free) because the addresses are created as used -- this means there's no maintenance on the site, and, theoretically, you'd never have to go back to the site unless you changed your forwarding address, or whatever. The psychology behind this is that taking control of my inbox away from the spammers has to be easier than receiving and deleting one piece of spam, and I have to perceive this fact at that critical moment when I'm signing up for something...
From the faq:
Q. How do I create a disposable email address?
A. First, set up an account here, if you haven't already, and save your real email address in the space provided (don't skip this important step!). Remember your username. Later, when you need a disposable email address, just think of a word (any combination of letters and numbers (20 characters max), provided you haven't used it before), and decide how many messages you want to receive at the new address. Then, put the word, the number, and your spamgourmet username together with dots to form the disposable address. For instance, if your Username is "spamcowboy", then you could make a disposable address like so:
someword.2.spamcowboy@spamgourmet.com
Then, you can use the address to sign up for your favorite spam-prone website, get a confirmation message, get your password in the second (and final) message, then smile and consider for a moment that no one, no-how is going to send you email with that address again.
Please note: This service summarily deletes any message that doesn't pass muster with the forwarding rules, rather than preserving it for future viewing -- I love this!, but you may prefer something that saves your spam -- you may have to put up with ads or small payments to accomodate the higher cost of saving the spam, though.
Slashdot Mirror
We had a big discussion about this in the "bounce instead of eat" thread in the spamgourmet discussion groups.
The Joe Job is happens so frequently that it pretty much resolved the argument (we *eat* instead of bouncing).
Early on, when someone used a spamgourmet address in a Joe Job, the effect of the bounce backs and angry replies was so great that it warped our statistics...
Well, I for one didn't get around to posting on the first run :)
I once bought a HD from a storefront computer shop. Everything had been deleted, but it was so easy to undelete that I couldn't resist -- there were dozens of documents from a criminal law practice specializing in parole related procedures. Nothing terribly interesting, but definitely another lesson in the pitfalls of attorney-client privilege in the electronic age...
As chance would have it, IAL, (I'm the one who Asked Slashdot) although not I'm not a patent attorney.
I'm reasonably familiar with IP law, and the high quality of the discussion here makes me wish I had laid out my concerns with more precision.
I think everyone has outlined the driving issues: certainly one of them is that I'm looking for the least-cost alternative that will enable the software to proliferate without interruption, and without FUD for me and for those who use it.
I'm willing to file the patent application myself (pro se), even though it may result in several iterations with the PTO due to my ignorance of the finer points of filing. Additionally, I'm really not at all concerned with the quality of the patent as regards my ability to prevent others from using the technology (because, of course, I want them to!).
Based on my own litigation experience (and fees) I think it's easy to say that, if getting the patent prevents the patent office from issuing a conflicting patent (and therefore keeps me out of court), it's bound to be cheaper. Picture yourself sitting in Texas (or the locale of your choice), and getting served for a lawsuit that is proceeding in New York or San Francisco (or the other locale of your choice). May as well get out your check book right away...
I'd be interested to know whether release on SourceForge would count as publication (and therefore defensive publication) - the software has been available there for quite awhile now. I suppose I'm the one to do the research on this one...
Thanks everyone!
Another alternative is to use disposable email addresses for untrusted applications - qv spamgourmet.com (open source, with a free-to-use implementation).
The SMTP structure we have is a remarkable piece of engineering - it does a fantastic job of delivering each and every piece of mail, notifying the sender of failure, and trying for days to get through to intermittent servers. These principles are great for a network of people who are trustworthy -- we don't have that anymore. Spammers don't deserve this kind of reliability. Prolific use of disposable addresses that don't report back, and delete by default, would tend to lessen the value of the spammer's efforts.
not too much work.
spam is email [newsgroup posting | IRC chatter] that I did not want to see that interferes with me seeing the things I did want to see.
I don't care whether someone can pull out a dusty database record that murkily indicates the "right" to send me crap -- it's still spam!!!Trying not to do an obvious plug here -- this was the definition that fueled the code for spamgourmet - the system aggressively deletes messages that don't conform to simple rules I specify at the time I give out a disposable address. That is, if I give a site an address that indicates I want to receive three messages, the first three messages they send are not spam, and the rest are spam (and deleted spam, at that). By this definition, almost 90% of the messages that reach spamgourmet are spam.
When I got my Treo, I didn't know that it was really just a way for people to contact me while I was playing kmoria.
spamgourmet.com is availble for free (with the code available open source) and arguably *even* more convenient, but I'm biased.
would have to have an aircraft carrier to enforce it. There are, however, tech solutions *other* than black lists that work with little or no undesirable side effects: spamgourmet.com, for instance.
Dear Provider,
Thanks for submitting your product or service to be listed in the Webware.com directory. However, Webware.com will cease publication on August 31, 2001, so we are unable to list your product at this time.
If you have a downloadable version of your product, please submit it to Download.com.
The Webware.com team
Houston's had free internet access in libraries for as long as I can remember. So what's so good about offering email? :)
The effort will (hopefully) involve an appropriately scaled public information campaign -- that's probably the only way to reach a good number of the city's residents who stand to benefit from email.
It's easy to say that the effort would work just as well if the promoted hotmail or yahoo, etc., but would that be appropriate? What if hotmail goes under (or gets hacked!) - as a Houston taxpayer, I don't want city employees providing free tech support for those services.
Now if the email is anything like the public works projects going on downtown, we're in big trouble (along the lines of 4,000 servers providing about 10 email accounts), but nevertheless, I think this is a good idea.Spam, we can just turn them on to Houston's spamgourmet
we had long talked about wiring Eliza into spamgourmet - which is perl already. Won't take long, now...
When I saw the strikeback script, I immediately installed in on my poor little beat up P166 running Linux/Apache -- hapless enough to be in my laundry room and the 24.x.x.x class A at the same time.
I was so excited, I modified the script to add a log file that showed whether a shutdown had occurred.
First thing I noticed is that the server shutdown really couldn't happen logically, since the first strikeback request would have shut down IIS, which would have to running to get the server shut down request. Easy workaround there...
Then I looked at the log and noticed the the shutdowns weren't occurring, so I tried a the strike back requests manually on a couple of the attackers. They generally refused my connection because there were 'too many users'. Is this MS personal web server, which maybe allows only one connected user at a time?
Anyway, many thanks to the folks who wrote that script! Made my vengeance-starved day!
Why not chip in on the spamgourmet project so you can offer users disposable email addresses -- this definitely does kill a lot of spam per user.
Of course, using a good filtration service like spamgourmet immunizes you from all the activities. Besides being free, ad-free, (and spam free, for that matter), spamgourmet is pretty darned easy to use.
Employers have long put forth free market theories to justify their positions. These theories assumed roughly equal bargaining power and good information for both parties (employer and employee), neither of which was really present. Now that employees do have good information, and, we might assume better bargaining power, can we expect employers to stop citing economics and start doing silly, desparate things? I think so.
They don't appear to be giving it out to anyone (after about 5 years), but darned if every spammer on the planet doesn't have it anyway.
We never took any external investment, have always operated cash flow positive (by reducing our salaries, at times) and don't anticipate shutting down. Sure, whatever -- the truth is that alone shouldn't be enough for a customer to entrust a bunch of business critical-information to an outsourced service. Our clients can always (and do frequently) download their entire database and file collections -- that, along with our backups is apparently enough for them. We do run our entire business out of it, as well.
That said, it seems like there should be a fairly standardized legal/risk instrument that can guarantee the integrity of information like this. For instance, businesses:
a) put lots of their money in the bank
b) outsource such critical processes as payroll
c) lease critical production facilities
d) etc.
The FDIC/FSLIC provides depositors some protection from bank failure, insurance, bonding, hedging instruments, etc. fill in the gaps.
So, is there, or shouldn't there be, a suitable product (insurance policy, etc.) for ASPs?
I got so sick of all the blurred definitions of opt in and opt out that disposable addresses started to make sense.
There's also a sourceforge project to make the software available to mail admins -- please step on over there if you have comments or would like to help out.
I wouldn't use a filtering service unless it was at least as easy as deleting spam -- this one's easier (IMHSBO in my humble somewhat biased opinion)
There's also a new open source project to get this code out to mail administrators so that they, too can offer the spamgourmet service. If you run a mail server, please go the sourceforge discussion area for the spamgourmet project and put in your 2 cents.
Thanks everyone -- didn't expect so much signal and so little noise. Being a DIY perl fan, I'll probably gravitate toward the perl/vgetty approach, but will definitely check out the other info.
The common law adversarial judicial system has some redeeming qualities, but, IMHO, the way we handle expert witnesses is a major bug. Note that "fact witnesses" aka "material witnesses", etc. are generally prohibited from offering their opinions on a particular subject -- there is a grey area between opinion and observation, but that's clearly a topic for another evening... Expert witnesses, on the other hand, are required to give an opinion. This means that on any subject deemed too technical/esoteric for the average juror/judge, the floodgates are opened and it becomes a spending contest. There are 'experts' kept purposely on retainer by large corps/law firms for the express purpose of ensuring that they are _never_ called to trial. I would love to see a study on just how much of American legal costs are directly or indirectly caused by the expert witness phenomenon.
I'm told that in Germany, and probably elsewhere, the judge is the _only_ trial participant who is allowed to call an opinion (expert) witness, and that the two lawyers merely have the chance to question such a witness.
Now there's an idea. Not likely to happen in the US because the 'legal industry' is just too entrenched. Common law readers: please do keep this in mind in case it ever comes up on a referendum or something.
And, as our records showed, approximately 60% of our project time was spent on cross browser issues.
This is nuts. IE, while generally easier to work with, is way too forgiving on HTML blunders and way too flexible on javascript syntax. NS would be nice for its strictness if it didn't have so many damn bugs (often requiring irksome work-arounds).
I won't even go into the DOM problem, but I do be leave we can fault ourselves (through our collective opportunity to influence W3C) for that, since no good standard emerged when the market was ready for it.
Having been a part of the organization that created Cello, the first web browser for MS Windows (so we believe), I often root for the outsider, and, hopefully, that's where my savior browser will come from. Opera just plain didn't work with many of the javascript twinkies on extradesk that passed the IE/NS torture test just fine. I think the truth is that making the ultimate browser such mammoth task that I may be asking too much. In the throes of my IE/NS punishment, I fantasized about getting the Cello source and starting over, but my few threads of remaining sanity stopped me...
And what is this about opting in and opting out, anyway? I think what we're seeing is that the email protocol is just too trusting and open-ended for the current net environment. I mean, lots of sites will tell you I 'opted in' to receive their junk and a bunch of others', and, if I don't believe it, I can go back and [find and] read the small print that was hovering closeby when I tried to download something or other. It would seem that we're constantly letting other people define 'consent to receive spam' for us.
Disposable email addresses are the way to go -- by this I don't mean a hotmail address or something like that, but, rather an address that is only good for x uses. My favorite site for this is www.spamgourmet.com (free and ad-free) because the addresses are created as used -- this means there's no maintenance on the site, and, theoretically, you'd never have to go back to the site unless you changed your forwarding address, or whatever. The psychology behind this is that taking control of my inbox away from the spammers has to be easier than receiving and deleting one piece of spam, and I have to perceive this fact at that critical moment when I'm signing up for something...
From the faq:
Q. How do I create a disposable email address?
A. First, set up an account here, if you haven't already, and save your real email address in the space provided (don't skip this important step!). Remember your username. Later, when you need a disposable email address, just think of a word (any combination of letters and numbers (20 characters max), provided you haven't used it before), and decide how many messages you want to receive at the new address. Then, put the word, the number, and your spamgourmet username together with dots to form the disposable address. For instance, if your Username is "spamcowboy", then you could make a disposable address like so:
someword.2.spamcowboy@spamgourmet.com
Then, you can use the address to sign up for your favorite spam-prone website, get a confirmation message, get your password in the second (and final) message, then smile and consider for a moment that no one, no-how is going to send you email with that address again.
Please note: This service summarily deletes any message that doesn't pass muster with the forwarding rules, rather than preserving it for future viewing -- I love this!, but you may prefer something that saves your spam -- you may have to put up with ads or small payments to accomodate the higher cost of saving the spam, though.