Re:Why do people do this?
on
I, Spammer
·
· Score: 1
If it's not a huge secret (don't know who you work for anyway), how does that compare with what your company does? You mentioned sending out emails to a million "supposed optin" emails... Do you guys see that kind of response?
Re:Why do people do this?
on
I, Spammer
·
· Score: 1
Money. According to the article, 1-2 percent of the emails he sends out are responded to. If he makes a 10% commission off of the products that he is promoting, he is making a ton of money off of 100 million emails... The company I work for does the same thing. We send out over 1 million emails a day...
Isn't that a big "if" though? I've always heard that the spam response rate was in the neighborhood of 15 per million. 1% or 2% would be 10,000 to 20,000 per million. Is that really possible for a non-targetted, unsolicited spam campaign?
If 10,000 to 20,000 people per million are really responding to the garbage that guy sends then we have are dealing with a bigger stupidity problem than we thought.
I can't help but believe that he was overstating his response rate when he stated 1% or 2%, unless he's talking about "open rate" which might just be poor people accidentally opening the spam or being deceived into doing so--hardly a measure of true interest in his garbage.
Try the link in my signature. It'll grab your email, filter the spam, and you'll only download the good stuff. Feel free to browse the filtered spam on the website or you get a nightly notification of everything filtered in one simple email so you can quickly see if anything was filtered out in the last 24 hours that you wanted to see.
Shameless plug, I know, but relevant to the discussion and your post.
Re:Dang it, there goes my stomach lining...
on
I, Spammer
·
· Score: 1
If you send an unwanted email as an advertisement, you must have a method of truly getting someone off of the list.
No, unwanted email shouldn't be sent, period. Unless the spammer has a TRUE double-optin list of people that REALLY want to receive the spam, there should be no assumption that anyone wants to receive it. But if its a real double-optin list then it's not spam--it's a mailing list.
If you sell the email addresses of your clients, you should be required to state to whom they have been sold so you can opt out *before* you get spam mail.
Selling or sharing the email address of your clients should not be permitted. At the very least, it should be explicitly requested in the webform and defaulted OFF. If the user sets it, it should be verified by email first (I.e. an email that reads "You have selected that we share your email. To confirm, please click this link...").
There should be a "national opt-out" spam list that all spam senders must check before sending a message.
A one-way hash so that email addresses can't be extracted but a given email address can be checked in the database. Unfortunately, that requires a WORLDWIDE opt-out list, not nationwide. And the thought of a law implemented by every country in the world to make it so makes me nervous... would they resist the temptation to limit other forms of communication? Or would they really limit themselves to spam? Could agreement be reached on WHAT spam is? Half the time we can't even agree amongst ourselves.
Violating these agreements, or sending another message after the user has "opted out" is punishable by a $1000 fine per email sent.
Simply a law the explicitly states that hijacking open relays is punishable by $1000 per email relayed and each unwanted spam reported by a user is also worth $1000. What's missing is a central clearinghouse for making those claims. It's not feasible for everyone to sue a spammer right now because hiring a lawyer to collect damages is going to be more expensive than the amount recovered. There should be an organization that consolidates claims, sues the spammers, keeps a 50% cut for themselves, and the other 50% is distributed to those that reported the spam.
If there was a $1000 fine per spam I was sent and I was able to collect $500 of that I wouldn't mind letting a third party keep the other half for doing the legwork of getting the money--or putting the spammer into bankruptcy.
So then would you agree that what ICANN and Verisign are doing "CANNOT" be done?
Yup, over the long term. Verisign is already seeing that first-hand: Domains can cost less than $9/year at most registrars and they're a lot easier to deal with than Verisign. Quite a change from 8 years ago when it cost $35/year and you had to do everything manually through Verisign as opposed to via a web interface. Likewise, expensive SSL certificates from Verisign and Thawte can now be purchased for just $50/year from Comodo.
So, yes, over the long term Verisign's situation is not maintainable.
As for ICANN, that's more of a political issue. They've been given control which is more like a "government" than a "corporation" that has to live with a free market.
The Congress shall have power...[t]o promote the progress of science and useful arts, by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries...
Lots of important tidbits there. First, it was "to promote the progress of science and useful arts," not to "promote the pocketbooks of distributors." Also, it was to secure "for limited times" the exclusive rights to their respective writings and discoveries. The current situation can hardly be considered "limited."
No, but they are entitled to have exclusive control over all copies made of their intellectual property. If they want to charge money for it, they're also entitled to that.
Sure, they can charge money for it. But when the amount charged is too high there WILL be a black market. Like I said, I'm not saying it's legal--but it's a fact of a free market economy that a company or individual that tries to gouge the market will be gouged in return, often by competition or often by illegal black markets.
But the fact is, in a free market, products WILL find their NATURAL PRICE, legally or not. Deal with it.
Apparently, if you were just mowing down innocent bystanders the game would be fine for minors that would otherwise be damaged by simulated combat with the police.
I'm not a fan of "we know what's best for you" and this kind of thing borders on silly. On the other hand, I doubt a video game where the goal was to hijack a plane and crash it into a building would be well-received even if the targets weren't police, so I don't think it's really a question of police being more valuable. The fact is, they're easier to identify targets on the street and promoting that targetting of police is no different than a game targetting blacks, whites, or garbage collectors. It's all sick.
Almost as alarming as the law is the fact that the designers of video games are so completely out of creativity that they have to resort to something as disgusting as shooting law enforcement officers. Is there truly nothing more interesting or fun that they can come up with for new video games?
I might be showing my age, but Space Invaders, Asteriods, Pole Position... They were all fun and didn't involve killing humans. I know things change and evolve and I'm not suggesting we bring back Space Invaders, but I have to believe that fun games can still be sold that don't require the killing of other humans, police or not...
If we keep cats in a mostly water environment for thousands of years, they don't decide that it would be more convenient to be a beaver and start evolving towards it. Natural selection states that from within the variation found within the population, the individuals best suited for survival will survive, thus causing a genetic shift over time.
So you're saying the most beaver-like cats would survive??
Re:The situation's aren't comparable.
on
RIAA vs The Economy
·
· Score: 5, Insightful
but once scarity is removed (i.e. easily available for free), the value to the legitimite owner is destroyed.
So you advocate the artificial creation of scarcity? So the owner of an otherwise non-scarce product can artificially create scarcity so that something that wouldn't otherwise have value has value?
I can understand the artist's desire to make money, but things that are by nature NOT scarce should not and, in the long term, CANNOT be made scarce. Legally or illegally the market will make certain of that.
The owner consumed resources to develop the IP, and it is reasonable for that owner to expect to extract value from that investment.
Many people create IP and don't expect to extract money from it. Many others even invest time and money creating IP *expecting* an ROI and never get it. Just because something requires time to create doesn't automatically mean they are entitled to money. The market decides what any given product (or IP) is worth. If the market has decided that music in its digital form is free then the artists either adapt to that reality by taking advantage of free music distribution to promote themselves, their products, and hopefully score endorsements, or they can find something else to do for a living.
I have yet to see a credible argument that only tangible property has value.
It's not that IP doesn't have value, it's creating artificial scarcity that gets you (or the RIAA, rather) into trouble. Charging $20 for something that costs a buck and for which even $3 should create healthy profits is as much robbery as people getting some free tunes online. You overcharge like that and you're just ASKING for a black market to be formed (file sharing) or asking for someone else to redefine your market (Apple).
The thief can justify it however he or she wants, but the IP has less value after he or she takes it without permission.
Maybe, but if the owner had chosen a price nearer to its NATURAL PRICE the owner would find that fewer people would "pirate" it and, thus, fewer people would lower its value by taking it without permission. In fact, I'd say that piracy is bringing the overall price of music to its NATURAL PRICE. They charge $20 for CDs but lots of people get it for free. Perhaps if you did the math you'd find that averaging the total amount earned and the total amount pirated that the final amount earned was, say, $6 a CD. To me that means that that's the NATURAL PRICE.
Legally or not, all products in a free market WILL find their natural price. Free markets do that.
But in the end, yes, digital distribution will reduce the "value" of music. That's because most of the value has been concentrated in the DISTRIBUTION of music and that's now nearly cost-free. I'm not convinced any of this really affects the artist who generally earns more money from concerts and endorsements than from the sales of their CDs.
They may be getting more money than you or I, but they are not earning it.
I agree. But the point is that I think they have a profit margin high enough that they can take some pretty big hits and still be GETTING enough money to keep spamming.
Me: Bayesian is extremely effective
You: But can it be implemented at the ISP level? Every implementation I have seen has been at the client level, partially because it needs to learn what you, personally, consider spam. I may have signed up for a get-out-of-debt list server that delivers messages that you would consider spam. If it's at the ISP level, the accuracy will probably be unacceptable.
It absolutely can be done at the ISP level. That's where it SHOULD be done. But on a user basis.
Check out the site in my signature. It's a service, but it could just as easily be implemented on any given ISP. The Bayesian filtering takes place at the ISP level so the user doesn't even have to download the spam. Retained emails are visible on a website and if there's a false positive by all means tag it for downloading. If any spam gets through, there's a link in the headers you click on to report that message as spam so the ISP can update your Bayesian corpus.
Bayesian *should* take place at the ISP level, but it should be done on a user-by-user basis since that's the only way Bayesian can work.
If the user must abandon their current e-mail client in order to use Bayesian filtering then it is not low-hassle.
Not necessary. Again, see site below--you just point your POP3 client to the site. Or if the ISP implemented it you wouldn't even have to point your client to another server at all.
If the user has to install software to perform the Bayesian filtering, it's not low hassle.
Again, see site below. Just point your POP3 client at the site and you're done. Nothing to install.
If the user has to train the Bayesian filtering, it's not low-hassle -- and you will find that most will not do it or understand why they should.
This is the one weakness to Bayesian, and I see three solutions that would be great to see implemented: 1) Site below also has traditional filters which will catch 85-90% of spam. With normal filters enabled the Bayesian filter will largely train itself. 2) While a users' Bayesian corpus is small, a generic could be used which represents the best and worst of email. This could help suplement the traditional filters until the user's personal Bayesian corpus grows. 3) There should be an RFC for reporting spam to any given server, defaulting to the POP3 server. It could be as simple as opening the connection, giving a username, password, and message ID#. But there should be a standard way for all email clients to report spam to whatever spam-filtering service or procedure is being utilized.
The training of a Bayesian filter is the ONLY downside, but it only lasts for a little while. I have largely trained my Bayesian filter and even though I've received nearly a thousand spam in the last week, not a single one has gotten by--and no false positives. So an ounce of effort at the beginning with Bayesian can pretty much eliminate the spam problem for any given user.
One big problem with Bayesian filtering is that the end-user has to download the entire message and then, and only then, determine if it is spam.
Again, see below. The site below does the filtering and only good email is downloaded to the client. If an ISP implements it, that's how it should be implemented as well. If a user has to waste time downloading it before any given filter works then the solution is largely useless.
Another problem is that spammers will be able to rely on less than 100% client-side participation.
I doubt *any* given spam solution is going to achieve 100% client-side participation. In fact, to tell you the truth, I'd just assume that everyone NOT use Bayesian. While Bayesian filters remain in t
The thing is, each of those response messages can have an easily identifible tag in them. This allows and ISP to see that 500 challenges have to been sent to "foo@bar.com". This can automatically set off at ISP-level block of messages from "foo@bar.com" originating from host W.X.Y.Z, since they are obviously sending bulk UCE.
This could be done without the hassle of C/R, though. If you see 500 messages coming from a certain IP address then you could just assume that it's all spam. This same technique can be applied to any anti-spam technique without having to implement the C/R portion.
Yes, there are ways to reduce the damage C/R can do and the volume of mail it creates. But, again, why do we need a solution that creates MORE mail and has to have special logic for damage control when that same logic would be applied just as well to other anti-spam techniques that don't require the generation of the C/R requests?
Also "obsolete" is not a proper term to use, at least not with the argument you're making.
When there are easier-to-use anti-spam techniques that achieve an extremely high level of success without adding any hassle to senders and without generating more email traffic in the process, yes, I think a system that requires a sender to go through hoops (even if only once) to get their message delivered and that has the potential of generating quite a bit more mail traffic is obsolete. It is obsolete in the sense that there are simpler, less bandwidth-intensive and more user-friendly ways to achieve the goal of keeping spam out of the inbox.
Yes, it is C/R. A challenge is issued. The challenge bounces. All e-mail from that sender is deleted.
I agree that if you implement C/R and the response bounces that you could choose to assume that all the emails from that address should be deleted. But in and of itself C/R is the challenge and the response. What you do with an email deemed to be spam is separate and can be applied to any anti-spam technique, not just C/R. Perhaps when I get a spam that has a 100% Bayesian score I go out and kill all the other "same messages" for everybody else... Does that make the "go out and kill all the same messages for everybody else" part of the Bayesian technique? No, not any more than it's part of the C/R technique. It's just a question of what you do after you've decided you've identified spam.
There is nothing stopping the ISP from issuing only a single challenge when one sender delivers mail for hundreds, thousands, or more recipients. A single response could cause all of the mail to be delivered.
What? Are you suggesting that when one sender (spammer) delivers mail for hundreds or thousands of recipients instead of issuing hundreds or thousands of C/Rs you issue only a few, and if a few are responded to you let the mail through to all hundred or thousand emails? Now THAT would definitely be vulnerable to spammers since they could just answer a few of the C/Rs and be happy knowing that was all it took to get their spam to the other hundreds or thousnads of emails.
Or perhaps I misunderstood you there...
Economics and need for a valid return address -- the latter of which you will not find on 99.99% of spam.
I'd submit the economics are not a problem since you can send more mail for little extra cost. As for a valid return address, it's not hard to open up some accounts at Yahoo that are valid and can receive replies. Sure, they'll get shut down sooner or later but you've already received and answered quite a few C/Rs before that happens--and even once the account is shut down you can send spam with that forged email address without Yahoo's help (unless you implement the other feature you were talking about regarding dumping email based on IP != professed sender's host). Even this feature is not necessarily workable because it IS possible (granted, not so common) that people use Yahoo via POP3 and send email with @yahoo.com addresses that don't necessarily go through Yahoo's outbound server.
There has always been fairly simple ways around the earlier forms of spam filtering. C/R has no simple, low-labor, low-bandwidth, low-exposure means to circumvent it.
If they go for the "send the email 100 times using 100 different commonly-unlocked email addresses" solution then it's still low-labor. Bandwidth has never seemed to be a problem for spammers, neither has level of exposure.
Plus, if they DO find a way around a given C/R system, they'll be able to spam all the people that are protected by that system. With Bayesian there's really no way to get around it since getting around a Bayesian filter requires knowing what the "innocent" words are for a given user, and they're just not going to know it. If they happen to guess a couple that doesn't automatically mean all the users using Bayesian are going to become victims as well.
Plus Bayesian is better in the sense that the spammer doesn't know what he's up against. With C/R, he knows that there is a challenge and he CAN deliver the spam if he wants to take the time. With Bayesian, he has to assume his message got through--there's no indication that it didn't. His response rate just drops through the floor and it's not going to be obvious why, or what the spammer has to do to get response rates back up.
So you know more than all of the people at Earthlink who have investigated this problem? You know more than people at MailBlocks?
I would hope that is not the case. But I've seen article after artcile in the mainstream press abou
Me: Instead of dealing with one spam, you receive the spam, send out a useless C/R email (creating load on a third server), and then get a bounce back again requiring time to deal with on your mail server.
You: Then you delete all 142,675 copies of the spam, keeping it from being downloaded 142,675 times by your customers.
That's not a challenge/response system. You're talking about a networked solution to spam where spam identified by one user is used to identify other people's spam. That's fine, but the same system can be implemented with Bayesian or pure filters without having to resort to generating C/R traffic for each spam.
Then spam decreases by 99.9% because spammers know that their messages don't get through... If spammers know that their messages will be blocked because of challenge/response mechanisms, then they will stop spamming that ISP.
On what do you base that assumption? History has shown us that every time we make it harder for spammers to get their garbage to us they respond by mangling their spam, getting around the solution, and sending MORE spam, not by reducing it.
ISPs like Earthlink recognize that keeping spam out of customers' mailboxes helps them attract more customers
Yes, but C/R is not the best way to keep spam out of customers' mailboxes for reasons that I and others have already explained here.
I run the domain anti-spam.org.
Oohh, I didn't realize I was dealing with royalty. Let me cower in my lack of knowledge because I am a commoner that doesn't run anti-spam.org.:)
I know that spam would be economically infeasible with either of the methods you describe above.
You underestimate labor costs for the first one when using teen-labor and/or folks in 3rd-world countries, and I don't understand why you think the second one would be too expensive for a spammer. If they can send a million spam they can send 100 million spam to brute-force their way through commonly-unblocked email addresses.
You ignore the fact that the receiving server could easily determine, by IP address, that the mail purporting to come from "support@microsoft.com" or "enlarge_your_penis@yahoo.com" was, instead, coming from an open relay in China. Drop that connection and the problem is gone.
You ignore the fact that that's NOT challenge/response and not what we're talking about and that same solution (which is not a bad one!) could be applied to Bayesian or traditional filters without the hassle of challenge/response and without generating MORE mail traffic (from C/R requests) in the process.
If you sharply increase the number of times that a spammer has to try to get a message through, you make spam unprofitable. While he may be making money with a.01% sales rate, he won't be making it at.001%
You seem to assume that it costs 100 times more to send 100 million emails than it does to send 1 million. I don't believe that is the case. In fact I KNOW it's not the case.
It is, in fact, an elegant solution that does not require legislation or a fundamental change to the e-mail infrastructure of the Internet.
As is Bayesian which doesn't require legislation or a fundamental change to the e-mail structure of the Internet, and which DOESN'T worsen bandwidth problems by sending out C/R requests to each spam received, and to which your other anti-spam techniques (networked deleting of identified spam and checking IP address to see if the mail is from who it supposedly is from) can also be applied.
Inventor invents widget A. Inventor take widget A to factory to be mass produced. Factory owner say "Hey, this is a neat invention. screw you, I'll make it at sell it myself"
That's what NDAs and contracts are for. You don't need patents to protect intellectual property. If your inventor has an NDA with the factory and the factory owner does that, he sues his butt based on either the NDA or a contract. Patent wasn't necessary to sue...
On the other hand, if the inventor does something cool and starts making money and others say "Hey, good idea, let's compete!" That's a GOOD thing and should not be discouraged by patents.
I think the key is protecting the inventor from initial exploitation like you mentioned above. But that can be covered with NDAs and contracts. Protecting the inventor from competition? I don't see where that benefits society and only benefits the inventor in the short-term since it delays any motivation to improve or innovate on top of the invention since there's no competition...
This uses the challenge response technique. It's blocked 670 SPAM messages in the last 10 days.
So you've blocked 670 spams in the lsat 10 days by sending 670 challenge/response messages to 670 probably-forged addresses which either bounced the challenge response message or went to some innocent guy's email address?
Meanwhile, I've blocked 960 spams in the last 10 days with a Bayesian filter without anyone having to go through a challenge/response hassle and without generating 670 useless C/R messages, which is arguably spam in and of itself.
Challenge/response may have been good in the past, lacking better methods. Better methods now exist and doubling spam traffic by sending out C/Rs for every spam is not helping the problem.
No, decreased load on mail servers. Spam comes in. A challenge is sent and it bounces
No, increased load. Instead of dealing with one spam, you receive the spam, send out a useless C/R email (creating load on a third server), and then get a bounce back again requiring time to deal with on your mail server.
The spam is discarded, saving space on the server.
Disk space is cheap compared to bandwidth and CPU load dealing with all of it.
Spammers, recognizing the futility of sending spam to challenge-response mail servers, will stop spamming that domain.
Either that or a spammer will set up an account at Yahoo, send an email to the targetted user, will receive the challenge, will respond, and then will spam the target using that "From" address--and maybe even pass the "unlocked" Yahoo address to other spams who will send in a ton of spam taking advantage of the fact that it is currently open. The target eventually logs in, downloads a ton of spam and nukes the newly-unlocked Yahoo address... but the spam still made it through.
Or, another possibility... Spammers may deduce commonly unlocked email addresses. Perhaps a full 1% of users have unlocked "Support@microsoft.com" and another 1% have unlocked "list@bigmailist.com." So instead of dealing with the challenge response, spammers will just send the same email to each user with a hundred different "commonly unlocked" email addresses. So you'll get spam with forged email addresses that are often unlocked, and instead of a spammer sending the user the email once he will attempt to send it 100 times.
This second approach is what I think the spammers' response to challenge/response would be. They'd make a good guess at the most commonly whitelisted addresses and just send email to the user from all those addresses in the hope that at least one gets through.
So much worse than doubling spam (by sending a C/R response for each spam), you may have increased it by an order of magnitude by giving spammers an incentive to send the same spam multiple times from different forged addresses hoping that at least one is unlocked...
The load increase is manageable. Challenge response would only need to happen a small percentage of the time for valid email. For spam, yes up to 1 email would be sent per spam recieved. I think the internet can handle that. It's not like there are going to be large attachments or anything.
You are forgetting that spam is quickly becoming the MAJORITY of email being transferred. As you said, 1 challenge/response mail is being sent for every spam received. Challenge/response DOUBLES the number of spam, and since most spam isn't too big it's not impossible that challenge/response would double the VOLUME of traffic attributable to spam.
Whether the Internet can *handle* it isn't the issue. The issue is that you are INCREASING useless traffic instead of reducing it and I don't see where that helps anyone, and certainly not ISPs or backbone providers.
The only really big problem I can see is what happens if someone sends out spam with your email address.
So this great challenge-response solution essentially doubles spam traffic (by generating 1 useless C/R request for each spam received) and has the potential for creating a new way to DDoS an email user.
If I were Earthlink, I'd let Mailblocks keep their patent. Challenge-response was probably a reasonable solution half a decade ago. Filters have improved since then and with a well-maintained filter list of domains PLUS a working Bayesian filter there is no reason to make innocent senders go through the hassle of verifying themselves while at the same time doubling spam traffic (one spam received = one challenge response issued, so instead of a billion spams per day we have a billion spams plus a billion challenge/response mails).
C/R technology is inconvenient and obsolete. I'm not even sure why Earthlink decided to implement such an obsolete approach that has the side effect of doubling the amount of emails related to spam.
The law is the law and the Florida Supreme Court ruled for a solution that violated Florida's own law by violating a deadline contained in that law. Harris' action was not surprising. The U.S. Supreme Court essentially upholding it was not surprising since they, too, could read Florida's election laws. What was surprising is that the Florida Supreme Court ruled in a way totally inconsistent with Florida's law as passed by the Florida legislature and disregarded a deadline clearly included in the election law for a purpose.
What transpired was exactly what was mandated by law. The only thing that never made sense was the Florida Supreme Court's total disregard for the law.
Maybe, but you might be underestimating what a "normal user" is these days. What you say might have been true in, say, 1998... but these days I think most people at least are aware of the fact that there is "free" music out there, many of them get it free while those people may pass it to their friends which might not be able to get it for free.
Not to mention I think that those people who have enough money to buy any significant number of CDs at $20 a pop are very likely to be people that also have enough money to get a PC and use it.
MP3s and P2P are no longer the realm of techies...
its not as if they took up arms in defense of Iraq, they merely opted out, and the US/French relations have gone to hell.
The French didn't just opt out. They made every effort to make sure that no-one could or would opt in. There is a difference, and especially from a country that supposedly is an ally.
China, on the other hand, isn't exactly an ally. We're not going to expect their active support and not going to be upset when we don't get it. Of course if they DID lend support then that would actually be an opportunity for China to find new friends in Washington--but the absence of support isn't going to provoke ire in Washington like France did.
I think it'll be a PR problem if they don't find WMDs, but in the end we're already seeing it was the right thing to do. Just keep clicking "Reload" on news sites to see the current number of bodies that have been recovered from 3 mass grave sites. It appears that even if Saddam didn't have WMDs (a big if), he still appears to have been very effective at creating mass destruction anyway.
If North Korea *attacked* South Korea? I think China would shut up, sit back, and just try to keep North Korean refugees from flooding into their country. If North Korea attacks South Korea the entire world is going to support South Korea and whatever response is necessary to defend it, much as was the case in the original Gulf War. China isn't thrilled with the idea of North Korea having nukes and if the entire world is supporting South Korea post-invasion I can assure you they won't be going to bat for North Korea... After all, they want the Olympics in 2008 don't they?:)
Slashdot Mirror
Isn't that a big "if" though? I've always heard that the spam response rate was in the neighborhood of 15 per million. 1% or 2% would be 10,000 to 20,000 per million. Is that really possible for a non-targetted, unsolicited spam campaign?
If 10,000 to 20,000 people per million are really responding to the garbage that guy sends then we have are dealing with a bigger stupidity problem than we thought.
I can't help but believe that he was overstating his response rate when he stated 1% or 2%, unless he's talking about "open rate" which might just be poor people accidentally opening the spam or being deceived into doing so--hardly a measure of true interest in his garbage.
Shameless plug, I know, but relevant to the discussion and your post.
No, unwanted email shouldn't be sent, period. Unless the spammer has a TRUE double-optin list of people that REALLY want to receive the spam, there should be no assumption that anyone wants to receive it. But if its a real double-optin list then it's not spam--it's a mailing list.
If you sell the email addresses of your clients, you should be required to state to whom they have been sold so you can opt out *before* you get spam mail.
Selling or sharing the email address of your clients should not be permitted. At the very least, it should be explicitly requested in the webform and defaulted OFF. If the user sets it, it should be verified by email first (I.e. an email that reads "You have selected that we share your email. To confirm, please click this link...").
There should be a "national opt-out" spam list that all spam senders must check before sending a message.
A one-way hash so that email addresses can't be extracted but a given email address can be checked in the database. Unfortunately, that requires a WORLDWIDE opt-out list, not nationwide. And the thought of a law implemented by every country in the world to make it so makes me nervous... would they resist the temptation to limit other forms of communication? Or would they really limit themselves to spam? Could agreement be reached on WHAT spam is? Half the time we can't even agree amongst ourselves.
Violating these agreements, or sending another message after the user has "opted out" is punishable by a $1000 fine per email sent.
Simply a law the explicitly states that hijacking open relays is punishable by $1000 per email relayed and each unwanted spam reported by a user is also worth $1000. What's missing is a central clearinghouse for making those claims. It's not feasible for everyone to sue a spammer right now because hiring a lawyer to collect damages is going to be more expensive than the amount recovered. There should be an organization that consolidates claims, sues the spammers, keeps a 50% cut for themselves, and the other 50% is distributed to those that reported the spam.
If there was a $1000 fine per spam I was sent and I was able to collect $500 of that I wouldn't mind letting a third party keep the other half for doing the legwork of getting the money--or putting the spammer into bankruptcy.
Yup, over the long term. Verisign is already seeing that first-hand: Domains can cost less than $9/year at most registrars and they're a lot easier to deal with than Verisign. Quite a change from 8 years ago when it cost $35/year and you had to do everything manually through Verisign as opposed to via a web interface. Likewise, expensive SSL certificates from Verisign and Thawte can now be purchased for just $50/year from Comodo.
So, yes, over the long term Verisign's situation is not maintainable.
As for ICANN, that's more of a political issue. They've been given control which is more like a "government" than a "corporation" that has to live with a free market.
Lots of important tidbits there. First, it was "to promote the progress of science and useful arts," not to "promote the pocketbooks of distributors." Also, it was to secure "for limited times" the exclusive rights to their respective writings and discoveries. The current situation can hardly be considered "limited."
No, but they are entitled to have exclusive control over all copies made of their intellectual property. If they want to charge money for it, they're also entitled to that.
Sure, they can charge money for it. But when the amount charged is too high there WILL be a black market. Like I said, I'm not saying it's legal--but it's a fact of a free market economy that a company or individual that tries to gouge the market will be gouged in return, often by competition or often by illegal black markets.
But the fact is, in a free market, products WILL find their NATURAL PRICE, legally or not. Deal with it.
I'm not a fan of "we know what's best for you" and this kind of thing borders on silly. On the other hand, I doubt a video game where the goal was to hijack a plane and crash it into a building would be well-received even if the targets weren't police, so I don't think it's really a question of police being more valuable. The fact is, they're easier to identify targets on the street and promoting that targetting of police is no different than a game targetting blacks, whites, or garbage collectors. It's all sick.
Almost as alarming as the law is the fact that the designers of video games are so completely out of creativity that they have to resort to something as disgusting as shooting law enforcement officers. Is there truly nothing more interesting or fun that they can come up with for new video games?
I might be showing my age, but Space Invaders, Asteriods, Pole Position... They were all fun and didn't involve killing humans. I know things change and evolve and I'm not suggesting we bring back Space Invaders, but I have to believe that fun games can still be sold that don't require the killing of other humans, police or not...
-- Rodney Dangerfield. :)
So you're saying the most beaver-like cats would survive??
So you advocate the artificial creation of scarcity? So the owner of an otherwise non-scarce product can artificially create scarcity so that something that wouldn't otherwise have value has value?
I can understand the artist's desire to make money, but things that are by nature NOT scarce should not and, in the long term, CANNOT be made scarce. Legally or illegally the market will make certain of that.
The owner consumed resources to develop the IP, and it is reasonable for that owner to expect to extract value from that investment.
Many people create IP and don't expect to extract money from it. Many others even invest time and money creating IP *expecting* an ROI and never get it. Just because something requires time to create doesn't automatically mean they are entitled to money. The market decides what any given product (or IP) is worth. If the market has decided that music in its digital form is free then the artists either adapt to that reality by taking advantage of free music distribution to promote themselves, their products, and hopefully score endorsements, or they can find something else to do for a living.
I have yet to see a credible argument that only tangible property has value.
It's not that IP doesn't have value, it's creating artificial scarcity that gets you (or the RIAA, rather) into trouble. Charging $20 for something that costs a buck and for which even $3 should create healthy profits is as much robbery as people getting some free tunes online. You overcharge like that and you're just ASKING for a black market to be formed (file sharing) or asking for someone else to redefine your market (Apple).
The thief can justify it however he or she wants, but the IP has less value after he or she takes it without permission.
Maybe, but if the owner had chosen a price nearer to its NATURAL PRICE the owner would find that fewer people would "pirate" it and, thus, fewer people would lower its value by taking it without permission. In fact, I'd say that piracy is bringing the overall price of music to its NATURAL PRICE. They charge $20 for CDs but lots of people get it for free. Perhaps if you did the math you'd find that averaging the total amount earned and the total amount pirated that the final amount earned was, say, $6 a CD. To me that means that that's the NATURAL PRICE.
Legally or not, all products in a free market WILL find their natural price. Free markets do that.
But in the end, yes, digital distribution will reduce the "value" of music. That's because most of the value has been concentrated in the DISTRIBUTION of music and that's now nearly cost-free. I'm not convinced any of this really affects the artist who generally earns more money from concerts and endorsements than from the sales of their CDs.
I agree. But the point is that I think they have a profit margin high enough that they can take some pretty big hits and still be GETTING enough money to keep spamming.
Me: Bayesian is extremely effective
You: But can it be implemented at the ISP level? Every implementation I have seen has been at the client level, partially because it needs to learn what you, personally, consider spam. I may have signed up for a get-out-of-debt list server that delivers messages that you would consider spam. If it's at the ISP level, the accuracy will probably be unacceptable.
It absolutely can be done at the ISP level. That's where it SHOULD be done. But on a user basis.
Check out the site in my signature. It's a service, but it could just as easily be implemented on any given ISP. The Bayesian filtering takes place at the ISP level so the user doesn't even have to download the spam. Retained emails are visible on a website and if there's a false positive by all means tag it for downloading. If any spam gets through, there's a link in the headers you click on to report that message as spam so the ISP can update your Bayesian corpus.
Bayesian *should* take place at the ISP level, but it should be done on a user-by-user basis since that's the only way Bayesian can work.
If the user must abandon their current e-mail client in order to use Bayesian filtering then it is not low-hassle.
Not necessary. Again, see site below--you just point your POP3 client to the site. Or if the ISP implemented it you wouldn't even have to point your client to another server at all.
If the user has to install software to perform the Bayesian filtering, it's not low hassle.
Again, see site below. Just point your POP3 client at the site and you're done. Nothing to install.
If the user has to train the Bayesian filtering, it's not low-hassle -- and you will find that most will not do it or understand why they should.
This is the one weakness to Bayesian, and I see three solutions that would be great to see implemented: 1) Site below also has traditional filters which will catch 85-90% of spam. With normal filters enabled the Bayesian filter will largely train itself. 2) While a users' Bayesian corpus is small, a generic could be used which represents the best and worst of email. This could help suplement the traditional filters until the user's personal Bayesian corpus grows. 3) There should be an RFC for reporting spam to any given server, defaulting to the POP3 server. It could be as simple as opening the connection, giving a username, password, and message ID#. But there should be a standard way for all email clients to report spam to whatever spam-filtering service or procedure is being utilized.
The training of a Bayesian filter is the ONLY downside, but it only lasts for a little while. I have largely trained my Bayesian filter and even though I've received nearly a thousand spam in the last week, not a single one has gotten by--and no false positives. So an ounce of effort at the beginning with Bayesian can pretty much eliminate the spam problem for any given user.
One big problem with Bayesian filtering is that the end-user has to download the entire message and then, and only then, determine if it is spam.
Again, see below. The site below does the filtering and only good email is downloaded to the client. If an ISP implements it, that's how it should be implemented as well. If a user has to waste time downloading it before any given filter works then the solution is largely useless.
Another problem is that spammers will be able to rely on less than 100% client-side participation.
I doubt *any* given spam solution is going to achieve 100% client-side participation. In fact, to tell you the truth, I'd just assume that everyone NOT use Bayesian. While Bayesian filters remain in t
This could be done without the hassle of C/R, though. If you see 500 messages coming from a certain IP address then you could just assume that it's all spam. This same technique can be applied to any anti-spam technique without having to implement the C/R portion.
Yes, there are ways to reduce the damage C/R can do and the volume of mail it creates. But, again, why do we need a solution that creates MORE mail and has to have special logic for damage control when that same logic would be applied just as well to other anti-spam techniques that don't require the generation of the C/R requests?
Also "obsolete" is not a proper term to use, at least not with the argument you're making.
When there are easier-to-use anti-spam techniques that achieve an extremely high level of success without adding any hassle to senders and without generating more email traffic in the process, yes, I think a system that requires a sender to go through hoops (even if only once) to get their message delivered and that has the potential of generating quite a bit more mail traffic is obsolete. It is obsolete in the sense that there are simpler, less bandwidth-intensive and more user-friendly ways to achieve the goal of keeping spam out of the inbox.
I agree that if you implement C/R and the response bounces that you could choose to assume that all the emails from that address should be deleted. But in and of itself C/R is the challenge and the response. What you do with an email deemed to be spam is separate and can be applied to any anti-spam technique, not just C/R. Perhaps when I get a spam that has a 100% Bayesian score I go out and kill all the other "same messages" for everybody else... Does that make the "go out and kill all the same messages for everybody else" part of the Bayesian technique? No, not any more than it's part of the C/R technique. It's just a question of what you do after you've decided you've identified spam.
There is nothing stopping the ISP from issuing only a single challenge when one sender delivers mail for hundreds, thousands, or more recipients. A single response could cause all of the mail to be delivered.
What? Are you suggesting that when one sender (spammer) delivers mail for hundreds or thousands of recipients instead of issuing hundreds or thousands of C/Rs you issue only a few, and if a few are responded to you let the mail through to all hundred or thousand emails? Now THAT would definitely be vulnerable to spammers since they could just answer a few of the C/Rs and be happy knowing that was all it took to get their spam to the other hundreds or thousnads of emails.
Or perhaps I misunderstood you there...
Economics and need for a valid return address -- the latter of which you will not find on 99.99% of spam.
I'd submit the economics are not a problem since you can send more mail for little extra cost. As for a valid return address, it's not hard to open up some accounts at Yahoo that are valid and can receive replies. Sure, they'll get shut down sooner or later but you've already received and answered quite a few C/Rs before that happens--and even once the account is shut down you can send spam with that forged email address without Yahoo's help (unless you implement the other feature you were talking about regarding dumping email based on IP != professed sender's host). Even this feature is not necessarily workable because it IS possible (granted, not so common) that people use Yahoo via POP3 and send email with @yahoo.com addresses that don't necessarily go through Yahoo's outbound server.
There has always been fairly simple ways around the earlier forms of spam filtering. C/R has no simple, low-labor, low-bandwidth, low-exposure means to circumvent it.
If they go for the "send the email 100 times using 100 different commonly-unlocked email addresses" solution then it's still low-labor. Bandwidth has never seemed to be a problem for spammers, neither has level of exposure.
Plus, if they DO find a way around a given C/R system, they'll be able to spam all the people that are protected by that system. With Bayesian there's really no way to get around it since getting around a Bayesian filter requires knowing what the "innocent" words are for a given user, and they're just not going to know it. If they happen to guess a couple that doesn't automatically mean all the users using Bayesian are going to become victims as well.
Plus Bayesian is better in the sense that the spammer doesn't know what he's up against. With C/R, he knows that there is a challenge and he CAN deliver the spam if he wants to take the time. With Bayesian, he has to assume his message got through--there's no indication that it didn't. His response rate just drops through the floor and it's not going to be obvious why, or what the spammer has to do to get response rates back up.
So you know more than all of the people at Earthlink who have investigated this problem? You know more than people at MailBlocks?
I would hope that is not the case. But I've seen article after artcile in the mainstream press abou
You: Then you delete all 142,675 copies of the spam, keeping it from being downloaded 142,675 times by your customers.
That's not a challenge/response system. You're talking about a networked solution to spam where spam identified by one user is used to identify other people's spam. That's fine, but the same system can be implemented with Bayesian or pure filters without having to resort to generating C/R traffic for each spam.
Then spam decreases by 99.9% because spammers know that their messages don't get through... If spammers know that their messages will be blocked because of challenge/response mechanisms, then they will stop spamming that ISP.
On what do you base that assumption? History has shown us that every time we make it harder for spammers to get their garbage to us they respond by mangling their spam, getting around the solution, and sending MORE spam, not by reducing it.
ISPs like Earthlink recognize that keeping spam out of customers' mailboxes helps them attract more customers
Yes, but C/R is not the best way to keep spam out of customers' mailboxes for reasons that I and others have already explained here.
I run the domain anti-spam.org.
Oohh, I didn't realize I was dealing with royalty. Let me cower in my lack of knowledge because I am a commoner that doesn't run anti-spam.org. :)
I know that spam would be economically infeasible with either of the methods you describe above.
You underestimate labor costs for the first one when using teen-labor and/or folks in 3rd-world countries, and I don't understand why you think the second one would be too expensive for a spammer. If they can send a million spam they can send 100 million spam to brute-force their way through commonly-unblocked email addresses.
You ignore the fact that the receiving server could easily determine, by IP address, that the mail purporting to come from "support@microsoft.com" or "enlarge_your_penis@yahoo.com" was, instead, coming from an open relay in China. Drop that connection and the problem is gone.
You ignore the fact that that's NOT challenge/response and not what we're talking about and that same solution (which is not a bad one!) could be applied to Bayesian or traditional filters without the hassle of challenge/response and without generating MORE mail traffic (from C/R requests) in the process.
If you sharply increase the number of times that a spammer has to try to get a message through, you make spam unprofitable. While he may be making money with a .01% sales rate, he won't be making it at .001%
You seem to assume that it costs 100 times more to send 100 million emails than it does to send 1 million. I don't believe that is the case. In fact I KNOW it's not the case.
It is, in fact, an elegant solution that does not require legislation or a fundamental change to the e-mail infrastructure of the Internet.
As is Bayesian which doesn't require legislation or a fundamental change to the e-mail structure of the Internet, and which DOESN'T worsen bandwidth problems by sending out C/R requests to each spam received, and to which your other anti-spam techniques (networked deleting of identified spam and checking IP address to see if the mail is from who it supposedly is from) can also be applied.
That's what NDAs and contracts are for. You don't need patents to protect intellectual property. If your inventor has an NDA with the factory and the factory owner does that, he sues his butt based on either the NDA or a contract. Patent wasn't necessary to sue...
On the other hand, if the inventor does something cool and starts making money and others say "Hey, good idea, let's compete!" That's a GOOD thing and should not be discouraged by patents.
I think the key is protecting the inventor from initial exploitation like you mentioned above. But that can be covered with NDAs and contracts. Protecting the inventor from competition? I don't see where that benefits society and only benefits the inventor in the short-term since it delays any motivation to improve or innovate on top of the invention since there's no competition...
So you've blocked 670 spams in the lsat 10 days by sending 670 challenge/response messages to 670 probably-forged addresses which either bounced the challenge response message or went to some innocent guy's email address?
Meanwhile, I've blocked 960 spams in the last 10 days with a Bayesian filter without anyone having to go through a challenge/response hassle and without generating 670 useless C/R messages, which is arguably spam in and of itself.
Challenge/response may have been good in the past, lacking better methods. Better methods now exist and doubling spam traffic by sending out C/Rs for every spam is not helping the problem.
No, increased load. Instead of dealing with one spam, you receive the spam, send out a useless C/R email (creating load on a third server), and then get a bounce back again requiring time to deal with on your mail server.
The spam is discarded, saving space on the server.
Disk space is cheap compared to bandwidth and CPU load dealing with all of it.
Spammers, recognizing the futility of sending spam to challenge-response mail servers, will stop spamming that domain.
Either that or a spammer will set up an account at Yahoo, send an email to the targetted user, will receive the challenge, will respond, and then will spam the target using that "From" address--and maybe even pass the "unlocked" Yahoo address to other spams who will send in a ton of spam taking advantage of the fact that it is currently open. The target eventually logs in, downloads a ton of spam and nukes the newly-unlocked Yahoo address... but the spam still made it through.
Or, another possibility... Spammers may deduce commonly unlocked email addresses. Perhaps a full 1% of users have unlocked "Support@microsoft.com" and another 1% have unlocked "list@bigmailist.com." So instead of dealing with the challenge response, spammers will just send the same email to each user with a hundred different "commonly unlocked" email addresses. So you'll get spam with forged email addresses that are often unlocked, and instead of a spammer sending the user the email once he will attempt to send it 100 times.
This second approach is what I think the spammers' response to challenge/response would be. They'd make a good guess at the most commonly whitelisted addresses and just send email to the user from all those addresses in the hope that at least one gets through.
So much worse than doubling spam (by sending a C/R response for each spam), you may have increased it by an order of magnitude by giving spammers an incentive to send the same spam multiple times from different forged addresses hoping that at least one is unlocked...
C/R is an unworkable solution to spam.
You are forgetting that spam is quickly becoming the MAJORITY of email being transferred. As you said, 1 challenge/response mail is being sent for every spam received. Challenge/response DOUBLES the number of spam, and since most spam isn't too big it's not impossible that challenge/response would double the VOLUME of traffic attributable to spam.
Whether the Internet can *handle* it isn't the issue. The issue is that you are INCREASING useless traffic instead of reducing it and I don't see where that helps anyone, and certainly not ISPs or backbone providers.
The only really big problem I can see is what happens if someone sends out spam with your email address.
So this great challenge-response solution essentially doubles spam traffic (by generating 1 useless C/R request for each spam received) and has the potential for creating a new way to DDoS an email user.
Sorry, but C/R is really obsolete technology.
C/R technology is inconvenient and obsolete. I'm not even sure why Earthlink decided to implement such an obsolete approach that has the side effect of doubling the amount of emails related to spam.
The law is the law and the Florida Supreme Court ruled for a solution that violated Florida's own law by violating a deadline contained in that law. Harris' action was not surprising. The U.S. Supreme Court essentially upholding it was not surprising since they, too, could read Florida's election laws. What was surprising is that the Florida Supreme Court ruled in a way totally inconsistent with Florida's law as passed by the Florida legislature and disregarded a deadline clearly included in the election law for a purpose.
What transpired was exactly what was mandated by law. The only thing that never made sense was the Florida Supreme Court's total disregard for the law.
Ahhh... Yes... you mean the one that certified election results on the day she was required to do so by Florida election laws. The nerve...
Not to mention I think that those people who have enough money to buy any significant number of CDs at $20 a pop are very likely to be people that also have enough money to get a PC and use it.
MP3s and P2P are no longer the realm of techies...
The French didn't just opt out. They made every effort to make sure that no-one could or would opt in. There is a difference, and especially from a country that supposedly is an ally.
China, on the other hand, isn't exactly an ally. We're not going to expect their active support and not going to be upset when we don't get it. Of course if they DID lend support then that would actually be an opportunity for China to find new friends in Washington--but the absence of support isn't going to provoke ire in Washington like France did.
Don't worry, it's all good.