Slashdot Log In
ISP Chief on Spam
Posted by
CmdrTaco
on Sat Dec 21, 2002 12:40 PM
from the stuff-to-read dept.
from the stuff-to-read dept.
saddlark writes "internetweek.com has another article about spam and false positives. They've talked to Barry Shein, president of The World (the worlds first dialup ISP) - someone highly affected by spam. Quote: We're victims of crime, and nobody gives a damn. That's a nice feeling -- your business is being pounded into dust by criminals, and people say, `Live with it,' Shein said." ISPs have it pretty bad since their SMTP servers are often being hijaaked to send email that nobody wants. As annoying as spam is to us (113 messages so far today!), it's even worse on that side.
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
live with it indeed (Score:2, Insightful)
Re:live with it indeed (Score:5, Insightful)
My god! I now get it! And your advice is so appliciable elsewhere in life!
Those people complaining about crime in urban areas? They should just shut up.
People starving to death in Africa because warlords, corrupt governments, and civil war make it impossible to grow food? They should just tighten their belts or eat dirt or something. Or maybe fight back by hiring troops to protect their subsistence farms.
And those people in small, unimportant countries that get invaded? Well, that's their mistake. They should have picked a bigger country to live in. Or domed it over or something.
Yep! The world is a hostile place, and people should learn how to deal with it instead of whining about things like laws and governments and human rights.
Parent
Re:live with it indeed (Score:3, Interesting)
-Spammers moving offshore (as if Asia wasn't already the #1 spam source)
-The amounts of the judgements increased (hitting a company where it hurt$ get$ their attention)
-The ease of getting a judgement against them increases. (which also magnifies the previous point)
Personally, I liked the simple idea of requiring all unsolicited business offers to have "Advertisement" as the first word in the subject line ... it would have made filtertering them trivial.
And, perhaps more important, falsifying headers gets slapped down under existing criminal wire laws. Either way, they're fairly easy laws to define and implement ... all it takes is getting the attention of politicos long enough to pass the laws, and then the law enforcement branches to enforce them.
Unsolicited faxes are the closest example - unwanted, and they cost the end-user - and every year some company gets slapped down hard (the most recent one I read of filed for bankruptcy due to the magnitude of the fine) - because laws were passed and enforced. That's all it would take to bring the spam problem down to manageable levels.
In other news (Score:3, Funny)
Government Bans Email (Score:3, Funny)
Keep whining and nothing happens (Score:3, Insightful)
This happens because the people who are in position to make laws and policies are directly affected. All the whining goes on in the technical community, but talk to your elected representative and ask them where spam figures in their priority.
Secondly, to get laws passed, you need a lobby. Hell, even *IAA managed to get asinine laws passed because they lobbied as a group: they were able to highlight (rightly/wrongly) how their financial interests were being compromised.
Unless a lobby is formed and pressure sustained, we can whine all day on /. We can send 100 spam's to Alan Ransky. We CAN'T end spamming.
Alternatives? (Score:2, Interesting)
I suppose the real problem now isn't finding a new protocol, but rather, getting wide-spread adoption of it, seeing as email has become a part of daily life.
Re:Alternatives? (Score:4, Informative)
Parent
I hate to rehash an old argument..... (Score:3, Interesting)
ER
Replacement needed for SMTP (Score:3, Informative)
I don't think Barry is right about the situation being about to implode. "Imminent death of the net predicted" has a poor track record for accuracy. But I wouldn't be surprised to see things get much worse over the next, let's say, three years.
What we need is to have a replacement ready. Waiting in the wings to take over. As "SMTP email" becomes more and more spammy, and people get more and more frustrated with both spam and the inconveniences caused by fighting spam, the number of people willing to adopt a replacement will grow.
My contention is that the only way to solve the problem is to make it cost something to send spam. The root of the problem is the unbelievable cheapness of delivery. Every attempt to solve the problem has been an attempt to make delivering spam more expensive (typically by getting spammers kicked off ISPs, cancelling their contracts and costing them money circuitously).
We simply need to make email delivery cost something. A tenth of a penny an email would be more than enough.
Maybe it can be done with "hash cash," requiring the email sender to spend CPU cycles to solve a math problem. Personally I don't think that's going anywhere; CPUs are way too cheap right now. But that's an ingenious approach to the problem and a good example of the kind of thinking that will be needed.
I lean toward inventing an entire micropayment system to solve this problem. The advantage is that, piggybacked on the solution to spam, you get micropayments -- which, when applied to the web, usher in a whole new era of content production.
But whatever happens, something needs to be waiting in the wings for when SMTP finally hits the wall.
Re:Replacement needed for SMTP (Score:5, Insightful)
People have said the same thing about HTTP, FTP, and pretty much every other standard protocol on the internet. So far, SMTP seems to have come under the most fire because of spam. I've been wondering when Microsoft will write their own closed mail protocol that effectively gets rid of spam, then proposes that everyone "migrate" from email to ms-mail or whatever the hell they wanna call it.
I think that we can all see that the ability to have an open, widespread protocol with spammers abusing people is a much lesser evil than microsoft controlling the entire email market. I propose that instead of getting rid of email, we add extensions to SMTP, just like they did for HTTP1.1 in order to better suit the needs of the growing net.
Parent
I don't want to pay that (Score:3, Interesting)
Hash cash seems more reasonable, but in order to really stop a spammer you want to delay him/her (it?) for probably on the order of a second per message, at least. Even if you find some algorithm to do that, it'll really annoy me to have to wait a second to send regular email also. So, I'm bitching about a second. But those can add up.
Now, maybe what you could do is charge for bounced email messages. The recipient decides whether he/she wants to open the message. If they open it, it is automatically free of charge. If they bounce it without opening it, the sender gets a small charge. The idea being, you get payed for the unwanted mail people send to you.
I hate it (Score:2)
I've heard that before, and I don't think it's enough. All you need is one idiot to say, "Yes, I do wish my penis was larger!" and at $39.95, he's just covered 40,000 emails. Are spammers getting a 1 in 40,000 response rate right now? I don't know, but they're paying for net access somehow. So raise it. A dollar an email. Then you have a 50 million dollar outlay to spam the world. Better have a good response rate with a pricey item to get that back.
But that doesn't work for me. Why should I have to pay that, or any amount, to use a service I'm already paying for? Isn't that why I shell out 20 bucks a month - to use the intarweb, 80% of which is still probably email?
Re:Replacement needed for SMTP (Score:5, Interesting)
Think about it people, this is not going to happen. I could list a thousand problems with the idea (How do you deal with international ISPs, how do you deal with ISPs that do not require it, where does the money go, and so on).
Some more basic questions that will prevent it: We here on Slashdot are hesitant about doing anything that might ruin our privacy. Think about the full implications of *whatever SMTP server you use having some credit card information about you*.
Think about the protests when AOL and MSN are taking in tens of thousands of dollars a week for email.
I cannnot believe that people that propose these ideas do not ever think through it fully. Email is so great because it is easy *and free*. Charging for email, even
The answer is to modify SMTP as we have it. Require authorization. Make it impossible to forge headers.
The big problem, of course, is international mail. I get mail from Korea, China, and Russia. Almost all of it is Spam. Whatever we do is going to have to get at that problem.
Think about the Slashdot article in four years, talking about how a lot of Chinese rebels are not able to send email to the United States because of micropayments and the problems they have with that.
Parent
SMTP is not the culprit (Score:5, Insightful)
Having written various SMTP software for a few years now I would like to comment on the "forged headers". forged email headers mean nothing. When a client connects to an SMTP server to send a message the clients IP adrress is recorded and this is added to the message. You can open any email in a text editor and see the originator of the message, his/her IP address that is. Anyone can add a header to the message, its up to the email reader to intepret it. That system works, and spammers are identified. BUT by the time we catch them they have moved to other locations, or they were using an open relay. Spammers can be caught, the 7 million doallar AOL settlement was evidence to that.
I do however agree with the Authorization argument. If more SMTP server in the world would simply require authentication/authorization from it's users and shut down open relays then it would eliminate a good portion of spam and add a little accountability for users of SMTP.
Why An Open Relay is a Problem [ordb.org].
It won't however stop joe spammer from getting a cable connection and setting up his qmail cluster so he can start his "~You Have Won-Some NIGERIAN Money / Tits(c)!!!!!????" campaign at an easy going 50k messages/hour. I believe that changes must be made but they have to be well thought out or we will be in the same boat 15-20 years from now. I believe that instant messaging, presence servers, and presence proxies will take over in the future, slowly replacing email and we need to build up such provisions in these protocols now.
Parent
Teergrubes are the answer (Score:5, Interesting)
That's what I'm doing right now.
I run a tarpit on my mail server. Send me spam, and my mail server identifies it as such and imposes a cost on the sender -- in this case, the cost is that my mail server holds on to his connection and sends nothing but occasional keepalive messages in return. The spammer's relay (or the open relay he's hijacking) is deprived of an outgoing connection it could be using for sending spam to somebody else. Eventually the spammer will hit enough teergrubes that all of his outgoing connections will be tied up by them, and he'll come to a complete stop.
If the spammers begin catching on to this, and dropping their connections to me after they see me stall for N seconds, then I'll just set my mail server to automatically stall all incoming SMTP connections for N+10 seconds.
So the cost I'm imposing on spammers isn't money, but time and resources. A mom-and-pop ISP isn't going to be deterred by having its outgoing SMTP connections held for a minute before they're accepted. A spammer trying to send out two and a half million spam messages *will* be deterred by this.
Parent
Re:Teergrubes are the answer (Score:4, Insightful)
This is a prime example of a half assed solution that causes more problems than it solves.
Teergrubbing is really easy to detect, the sender simply measures the rate at which a link is accepting data and if it is below a threshold shuts down the connection. So don't think this sort of attack hurts the spammers, it doesn't, they take countermeasures.
Instead the attack takes out legitimate senders whose emails are incorrectly identified by the teergrubbing algorithm. It is a classic example of a counter attack that creates more problems than it solves.
There are similar problems with the much touted blacklists, many of which have been involved in blacklisting for arbitrary reasons. The problem being that the people who end up running the lists (as opposed to starting them) often turn out to be pretty involved in their own control freakery.
There is no sure fire solution to spam, but there are plenty of systems that provide a useful degree of mitigation and in compbination provide a pretty solid solution.
Parent
Latency is good! (Score:5, Interesting)
http://www-106.ibm.com/developerworks/library/l
Following that, I got into a discussion with a reader who ran an ISP, and wanted to implement some filtering techniques on his SMTP server. My reaction--and the more I think about it, the more convinced I am--is that actual filtering is heavier than is needed for this purpose.
I believe that a great deal of the problem with SMTP servers is NOT ENOUGH latency. If you were to add a few seconds extra latency to for every "RCTP TO:" field, there would be little effect for regular email usage. But such a couple seconds latency would make spamming impossible through that server. This latency can be a simple timer on the server, starting from a connection opened with a MAIL FROM: message.
There are a few details to handle here. To prevent multi-threaded spammers who open many sockets, you'd have to add a semaphore to each connection that limited connections from the same IP address. And as a general principle, you should not accept connections from every IP in the world (don't open relay). Moreover, demonstrated legitimate mailing lists could perhaps be granted special connections without the extra latency (but there should be a real procedure to prove you have a real mailing list in the ISP contract)
Parent
Stop crying and take action! (Score:5, Informative)
They can implement strong AUPs that will do the following:
Re:Stop crying and take action! (Score:3, Informative)
What do you think the staffing requirements of ruthlessly enforcing the AUP would be? What kind of attorney's fees do you think bullets one and three would cause an ISP to incur?
I think your suggestions make sense, but fail to take the economics into account.
-Peter
Try reading the article next time. (Score:3, Insightful)
That's the most common problem. I run my own domain and do battle with the spammers on a daily basis. I don't have trouble with spam going out of my network. I have problems with spammers trying to send it in. I am blasted by spammers typically operating out of Brazil, China, Korea, and Russia. Complaints to the ISPs seldom even result in even an autoresponse -- much less any action.
Re:Stop crying and take action! (Score:3, Insightful)
Yeah. Great. Most spammers are "smart" enough that they don't spam from their own domain -- they open multiple web hosting accounts elsewhere and blast out their mail from there via perl or php scripts activated by something as simple as wget or a perlbot.
Sure thing. Oops, said credit card was stolen. There's the money they owe you, plus a $25 handling fee for a chargeback.
Sure thing (actually, that's in our AUP as well). Oops, they're actually
- a foreigner, and
- they signed up with fictitious information and a stolen credit card to boot
Looks like the only thing we've got is an IP address in Indonesia, since they raped an open SOCKS proxy or someone else's web hosting server to sign up.Sure thing. It was an AOL/earthlink/someotherlargeISPthatcaterstoidiots user, and all the information matches. Most cards aren't reported stolen until several MONTHS after they've been used for this purpose, simply because of the "honey, did you charge this?" "I might have" effect.
That's always a given.
The typical scenario in this type of situation goes something like this:
Sure, you could attempt to track down each and every spammer, but even the credit card companies and merchant account providers don't care, because the chargebacks make them MORE money on top of everything.
The simple fact of the matter is that the REAL people who could do something about this scenario, the credit card companies, who could actually provide contact information (like a home phone number!) to merchants checking to verify the charges, as well has changing their chargeback policy, couldn't care less because this type of fraud only nets them more money from providers who can only tell if the card and its information are "good" or "bad".
Live with it? (Score:2, Informative)
I know I still get about a spam a day, after my personal filters ditch about 80% of what comes in. And that's after my ISP filters out what is likely an equal amount.
That means about 25 spams a day are sent my way. Multiply by the tens of thousands of e-mail accounts on a mid-sized ISP, and it starts to cost these businesses real money.
email as we know it is the problem (Score:4, Interesting)
Email needs a massive overhaul like the one telnet has gotten. Telnet is obsolete, replaced by SSH. FTP is replaced by SFTP and SCP.
Email needs to be cleaned up, secured and as easy to use as it is today. Encrypting it helps, but you also need to design the protocol so that headers can't be faked. You need to design anti spam into it from the beginning. Anything we do to SMTP now is just a hack on a very old outdated protocol.
Oh and yes I know what I'm talking about, I've run several nationwide mail systems for two ISP's. It's a nightmare I wouldn't wish on an enemy.
Re:email as we know it is the problem (Score:3, Informative)
Actually SMTP does a good job with e-mail. Mostly ISPs need to use what's already provided in SMTP and in mail servers. For example, use one mailserver for outgoing mail and require SMTP AUTH to use it. The seperate incoming server has to not require authorization, but it should only accept incoming mail and reject anything that wouldn't be delivered to one of your customers. Doing that and implementing standard anti-relaying rules and keeping current on security patches would eliminate much of the problem.
As for unforgeable headers, as long as you require people to go through an ISP's mail servers and don't have an authoritative list of all mail servers in the world, you have to allow the client system to provide headers that your server accepts. If you allow that then anyone can forge headers, and if you don't then how do you handle the headers on a message being relayed through the sender's ISP's mail server? You don't know what the sender's username is unless you trust the sending server, and if you trust the sending server then I can set my software up to impersonate a trustable server and get forged headers through. Encrypted and authenticated connections won't help, not without aforementioned authoritative list of legal mail servers which we don't have. And how do you handle legal forgery, eg. my using a "silverglass.org" e-mail address on messages originating from a non-silverglass.org system (my mail isn't handled by the same entity that handles my Internet connection and I plan on keeping it that way)?
SSH, scp and SFTP replaced Telnet, rcp and FTP because people could state what they wanted that the older protocols couldn't do and how those things could be done. Before you can replace SMTP you need to outline exactly what you want the new protocol to do and how it can do it, and resolve any conflicts between what it allows and what people need to do.
When will they learn? (Score:3, Insightful)
I know many people who know little to nothing about computers or the internet. They have not yet been jaded by the flashing banners and e-mail spam messages that promise free programs, trips, prizes etc. So they click away, and before you know it they are getting flooded with hordes of unsolicited e-mail. My aunt recently got a warning from her ISP for exceeding her allotted mail box space 17 times last month. I had to write them a nasty e-mail critisizing the lack of filters (even though it was my aunt's fault for posting to a bunch of newsgroups).
I guess the point is this: As long as people who don't know any better keep clicking on banner ads and checking out spam e-mail, the advertising companies are going to keep flooding people with messages. Their point of view is this: As long as we are getting some kind of return on our investment, we might as well continue to exploit this service. People just need to be educated on techniques designed to avoid supporting spammers, whether purposely or inadvertantly.
Re:When will they learn? (Score:3, Insightful)
It's not your fault when someone abuses you or takes advantage of you. Certainly, there are steps to take to help prevent this abuse, but let's leave the fault where it belongs: the spammer.
Not a crime (yet) (Score:2)
Are spammers stealing from ISPs? In a way, yes; they are using the ISP's resources to earn money for themselves, wihtout the conset of, and certinly without compensating, the ISPs. It doesn't fit the current statutatory definitions of theft of service enough to prosecute, however, so methings this ISPer is mis-direcing his efforts - instead of trying to goad the cops into action, he should be seeking legislative (or better yet, technological) remedy.
Anti Spam Legislation (Score:2, Insightful)
1000 per day (Score:3, Interesting)
What is a solution? Various ones, but legal ones will not work for any length of time, it is like a hydra, cut off one head and more grow back.
What I would like to see (and what we proposed years ago, when micro-payments were in their infancy) was something that allowed you to specify users who you were willing to accept mail from. Everyone else had to pay you something (you could specify it), say, $0.01 or $0.10. Anyone willing to pay that could send you the mail, otherwise they are out of luck.
Personally I would love to get junk mail then - at 1000-2000 per day, that is a nice bit of money per year!
get a filter! (Score:3, Informative)
From the trenches (Score:5, Insightful)
If your an ISP (or related industry) your credit card vendor/bank automatically places you in a category called "high risk". This means that if a customer refutes a charge then you the money is taken AWAY from you and you are charged an additional charge called a charge back. Congratulations, you have a iron clad AUP, but if you don't have a signature (and most ISP's take signups over the phone) then your screwed should the SPAMMER SPAM. It's such a nice feeling to know your getting nailed twice by the spammer,
a. They use your system for something illegal, taking up resources in addition to the time it takes to hunt them down and turn them off.
b. They then charge their credit card back for the account and the AUP violation charge (SPAM Cleanup fee).
I have worked for ISP's for almost 10 years now (Yes THAT long). In that time I have watched and fought against the huge rise in SPAM. Currently I help administer mail servers for several domains that are high profile SPAM targets. So that you can get an idea of how bad spam is let me give you some statistics from the trenches.
1. One popular domains recieves about 120,000 messages/day for accounts that don't exist. There are actually only 35 mail accounts on that box. The target is very popular because of the domain name. That doesn't count the faked bounces which often constitute a few thousand messages/day
2. With one domain that services about 10,000 users, the implementation of a "mailgate" (BSD box with postfix and RBL and other anti-spam measures) reduced the amount of spam by 2/3s. Statistically that meant that 89% of all attempted connections to that box were refused.
3. The equipment used to deliver mail as little as 8 years ago can not be used now for reliable mail delivery. It would not survive the load. A SPARC 2 running sendmail could easily handle mail for thousands of users 8 years ago. With the advent of spam and the shere VOLUME of mail transactions such a solution today would be problematic at best. Moore new law may say something like "Every 3 years the amount of computing power required to run an e-mail server will triple"
The number one cause of complaints for ISP's is e-mail problems. If e-mail fails customers go nuts (as the rightly should). This means ISP's must invest serious money, time and effort into an e-mail solution. Stopping SPAM or preventing it from overwheling your e-mail servers is no easy task. It takes time, energy, intelligence and precious resources away from other things.
Spammers do such nice things as fake bounce messages, hijack school computers in the far east, use several dial up connectiosn concurrently and start running spam until the get shut down. The use faked return addresses from a legitimate domain, overloading those domain's mail servers as thousands of bounces go to it. The take over poorly maintainted machines with highbandwidth and open up hundreds of simultanteous connections to mailserver essentially preventing legitimate traffic from hitting those servers until the spam run is done.
BUT I HAVE A SOLUTION!! Using spammers logic here is my solution. I have automatically signed up every e-mail sender to a new contract. This contract says that if you send me an e-mail that I don't like I can break your kneecaps. If you don't like this arangement you can "opt-out". Just send your opt out message to dev-null@aol.com and I'll be sure to add you to the list of people that don't want their knee caps broken!
SPAMMING is nothing more than common thievery, it is a theft of services, it is theft of time, it is theft of resources and finally most spam runs should be considered a denial of service attack. In fact for small ISP's they often are. Until you bring consequences out of the cyber world into the real world there will never be a solution. Knee cap breaking is a fine real world consequence.
cluge
No the solution is simple (Score:3, Interesting)
Time to ditch SMTP (Score:3, Interesting)
Re:Time to ditch SMTP (Score:3, Insightful)
What are you talking about? I have never seen a piece of spam that contained headers from which it was impossible to determine the spam's origin. Spammers do put in fake headers, but only to fool morons, the real headers are always right in there too. The real problem is that, for the most part, knowing the IP origin of the spammer accomplishes nothing.
maru
Spam filtering (Score:2, Informative)
"The Sky is Falling" (Score:2)
But ISPs have little to complain about. All the spam people receive amounts only to a small fraction of their normal Internet bandwidth usage: per day, you almost certainly generate more bandwidth, TCP connections, and server transactions in pop-up ads than in spam. If an ISP's E-mail servers cannot handle that workload for their users, they are doing something wrong. And if they want to off-load the responsibility of running the server, broadband providers should just drop their restrictions on their customers running servers so that everybody can run their own mail drop.
Filtering still costs... and other thoughts. (Score:3, Informative)
have it pretty bad since their SMTP servers are often being hijaaked to send email that nobody wants.
If an ISP is running an open relay, then they deserve to get highjacked. There's no excuse for that these days.
However, filtering at the SMTP level, whilst useful, still isn't a complete solution. Why not? Well
So, what to do? Small ISPs will have problems. Spammers sign up with credit cards, do a spam run, and flee. So, you have the credit card number, FINE THEM. Put that in your contract.
What can be done about the big boys hosting spammers, Verio, Exodus et al? Block them at the routers.
Minor mods to SMTP needed... (Score:3, Insightful)
What about the simple solution of disallowing multiple recipients in a single SMTP message? If someone legitimately needs to send to multiple email addresses, require a seperate SMTP connection and seperate copy sent for each.
I'm confident the increased overhead from people sending legitimate email to multiple recipients will be greatly outweighed by the overall reduction in email traffic from spammers.
Those of us who run mailing lists and the like could simply configure our SMTP servers to allow multiple recipients and then our server would be required to make seperate connections for each recipient.
The Bush Administration Guide to SPAM (Score:4, Funny)
As much as I detest government regulation interfering with rich business leaders trying to eek out big profits, I think it's time that the Bush administration take notice and do something about the SPAM problem. I'm suggesting you make it a Federal felony Mr. President, because the state-by-state approach just isn't working. SPAMer's are stealing the rightful profits out of the pockets of ISP owner's, just the same way that the eco-freaks are stealing new business opportunities from the oil industry. But it's much worse then that.
You see, Internet bandwidth is a lot like oil. Everyone needs to use some, but there's a big group of rustlers out there right now that don't pay their fair share for it. They steal it, right out from under the Internet oilman's nose, because there are no stiff penalties to prevent it. These rustlers, let's call them terrorists because that's what they really are, tap Internet wells from across state lines, and if the state takes an interest, they just move their pumps to another state that hasn't run into the problem yet. Some of these pirates are stealing up to 40 percent of the Internet oilman's production. How can the poor Internet oilman operate under those kinds of circumstances?
Mr. President, it's simple really. SPAMers are terrorists, out to steal business profits by selling the modern equivalent of oil without paying the oilman for it. How can the administration not do something about this?
Some of these Internet oilmen are in Texas, a state I know you love and cherish. While I'm sure your advisors keep telling you that it's the hippies in the liberal-land of California that are behind this Internet thing, they're wrong. Those left-wing Silicon Valley jerks only build the equipment that the Internet oilmen use, like making the pumps and the hoses, they don't actually run the Internet oil business. Texans could run the Internet wells, if only your administration gives them a chance and does something about these profit-terrorists we call SPAMers.
Hell, if you're willing to suspend civil liberties for guys like Jose Padilla, why not just forget the legal process and let the tribunals deal with these losers? They are enemy combatants Mr. President, traitors in the war on profitability, and I'm sure you can find a nice deep hole for them somewhere. I've got addresses and phone numbers Mr. Bush, and I'm ready to help the fight on terrorism!
Start hitting the open relays (Score:3, Interesting)
Because of this and the infeasibility of the per-message solutions, I think it's time to start hitting open relays with statutory penalties. Something on the order of $100-200 first offense, $200-500 second, $500-1000 on third and subsequent offsenses, collectable through the victim's local small claims court. To minimize baseless complaints (and allow companies to ensure that they're not running an open relay) the courts could require confirmation that a site is running an open relay via an approved testing service, basically what a lot of the blacklist sites already do with test messages.
It should go without saying that any fines and court costs could be passed on to the upstream site that sent the spam. Maybe they were hacked - it really doesn't matter. Either you were authorized to send mail through that relay or you weren't. In the first case your contract specifies the damages (if any), in the latter case it's already a criminal trespass case.
Shutting down the open relays won't eliminate spammers, of course, but it should reduce the damage caused to innocent third parties and the true spammers will be universally blacklisted.
$200/user-year? (Score:3, Interesting)
_I_ care about false positives... (Score:3, Insightful)
But I darn well DO care about false positives.
A few months ago "sent" me pictures from Shutterfly, an online photo-printing service that I rather like. Of course when you "send" pictures, what actually happens is that Shutterfly sends an automated email with a link in it; you click on the link, see the pictures in low-res and get to order prints. If you get the email, that is. The World was bouncing them, because something about them made it think they were spam.
A few weeks ago, I was trying to register online for a conference I want to attend. When you register, the site sends you an automated confirmation email. Again, The World was bouncing them.
I can deal with spam by deleting it. But how can I deal with email that's been improperly bounced? Unless the person who sends it happens to mention it to you, you never find out.
When I contacted The World, their response was that they couldn't do anything UNLESS I COULD SEND THEM THE BOUNCED MESSAGE, INCLUDING HEADERS.
Sounds like an Irish bull, doesn't it? "If you fail to get this, please send it to me so I can find out why it didn't get there..."
Re:I'm not that bad off (Score:5, Insightful)
Once a spammer gets a hold of it, they'll use it. They'll sell it. They'll extract the first portion (ie, the foo from foo@bar.com), and start pattern matching it against a library of domains in case you have multiple accounts (foo@aol.com, foo@yahho.com, foo@hotmail.com, foo@yourdomain.com, foo@foo.com, etc.). Hell, if your address is short enough, they don't even need to get your e-mail. They'll just generate it randomly, so they can claim it as on of their "13-million address CD", and woe to you if they actually score a hit.
Of course, the people who really get screwed are people who use e-mail for business, for example customer support, info, etc. So the next time you get really shitty e-mail service from your bank, ISP, etc., think about how much crap they had to wade through in order to get your message, and how much you have to pay in order to cover that overhead. The spammer isn't paying, that's for sure...
Parent
Re:I'm not that bad off (Score:5, Insightful)
Spammers are about to destroy all this. Because they're posting to mailing lists that are there with the same philosophy, the effort it takes to keep those mailing lists up and running is huge. They are destroying the very fora we use to communicate, they are, as I see it, the greatest threat to the free flow of opinions we are seeing today.
Parent
Re:I'm not that bad off (Score:2)
I'm on a new trip though, every spam I get I bounce it back to the address that sent it to me, and then deny it from my mail server, then I actually click the "Click here to unsubscribe" links, then I forward a copy to uncle sam. Hopefully I'll start to reduce my spam, but it's gotten so bad now that I really have missed important emails on numerous occassions because someone feels I need to lose 100 pounds, make my breats/penis bigger, and I just have to have a mini-rc racer. Now not all the email I get is spam, I do quite a bit of online shopping and I get emails from half and thinkgeek for example on new deals that I might be interested in, these emails I asked for, but do become somewhat annoying with the rest.
I would really like to be able to have a "return to sender" stamp for email, where it costs the sender time/money/whatever to email me a message that I do not want. I also am fed up with "opt-in" spams, these bundles of joy send you an email saying you've been opted into a service and you have to take the time to opt out to stop the emails, what kind of crap is that? The other ones that bug me are sites that are so shady that they don't even have a reverseable IP address, no abuse@ip_adress.
My last question is this, would it be so wrong then to DoS attack these mail servers that the messages come from, I mean they are taking the time to bug the hell out of me and uncle sam doesn't really want to help me out none.
I remember how I stopped getting everyone forwarding me crap messages, just reply to all and say this is stupid stop sending me this crap, and eventually everyone caught on that I was an insensitive jerk and stopped.
Re:I'm not that bad off - I am (Score:2, Interesting)
And I have a hotmail account that's used for when I buy stuff from businesses I expect spam from. Places that don't use the double opt-in and sell my name to others. I often change my name to see the spam spread. But I don't really count that email as spam because that's what it's for.
My yahoo accounts don't get much spam, and that's what I use when I sign up for mailing lists.
I've never signed up for anything under my domain name, that's bots scanning sites. I use servercentral as my webhost, and I get around 50 spams a day that are addressed to servercentral-user@spam.com
And lately, I've been getting bounce backs from servers from spam that's sent under my domain name. It's having a domain name that gets me so much spam.
I've been using MailWasher (bounces email saying I don't exist), but that's going to change I think. After a vacation, MailWasher doesn't work because there's so much spam. And besides, who sends spam without faking the From address? It's effective about 95% of the time - about 5% false-positives.
Ah, that was good. I hit preview, and got a call from a telemarketer.
Legality of Attacking Spammers? (Score:3, Interesting)
You know, he does make a good point about spam being, essentially, a denial of service attack. It denies me use of a portion of my hard drive, of my server's CPU cycles for SETI@Home, etc.
Here's a question. If I put up a page like this on my website:
Welcome to the glowingplate.com automated security test.
This is a free service provided to Internet users so that they can test the invulnerability of their computer systems.
We accept no liability whatsoever for any damages caused.
In order to test your computer - and ONLY to test your computer, no human ever reads e-mail sent to this address - send an e-mail to $E-MAIL_ADDRESS. We will retrieve your e-mail address from the message headers and immediately begin the test.
And then pound 'em into the ground with a script that runs through every known vulnerability of Windows networking.
I figure that if enough of their address lists can be polluted with enough e-mail addresses which crash their systems, they'll eventually die out.
Does anyone keep any good legal counsel on retainer? Any lawyers out there care to discuss ways that such a thing can be done legally from Canada or the US?
The alternative might be to buy service from a hosting provider in some third-world country with no laws, and take care of it from there.
Re:Legality of Attacking Spammers? (Score:3, Insightful)
I think one of the problems might be that your script could attack a semi-innocent mail relay, rather than the spammer's computer.
So while I would cheer if you really hammered their boxes into dust, I wouldn't suggest that you could get away with it. Nor do I think you'd have any legal ground to stand on. You certainly couldn't claim that you didn't realize a spammer might step into your test script, because you just published your intent to all of us.
But if you do, well, kick 'em in the URLs once for me. :-)
Re:World's first? Like hell... (Score:3, Interesting)