Spam is Back With A Vengeance
Ant writes "The Red Tape Chronicles reports that just last December (2006), the FTC published an optimistic state-of-spam report. It cites research indicating spam had leveled off or even dropped during the previous year. It now appears spammers had simply gone back to the drawing board. There's more spam now than ever before.
In fact, there's twice as much spam now as opposed to this time last year. And the messages themselves are causing more trouble. About half of all spam sent now is "image spam," containing server-clogging pictures that are up to 10 times the size of traditional text spam. And most image spam is stock-related, pump-and-dump scams which can harm investors who don't even use e-mail. About one-third of all spam is stock spam now."
Stock scam spams - 3n14rge yur SC0X ... (Score:4, Interesting)
Until the SEC has gone aggressively against one of the most blatant pump-and-dumps, nothing will change.
Re:Stock scam spams - 3n14rge yur SC0X ... (Score:4, Interesting)
Re: (Score:3, Informative)
Re: (Score:3, Interesting)
The images are, ironically, using the same technique used in captchas [wikipedia.org].
Re: (Score:3, Insightful)
Re:Stock scam spams - 3n14rge yur SC0X ... (Score:4, Interesting)
Re:Stock scam spams - 3n14rge yur SC0X ... (Score:5, Funny)
Re: (Score:3, Insightful)
I'd rather get one 200k message that I can identify with near 100% certainty as spam - than 200 1k messages with a 98% detection rate.
Re: (Score:3, Interesting)
Actually, you overlooked something ... the body can be 20 bytes - just a link. People will click any old $hit nowadays, and using stuff like tinyurl helps obfuscate/defeat anti-spam proggies.
I'm surprised more spammers don't use tinyurl and other services to get around filters. Of course, now that the "secret" is out, we'll see an increase in tinyurl, permalink, and pingback spam.
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Junk faxing actually predates email spam, and we got laws prohibiting it quite a while ago. You're entitled to something like $200 per fax
Re:Stock scam spams - 3n14rge yur SC0X ... (Score:5, Insightful)
Old fashioned 'pump and dump' scams were fairly easy to track, as they would go after the brokers who pushed the stock, and then it was a simple task to just follow the money. As we all know emails can be awfully hard to trace back to their creator.
I used to wonder why people would fall for such scams, 'how could they fall for these things time and time again?'. Well, a couple of years back I was having a conversation with a woman who was distressed that an 'old friend' of her husband had contacted him again. Apparently, this guy has sold (taken) her husband on a variety of pyramid schemes, 'mlm's, and many other 'get rich quick' plans. Later, as nicely as possible, I confronted him on 'why' he let this happen. He was a little angry with me, but without any hesitation, he told me that 'one day it will pay off'. That day I learned a little something about some people's nature. He knew that these were scams, but he worked them anyways. To the best of my knowledge, he wasn't a crook, and he never approached me with those affairs. So I'm guessing that he had hoped that if he just participated, someone else would do the dirty work which would make him rich.
I suspect that the reason why these latest 'pump-and-dump' scams seem to work (otherwise why would you be seeing so much of it), is not action by those easily duped, but by those who hope that they could exploit the 'opportunity'.
Re: (Score:3, Insightful)
No they are not. It may require a small amount of skill and knowledge (MCSE, anyone?), or a subpoena, but it is not actually hard.
Really? Are you sure? First of all, the MCSE tests have virtually NOTHING to do with email servers, SMTP, or POP (unless it's changed significantly over the last 10 years). Secondly, if you have ever set up a mail server you would know how easy it is to misconfigure one as an open relay (it used to be the default). Third, if you have read Slashdot for more than a week you would know about the zombie networks and their tendencies to be used for spam.
In any case, stock scams are particularly easy to trace, since the perp has to have a financial connection with someone already holding the stock or involved in trading it.
Why? No the 'perp' doesn't have to have a financi
Use FuzzyOCR and be mostly done with image spam (Score:5, Informative)
Filtering is wrong (Score:5, Informative)
The bandwidth has already been spent once the spam reaches your filter.
A much better approach (IMHO) is to use greylisting along with a few fast spamtrap driven RBLs; this way the mail doesn't even get transmitted to my server and I save both CPU, bandwidth and time.
Since I switched I have gotten a max of 2 spams per day, some days the count is even zero.
There are two reasons this approach is so great:
1) The greylisting on its own will weed out all the non-compliant MTAs, most spammers use zombies that don't care if their payload gets delivered, so they never retry.
2) The real MTAs that spam might get to me before hitting a spamtrap, but the greylisting tells them to come back a bit later, by that time they have hit one or more spamtraps and get blocked by an RBL.
I have yet to think of a way for spammers to defeat this scheme and the cost to legitimate mail is a 10 minute delay the first time someone sends me mail.
Re: (Score:3, Insightful)
The biggie for me is sender verification (in postfix, probably in other MTAs too) - the MTA looks up the MX for the sending domain and basically says 'do you know who cheapviagra@foo.com is?'. This catches over 80% of spam before it even rea
Greylisting is intrusive; unknown fp rate (Score:4, Insightful)
We have no way of knowing how many legitimate delivery failures are caused by greylisting. That's because, as the parent points out, messages are rejected a priori and there's no quarantine to check. If you reject and for whatever reason it is not retransmitted, your mail is lost. Maybe this "shouldn't" happen but it does, and it happens often enough that it is not entirely obvious that its false positive rate is less than that of a spam filter.
It is also trivial for a spammer to defeat greylisting. Perhaps they don't at this time, but at any moment they could flip a switch and render your approach useless. Contrary to popular belief, state-of-the-art spam filters aren't so easily defeated.
Blacklisting doesn't suffer from the immediacy problem of greylisting, but it shares the problem of an unknown false positive rate, and mediocre false negative rate.
Re:Greylisting is intrusive; unknown fp rate (Score:4, Insightful)
Whoever sold your email as a realtime medium clearly has no idea what he was talking about. Or he did and you fell for it. Want to buy a bridge?
Re: (Score:3, Informative)
If you want immediate, use IM or make a phone call.
Not really (Score:3, Informative)
1) Email has never been an instant messaging system, I've tried getting people to stop asking for an IRC/ICQ/MSN/AIM/whatever chat and just use email, but nobody listens.
2) Any mail server that doesn't retry when given a temporary failure code is broken and needs to be replaced, sooner rather than later.
In any case, I do review my mail logs (well I did the first two weeks of using the new system) and I saw exactly zero false positives.
The spamtrap driven RBLs I use all list and delist servers qui
Re: (Score:3, Informative)
This is not in the spec.
I want that receipt for my airplane ticket right now, not in a few {minutes, hours, whatever}
Whilst this may happen there are plenty of reasons for it not happening. Including having outgoing email checked by a human being and sent as a batch job.
We have no way of knowing how many legitimate delivery failures are caused by greylisting. That's because, as the parent points out, messages are rejected a priori and there's no quaran
Greylisting is so 2005 ...... (Score:3, Informative)
Greylisting + RBL (Score:3, Informative)
Most spammers seem to hit a number of spamtraps with each zombie at some point, so using spamtrap driven RBLs in front of greylisting means that the RBLs will take care of the verified spammers.
Greylisting gives the spamtraps some extra time to get hit, so rather than do actual blocking itself it augments the RBLs.
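The greylisting-behind-RBL flow described in this comment and in the earlier "Filtering is wrong" comment, as an added example that is not part of the thread or any poster's configuration. The class name, the 600-second delay, the review window and all addresses are assumptions constructed for illustration; `unretried` produces the list an administrator would check for the lost-mail concern raised in the replies.

```python
"""Greylisting behind a spamtrap-driven RBL, decided at SMTP RCPT time.
Added illustration; every address and timing below is constructed."""
from dataclasses import dataclass, field


@dataclass
class GreylistPolicy:
    delay: int = 600                             # seconds a new triplet must wait
    rbl: set = field(default_factory=set)        # IPs listed after spamtrap hits
    pending: dict = field(default_factory=dict)  # triplet -> [first_seen, attempts]
    passed: set = field(default_factory=set)     # triplets that retried correctly

    def spamtrap_hit(self, ip):
        """A message from `ip` reached a spamtrap address: list the IP."""
        self.rbl.add(ip)

    def rcpt(self, now, ip, sender, recipient):
        """Return the SMTP reply code for RCPT TO. The message body is only
        transferred if this returns 250, so rejected mail costs no bandwidth."""
        if ip in self.rbl:
            return 554                           # permanent reject: listed sender
        key = (ip, sender.lower(), recipient.lower())
        if key in self.passed:
            return 250                           # known triplet, no further delay
        entry = self.pending.setdefault(key, [now, 0])
        entry[1] += 1
        if now - entry[0] < self.delay:
            return 450                           # temporary failure: come back later
        del self.pending[key]
        self.passed.add(key)
        return 250

    def unretried(self, now, window):
        """Triplets deferred once and never seen again, excluding listed IPs.
        Greylisting has no quarantine, so this log is the only place to look
        for legitimate senders that failed to retry."""
        return sorted(k for k, (t0, n) in self.pending.items()
                      if n == 1 and now - t0 >= window and k[0] not in self.rbl)


def simulate():
    """Three constructed senders: a zombie that never retries, a real MTA that
    sends spam and retries, and a legitimate MTA."""
    p = GreylistPolicy()
    rcpt_to = "user@example.org"
    zombie = ("203.0.113.7", "a@bot.example", rcpt_to)
    bulk = ("198.51.100.9", "offers@bulk.example", rcpt_to)
    legit = ("192.0.2.25", "billing@airline.example", rcpt_to)

    out = {}
    out["zombie_first"] = p.rcpt(0, *zombie)         # deferred, never comes back
    out["bulk_first"] = p.rcpt(0, *bulk)             # deferred
    out["legit_first"] = p.rcpt(0, *legit)           # deferred
    out["legit_early_retry"] = p.rcpt(120, *legit)   # retried too soon
    p.spamtrap_hit(bulk[0])                          # t=300: bulk sender hits a trap
    out["bulk_retry"] = p.rcpt(900, *bulk)           # listed while it was waiting
    out["legit_retry"] = p.rcpt(900, *legit)         # accepted after the delay
    out["legit_next_message"] = p.rcpt(1000, *legit) # later mail is not delayed
    out["review"] = p.unretried(3600, window=1800)   # what the admin should inspect
    return out


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:20} {value}")
```

A legitimate sender whose MTA does not retry would appear in the same review list as the zombie, which is why that list needs a human look rather than automatic discarding.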
Failure Notice (Mail Sub-System) (Score:5, Funny)
To get a hard copy of this message please send $1 to Happy Dude, 742 Evergreen Terrace, Springfield.
Promotional consideration has been provided by the Russian Mob.
Failure Notice (Moderation Sub-System) (Score:3, Insightful)
1. Satire: Perhaps the most confounding form of humor, note the subtle reference to the discussion embedded in a story about something else. This wasn't flaming slashdot, it was about how spam that appears to originate from your domain (but doesn't) can get you blacklisted by site admins as clueless as the moderators who flagged the parent as flamebait. Here is a good example of satire:
I'm sorry but your message from articles.slashdot.org was REJECTED because it has been flagged by our system as spam. You may not be the source of the spam, but our servers do not respect SPF flags and therefore accept, process and then bounce almost any old slutty slice of bits that get hucked our way. We blame you, the owner of the spoofed domain.
For further reading, see the wiki [wikipedia.org].
2. Obligatory references to The Simpsons [wikipedia.org]
Comment removed (Score:4, Informative)
Re:SpamAssassin still works (Score:5, Informative)
Re: (Score:2)
SpamAssassin/filters only part. Need callerid/DKIM (Score:3, Insightful)
before we blame ISPs for not doing it by default we must (those people who read slashdot) ask our hosts to do it
make sure we have done it for our domains
ANTISPAM NEEDS YOU
simple
if you send mail from a domain make sure it has a callerid and if possible use DKIM
ISPs who sell domains and put an MX record in by default without at least a callerid record are wrong... let's correct ours and then ask them to corre
Comment Spam (Score:4, Interesting)
I'm posting AC so slashdot doesn't melt my server again...
What's a ... (Score:2)
Stock Spam (Score:3, Interesting)
Re: (Score:2, Insightful)
Re:Stock Spam (Score:5, Interesting)
1) Many of the companies that are promoted in the pump and dump schemes are not involved and often don't know for months that they are also victims of the spam. Basically it's hard to know who really is (spam coming from open relays etc).
2) Most of these stocks are what they call pink slip or OTC (over the counter) stocks not traded on exchanges like the NYSE or CME, thus not falling under the SEC (I think, please correct me here, I'm no stock expert).
3) It appears that these spams are more of a scam to drive people to brokerages, or stock advisors. If you google one of the symbols in the spams, you will find very shady looking, hastily constructed sites whose sole purpose is to grab the #1 google ranking for the word "spam" and the symbol in the email.
I could be wrong about the purpose but I think there is more to this scam than pump and dump. ymmv.
Re:Stock Spam (Score:5, Interesting)
I wonder if these "pump and dump" schemes are still working? This round of image spam has been going on for months now, so I'd expect that people just delete them. Even shorting these stocks may not be profitable at this point, which is why I think you are right, there is something else going on here. I wonder if this is some type of money laundering scheme?
As for retribution, if these are "shady looking, hastily constructed sites", then they are your targets. If I was more skilled and so inclined, I would be "analyzing" those sites.
Moo (Score:2, Interesting)
There are only a few ISPs that connect at cross-network access points. All other ISPs buy their service from up-level ISPs.
As has been suggested before, why can't every ISP have a policy (start at the top (the access points), and the rules will trickle down) that any ISP sending spam has to turn off access within a few hours or be shut down.
Ultimately, the low-level ISPs, who actually connect to the users would be forced to recognize t
Re:Moo (Score:5, Interesting)
I can see you've never worked at an ISP. A customer who is cut off could not care less about why, all they want is to be reconnected immediately and with no work on their part. They will threaten leaving your service, lawsuits, and practically death threats if you do not reconnect them.
Seriously, why won't this work?
Primarily it becomes an issue of volume. One call to a customer with an abusive machine will eat up the profit from that customer for months. You can't just call them and say "fix it", you have to handhold them through the process or you will almost certainly lose their revenue altogether.
Re: (Score:3, Insightful)
Sounds to me like your pricing scheme is part of the problem.
new spam methods (Score:3, Insightful)
http://www.extremetech.com/article2/0,1697,206027
Most admins were able to find ways to eliminate that eventually: http://blog.fastmail.fm/?p=580 [fastmail.fm]
but now I notice a new trend. Some spammers are actually putting news headlines in the subject field.
On top of that the black hats are now finding ways to spam emule search results.
Every search you make in Emule will return a fake hit... something like *_using_emule_multimedia_toolbar.exe. If you execute that program your machine will be infected with a virus.
Re: (Score:3, Funny)
Spam filters can still cope (Score:5, Informative)
http://it.slashdot.org/article.pl?sid=06/12/21/23
But it is wrong to say that this new spam requires radical new filtering techniques. That's what the spam solution vendors (whose press releases drive these
See, for example, the recent TREC tests: http://plg.uwaterloo.ca/~gvcormac/trecspamtrack06 [uwaterloo.ca]
These results show that filters achieve about the same results on 2006 spam as on 2004 spam, and those results are pretty good. Ongoing tests show that the effectiveness of filters is unchanged for 2007. In general, the volume of spam has increased, and spammers have tried various methods of defeating spam filters. But their efforts have not been particularly successful against statistical filters.
Re: (Score:3, Insightful)
Yes. The key point is that there aren't that many spammers left. The number of different spams, and especially the number of different stock spams, is quite small.
What's needed is to push on the SEC to find out who's behind the stock spams. They can do it. The number of people buying those penny stocks before the spam started is tiny, and following the money will eventually lead to the spammer. Yes, they may be working through intermediaries, but that's what FinCen and the money-laundering people tra
Re: (Score:3, Informative)
Indeed every mail provider should have such an interface: a trivial way to report filtering mistakes. But you over-estimate the value of everybody else's spam reporting. A filter based only on your own reporting can have a vanishingly small number of false positives, and a small number of false negatives. So small that the total amount of reporting you have to do is no more than for Gmail.
But many appliance manufacturers promote the scenari
Make money from spam without spamming (Score:3, Interesting)
scan for pump and dump, and buy stock based on various
factors. If you refined your algorithm perhaps you could get
an application that would buy and sell pump and dump
stock on your behalf, and make money in the process.
I would practice with virtual stock at first.
Could an application buy and sell stock without
human intervention?
Re: (Score:2)
Re: (Score:2)
I doubt it. How many people have bitched about SCO's pump-and-dump, and nothing, nada, zip, squat, zero, rien ...
Re: (Score:2)
A lot easier than that (Score:3, Interesting)
Example: You "borrow" 500 shares of Pump-n-dump E
Riding a fictional pump'n'dump (Score:3, Insightful)
An underlying assumption is that these stock schemes are pump'n'dumps fostered by someone who has actually risked money on buying the stock. I don't think that's generally the case.
Whether a pump'n'dump succeeds or not, the broker handling the transactions will take his commission. Anything that increases a broker's transaction volume will increase his earnings, including shorts; he always takes his cut. A "shrewd" broker, like the ones known for calling nursing home residents to encourage them to day tra
Adopt SPF and Spamassassin (Score:2)
Adopt technologies like Spamassassin and SPF.
Use policies that check the sender's address and validity. Seems to work on my hobby system. Oh, I get some, but the kill rate is quite good and the false positives are quite low to non-existent. I virtually get none of the botnet spam, which is a big chunk.
block .gif images? (Score:3, Insightful)
Let's all cripple our email! (Score:4, Funny)
In /. before (Score:2, Informative)
What I just don't get.. (Score:5, Insightful)
It simply makes no sense to me. As long as people remain so completely clueless that they will fall for spam, there will be spam.
Re: (Score:2)
Maybe the government can advertise V14GR4 and C14L15 via spam, but actually supply birth control pills. In a couple of generations, the average intelligence of the planet would go *w
Re: (Score:3, Insightful)
Apparently, plenty. It only takes a few suckers to justify the time and effort to set up a spam campaign. I'd like to think that some day everyone will be aware enough that pump-and-dumps, nigeria scams, and the myriad other flavors of spam simply won't work any more because nobody will fall for them. Unfortunately, I do not believe that is a likely outcome [wikiquote.org].
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
There's a saying in Europe:
"You know how dumb the average American is? Well, half of them are even dumber than that."
Seriously, though, people still fall for 419 scams all the time, and I'd think you'd have to be much dumber to go for that than to think you could make money on some stock you heard about in a spam e-mail.
Re:What I just don't get.. (Score:5, Interesting)
Well, a lot of it just has to do with the psychological wiring of homo sapiens. We have to think that our actions are meaningful, that our victories are entirely our doing and that our failures are caused by bad luck. Failure to think this way will make you feel very very depressed.
So, in the case of these stock options scams, there's a lot of people that *know* it is a scam, but, if they're quick enough, they might profit as well from the clueless hordes that will buy the stock later on. My bet is that the largest stake of these stock buyers thinks along these lines. People might try that a couple of times before they realize they lose every time - and by that time new clueless humans come along.
Then, there's that pitfall of familiarity. We tend to like things we already know. This is what advertising is based on. Show me 10 advertisements for 'Toothpaste Brand A' and none for 'Toothpaste Brand B' and when I'm in a shop, I will pick brand A (even if I very consciously know that that preference is based solely on advertising). A lot of people will think along the lines "It can't be that bad if they offer it to me this often - it must be the real thing". I once read an interview with a woman that suffered severe dental problems after buying teeth whitener from a tell-sell channel, and she literally said "I thought: they advertise so much for it, it must be a good product".
And then there's just basic greed: "This offer is so good, I don't want to spoil it with disbelief."
And shame: "I can't ask Viagra to my doctor, this might be a rip off, but it might also be the right thing. I won't know until I try it".
And the-only-change: "They don't sell penis enlargement kits in my pharmacy, I know it is shady, but I can't get it anywhere else"
And the list goes on... We are oh so great at fooling ourselves.
Re: (Score:3, Informative)
Greed can be a powerful motivator for some people, enough to overwhelm their sense, what little they have anyway, of logic and reason which tells them that this is a scam or that an investment promise is too good to be true. Why do people play the Lottery when they know or should know that they have
Re: (Score:3, Insightful)
Yes. The fact that modern spam is unreadable garbage is a huge win for us, the good guys. It means that to run an effective spam campaign you now need to spend say 10 million spams instead of only one. The success rate is way, way lower so you have to bump up the volume to get the same hit. If it weren't for b
I get a lot of stock spam for viagra companies (Score:2)
How often do you hear of spammers getting busted? (Score:4, Interesting)
Arrests don't seem to happen that often. Do a google for "spammer arrested", and most of the hits are about the Buffalo spammer. He was arrested back in 2003 to much fanfare. However my mailbox is still full of. Maybe there is more than one of them out there?
I'm guessing spammers spam because they know the chance of them being caught is nigh on zero. Yet, this is a criminal racket just like any other criminal racket. If some serious money is put into law enforcement, then spammers might finally get the shakes. Apart from pump-n-dump stocks (get off yer asses SEC), spammers aren't hard to catch. Consider Mortgage spammers. If you reply to a Mortgage spam (I am told) you will later be called by a seemingly unrelated mortgage agency. They have bought your contacts off the spammers. Everything can be traced, and if we have the feds seeded spammers with 1-use-only phone numbers, buying stuff and tracking it just like they do any other illegal contraband, of course they can bust it. Make receiving spammed contact details an offence too: The recipient must be reasonably confident that the leads they received are not spam. Harder to prove, but if there is a reasonable chance of prosecution buyers of spam harvests will become shyer and the market dry up. Let's make it a legal requirement that ISPs have to report spamming users to the feds.
And let's get beyond "fines" for offenders. Fines for any profitable business are merely an operating expense. What really scares company directors is Jail time. This has been used in L.A. to force companies to comply with laws they'd otherwise have simply paid out. If a spammer thinks there is a 0.0001% chance of him being caught (and then let off with a warning), they will do it. If they think they probably can't sell their harvest, have a 50% chance of being caught and will definitely go to Jail, they won't!
So why isn't this happening? (1) It's not an issue for politicians. I want to see Obama/Hillary/McCain arguing about Spam!!! and so... (2) The money isn't budgeted for law enforcement. With some Elliot Nesses on Spam, I reckon we can crack this. How do we let the politicians know this is an issue for us?
FTM - Follow the Money (Score:2)
The first rule is that spam is an advertisement that benefits an advertiser. To advertise something secret is an oxymoron - there is a product that is being promoted and somehow the spam recipient must be persuaded to buy the product.
Broadly speaking, I see three types of spam at the moment creeping past the filters:
For the first, I'm being invited to buy something, and I have to pay by credit card. If the use of spam to advertise is illeg
Solution to stock spam? (Score:3, Informative)
SURBL (Score:3, Informative)
stock pump-n-dump (Score:3, Insightful)
Or maybe mail servers will just start rejecting all binary attachments.
Single user spam filters are too limited. (Score:4, Insightful)
A big problem with most spam filters, especially the open source ones, is that they're single user. They're trying to work out from the content what's spam. Systems like gmail (and Spamcop before IronPort bought it) look at spam addressed to a large number of addresses. When roughly similar material starts showing up at a few hundred different addresses, the probability that it's spam is very high.
Here's a thought. Mail servers should, on receiving an SMTP connection from an IP address, probe that IP address to see if it's a Microsoft consumer-grade operating system. If so, reject the connection. That would put a dent in the zombie problem.
end of no-permission email (Score:4, Interesting)
We will migrate to a system where a sender must have a "key" before email is accepted, and those keys are under the control of the receiver.
This kind of system will work much like email, as it is so popular and so useful people will only migrate from it slowly. Default keys for new email users will be simple (like a "1"). Once someone is getting enough connection, enough email, then mail clients will communicate automatically with known good senders and create an individual, bidirectional keypair so that future communication with known friends continues, while spam is shut off. In the future, sharing someone's "contact" will be more akin to sharing the private key they have to connect to a person. Once you see a new email address use a known key of someone else, you would accept it once, automatically regenerate the key for the original person, and watch the behavior to determine if it was spam or a legitimate introduction of a friend to a friend. To most users this system could work exactly like email now - just need to add more functionality to the mail clients' spam processing ability.
Re: (Score:3, Insightful)
Re:The solution (Score:5, Funny)
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
(x) Microsoft will not put up with it
( ) The police will not put up with it
(x) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
(x) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
(x) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(x) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
(x) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
(x) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Re: (Score:3, Insightful)
Yeah, a spam solution is almost certainly going to involve a modification to the SMTP protocol. The devil is in the details.
For my tastes, I'd be content to start with rejecting emails immediately rather than sending out "your email was rejected" messages. The number of valid "rejected" messages has got to be infinitesimal compared to the amount of address-guessing spam in the
Re: (Score:3, Informative)
Spammer: Here's some email
Server: Thanks!
Server: Hey, this is spam! Let's send it to jfengel!
to
Spammer: Here's some email
Server: Screw you. It's spam. (or "There's no such person here. I reject it now rather than having to call you back using the forged header.")
I suspect that the SMTP protocol already supports that. But in general, SMTP is heavily oriented towards store-and-forward in an intermittently connected, unreliable network,
Re:The solution (Score:5, Interesting)
Email certification.
If you want to be able to send Certified Email (CE), you apply for Certification from the company that gives you internet connectivity. They check you out, and 'Certify' you as being a legitimate emailer (ie: not a spammer). Then, you generate a private/public key pair and give them the public one. In the headers of all your email, is their certification, and an encrypted header line that's created using your private key.
When email arrives at the recipient's server (or this could be done at the client level, as well), the server sees the certification, and connects to the certifying server to get your public key. It attempts to decrypt the header line. If it does it marks the email as 'certified', if it cannot, it marks the email as 'uncertified', and the email client can be programmed to filter messages based on that.
Due to the public/private key cryptography, there can be no certified email spoofing. (Assuming the private keys are secure, the keys are of decent length, etc.) All emails are traceable back to the originating server. CORRECTION- all CERTIFIED emails are traceable. Anonymous email is still possible. People can still set up email servers for mailing lists without "having" to get them certified. And people can still receive non-certified mail.
If an email server sends out spam, the complaints go to its certifier. They can drop the certification, deleting the public key from their server. When this happens, ALL the email from the spamming server is now 'uncertified', and gets handled accordingly by email clients. If nothing is done, complaints go to THEIR upstream, etc. Individuals and groups can keep their own blacklists, if they wish, and anyone can choose to filter emails according to those lists.
Now, I've looked over that 'form email' that people like to post to shoot down anti-spam ideas. And nothing applies to this idea. (If something seems to apply, it's because I either left out details, or explained something wrong.) This idea does NOT need to be universally adopted, nor does it need to be adopted by everyone all at once. It's primarily a way of reliably tracing (certified) emails back to their originating server. The anti-spam part comes later: if you receive certified spam, complain and get the server un-certified. If you receive un-certified spam... well, just have your email client dump all uncertified emails in the trash. (Not necessarily, you could just use its un-certifiedness as a factor in filtering your email.)
This idea does not require anything be changed with SMTP. It simply requires a second connection be made to the certifying server. Now, before you bitch about the extra bandwidth, I'd like to remind you that, once this idea catches on, spam will be greatly reduced. This reduction will MORE than make up for the slight increase in bandwidth created in querying the certifying servers. Also, the certifying servers can set time limits on when the certifications expire, and need to be re-downloaded (kind of like DHCP leases). A 'new' company that just applied for certification might have its certificate set to expire almost instantly. This way, every email they send requires a download of the certificate. This allows the certificate to be pulled rapidly if they start spamming. After a month or two, it could be set to expire weekly or monthly.
To sum up: Email Certification is a reliable way of tracing the certified emails back to their originating server. This allows spammers to be identified unequivocally, and have their certification pulled. Email servers are NOT required to be certified, and anonymous email is still possible. Email recipients can, if they choose, set up their client to send uncertified emails to the trash, or to handle them however they wish. White lists and black lists
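The certification flow proposed in the comment above, sketched as an added example (not code from the thread or from any real mail system). It assumes the "encrypted header line" is an Ed25519 signature; the `Certifier` and `Receiver` classes, the header format and the hostnames are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');
// Hypothetical certifying server: public keys plus a lease (seconds) per sender.
class Certifier {
  constructor() { this.keys = new Map(); this.lookups = 0; }
  certify(server, publicKey, leaseSeconds) { this.keys.set(server, { publicKey, leaseSeconds }); }
  revoke(server) { this.keys.delete(server); } // complaint upheld: key deleted
  lookup(server) { this.lookups++; return this.keys.get(server) || null; }
}
// Sending server: sign "server\nmessageId" (constructed header format).
function signHeader(privateKey, server, messageId) {
  const sig = nodeCrypto.sign(null, Buffer.from(`${server}\n${messageId}`), privateKey);
  return `${server};${sig.toString('base64')}`;
}
// Receiving server: caches each key until its lease expires, like a DHCP lease.
class Receiver {
  constructor(certifier) { this.certifier = certifier; this.cache = new Map(); }
  classify(header, messageId, now) {
    const [server, sigB64] = header.split(';');
    if (!server || !sigB64) return 'uncertified';
    let entry = this.cache.get(server);
    if (!entry || now >= entry.expires) { // the second connection, to the certifier
      const rec = this.certifier.lookup(server);
      if (!rec) { this.cache.delete(server); return 'uncertified'; }
      entry = { publicKey: rec.publicKey, expires: now + rec.leaseSeconds };
      this.cache.set(server, entry);
    }
    try {
      const data = Buffer.from(`${server}\n${messageId}`);
      return nodeCrypto.verify(null, data, entry.publicKey, Buffer.from(sigB64, 'base64')) ? 'certified' : 'uncertified';
    } catch { return 'uncertified'; } // malformed signature
  }
}
// Constructed scenario: times are seconds since the first delivery.
function demo() {
  const certifier = new Certifier();
  const sender = nodeCrypto.generateKeyPairSync('ed25519');
  const forger = nodeCrypto.generateKeyPairSync('ed25519');
  certifier.certify('mail.example.org', sender.publicKey, 60);
  const rx = new Receiver(certifier);
  const real = signHeader(sender.privateKey, 'mail.example.org', '<1@example.org>');
  const fake = signHeader(forger.privateKey, 'mail.example.org', '<2@example.org>');
  const out = [rx.classify(real, '<1@example.org>', 0),   // key fetched
               rx.classify(real, '<1@example.org>', 30),  // key served from cache
               rx.classify(fake, '<2@example.org>', 40)]; // spoofed sender name
  certifier.revoke('mail.example.org');
  out.push(rx.classify(real, '<1@example.org>', 50));     // lease still valid
  out.push(rx.classify(real, '<1@example.org>', 61));     // lease expired, key gone
  return { out, lookups: certifier.lookups };
}
console.log(demo());
```

The fourth result shows the trade-off in the lease idea: a revoked server keeps verifying as certified until each receiver's cached lease runs out, which is why short leases for newly certified servers matter.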
The approach is wrong (Score:3, Interesting)
The problem is that certification is useless until the vast majority of email servers are certified.
I know, you said this isn't true, but I don't think you understand the situation. Spam filtering at the client level doesn't affect spam -- the suckers who the spam targets are NOT configuring filters at home. Yes, the geeks will get their family server in the basement certified in th
Re: (Score:3, Interesting)
Say you've got a regional provider (i.e. a Chinese ISP), anyone in a given region can only connect to that ISP because there are no alternatives (this is most definitely the case). Now say that that ISP, as is often the case in certain parts of the world, doesn't give a rat's about its clients sending SPA
Re: (Score:2)
Re:The solution (Score:5, Interesting)
Well then I know what to do about my pesky competitors, just have some spammers send spam in their name! Problem solved!
So who do you want to monitor everybody's commercial actions? Actually, to know that the person bought a product because of spam, we'd need to monitor them whenever they check their email. Big Brother go!
In the name of Karl Popper, though, I appreciate your proposals.
Re: (Score:2)
2 - I said *prove* they used spam, so 'joe jobs' wouldn't apply here (yes, I know it's hard to do, we are just dreaming here anyway)
3 - the government already does that..
Re: (Score:3, Interesting)
I'd settle for ten seconds of jail time and a penny fine per spam. That would (very roughly) approximate treble damages for time wasted. A million spams would yield a 4 month sentence and a $10,000 fine.
Of course, if they sent a billion spams, they might as well get the death penalty, since they wouldn't be getting out in this lifetime.
Also, your American laws don't carry much power over other jurisdictions, and convincing others to share death pen
Re:The solution (Score:5, Insightful)
What I think would help is ISPs taking confirmed zombie machines offline. It's done in Sweden by some ISPs, and most people don't seem to have a problem with that.
Re:The solution (Score:5, Interesting)
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
Fairly simply. Though today it should be able to tell the difference between legitimate bulk email* and spam
Such as mail-type discussion groups, business relations like people who want to receive Tiger Direct's ads, etc...
When you're having to post random segments of encyclopedias and put your actual message into an image to get through the filters, it's a clue that you're not wanted.
Those types I'd like to
Re: (Score:3, Insightful)
Consumer grade DSL is much faster than the servers that used to run ISP email systems just a few years ago - there's really no need to pay for expensive hosting unless you're a company needing 99.9% uptime. I do have hosts for some stuff but only that for which the bandwidth requirements exceed what DSL can provide.
Re:The solution (Score:5, Interesting)
Ok numbnuts, that's exactly the kind of attitude that spammers have. That they can do anything because they pay for it. You pay taxes for construction of roads and for schools, but that doesn't give you the right to drive 100 mph through a school zone. You have to have limits. There have to be rules.
Re: (Score:3, Insightful)
Last I checked, spammers didn't pay to rent the bandwidth and processor time on each zombie machine they use.
You have to have limits. There have to be rules.
However, those limits shouldn't put a stop on legitimate activity. Just because _you_ do not have a legitimate reason to be running a mail server doesn't mean no one else does.
I'm all for ISPs cracking down on spammers, but not in a wa
Re: (Score:3, Insightful)
Or you can simply block all outbound port 25 except to very specific mail servers. Cox does this. At first I was a little miffed but then I realized it makes sense. You can still send mail to anywhere you just need to go through their mail server. So if you are running your own SMTP you simply set (for example) smtp.east.cox.net as your smart host and be done with it.
This way you stop most of the mass mailing trojans because they'd have to be smart enough to use the right smart host. Then, even if the
Re: (Score:2)
Re: (Score:2)
However, as someone pointed out, it's pretty hard to make a firm connection between the spammer and the activity being advertised. However,
Punishment to fit the crime (Score:2)
A basic fact of life is that any law enforcement officer is corruptible, it's just a matter of price. An extremely harsh punishment only makes the perpetrator willing to pay m
Penology 101 (Score:3, Interesting)
and perceived to be:
- certain
- immediate
- more costly than the benefit of the crime
"Law and order" advocates generally advocate
draconian punishments, but there is no evidence
that they help, beyond counterbalancing the
benefit of the crime. Increased detection speed
and likelihood are far more effective.
You might think that draconian punishments increase
the expected cost, even with haphazard and delayed
detection, but
Doh! (Score:2)
I must get in the habit of proofreading
Re:Spam spam spam spam. Lovely spam! Wonderful spa (Score:5, Informative)
By definition, shouldn't any post about spam be marked redundant?
Anyway, I run a mailserver. What I see is surges of email for whatever happens to be the current scam. Last year it was mostly mortgage offers (Get a cheap, misspelled mortqaq3 today!!!) Spamassassin + RBLs eliminate about 70% of the flood. Image-only email is flagged by spamassassin. Now random text is added to get past the Bayesian filters. The arms race continues.
BTW, if you are the type to send copies of spam to abuse addresses, I advise you to remove identifying info and post it through an anonymous account to avoid retaliation. ISPs tend to forward it to the spammer.
Re: (Score:3, Informative)
The only exception I know of is spamcop as they're (I think) trustworthy.
Re:Spam spam spam spam. Lovely spam! Wonderful spa (Score:2, Insightful)
Maybe I think about this stuff too much.
Re:What can I say? (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
That really opens you up for all sorts of attacks, because now you're not even semi-anonymous - they will know both your email and exactly when you're online and connected. Great way to remote a machine.
Besides,
Re: (Score:3, Insightful)
How could that possibly help? Or were you just planning to pump-n-dump Microsoft from a Panera Bread the day after this law hit the books?