Forgot your password?
typodupeerror
Spam

Cornucopia of Spam 199

Posted by chrisd
from the i-don't-have-to-sing-the-song dept.
Eric Savage writes "The IETF, through IRTF, has formed an Anti-Spam Research Group. If there is any hope for a technical solution the problem, it appears the first significant step has been taken. More info here in itworld and here in ComputerWorld." Three more exciting spam related posts inside, including news from the Nevada legislature regarding spam, Arkansas dislike of the meaty email and "when students go bad"
torklugnutz writes "The NV state assembly just voted 41-0 in favor of a bill which allows spam recipients to collect up to $500 per piece of spam. The new law also requires ADV to be added to the subject line so that recipients can more easilly identify unwanted ads. In addition, spoofing of sender's email address or having an invalid return address is made illegal. The old law imposed a $10 fine on spammers, but required prosecuters to collect it. This law will, more than likely, increase my chances of reading the spam I get so that I can try to cash in. So, maybe I CAN make an incredible amount of money from this "Amazing Offer""

And in Arkansas: A.G. Russell writes "With House Bill 1008, Subtitled "Unsolicited Commercial and Sexually Explicit Electronic Mail Fair Practices Act." Arkansas looks to join other states that have criminal and cival legislation in place to deal with spam. Can we help them craft this?"

And from academia: mansemat writes "Seems spammers are using a new tactic these days by paying students to send spam over univeristy networks. This particular student will be disciplined by losing his computing privileges, and being educated on the policy he violated. One can only hope the education includes being subscribed to every pr0n, male enhancement, mortage, etc. spam on the planet." Should have booted the miscreant.

This discussion has been archived. No new comments can be posted.

Cornucopia of Spam

Comments Filter:
  • What's the point? (Score:4, Insightful)

    by Omkar (618823) on Wednesday March 05, 2003 @10:04AM (#5440075) Homepage Journal
    After all, we know how law-abiding spammers are. And how effective the government is in combating computer criminals. I really don't think this will make a difference.
    • by cobyrne (118270) on Wednesday March 05, 2003 @10:14AM (#5440119) Homepage

      The point is that there is no point in a spammer sending out an email that does not contain instructions on how to obtain the product/service being advertised. And, therefore, it should always be possible to track down the person responsible for the spam. The point is that, without the promise of $500 for each violation, it was not economically viable to track down the spammer. Now, it may very well be.

      I once managed to track a spammer to a town about 2 hours drive from where I live. If I had been able to collect $500 out of my efforts, it is something that I would do more often...

      • by Dunark (621237)
        The point is that there is no point in a spammer sending out an email that does not contain instructions on how to obtain the product/service being advertised. And, therefore, it should always be possible to track down the person responsible for the spam.

        There's a little flaw in this logic: It ignores the "joe job", which is spam that is sent to get someone else in trouble by making it look like they are spamming.
        What do you do when the apparent beneficiary of the spam claims they were joe-jobbed?
        • What do you do when the apparent beneficiary of the spam claims they were joe-jobbed?

          If only the courts relied on humans to make judgment calls about who's telling the truth, rather than using a strictly algorithmic, deterministic parser that would be fooled by a joe job!

          Oh, wait.
        • by WCMI92 (592436)
          "There's a little flaw in this logic: It ignores the "joe job", which is spam that is sent to get someone else in trouble by making it look like they are spamming.
          What do you do when the apparent beneficiary of the spam claims they were joe-jobbed?"

          If they are a legitimate company, they are required to maintain records.

          Records of payments to the spammer should be sufficient. No sane company is NOT going to record an advertising expense, as to not do so is to pay for it twice over.

          Sure there will be illegitimate businesses that DONT do this, but if they are involved in "spamcains" to sell their wares, there will be MORE THAN ONE complaint. Claiming that they were "framed" may work once. Maybe twice, but over and over? Won't work.

          The fact is, anti-spam laws WILL work if enforced, even if spam is originated overseas, because at SOME POINT, to make money from Americans, money and/or product has to be exchanged IN America...
          • The fact is, anti-spam laws WILL work if enforced, ...

            The crucial element here is "if enforced".

            I'm also not sure how you plan to get companies to produce self-incriminating evidence that they paid for a spam run. The only means I can think of is to file a lawsuite and then use discovery to subpeona the records, but this would be prohibitively expensive. Few people would spend $1000 or more for a chance to collect a $500 judgement.
            • Essentially, enforcement would probably look like typcial bunko-squad enforcement -- a given violator has maybe a 95% chance of getting away with it, a 4% chance of getting some minor hassle, and a 1% chance of being the guy caught just as the authorities decided to Make An Example Of Somebody and spending the next 5-20 as the Bride of Bubba.
            • Re:What's the point? (Score:4, Informative)

              by WCMI92 (592436) on Wednesday March 05, 2003 @12:12PM (#5440894) Homepage
              "The crucial element here is "if enforced".
              I'm also not sure how you plan to get companies to produce self-incriminating evidence that they paid for a spam run. The only means I can think of is to file a lawsuite and then use discovery to subpeona the records, but this would be prohibitively expensive. Few people would spend $1000 or more for a chance to collect a $500 judgement."

              Again, if a company is running "spamcains" there will be an obvious pattern of incriminating evidence. The local prosecutors should then step in and do the investigating.

              This won't net sleazeballs that do a quick, one time only, "hit and run" spamcain, but how many do that now? Most of them run CONTINUOUS spamcains, as that is the only way the law of averages (given the .005 response rate) catches up to make significant money.

              Good anti-spam laws will make doing this in the bulk required to achieve profit difficult to impossible.

      • by Murrow (144634)
        The point is that there is no point in a spammer sending out an email that does not contain instructions on how to obtain the product/service being advertised.

        Mostly true.

        One exception I can think of off the top of my head is the pump-and-dump stock scam spam. All they're after is to get a bunch of victims to buy a worthless stock, push up the price, and allow them to sell the shares they've already bought at 1 cent for 20 cents.
    • Re:What's the point? (Score:3, Interesting)

      by Dukebytes (525932)
      All it will take is someone with enough money to take the spammers to court and collect that $500 bucks per spam email they recieve. I'm sure that it would involve laywers and a court to collect it and prove that it came from this company etc - so your right to a point. But maybe if someone could take a spammer to court and collect several thousand dollars from them - they will stop - hopefully.

      I think that a better way to fight this would be a tech solution that involved the ISPs - but that would be hard to get setup etc... maybe someday.

      duke

    • Blogs. Blogs will be the new spam target anyway...once legislatures and the IETF make e-mail spam hard, blogs will turn into adfests.

      • by Anonymous Coward
        That'll be OK --- no-one reads blogs except the blogger and perhaps the blogger's Mum. Whereas everyone receives email.

        Anyway, will anyone be able to tell the difference between ad-saturated blogs and the current thing? I suppose the spelling might get better when professional copywriters get to work. And the references to "mi cat mittenz 3 3 3" might be replaced with "my cat Whiskas".
    • by Dan B. (20610) <slashdot.bryar@com@au> on Wednesday March 05, 2003 @10:25AM (#5440201) Homepage
      Well if the goverment made as much money out of cracking down on spammers as say, speeding fines, with 'spamming fines', how much more aggressive do you think law enforcement would be on spammers? Then how many people would still do it?

      It always about the money, or the budget.

      Vicious circle I'm 'fraid.

      But people will always speed ;-)

      • People still speed, no matter how aggresively the law tries to catch them. I know I speed, I just try to follow situations where I wont get caught, like speeding on an expressway greatly reduces your chances, or my favorite just don't be the fastest person in the area.

        So spammers will still spam, some people will be disuaded from spamming but most will just make it less conspicuous (notably this is still an improvement over the current situation). The only real deterrent (beyond putting a bounty on their heads and thus getting every greedy person looking for them) is to allow rules they can follow. The rules I'm inclined to allow them to follow are: Opt-In not Out, marking the the subject in some obvious way (i.e. ADV:), and not faking any headers.

        I know I would be much more likely to follow the rules if they were fair but not too limiting. If you were allowed to speed if you used a special lane and you always wore your seatbelt, would you be willing to follow those rules? I would. So if the spammers are still allowed to make their money by sending advertisements in email but they had to follow the rules, would they? I don't know.

        It seems to me that them sending spam to me is a waste, I'm never going to make them money. So limiting myself and the many others like me out of their lists actuialy saves them some money without costing them any potential funds. It's like telemarketers, they dont mind if you use a TeleZapper or things like that, because if you're willing to get such a device you aren't going to buy anything from them.
      • The thing with traffic violations, you know the car is in your physical location/jurisdiction. Let's say the spam is coming across from overseas. How do we fine these people? That's the problem with online business management. There are no physical boundaries, making the laws that applay confusing. I'm at a loss for what to do for international spam, but for spam within the United States, I say do it like shipping companies. Apply the law of the recipient. You want to send to California? You have to meet California standards.
    • After all, we know how law-abiding spammers are. And how effective the government is in combating computer criminals. I really don't think this will make a difference.

      Agreed. Maybe the solution would be to set up the law to also target the people who hire the spammers since they are really the ones fueling the fire by paying the spam kings to do their dirty deeds. They should also be easier to track down as they need to put some kind of contact info in the message for it to be effective, i.e. you can bounce emails advertising your penis enlargement pills off some campus server or off China, but you have to have a website with a credit card service if you want to actually sell penis enlargement pills. Having the credit card service implies that MasterCard, Visa, etc., have the business address of the folks who asked the spam to be sent out. Since the sellers are therefore much more easily tracked down, they have the kind of accountability that is needed to effectively impose fines. After a few of them get whacked with boku bills, many of the rest of them will start putting ADV in the subject line which in turn will cause my ISPs filter to kill the messages, meaning that advertising via spam will become yet more unprofitable and the number of people hiring spam agencies will drop. It's not a perfect solution since some spam doesn't need a formal contact point to be effective (i.e. the folks from Nigeria who need help getting money out of their country), but it'd be a start.

  • by ratbag (65209) on Wednesday March 05, 2003 @10:06AM (#5440083)
    Arkansas obviously believe that if you
    • underline something it MUST be obeyed
  • by Raul654 (453029) on Wednesday March 05, 2003 @10:08AM (#5440089) Homepage
    Think of spammers like an infection. How does your body deal with it? It attacks the infections in a bunch of different ways. Why can't we do the same with spam? Rather than working hard for the magic bullet, why not use some combination of: Bayesian filtering, artificial bandwidth scarcity, blacklisting, aggressive collection of fines, targeting of domains that are advertised, etc. If you were to do all of these together, I'd imagine spam would not be a pleasant buisness to be in...
    • by gmuslera (3436)
      Following with the analogy of an infection... you can cure the symptoms or cure the disease as a whole. Doing things in your side simply minimizes how you feel about the problem of the spam ("it almost not happens to me"), but it will still rampart in the rest of internet, slowing things, making email an unreliable method of communication, and people will still be buying things from spammers. This only will make the problem grow much bigger and not matter what measures you had taken, you will be also as affected as the rest of the world.
      • Not quite (Score:5, Insightful)

        by Raul654 (453029) on Wednesday March 05, 2003 @10:19AM (#5440164) Homepage
        From the spammer's perspective, if he has to worry about huge fines and/or jail time every time he sends out spam, and if only 1% of the emails are getting through, and after 10 minutes his connection goes dead, how long is he going to be a spammer?
        • From your previous list
          • Bayesian filtering blacklisting: this are local measures, this affects you only, and the others that takes them
          • artificial bandwidth scarcity: at the best, it can take out your users from spammers users list, at the worst, they will not care (for the ones that use open relays, i.e.). Still, will be a local measure.
          • aggressive collection of fines: the $500 one? anyway, means legislation.
          • targeting of domains that are advertised: how? enforcing ISP policies about spam? and what if the ISP (from Verio [spamhaus.org] to most in .cn) is spam friendly or doesn't care? That also could mean legislation.

          Having legislation and expanding them worldwide in some way is more like a cure than technical measures (is expressely prohibited, not that some hackers do this to limit my rights).

          You can have local technical measures, but this is not guarantee that the spammers don't find a way to bypass them (i.e. most of spam that reach me by now have modified words to bypass bayesian filters, like v*i*a*g*r*a, V1AGRA or embedded html comments, fortunatelly popfile also have workarounds for most of this). Having a good percent of domains that implement that measures will be bad for spammers, of course, but there still a long way to go before this is reached.

          • What if you got together a list of known spammer domains (many exist already), and ISPs were to automatically redirect or disable their DNS entries for those domains? What if they did this before people got the email? Then the spammer is wasting his time, because the domain won't be there by the time Grandma gets his ad for penis englargement. And if that happens often enough, combined with the serious consequences that legislation can bring (jailtime!), then how long will we have spammers?
    • by Dan B. (20610) <slashdot.bryar@com@au> on Wednesday March 05, 2003 @10:19AM (#5440159) Homepage
      How about imposing things like JAIL TERMS on people convicted of 'serial spamming'.

      I read an article once about a guy who lives in a multi-million dollar house in one State and just burns though trial ISP accounts in other states that can't properly prosecute (if that's the right term, since most States don't yet have decent laws against spam).

      Big Karma bonus for the governors of NV though, 41-0 on passing laws to nail the perpetrators AND finig them $500 for each successful plaintif in court.

      Oh yes, I see the day when I no longer need the words 'rape, enlargement, mortgage, lolita, diploma and toner' in my filter list for 'Permanantly delete'.
      • A couple of hundreds years ago (think western) such arguments would have ended-up in the main street with a pair of pistols :)

        I'm not arguing over killing spammers, but surely beating the most tenacious should soften them up...:)

      • Oh yes, I see the day when I no longer need the words 'rape, enlargement, mortgage, lolita, diploma and toner' in my filter list for 'Permanantly delete'.

        Do those topics come up a lot in your non-spam emails?

        • by Raul654 (453029) on Wednesday March 05, 2003 @10:54AM (#5440368) Homepage
          Well when your in the buisness of morgaging out Lolitas for the purposes of rape enlargement, I should think it would
        • I can't say I've ever been known to traffic in Lolita's for rape with my enlarged penis that I paid for by remorgaging my house and/or selling cheap toner. I know that that because I'm such a smart guy with 27 degrees from Yale/Harvard/Oxford/Cambridge that I bought for $30 each.

          I'm no longer a chunky monkey though because filtering out the weight loss ones is a bit hard - they use such normal English.

          The chinese/Korean ones are easier 'cos they use double bit entry, which usually puts a whole string of 'à' characthers in the subject line.

          And I never filter by body-text, just subject line. It blocks 99% of spam without a need for extra software.
      • Big Karma bonus for the governors of NV though, 41-0 on passing laws to nail the perpetrators AND finig them $500 for each successful plaintif in court.

        Once again, Nevada takes the moral high road, leaving the rest of the nation to follow.

        I hope that makes sense, I've been up all night drinking 'cause I lost my paycheck at the craps table.
        • by Steve B (42864) on Wednesday March 05, 2003 @12:07PM (#5440861)
          Once again, Nevada takes the moral high road, leaving the rest of the nation to follow.

          I for one would prefer to live in a country where prostitution was legal and the cops conducted nightly sweeps to round up and jail spammers.

          • Jail doesn't seem like a really appropriate solution to fit the "crime." I think in the olden days they used to put criminals in stocks to allow the townspeople to throw eggs, rotten cabbage, etc at them.

            They could charge admission... I wouldn't pay $30 for a "male enlarger" but I might to throw some rotten eggs at a spammer.
          • I do live in a country where gambling on ANYTHING (well almost, no dog fighting and cruel sports) is allowed, drinking 24x7 is just fine, and if you need a shag you CAN just head down to the local whore house.

            I love Australia...
    • by frankie (91710) on Wednesday March 05, 2003 @10:53AM (#5440365) Journal
      Think of spammers like an infection. How does your body deal with it?

      An interesting proposal. Spews and SBL are probably Leukocytes [redcross.org]. SpamCop users might be APCs [myimmune.com]. But I don't see any Macrophages [supercolostrum.com] in our virtual immune system. That must be why spam is so rampant -- we need activists to go eat the spammers! Volunteers, anyone?

    • Sorry, I think of spammers as more along the lines of someone injecting low concentrations of poison into the bloodstream. An individual cell in the body is unlikely to be directly impacted, but the body as a whole losses something with each shot.

      White blood cells may be very good at dealing with Viruses and bacterial infections, but are going to be less usefull in dealing with deliberate poisoning.

      Thick skin, better prevention, and increasing tollerance to the poison seems to be the only way to deal with the issue. Treating the person doing the injecting as a criminal seems legitimate to me.

      Then again I may be wrong.

      -Rusty
    • by Jay L (74152) <jay+slash@NoSPam.jay.fm> on Wednesday March 05, 2003 @11:16AM (#5440521) Homepage
      Think of spammers like an infection

      A better analogy than you may realize! Spam is like bacteria; it is self-reproducing (spam for spam software, spam for millions-of-addresses CDs). Using spam filters exerts a selection pressure on the spammers, and the stronger spammers adapt to the filters, become resistant, and multiply.

      At AOL, as the single biggest target of spammers, we had to think very carefully about the effects of filters before we implemented them; turning on a weak filter would be just as bad as taking weak antibiotics for a day and stopping, and in some cases it could make the problem worse. For instance, we once decided to start treating any message with >N recipients as likely spam. All we did was force the spammers to start sending messages with one recipient each - which meant we now had to process N times as many messages as before!

      (Incidentally, the antibiotic analogy led me to discover, and donate to, the Alliance for Prudent Use of Antibiotics [apua.org], which fights overuse and improper use of antibiotics, helping to keep resistance down. Check them out and give them some money; you'll save on your own health care costs in the long run.)

      Jay the ex-AOL Mail Guy
  • spam spam spam (Score:3, Interesting)

    by Anonymous Coward on Wednesday March 05, 2003 @10:08AM (#5440091)
    I am certainly glad that lawmakers and researchers are turning their full attention to spam. It is certainly a big nuisance. I for one get very insulted having ten thousand strangers telling me that my penis is too small. If they could just step over this way I would whip it out and clobber them with it!

    Still, I have to wonder if this is a slippery slope that we are travelling down. How long before chain emails and inoccuous humorous forwards are also denied?
  • by chayim (653306) on Wednesday March 05, 2003 @10:09AM (#5440097) Homepage
    Creating laws, regulations, and whatnot will come nowhere near solving the problems. Sure, if a spammer lives in the US then maybe this would work; but what about all these scams from Europe, Australia, Britain, etc. Just because laws exist in one jurisdication, it doesn't mean that others will play ball. And even having laws does nothing if they're not enforced. Why not have a group of IT police hunt down spammers? After all, they're already guilty of theft and fraud (think bandwidth people). Why not prosecute under existing laws and treat spammers like the theives they are. Even though you won't catch spammers outside your legal jurisdicition, you'll help. And every country that helps would quickly be eliminating the spam problem we live with.
    • Creating laws, regulations, and whatnot will come nowhere near solving the problems. Sure, if a spammer lives in the US then maybe this would work; but what about all these scams from Europe, Australia, Britain, etc.

      The vast majority of my spam comes from Americans, though not always via US ISPs. I get the occasional pyramid scheme - the same one every time, and it's fun to watch it wander around the world - and of course the Nigerian fraud, and once in a while a spam all in Chinese, but on the whole it's Americans who are the problem. A strong US spam law would go a long way to solving this.

      • by SerpentMage (13390) <ChristianHGross@yah o o .ca> on Wednesday March 05, 2003 @10:41AM (#5440299)
        The only reason why the SPAM is coming from the US is because right now there are no legal ramifications. Just like how there was Napster and then Kaaza. Napster was State side, shut down and now Kaaza is NOT state side.

        Once laws start up the SPAMMERS will move offshore. Just like the guy who lives in Detroit. This SPAMMER lives in the US, but does not send the SPAM via the US.
        • by Steve B (42864) on Wednesday March 05, 2003 @10:55AM (#5440380)
          Once laws start up the SPAMMERS will move offshore.

          The difference is that spammers need a point of contact to make money. Making their bandwidth thefts explictly illegal allows the police to seize the contact points.

        • Once laws start up the SPAMMERS will move offshore. Just like the guy who lives in Detroit. This SPAMMER lives in the US, but does not send the SPAM via the US.

          Pedant point: SPAM is a luncheon meat made by Hormel Foods. Spam is unsolicited bulk email. That said...

          Are these spammers actually going to move offshore? Move themselves, physically? Because if not then they're Americans in America sending emails on behalf of American companies also in America to American citizens living in America. I get the feeling there's somebody there to go after.

          Right now their motive in moving their electronic operations overseas is to avoid getting shut down. US ISPs have, to their credit, been learning about spammers lately; it's fairly hard for the major spammers to do business, though the chickenboners who go through throwaway dialups are unaffected. If a law were passed allowing the spammer to be pursued, rather than just his internet access, then the spammer's meatspace operation would have to leave the country too. Maybe the big boys will consider it, but it'll be too much for most of them to contemplate.

        • "Once laws start up the SPAMMERS will move offshore. Just like the guy who lives in Detroit. This SPAMMER lives in the US, but does not send the SPAM via the US."

          Telemarketers try this, but it doesn't work because of the law. The Telephone Consumer Protection Act of 1991 allows for private right of action not just against the telemarketer, but also on who's behalf the call is placed. If the same measures are placed in spam bills, it won't matter if the spam is relayed through Korea, Iraq, or the Space Station; you will be able to sue the people that hired the spammers or those that get the financial benefit. Some people will claim that the are being joe-jobbed, but that defense rarely stands up in court. You will still get software/warez ads, porm spams, offshore cigarette ads, etc where the spammer and company are offshore, but RBLs and other black lists will be able to stem that without too much of a problem.
    • Even if this thing was global, there would still be a safe haven somewhere. Someone would just legalize it, and tax it, and have a monopoly on spam. Then they'd wonder why no one get's their point of view about making money out of something everyone else abhors (sp??).

      Opium cultivation is illegal in every counrty, but the Taleban still tolerated it 'cos that was basically their government budget float.

      Unofficially the Burmese Army are also reported to cultivate opium in large quantities but since it's very hard to check on 'Rogue States', these practises are still widespread yet denied by the Government.

      I don't think the spam problem is as bad as Heroin, but the people that deal in it are there soley for one thing - profit. Damn Ferengis!

      PS, comment above/below RE: 99% of my spam is from the US. 100% of commercial spam is US, p0rn spam is a little broader.
  • by Nevrar (65761) on Wednesday March 05, 2003 @10:09AM (#5440098)
    While I would definitely be keen on being paid $500 per "Enlarge your member" emails received, I somehow doubt the effectiveness of legislation to stop spam...
  • by gmuslera (3436) on Wednesday March 05, 2003 @10:09AM (#5440099) Homepage Journal
    Space tourism will have a boom after this gets approved... what else will all do with so much money?
  • by Omkar (618823) on Wednesday March 05, 2003 @10:11AM (#5440111) Homepage Journal
    I recommend spammers be designated cyberterrorists. For spammers in uncooperative totalitarian countries, replies with randomly generated subversive messages should be mandated by law.
  • by snitty (308387) on Wednesday March 05, 2003 @10:16AM (#5440137) Homepage
    IMPORTANT! READ NOW!

    Please sign this bill from your state assembly! I did it and I got my wish! If you don't want to get this e-mail from the state anymore click the sucker link at the bottom!
  • ...really do want to research spam... "The ASRG Chair is Paul Judge
    paul.judge@ciphertrust.com.
    Mail List
    The email list is asrg@ietf.org. You must be a list member to send mail to the list. Subscribe via asrg-request@ietf.org. An archive of the email list is available at the ASRG mail archive."

    I'm HOPING that the slashdot community uses this for good, rather than for email. C'mon, people, these people DO want to help....
    (on a side note entirely, i was hoping for "Anti-Spam Governing Alliance for Research Developments" or some such... you know, ASGARD? Bloody Vikings!! I mean, who else would be keeping them in line?)

  • by Anonymous Coward on Wednesday March 05, 2003 @10:19AM (#5440155)
    Mozilla 1.3's spam filter has really come along nicely. The Bayesian method really is working nicely.
  • I like the idea of the antispam research group however, I see one major problem with it. The ASRG chair is a member of cipher trust a company whose ironmail sollution is way off the map as far as Spam goes. I am just a tad bit sensitive to that. We use a program that uses text algorthyms to deal with spam and we hit 90% which is acceptable for us.
  • by forged (206127) <soltesz&gmail,com> on Wednesday March 05, 2003 @10:27AM (#5440207) Homepage Journal
    ...Can we help them craft this?

    Since there are already some legislations out there going in the right direction (California, Washington DC, Nevada, ...) why don't they just "borrow" the text from another state ?

  • once again (Score:2, Insightful)

    by JeanBaptiste (537955)
    All the spam I get is from asia, africa, and eastern europe.

    Great that nevada passed the law, step in the right direction. But this would only apply if the spam or the company profiting from it came from nevada, right? I dont think the male enhancement people from belarus need worry about this law...
  • by kaltkalt (620110)
    As long as homo sapiens can freely send emails the spam problem cannot be solved. It's an analog gap of sorts. The MPAA/RIAA have to accept that as long as a human can hear or see it, it can be copied. We have to accept that as long as email is free, there will be spam. Why waste money researching solutions when there are none? Give the money to starving turtles or something instead.
  • by Joe the Lesser (533425) on Wednesday March 05, 2003 @10:33AM (#5440252) Homepage Journal
    The ASRG meetings will be held 2-3 times a year generally concurrent with IETF meetings and possibly concurrent with other conferences

    Way to get on the ball with those 3 meetings... a year...

  • Although I agree with the poster who said that we should try all kinds of things, the one thing that seems to be missing is fixing the SMTP protocol. SMTP [ietf.org] was never meant to be used the way it is today. Quite simply it is a relic of the 1980's originally written by Postel for reliable email communications but not secure, not authenticated and not scalable to the commercial realm. So when I read through these guys that are going to meet 2-3 times a year, I just see no real end in site coming from the standards community any time soon. SPAM will kill email as an effective tool and the costs, both hidden and measureable, are mounting.
  • Spam loopholes... (Score:5, Insightful)

    by SystematicPsycho (456042) on Wednesday March 05, 2003 @10:33AM (#5440255)
    Firstly, they can start by trying to get the following loopholes plugged with the unsubscription methods ..

    o unsubscription method is not feasible. I received an unsubscription method that went like this

    • "To unsubscribe by
    • postal mail, please send a request to P.O Box ..... Florida - quote reference number #blah"

    Who is going to send a snail mail letter long distance to seemingly be unsubscribed from a spam list? Now it's starting to cost _me money to be unsubscribed. The law says to have _an unsubscription method of some sort - this falls within the law no matter how bad it is.

    o unsubscription web page is non-existent - this happens to often
    • No! Wrong! Never! (Score:3, Informative)

      by wirefarm (18470)
      How can I UN-subscribe, when I never subscribed in the first place?!?!?

      If you haven't figured out, unsubscription is really just a confirmation that you exist.

      Until you either reply or unsubscribe, they don't really know if they have a 'live' email or not, unless you're allowing html mails to access url-loaded external elements, such as gifs and other web bugs.

      If you allow them to push the idea that what they do is OK until you object by unsubscribing, they have won critical ground. At that point, you are on the defensive. You will have to unsubscribe to every email spam that you receive.

      Of course, then, they just re-sell your address and the whole cycle starts again.

      I never agreed to an opt-out scheme. When I decide to opt-in, I'll let them know.

      Cheers,
      Jim
      • How can I UN-subscribe, when I never subscribed in the first place?!?!?

        Easy, you're on their list. How you got on their list is highly debateable - I for one did not subscribe to anything though they say I did. When you un-subscribe you are seemingly being removed from their list.

        I am aware of the ``reply to let us know you're active''. When spam lists are sold they don't tell the second spammer that the user is active, just that these are recently checked valid email addresses. They're not going to say "well we mailed this guy a few times and he didn't reply - let's just cross him off the list". Of course that scenario happens in fantasy land.

        No, the idea is that there is a legal framework to say you don't want to be sent unsolicited mail. If the law fails then all hope is lost.
  • by zentec (204030) <zentecNO@SPAMgmail.com> on Wednesday March 05, 2003 @10:35AM (#5440269)

    A large percentage of "junk mail" depends upon some fashion of deceit. Either it's by masking the true identity of the sender, a spam-haus using domain after domain and ISP after ISP in order to avoid the blacklists or simply by lying and saying that "you really indeed did ask for this".

    The answer to the spam problem is to find technical answers that start peeling away at the ways spammers use deceit.

    I've said this before and I'll say it again, the first place is to rewrite RFC-821 and require valid reverse-name lookups before accepting mail. Also permit as an authentication scheme that allows the administrator of the accepting mail system to set permissable trust levels. Example, mail that's verified (through an SSL certificate might be one way) as coming from gm.com is accepted, but mail coming from slashdot.org is set to a lower trust level (because they don't want to spend the money for a certificate). Mail from getyerviagra.com is immediately tossed into a review folder, trashed or denied because they don't reverse properly and they have a forged or self-signed certificate or simply don't have one.

    The LAST thing anyone here wants is ANY government telling us how to manage electronic mail. In the US, it'll be frought with hooks and back-doors so the feds can snoop your mail.

    Let's get it together and fix the problem on our own.
    • Actually, RFC's can't be re-written. To make changes they add a new RFC and use that instead. I guess it's for record-keeping and compatibility purposes.
    • Amen.

      Currently, there is no way for RFC-821 mail to eliminate spam. It was written for a few college profs to pass notes. Trust was rampant. The command stream is in plain english. HELO anyone?

      It's 1000 times more difficult to add security to something than to design it in from day 1. How many examples can you think of?

      I've been thinking about a better email for a long time. How about to log onto a "SMTP2" server you need a valid user/password rather than a stupid open port? Maybe each email account could have a public/private key combination. Tack the public key on to every outbound message, and have the first hop verify the sender. If the account is hacked, drop the private key and bingo - it can't send email.

      An added benefit - you could decide to PGP encrypt all email on the fly.

      And let's say that only 5 sites in the world run SMTP2 servers. Wouldn't you want to be on one? "We promise spam free email communication on our new email network." I wouldn't care if I couldn't talk to anyone on AOL. Besides, once it caught on the behemoths would eventually jump in anyways.

      Weaselmancer

    • The nonsense that gets modded +5 (Insightful) on Slashdot is at times truly astounding.

      To wit:

      I've said this before and I'll say it again, the first place is to rewrite RFC-821 and require valid reverse-name lookups before accepting mail.

      No "rewrite" of any RFC is required to achieve this, as in fact many sites already do this. As a result, spammers now almost universally forge valid domains (and even valid usernames) in their spams, causing those innocent third parties to receive all the bounces. This has made matters worse, not better.

      Incidentally, RFC 821 has been obsolete for some time. The current SMTP specification is RFC 2821.

      Also permit as an authentication scheme that allows the administrator of the accepting mail system to set permissable trust levels. Example, mail that's verified (through an SSL certificate might be one way) as coming from gm.com is accepted, but mail coming from slashdot.org is set to a lower trust level (because they don't want to spend the money for a certificate). Mail from getyerviagra.com is immediately tossed into a review folder, trashed or denied because they don't reverse properly and they have a forged or self-signed certificate or simply don't have one.

      What a nonsensical idea. It'd be a real boon for the spammers, though. This is like buying protection from the mafia. The spammers will buy their certificates and keep on spamming in the assurance their spam will be assigned a high "trust" level; the common man with his own home mail server will not be able to send mail to his friends without it getting trashed because he cannot/won't afford the certificate. Not only that, it allows the spammers to keep sending their spam. They don't care if it gets trashed - in fact, the spamming scumbags will always find enough suckers ready to respond to their bait, so they love it if people "just hit delete" instead of hunting them down and busting their asses, and your plan is simply an automated "just hit delete" scheme. This plan will thus only serve to legitimize spamming as well as increasing corporatization of the internet.

      I happen to run a set of support/discussion mailing lists for people with a certain neurological handicap. I run my own mail server because I refuse to compromise my member's privacy to an ad-supported certified spamhaus such as Yahoo Groups. Under your plan I could forget about running my lists my way. Non-commercial discussion lists would cease to exist.

      The LAST thing anyone here wants is ANY government telling us how to manage electronic mail. In the US, it'll be frought with hooks and back-doors so the feds can snoop your mail.

      Hello? What planet did you just arrive from? On mine, the feds (and their equivalents in other countries) have been snooping mail for a long time. Do you really think any solution for spam would change that one way or the other? Or are you just spouting the usual slashbot anti-government drivel?

      You might as well say that burglary should not be combatted by the government because you wouldn't want the government to tell you how to manage the locks on your front door. It'd make about as much sense.

      Spam is a social problem, not a technical one. Real technical solutions [spamhaus.org] nonetheless already exist and are pretty bloody effective for those who care to actually use them properly. That's because, rather than just deleting the spam, they prevent it from arriving into your system in the first place, and provide social pressure to internet providers to kick off their spammers. Without DNS-based blocklists, spam volume would have been growing several orders of magnitude faster than it has been.

  • The best solution... (Score:3, Interesting)

    by cindik (650476) <solidusfullstop&cindik,com> on Wednesday March 05, 2003 @10:45AM (#5440314) Homepage Journal
    ...is unfortunately not a realistic solution:

    If no one ever buys anything from spammers, spam will stop.

    Unfortunately, the one in ten thousand who buys into this makes it worthwhile to spend a buck to send 10,000,000 emails.

    Some people just refuse to believe that unsolicited email offers are a problem. The marketing director at our company keeps pushing to "buy this list of targeted email addresses" or "pump up our ranking in search engines" as offered by the latest spam he receives. These people aren't responsible for spam, but they're responsible for making it profitable.

    Like anything else governments try to control (US war on drugs anyone? how about the US prohibition era? prostitution?), spam will continue to exist as long as there is enough demand to justify the low cost of email.

    Just say no to spam?
  • by paiute (550198) on Wednesday March 05, 2003 @10:48AM (#5440331)
    Political speech is exempted. Advertising of the "call X and tell him that you are against his position on Y" is protected free speech. So expect emails of the sort: "Call Senator McGuffy and tell him that his penis can be enlarged in only three weeks!"

  • Once again (Score:5, Insightful)

    by deblau (68023) <slashdot.25.flickboy@spamgourmet.com> on Wednesday March 05, 2003 @10:54AM (#5440374) Journal
    Since the attention span here seems to be about 5 minutes, I will reiterate a basic argument about spam (and many other problems plaguing us):
    Just as you can't solve a technology problem with laws, you can't solve a social problem with technology.
    Spam is a social problem. Scam artists have been around for millenia, 'spamming' you with unwanted and unsolicited communications. The Internet is only the latest communication tool that they use to peddle their wares. Previous tools have been faxes, TV, radio, telegraph, snail mail, courier, and shouting at you from the next hill over. Don't think for one second that the 'let's DDoS them out of existence' or 'let's make email expensive to send through some complicated protocol' arguments will work. They won't.

    Here are three easy steps to stop spam:

    1. Don't buy anything you get from spammers. Yes, that 24" penis must be really tempting, and I know you're dying to lose 10^6 pounds, but don't do it.
    2. Encourage other people to restrain themselves. The indiscriminant spam approach only works if the percentage of buyers (a.k.a. suckers, marks) is high enough to justify the cost of spamming (which is very low for email). If you can knock down that percentage, spamming won't be as successful.
    3. Educate people you meet about spam. Let them know that not every email they read is for real. Let them know that responding to spam encourages spammers. Let them know that if you catch them replying to spam, you will give Indian burns to their entire family.
    In short, technology isn't the problem here. The problem is that too many people keep falling for the spam. If you do your part, we can make it more expensive for scammers to use the Internet for their schemes.
    • Spam will not disappear even if every stops buy from spammers.

      First, there are religous and political spam that isn't at all related to monitary gain.

      Secondly, many spammers make their money off of people paying them to spam rather than directly from the sales. As long as there are people who think that since there is so much spam, people must be making money off it and therefore are willing to pay a spammer to try for a while, there will be spam. Many businesses will start spamming when times are really bad for them and they think "hey, it only costs $500 to pay the spammer, and it might save my business!".

      Thirdly, there appears to be "spam" which is really just a DOS attack.

      Forth, you can use "forged" spam to tarnish your competitor or political opponent.

      Fifth, you can spam and claim that the spam was "forged" by a competitor and/or political opponent in order to tarnish you.

    • Even social problems require technical solutions to help the system.

      Take for example theft. We lock our house doors and our car doors to prevent theft, even though theft is illegal and anti-social.

      So the spam problem, while its true that its a social problem, I don't think you have "The" solution. We need technical fixes too, and we always will.
  • by cindik (650476)
    ...what about the people who never send you anything original, just stuff that's been forwarded 20 times (with indents, attachments within attachments, and the email addresses of people they didn't think to protect by using bcc)? From where does this stuff originate anyway? I always seem to get the stuff that's been forwarded at least five times. Maybe I just don't know any creative people.

    I've come up with a name for these emails. It's full of miscellaneous stuff (indents, headers), no one knows where it originally came from, no one seems to really want it, and it gets passed around endlessly (I frequently get several copies of each - often from people who were on the same to: line as I was the first time I got it!).

    I call it "fruitcake".

    Now here's the question:

    Would it be reasonable to write a filtering program that:
    1. Strips out indents, headers, and whitespace
    2. Creates a crc or other signature for the actual cute story or magic "scroll down to see the answer" quiz
    3. Checks a database to see whether this is a known fruitcake and, if so, deletes it
    4. Allows the user to add additional fruitcake references
    Any thoughts?
  • How to defeat spam (Score:4, Insightful)

    by GnuVince (623231) on Wednesday March 05, 2003 @11:17AM (#5440526)
    Spam is a business. Like all business I know, its fuel is money. When spam stops being profitable, it will probably stop being so much a problem. Most geeks, nerds and hackers know how to recognize spam a mile away and most of us have spam filters installed, but common users do not. We need to help them by explaining them how spam works, by installing them filters (PopFile [sf.net] is an excellent free one on Windows and other platforms).

    Just make sure as much people in your neighborhood never see spam, and after a while spamming will not be as much as a problem as it is right now.

    Informing the common computer users is the first step.

  • by wayne (1579) <wayne@schlitt.net> on Wednesday March 05, 2003 @11:26AM (#5440588) Homepage Journal
    I've been subscribed to the list since near the beginning and have been following it fairly closely. Much of the discussion has been rehashes of old topics such as "what exactly is spam?", "make the sender pay something, either money or CPU", etc.

    The most interesting discussions that I've seen so far are:

    • Mail transfer programs (MTA) such as sendmail, exim, qmail, etc., should keep track of sender-recipient pairs. The first time the sender-recipient pair shows up, sendmail (or whatever) should issue a "temporary delivery failure". This will force the sending mail transfer program to queue the mail and resend it later.

      Most spam specific programs will not queue and retry, and thus the spam will be dropped.

      Spammers that use real mail transfer programs or open relays will need to be able to hold all their outgoing spam for a while, increasing the spammer's costs and slowing down the delivery of spam. Legitimate email will not be thrown out, it will only be delayed and only for the first time.

      Of course, you don't really want the databases to remember every sender-recipient pair forever, nor do you want to remember pairs that were added by spam so this really isn't a "first time" database, but it is close.

      Apparently the "canit" program already does this, but I had not heard of this technique before.

    • Spam filtering really needs to be done while the email is being received. Sendmail can already do this with the milter filter, but other MTAs should also. Most mail servers are I/O bound, not CPU bound so this really isn't much of a burden on the server. This is completely backwards compatible and doesn't require end users to do anything.

      If you filter during the email receive process, you can make the sending MTA do the bounce. This means that you will not have to deal with spammers forging "from" and "reply-to" headers. You won't have to clean up bounces that never succeed, nor will you be responsible for bouncing spam to another victim that the spammer selected for the "from" or "reply-to" headers.

      Also, false positives will recieve a bounce message instead of just disappearing. This reduces the danger of important email being lost.

    • There are also several proposals to deal with ways of verifying that email being sent from a given IP address and claiming to be from a certain domain is actually authorized to send email claiming it is from that domain.

      Right now, there are DNS records that tell you which IP addresses are valid to try and send email to for a given domain (the MX records), but many ISPs have different machines for sending and recieving email. There are currently no DNS records to tell you which tell you which IP addresses a domain will send email from.

      The problem with this kind of proposal is that there are many people who think they have legitimate reasons to forge "from" or "reply-to" addresses. It also forces ISPs to make sure that every time they add a new outgoing mail server, they need to update the list of valid IP addresses. If they forget to do this, then only bleeding edge spam filters will detect a problem.

  • I get three hundred spam emails every day. My tarpit identifies 'em before they hit my inbox and holds the spammers' connections open to waste resources on their systems (or the open relays they're hijacking). Right now I have 100 spam connections being held open by my mail server. A large number of spambots are too stupid to break the connection until I drop them at the four day mark.

    Even though I'm tarpitting so many spammers, the number of spam attempts I'm getting is steadily increasing. It bugs me that more and more people are trying to sell me underage pornography and shady business opportunities and miracle health products. It really bothers me that my poor neighbors, who have young kids, are getting all sorts of smut and trash blasted to their emailbox (and to their screens, thanks to Windows spyware and that stupid NetBIOS alert-dialog security hole) and have no idea how to protect themselves from it.

    There needs to be a MUCH easier way of suing spammers. I've got an idea: why not form an organization whose sole purpose is to pursue legal action against spammers, on behalf of the people who are being spammed? In return for tracking down the spammers and handling the court cases, this organization would be more than welcome to keep the proceeds from winning their cases.

    To me, knowing that more spammers are being brought to justice is more important than me getting money out of them.

  • The legal process is slow, but given enough time it should follow these steps:

    1) Make local laws to criminalize spam
    2) Harmonize laws
    3) Pressure remaining rogue states to join the system
    4) Economic or military sanctions to the rest

    That is the way it went with patents, copyrights, drugs, and other laws. Spam laws will follow the same pattern. Unfortunately it can take decades.

    • Does anyone believe that SPAMming should really be illegal? Why stop there? Why not make all encrypted emails illegal as well? Then we could go onto anti-government email and other such ridiculous things. The same goes for the telephone. I do hate spam and telemarketers, but I'd rather have 500 emails/day then have my freedom of speech impaired.

      Now a do not call/email list is different. You are telling these people that you do not want them to talk to you. Violations of this type could be a type of harassment. That being said, the best way to fight technology is with technology. Legislation does not work - it only serves to restrict civil liberties.

      Perhaps it's time for a new mail protocol that employs public key encryption with signed messages that get filtered on the server level. This way, somebody who gets added to your "go-away" list cannot disguise himself as someone else, or at least someone who is on your "love to hear from you" list.

      Slashdot crowds are fickle, one minute they are all up in a rage over freedom of speech and civil liberties and "code is speech", free P2P, etc... and the next they are calling a legislative "jihad" against the very technology that they don't want regulated. Give me a break.

  • by Anonymous Coward on Wednesday March 05, 2003 @11:58AM (#5440810)
    The problem with spam is that people are highly motivated to send it, and as long as email is open in the sense that the messages can be delivered profitably, spam will continue.

    Some people (notably congressmen) seem to think legislation can fix this - that's silly. How will you legislate against the spam you receive from China, for example.

    There are a couple of big issues with spam - 1) the annoyance factor - people just don't like to get it - their time and brainpower are wasted searching for their "real" email, and 2) the bandwidth problem - recipients and ISPs are being forced to pay for spam themselves via bandwidth costs.

    The closest thing we have to an answer today is whitelisting - the idea that you only accept email from people you've already listed as authorized senders. Whitelisting removes significant email functionality (currently a lot more functionality than really necessary because there's no standard implementation) - you can no longer get email from a long-lost friend or in response to account creations on web sites, for example.

    Nonetheless, whitelists are the closest thing we have to a solution for Spam Issue #1 listed above (the waste of time and brainpower). Unfortunately, they do very little to address the bandwidth issue.

    Some ISPs (Hotmail, for example) have implemented whitelists on the mail server side so that clients don't actually have to download the messages from non-whitelisted senders. However, this only relieves the bandwidth burden from the end-user, not from the ISP. ISPs can be protected from spam too.

    There's also an even bigger problem with whitelists - how do you authenticate authorized senders? If you only rely upon the email address of the sender, your system will quickly become useless as spammers identify addresses you're likely to accept email from. This will happen really quickly in environments where whitelisted addresses are predictable (e.g. companies usually have a postmaster or administrator email address; people living in countries that give each citizen an address are also likely to have predictable whitelisted addresses).

    So we need a whitelist solution that includes strong authentication and allows spam to be cut off before it wastes too much bandwidth. Here it is.

    The solution involves several features: 1) a public key infrastructure that allows recipient whitelists to be looked up; 2) extensions to the SMTP protocol to allow servers to validate messages against whitelists before accepting the message (ie without opening the message itself to search for a public key); 3) interfaces to allow recipients to modify their whitelists; 4) interfaces to allow senders to request that they be added to a recipient's whitelist (although carefully designed to prevent this system itself from being co-opted into a spam method).

    With such an infrastructure in place, additional spam control is possible. A compliant mail relay can check a message sender against the message recipient's whitelist and choose to reject it immediately. The cost associated with implementing this check can be passed directly to the sender - mass emailers can still do their work, they just pay more (or go elsewhere).

    If a spam message still makes it to the recipient mail server, that server gets the sender, recipient, and sender's key in the SMTP headers before the "DATA" section of the SMTP exchange occurs. With that information, the recipient mail server can validate the sender against the recipient whitelist - if the key isn't allowed, then the message is rejected before the actual message is delivered, offering a huge bandwidth and cpu-overhead savings for the ISP.

    So where should the actual whitelists be stored? For performance (and DDoS-limiting) reasons, the key infrastructure and the whitelists it provides will probably need to be a lot more distributed than they are now, probably to the point of being hosted on systems at the recipient ISP.

    Perhaps the whitelists ought to be separated from the key infrastructure, hosted on separate systems - I think it makes sense to provide a provision for this, but not to expect it to be the initial implementation. (Thoughts?)

    You may be thinking we already have a suitable key-based authentication infrastructure in place in the form of PGP - I disagree. Although I think PGP is a good start, I don't think the "web of trust" idea will hold up to spammers' attacks. Once someone is strongly motivated to compromise the web of trust, doing so becomes trivial. I believe that this fact will also reinforce the likelihood of key servers being hosted by recipient email systems, where recipients can be charged for key maintenance as part of leasing their email accounts.

    Although all of this infrastructure would take a while to design, standardize, and implement, it's certainly an attainable goal, and it would dramatically improve our ability to handle spam.

    Of course, whitelisting is not without its drawbacks, even when it works perfectly. The design outlined above is almost certain to incur ongoing expense for a recipient in the need to maintain a key on a server - I think it's unlikely that free email services will be willing to offer this service, at least until it is well-established.

    Deployment of such a system will probably require a lot of either altruism or foresight on the part of ISPs - in the beginning the system will be virtually useless, meaning its return on investment costs will be minimal until a large user base is established. It is my hope that altruistic organizations will both fund and initially implement such a system - universities come to mind as the most likely such organizations, hopefully with some poking and prodding from other well-funded groups (government, the IETF or IEEE, etc).

    Ok, now that I've written all that... do I sign my name? :-) Those are my thoughts on the problem - discussion is welcome. Please be kind though - I'm tired this morning. :-)

    -- Trever, t at wondious d0t com
  • Let's see, I receive ~ 75-100 spams a day

    @ $500 per spam...

    so that's about 37500-50000 a day... 365 a year..

    wow... I'll be rich! Rich beyond dreams of avarice! Hoorah! I knew there was a good reason I kept all of those spam receiving e-mail addresses.
  • Spam is not a problem of technology, therefore any solution rooted in technology is a bandaid -- an after-the-crime attempt to cover the wound. Spam is a "people" problem and requires a "people" solution. Spam (not all spam, but in general) is caused by one person, making a conscious decision, and initiating an action which results in the disruption of millions of lives. Perhaps only a minor disruption; it only takes me a minute a day to delete all the spam from my hotmail account, but multiply this by many millions of recipients. Some users may not be affected at all, but I'd be willing to bet that for every recipient that isn't affected, 1000 are.

    The only solution which will work is one that involves the spammer at a very real, intimate, and very personal level. This is definitely not a "Politically Correct" solution, would be illegal in many countries, and reprehensible to anyone with a conscious, but it would go a long way toward solving the problem.

  • The basic problem here is that the entire email system used on the Internet is broken. The system needs to be replaced with something better. A new protocol that does not allow for open relays and other untrusted systems. I don't have the technical skills to tell you how the system needs to be changed. I'm a user, not a coder.

MATH AND ALCOHOL DON'T MIX! Please, don't drink and derive. Mathematicians Against Drunk Deriving

Working...