Cornucopia of Spam 199

Eric Savage writes "The IETF, through IRTF, has formed an Anti-Spam Research Group. If there is any hope for a technical solution to the problem, it appears the first significant step has been taken. More info here in itworld and here in ComputerWorld." Three more exciting spam-related posts inside, including news from the Nevada legislature regarding spam, Arkansas's dislike of the meaty email, and "when students go bad".

torklugnutz writes "The NV state assembly just voted 41-0 in favor of a bill which allows spam recipients to collect up to $500 per piece of spam. The new law also requires ADV to be added to the subject line so that recipients can more easily identify unwanted ads. In addition, spoofing of sender's email address or having an invalid return address is made illegal. The old law imposed a $10 fine on spammers, but required prosecutors to collect it. This law will, more than likely, increase my chances of reading the spam I get so that I can try to cash in. So, maybe I CAN make an incredible amount of money from this "Amazing Offer""

And in Arkansas: A.G. Russell writes "With House Bill 1008, subtitled "Unsolicited Commercial and Sexually Explicit Electronic Mail Fair Practices Act," Arkansas looks to join other states that have criminal and civil legislation in place to deal with spam. Can we help them craft this?"

And from academia: mansemat writes "Seems spammers are using a new tactic these days by paying students to send spam over university networks. This particular student will be disciplined by losing his computing privileges, and being educated on the policy he violated. One can only hope the education includes being subscribed to every pr0n, male enhancement, mortgage, etc. spam on the planet." Should have booted the miscreant.

  • by Anonymous Coward on Wednesday March 05, 2003 @10:19AM (#5440155)
    Mozilla 1.3's spam filter has really come along nicely. The Bayesian method really is working nicely.
  • by Jay L ( 74152 ) <jay+slash @ j ay.fm> on Wednesday March 05, 2003 @11:16AM (#5440521) Homepage
    Think of spammers like an infection

    A better analogy than you may realize! Spam is like bacteria; it is self-reproducing (spam for spam software, spam for millions-of-addresses CDs). Using spam filters exerts a selection pressure on the spammers, and the stronger spammers adapt to the filters, become resistant, and multiply.

    At AOL, as the single biggest target of spammers, we had to think very carefully about the effects of filters before we implemented them; turning on a weak filter would be just as bad as taking weak antibiotics for a day and stopping, and in some cases it could make the problem worse. For instance, we once decided to start treating any message with >N recipients as likely spam. All we did was force the spammers to start sending messages with one recipient each - which meant we now had to process N times as many messages as before!

    (Incidentally, the antibiotic analogy led me to discover, and donate to, the Alliance for Prudent Use of Antibiotics [apua.org], which fights overuse and improper use of antibiotics, helping to keep resistance down. Check them out and give them some money; you'll save on your own health care costs in the long run.)

    Jay the ex-AOL Mail Guy
  • by wayne ( 1579 ) <wayne@schlitt.net> on Wednesday March 05, 2003 @11:26AM (#5440588) Homepage Journal
    I've been subscribed to the list since near the beginning and have been following it fairly closely. Much of the discussion has been rehashes of old topics such as "what exactly is spam?", "make the sender pay something, either money or CPU", etc.

    The most interesting discussions that I've seen so far are:

    • Mail transfer programs (MTA) such as sendmail, exim, qmail, etc., should keep track of sender-recipient pairs. The first time the sender-recipient pair shows up, sendmail (or whatever) should issue a "temporary delivery failure". This will force the sending mail transfer program to queue the mail and resend it later.

      Most spam specific programs will not queue and retry, and thus the spam will be dropped.

      Spammers that use real mail transfer programs or open relays will need to be able to hold all their outgoing spam for a while, increasing the spammer's costs and slowing down the delivery of spam. Legitimate email will not be thrown out, it will only be delayed and only for the first time.

      Of course, you don't really want the databases to remember every sender-recipient pair forever, nor do you want to remember pairs that were added by spam so this really isn't a "first time" database, but it is close.

      Apparently the "canit" program already does this, but I had not heard of this technique before.

    • Spam filtering really needs to be done while the email is being received. Sendmail can already do this with the milter filter, but other MTAs should also. Most mail servers are I/O bound, not CPU bound so this really isn't much of a burden on the server. This is completely backwards compatible and doesn't require end users to do anything.

      If you filter during the email receive process, you can make the sending MTA do the bounce. This means that you will not have to deal with spammers forging "from" and "reply-to" headers. You won't have to clean up bounces that never succeed, nor will you be responsible for bouncing spam to another victim that the spammer selected for the "from" or "reply-to" headers.

      Also, false positives will receive a bounce message instead of just disappearing. This reduces the danger of important email being lost.

    • There are also several proposals to deal with ways of verifying that email being sent from a given IP address and claiming to be from a certain domain is actually authorized to send email claiming it is from that domain.

      Right now, there are DNS records that tell you which IP addresses are valid to try and send email to for a given domain (the MX records), but many ISPs have different machines for sending and receiving email. There are currently no DNS records to tell you which IP addresses a domain will send email from.

      The problem with this kind of proposal is that there are many people who think they have legitimate reasons to forge "from" or "reply-to" addresses. It also forces ISPs to make sure that every time they add a new outgoing mail server, they need to update the list of valid IP addresses. If they forget to do this, then only bleeding edge spam filters will detect a problem.
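
The first technique in the comment above (a temporary failure the first time a sender-recipient pair is seen, with pairs that are never retried being forgotten) as an added Python sketch; it is not part of the original comment and not code from canit or any MTA. The class name, the timing values, the choice of SMTP reply code 451 and the sample addresses are assumptions made for illustration.

```python
import time

class Greylist:
    """Defer the first delivery attempt for each (sender, recipient) pair."""

    def __init__(self, min_delay=300, retry_window=4 * 3600, pass_ttl=30 * 86400):
        self.min_delay = min_delay        # a retry sooner than this does not count
        self.retry_window = retry_window  # pairs never retried are forgotten after this
        self.pass_ttl = pass_ttl          # confirmed pairs are forgotten when idle this long
        self.pending = {}                 # pair -> time of first attempt
        self.passed = {}                  # pair -> time of last accepted message

    def check(self, sender, recipient, now=None):
        """Return (smtp_code, reason) for one RCPT TO decision."""
        now = time.time() if now is None else now
        self._expire(now)
        pair = (sender, recipient)
        if pair in self.passed:
            self.passed[pair] = now
            return 250, "known pair"
        first = self.pending.get(pair)
        if first is None:
            self.pending[pair] = now
            return 451, "first sighting, try again later"
        if now - first < self.min_delay:
            return 451, "retry too soon"
        # The sender queued the message and came back: remember the pair.
        del self.pending[pair]
        self.passed[pair] = now
        return 250, "retry confirmed"

    def _expire(self, now):
        # Pairs that were deferred and never retried (typical of spam tools that
        # do not queue) must not linger, so they never reach the passed table.
        self.pending = {p: t for p, t in self.pending.items() if now - t <= self.retry_window}
        self.passed = {p: t for p, t in self.passed.items() if now - t <= self.pass_ttl}

def demo():
    """Constructed sample traffic: one queueing sender, one fire-and-forget sender."""
    g = Greylist()
    legit = ("alice@example.org", "bob@example.net")
    bulk = ("promo@bulk.example", "bob@example.net")
    t0 = 1_000_000
    events = [(legit, 0), (bulk, 0), (legit, 60), (legit, 900), (legit, 5000), (bulk, 6 * 3600)]
    return [g.check(*pair, now=t0 + dt)[0] for pair, dt in events]
```
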

  • No! Wrong! Never! (Score:3, Informative)

    by wirefarm ( 18470 ) <jim@mmdCOWc.net minus herbivore> on Wednesday March 05, 2003 @11:26AM (#5440589) Homepage
    How can I UN-subscribe, when I never subscribed in the first place?!?!?

    If you haven't figured out, unsubscription is really just a confirmation that you exist.

    Until you either reply or unsubscribe, they don't really know if they have a 'live' email or not, unless you're allowing html mails to access url-loaded external elements, such as gifs and other web bugs.

    If you allow them to push the idea that what they do is OK until you object by unsubscribing, they have won critical ground. At that point, you are on the defensive. You will have to unsubscribe to every email spam that you receive.

    Of course, then, they just re-sell your address and the whole cycle starts again.

    I never agreed to an opt-out scheme. When I decide to opt-in, I'll let them know.

    Cheers,
    Jim
  • by wayne ( 1579 ) <wayne@schlitt.net> on Wednesday March 05, 2003 @11:40AM (#5440671) Homepage Journal
    The meetings are really just get togethers and a chance to hold more formal proceedings. Most of the real work has always been done via mailing lists and such.
  • by ThatMadeNoSense ( 651445 ) on Wednesday March 05, 2003 @11:58AM (#5440811) Homepage Journal
    Well when your in the buisness of morgaging...

    That made no sense.
  • Re:What's the point? (Score:4, Informative)

    by WCMI92 ( 592436 ) on Wednesday March 05, 2003 @12:12PM (#5440894) Homepage
    "The crucial element here is "if enforced".
    I'm also not sure how you plan to get companies to produce self-incriminating evidence that they paid for a spam run. The only means I can think of is to file a lawsuit and then use discovery to subpoena the records, but this would be prohibitively expensive. Few people would spend $1000 or more for a chance to collect a $500 judgement."

    Again, if a company is running "spamcains" there will be an obvious pattern of incriminating evidence. The local prosecutors should then step in and do the investigating.

    This won't net sleazeballs that do a quick, one time only, "hit and run" spamcain, but how many do that now? Most of them run CONTINUOUS spamcains, as that is the only way the law of averages (given the .005 response rate) catches up to make significant money.

    Good anti-spam laws will make doing this in the bulk required to achieve profit difficult to impossible.

  • by ptbarnett ( 159784 ) on Wednesday March 05, 2003 @05:05PM (#5443751)
    Inserted text is underlined, while deleted text has a strike through it. Texas uses the same standard.

    It isn't so obvious in this bill, because it's a completely new section. But, if an existing statute is being changed, it can be cited or excerpted and show the insertions and deletions in context.
