Cornucopia of Spam

Eric Savage writes "The IETF, through IRTF, has formed an Anti-Spam Research Group. If there is any hope for a technical solution the problem, it appears the first significant step has been taken. More info here in itworld and here in ComputerWorld." Three more exciting spam related posts inside, including news from the Nevada legislature regarding spam, Arkansas dislike of the meaty email and "when students go bad"

torklugnutz writes "The NV state assembly just voted 41-0 in favor of a bill which allows spam recipients to collect up to $500 per piece of spam. The new law also requires ADV to be added to the subject line so that recipients can more easilly identify unwanted ads. In addition, spoofing of sender's email address or having an invalid return address is made illegal. The old law imposed a $10 fine on spammers, but required prosecuters to collect it. This law will, more than likely, increase my chances of reading the spam I get so that I can try to cash in. So, maybe I CAN make an incredible amount of money from this "Amazing Offer""

And in Arkansas: A.G. Russell writes "With House Bill 1008, Subtitled "Unsolicited Commercial and Sexually Explicit Electronic Mail Fair Practices Act." Arkansas looks to join other states that have criminal and cival legislation in place to deal with spam. Can we help them craft this?"

And from academia: mansemat writes "Seems spammers are using a new tactic these days by paying students to send spam over univeristy networks. This particular student will be disciplined by losing his computing privileges, and being educated on the policy he violated. One can only hope the education includes being subscribed to every pr0n, male enhancement, mortage, etc. spam on the planet." Should have booted the miscreant.

spam spam spam

[Anonymous Coward]

I am certainly glad that lawmakers and researchers are turning their full attention to spam. It is certainly a big nuisance. I for one get very insulted having ten thousand strangers telling me that my penis is too small. If they could just step over this way I would whip it out and clobber them with it!

Still, I have to wonder if this is a slippery slope that we are travelling down. How long before chain emails and inoccuous humorous forwards are also denied?

Something Smarter Is Needed

[chayim]

Creating laws, regulations, and whatnot will come nowhere near solving the problems. Sure, if a spammer lives in the US then maybe this would work; but what about all these scams from Europe, Australia, Britain, etc. Just because laws exist in one jurisdication, it doesn't mean that others will play ball. And even having laws does nothing if they're not enforced. Why not have a group of IT police hunt down spammers? After all, they're already guilty of theft and fraud (think bandwidth people). Why not prosecute under existing laws and treat spammers like the theives they are. Even though you won't catch spammers outside your legal jurisdicition, you'll help. And every country that helps would quickly be eliminating the spam problem we live with.

Re:What's the point?

[Dukebytes]

All it will take is someone with enough money to take the spammers to court and collect that $500 bucks per spam email they recieve. I'm sure that it would involve laywers and a court to collect it and prove that it came from this company etc - so your right to a point. But maybe if someone could take a spammer to court and collect several thousand dollars from them - they will stop - hopefully.

I think that a better way to fight this would be a tech solution that involved the ISPs - but that would be hard to get setup etc... maybe someday.

duke

Re:Something Smarter Is Needed

[meringuoid]

Creating laws, regulations, and whatnot will come nowhere near solving the problems. Sure, if a spammer lives in the US then maybe this would work; but what about all these scams from Europe, Australia, Britain, etc.

The vast majority of my spam comes from Americans, though not always via US ISPs. I get the occasional pyramid scheme - the same one every time, and it's fun to watch it wander around the world - and of course the Nigerian fraud, and once in a while a spam all in Chinese, but on the whole it's Americans who are the problem. A strong US spam law would go a long way to solving this.

Re:Techinical solution

[Dan B.]

How about imposing things like JAIL TERMS on people convicted of 'serial spamming'.

I read an article once about a guy who lives in a multi-million dollar house in one State and just burns though trial ISP accounts in other states that can't properly prosecute (if that's the right term, since most States don't yet have decent laws against spam).

Big Karma bonus for the governors of NV though, 41-0 on passing laws to nail the perpetrators AND finig them $500 for each successful plaintif in court.

Oh yes, I see the day when I no longer need the words 'rape, enlargement, mortgage, lolita, diploma and toner' in my filter list for 'Permanantly delete'.

The case for Arkansas

[forged]

...Can we help them craft this?

Since there are already some legislations out there going in the right direction (California, Washington DC, Nevada, ...) why don't they just "borrow" the text from another state ?

The best solution...

[cindik]

...is unfortunately not a realistic solution:

If no one ever buys anything from spammers, spam will stop.

Unfortunately, the one in ten thousand who buys into this makes it worthwhile to spend a buck to send 10,000,000 emails.

Some people just refuse to believe that unsolicited email offers are a problem. The marketing director at our company keeps pushing to "buy this list of targeted email addresses" or "pump up our ranking in search engines" as offered by the latest spam he receives. These people aren't responsible for spam, but they're responsible for making it profitable.

Like anything else governments try to control (US war on drugs anyone? how about the US prohibition era? prostitution?), spam will continue to exist as long as there is enough demand to justify the low cost of email.

Just say no to spam?

Re:Something Smarter Is Needed

[Steve B]

Once laws start up the SPAMMERS will move offshore.

The difference is that spammers need a point of contact to make money. Making their bandwidth thefts explictly illegal allows the police to seize the contact points.

The solution for spam - really

[Anonymous Coward]

The problem with spam is that people are highly motivated to send it, and as long as email is open in the sense that the messages can be delivered profitably, spam will continue.

Some people (notably congressmen) seem to think legislation can fix this - that's silly. How will you legislate against the spam you receive from China, for example.

There are a couple of big issues with spam - 1) the annoyance factor - people just don't like to get it - their time and brainpower are wasted searching for their "real" email, and 2) the bandwidth problem - recipients and ISPs are being forced to pay for spam themselves via bandwidth costs.

The closest thing we have to an answer today is whitelisting - the idea that you only accept email from people you've already listed as authorized senders. Whitelisting removes significant email functionality (currently a lot more functionality than really necessary because there's no standard implementation) - you can no longer get email from a long-lost friend or in response to account creations on web sites, for example.

Nonetheless, whitelists are the closest thing we have to a solution for Spam Issue #1 listed above (the waste of time and brainpower). Unfortunately, they do very little to address the bandwidth issue.

Some ISPs (Hotmail, for example) have implemented whitelists on the mail server side so that clients don't actually have to download the messages from non-whitelisted senders. However, this only relieves the bandwidth burden from the end-user, not from the ISP. ISPs can be protected from spam too.

There's also an even bigger problem with whitelists - how do you authenticate authorized senders? If you only rely upon the email address of the sender, your system will quickly become useless as spammers identify addresses you're likely to accept email from. This will happen really quickly in environments where whitelisted addresses are predictable (e.g. companies usually have a postmaster or administrator email address; people living in countries that give each citizen an address are also likely to have predictable whitelisted addresses).

So we need a whitelist solution that includes strong authentication and allows spam to be cut off before it wastes too much bandwidth. Here it is.

The solution involves several features: 1) a public key infrastructure that allows recipient whitelists to be looked up; 2) extensions to the SMTP protocol to allow servers to validate messages against whitelists before accepting the message (ie without opening the message itself to search for a public key); 3) interfaces to allow recipients to modify their whitelists; 4) interfaces to allow senders to request that they be added to a recipient's whitelist (although carefully designed to prevent this system itself from being co-opted into a spam method).

With such an infrastructure in place, additional spam control is possible. A compliant mail relay can check a message sender against the message recipient's whitelist and choose to reject it immediately. The cost associated with implementing this check can be passed directly to the sender - mass emailers can still do their work, they just pay more (or go elsewhere).

If a spam message still makes it to the recipient mail server, that server gets the sender, recipient, and sender's key in the SMTP headers before the "DATA" section of the SMTP exchange occurs. With that information, the recipient mail server can validate the sender against the recipient whitelist - if the key isn't allowed, then the message is rejected before the actual message is delivered, offering a huge bandwidth and cpu-overhead savings for the ISP.

So where should the actual whitelists be stored? For performance (and DDoS-limiting) reasons, the key infrastructure and the whitelists it provides will probably need to be a lot more distributed than they are now, probably to the point of being hosted on systems at the recipient ISP.

Perhaps the whitelists ought to be separated from the key infrastructure, hosted on separate systems - I think it makes sense to provide a provision for this, but not to expect it to be the initial implementation. (Thoughts?)

You may be thinking we already have a suitable key-based authentication infrastructure in place in the form of PGP - I disagree. Although I think PGP is a good start, I don't think the "web of trust" idea will hold up to spammers' attacks. Once someone is strongly motivated to compromise the web of trust, doing so becomes trivial. I believe that this fact will also reinforce the likelihood of key servers being hosted by recipient email systems, where recipients can be charged for key maintenance as part of leasing their email accounts.

Although all of this infrastructure would take a while to design, standardize, and implement, it's certainly an attainable goal, and it would dramatically improve our ability to handle spam.

Of course, whitelisting is not without its drawbacks, even when it works perfectly. The design outlined above is almost certain to incur ongoing expense for a recipient in the need to maintain a key on a server - I think it's unlikely that free email services will be willing to offer this service, at least until it is well-established.

Deployment of such a system will probably require a lot of either altruism or foresight on the part of ISPs - in the beginning the system will be virtually useless, meaning its return on investment costs will be minimal until a large user base is established. It is my hope that altruistic organizations will both fund and initially implement such a system - universities come to mind as the most likely such organizations, hopefully with some poking and prodding from other well-funded groups (government, the IETF or IEEE, etc).

Ok, now that I've written all that... do I sign my name? :-) Those are my thoughts on the problem - discussion is welcome. Please be kind though - I'm tired this morning. :-)

-- Trever, t at wondious d0t com

It's *NOT* a technical problem

[mnemotronic]

Spam is not a problem of technology, therefore any solution rooted in technology is a bandaid -- an after-the-crime attempt to cover the wound. Spam is a "people" problem and requires a "people" solution. Spam (not all spam, but in general) is caused by one person, making a conscious decision, and initiating an action which results in the disruption of millions of lives. Perhaps only a minor disruption; it only takes me a minute a day to delete all the spam from my hotmail account, but multiply this by many millions of recipients. Some users may not be affected at all, but I'd be willing to bet that for every recipient that isn't affected, 1000 are.

The only solution which will work is one that involves the spammer at a very real, intimate, and very personal level. This is definitely not a "Politically Correct" solution, would be illegal in many countries, and reprehensible to anyone with a conscious, but it would go a long way toward solving the problem.

Re:spam spam spam

[cushty]

Still, I have to wonder if this is a slippery slope that we are travelling down. How long before chain emails and inoccuous humorous forwards are also denied?

As with everything: one mans meat is another mans poison. "Spam" is a term that is unique to the person saying it or hearing it. If I lacked a sense of humour then "spam" is anything funny. If I didn't have a debt then those damn debt consolidation emails would be spam. If I lacked a work ethic then that mail I just received from my boss saying that I should stop read /. would be spam.

Signed, cushty, the hardest working poorest clown.

Re:Spam Relies Upon Deceit

[Weaselmancer]

Amen.

Currently, there is no way for RFC-821 mail to eliminate spam. It was written for a few college profs to pass notes. Trust was rampant. The command stream is in plain english. HELO anyone?

It's 1000 times more difficult to add security to something than to design it in from day 1. How many examples can you think of?

I've been thinking about a better email for a long time. How about to log onto a "SMTP2" server you need a valid user/password rather than a stupid open port? Maybe each email account could have a public/private key combination. Tack the public key on to every outbound message, and have the first hop verify the sender. If the account is hacked, drop the private key and bingo - it can't send email.

An added benefit - you could decide to PGP encrypt all email on the fly.

And let's say that only 5 sites in the world run SMTP2 servers. Wouldn't you want to be on one? "We promise spam free email communication on our new email network." I wouldn't care if I couldn't talk to anyone on AOL. Besides, once it caught on the behemoths would eventually jump in anyways.

Weaselmancer

Re:Something Smarter Is Needed

[DiveX]

"Once laws start up the SPAMMERS will move offshore. Just like the guy who lives in Detroit. This SPAMMER lives in the US, but does not send the SPAM via the US."

Telemarketers try this, but it doesn't work because of the law. The Telephone Consumer Protection Act of 1991 allows for private right of action not just against the telemarketer, but also on who's behalf the call is placed. If the same measures are placed in spam bills, it won't matter if the spam is relayed through Korea, Iraq, or the Space Station; you will be able to sue the people that hired the spammers or those that get the financial benefit. Some people will claim that the are being joe-jobbed, but that defense rarely stands up in court. You will still get software/warez ads, porm spams, offshore cigarette ads, etc where the spammer and company are offshore, but RBLs and other black lists will be able to stem that without too much of a problem.