
Austria Bans Spam

Posted by CmdrTaco
from the things-are-heating-up dept.
Dan Kegel writes "PC Welt reports the Justice Committee of Austria's Parliament has decided to ban spam. Commercial e-mail in Austria must go only to people who have opted in. Violations are to be punished with a large fine. The new law presumably still needs to be approved by the full house. Seen in the German Linux site LinuxTicker.com." Der Webpage ist auf Deutsch. Use Babelfish. I suspect the only way we'll kill spam is if we start charging a penny per email or something, but that's a bummer of a solution. I'd settle for simply requiring unsolicited emails to say in the subject that they were spam.
  • His ISP said he needed a 2 terabyte mailbox to accept all the return-to-sender email*. They only sell that size mailbox by the year, so he was looking at a $20,000 start-up cost. He couldn't afford it...the days of cost-shifting were gone.

    (The ISP explained that all POP servers only accept email with a valid reply-to address, which they query. After the first thousand recipients send your spam back, as either return-to-sender, requests for more info, or mailbombs, your box is full. The other POP servers refuse to handle any more mail since the reply-to is no longer valid, and no other spam gets delivered.)

    Who was the ISP? Any ISP of the future. This is an example of how this problem could be solved without any new legislation (although it may help in the interim). Holes in the email system need to be addressed so it's on par with ground mail. The problem with legislation that "requires" spammers to tag their spam is with enforcement. Spammers are already sending illegal pyramid schemes and violating their ISP's acceptable-use policies. Prevention is the better way to go here.

    *Yes, if there was a way to return spam to the sender you could use the analogy of comparing it to junk (ground) mail. But since spam is defined by its inability to be returned, that comparison doesn't hold.

  • You could just get a program that allows you to delete the mail off the server without downloading it.
  • Posted by 2B||!2B:

    What I've done to get around spam is set up my email so on receipt everything is automatically routed into its own folder (I'm up to 27 folders now; I do too much email! But it's great archiving). Anything which isn't routed on receipt goes to the default inbox, which is assumed to be spam. On occasion I review the default box to see if anything useful is there, and normally I immediately find that I can just delete its entire contents. I wish I could do the same with what arrives in the mailbox.

    It's just a matter of considering all unexpected email suspect. Spam isn't any worse than Publishers Clearinghouse Sweepstakes and other snail-mail spam. Just ignore it. Why is everybody freaking out so much about spam that comes through email, yet perfectly content with the mounds of garbage that's delivered by the mailman?! Personally, I would prefer filtering for regular mail first.
  • Never collected, never expected to, never said I did. Pissed them off enough though, got quite a few angry letters. It was fun, lighten up, enjoy the ride.
  • I agree with the other comment here - people PAY for their internet, whereas snail mail spam is paid for by the spammer.

    And spam eats bandwidth, hello.

    The Divine Creatrix in a Mortal Shell that stays Crunchy in Milk
  • If it's easy and obvious, where's the code?

    Sheesh. What's this supposed to mean?

    If it were easy and obvious, it would have been done already.

    For your spam signature program, be prepared to deal with hashbusters in the subject and body.

    For each individual message?

    Damn straight. There is at least one bulk mailing program which throws in a message counter (body and subject), a line of asterisks, and varies the subject line. If you can find a reliable means of counteracting this, by all means, write it.

    I don't think network bandwidth is the worst thing about SPAM. The time lost on the part of the end user who has to download the mail, read it, spend time working out it's not something they want, etc. is more of a problem.

    It's been claimed that 10% of an ISP bill goes to covering the costs of spamming. Unless you have to pay a metered rate, which is not too common in the US, the end-user part is not that big of a problem.

    The real impact of spam is on the ISP mail server. Spam, by nature, tends to be spikey. One spammer, even with a modem, can deliver 50K messages in under an hour. These messages often have lots of bounces, and they have to be delivered, and usually those bounce. If you are running sendmail, you better hope you have a separate machine that just does your customer's SMTP, because when you get that many messages, your load average is going to increase to the point where it will start refusing connections. When your customers can't send mail, they tend to call, usually all at once.

    I am skeptical about your spam signature scheme working (it's not as easy as you think), but don't let that discourage you from trying.

  • Maybe users just need to be able to bounce mail rather than merely delete it.

    That is what I was referring to, but with a twist.

    Bouncing a mail is a fairly expensive procedure. The bouncing server has to generate a non-delivery report. A modern mail server will generate delivery status notifications compliant with RFC 1891, which is a fairly extensive procedure. Then, after generating the report, the same server has to deliver it. That involves additional CPU resources AND network bandwidth.

    Traditional user-level mail filtering kicks in after the users' mail server has already accepted the message, so if it's bounced at that point, you bear the cost of bouncing the mail. And, if the return address is forged, you've just contributed to mailbombing of a third party.

    What you should do is have the filters kick in earlier, when your mail server is receiving the message. If it's flagged as spam, the server rejects it with an SMTP 5xx error code. Then, it is the relay that's spamming you, not the server that's receiving the spam, that has to spin its cycles handling undeliverable mail.

    After everyone starts doing that, poorly configured mail servers - that are hijacked for spam runs - will end up mailbombing their own postmaster instead of spamming all over the place, because everyone will reject its mail. Which is as it should be.

  • Personally, I "freak out" about spam because I pay for my online time at home - I live in the UK, where we pay per minute for local 'phone calls. Therefore, I pay to download this crap.

    I also object to the printed variety, because it's a complete waste of the planet's limited resources...

    Tim
  • Fine. E-mail is not a fax, even if his computer is a fax machine. You would be very hard pressed to find a judge to side with the position that junk e-mail is in violation of the junk fax law.
  • If it's easy and obvious, where's the code? For your spam signature program, be prepared to deal with hashbusters in the subject and body. Also, such a system will not stop the transmission of spam, since all the spam signature can only be computed after the message is sent, so this does not alleviate the main problem of the spam eating up network bandwidth. In fact, testing will eat up more CPU bandwidth, and a distributed spam signature network will eat even more network bandwidth. Even if it worked and kept spam out of end-user mailboxes, it wouldn't solve the real problems.

    Here's a tip for a real-time spam monitoring system (this would be implemented on the SMTP server): Track IP numbers, and see how many recipients/sec each host sends to. Real MTAs take the time to check the SMTP return codes. Some spam MTAs don't. As it so happens, the dial-up spammers send at a faster recipient rate than is normal, particularly if they start multiple simultaneous SMTP sessions. Those hosts can then be given special treatment. I leave that to your imagination.

    Suffice it to say that this system does exist somewhere and is not hard at all to implement (at least with qmail; sendmail would be rough, due to the use of syslog), and it does a hilarious job of killing off spammers before they even get to send a DATA command, and it continues to stomp on them until they go away.
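
Added example (not code from the thread or from the system the comment mentions): a minimal sketch of the per-IP recipient-rate monitor described in the comment above, keyed on client IP so that parallel SMTP sessions from one host are counted together. The thresholds, the 451 deferral as the "special treatment", and the sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque


class RcptRateMonitor:
    """Sliding-window count of RCPT TO commands per client IP.

    All thresholds are illustrative assumptions, not values from the thread.
    """

    def __init__(self, window_s=10.0, max_rcpts=20, penalty_s=300.0):
        self.window_s = window_s      # length of the sliding window (seconds)
        self.max_rcpts = max_rcpts    # RCPTs allowed per window per IP
        self.penalty_s = penalty_s    # how long an offending IP is deferred
        self._recent = defaultdict(deque)   # ip -> timestamps of recent RCPTs
        self._deferred_until = {}           # ip -> end of current penalty

    def on_rcpt(self, ip, now):
        """Return the SMTP reply code for one RCPT TO from `ip` at time `now`."""
        until = self._deferred_until.get(ip)
        if until is not None:
            if now < until:
                # The host keeps sending during its penalty: restart the clock,
                # so it stays deferred until it actually goes quiet.
                self._deferred_until[ip] = now + self.penalty_s
                return 451
            del self._deferred_until[ip]

        window = self._recent[ip]
        window.append(now)
        while window and window[0] <= now - self.window_s:
            window.popleft()
        if len(window) > self.max_rcpts:
            # Too many recipients per window: defer before DATA is ever reached.
            self._deferred_until[ip] = now + self.penalty_s
            window.clear()
            return 451
        return 250


def constructed_events():
    """Constructed sample input: (timestamp, client_ip) for each RCPT TO."""
    events = []
    # A well-behaved MTA: 5 recipients, one every 10 seconds.
    for i in range(5):
        events.append((i * 10.0, "192.0.2.10"))
    # A bulk sender using parallel sessions: 60 RCPTs in about 6 seconds.
    for i in range(60):
        events.append((i * 0.1, "198.51.100.7"))
    return sorted(events)


def replay(events, monitor=None):
    """Feed events through the monitor and tally reply codes per IP."""
    if monitor is None:
        monitor = RcptRateMonitor()
    tally = defaultdict(lambda: {250: 0, 451: 0})
    for ts, ip in events:
        tally[ip][monitor.on_rcpt(ip, ts)] += 1
    return {ip: dict(codes) for ip, codes in tally.items()}


if __name__ == "__main__":
    for ip, codes in replay(constructed_events()).items():
        print(ip, codes)
```
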
  • I got a spam recently that ended up being from an ADSL customer. His ISP (bcnet.com? I don't remember) e-mailed me back (not a form letter, which was nice) to let me know that not only had they cancelled his ADSL account, but they'd actually gone out and REMOVED THE EQUIPMENT from his residence. That felt good. :)

    This ISP also had a rather novel method for using dynamic hostnames with dynamically assigned IP addresses: They place the MAC address in the hostname. Quite excellent not only for tracking purposes, but for network services (such as IRC) where losers on dynamic IP addresses usually give us headaches.
  • Legal solutions won't ever stop spam because it crosses too many borders. Law enforcement agencies who can't stop much more serious offenses won't have the resources to put much effort into stopping spam.

    Given that reality, laws against spam are doomed to fail. Laws requiring headers or real return addresses will fail for exactly the same reason. Outlaws ignore laws by definition.

    The problem is easy enough to solve if people were really mad as hell and ready to not take it anymore. Try this one:

    Get the top ten providers into cahoots and build a database. Every time an email comes into one of them check the IP of the relay against the database and take action as follows:

    If it is a known secure relay pass the mail normally.

    If it is a known open relay bounce it or trash it.

    If it is unknown, try to forge an email through it. Example: AOL wants to know if cannery.spamnet.com is ok so it forges an email from an AOL IP through the relay in question to a netcom address (using the closed accounts of previous spammers as the test accounts). Propagate the results to the other copies of the database.

    Within a couple of weeks all of the open relays will get the hint and fix their relays. Once the problem of open relays has been addressed there are only two more sources of spam:

    1. Spam canneries, which the Realtime Blackhole can easily deal with.

    2. Disposable accounts. The RBH can help with this problem also, but in the end there is really only one solution to this problem. End disposable accounts.

    This is also easily done. Enact an RFC requiring anyone given access to a system to have been authenticated in some way by the provider if said provider wants to be absolved from blame for that customer's actions. Enforce 'SMTP death sentences' against sites that can't control their users.

    AOL could still pass out disks, just put a warning in big type that new users MUST read and consent to stating that their credit card will be charged $100US and their account closed if they are found guilty of spamming. If it is legal, build and share a database of people/business entities that spam and just ban the bastards from the Internet for five years. (Or as an alternate, since that probably isn't legal in most of the popular spamming countries like the US, require an upfront security deposit for any future accounts.)

    Spam could be a distant memory by this time next year if we the users would a) demand such firm steps be taken and b) be understanding of the disruptions such steps would likely cause and not raise a ruckus. This sort of voluntary action would actually solve the problem without requiring censorship by either the government or industry.
  • So you want to trust in government to get it right? And to have the same idea that you do as to what right is?

    Better filtering programs are needed. And bouncing e-mail without a valid return address is a good idea.

    Modest Proposal: (Atten. grad students!) it would be good if there were a server based AI program that could learn (v. conservatively) what you considered spam, and bounce it before you ever saw it (which is why the "very conservatively"). This would involve a "spam" button on the e-mail interface that you could click (or otherwise invoke) to indicate that YOU considered a piece of e-mail to be spam, and what others thought wouldn't matter. This would need to be rather efficient, since all e-mails would need to be processed by it. Possibly the parameter learning could be done on the user's machine, so the server would only need to process the incoming mail against pre-computed rules.
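
Added example (not part of the original comment): one simple way to realise the split proposed above, with the learning done on the user's side from that user's own "spam" clicks and the server only summing precomputed per-token weights. A naive Bayes log-odds table stands in for the "AI program"; that choice, the equal priors, the 99% threshold and the training messages are all assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed training data: what one user did and did not flag as spam.
CONSTRUCTED_SPAM = [
    "free offer click here to claim your prize",
    "limited free offer click now",
    "click for a free offer on loans",
    "free money offer click today",
]
CONSTRUCTED_HAM = [
    "meeting moved to friday see agenda",
    "patch for the kernel build attached",
    "lunch on friday",
    "your kernel patch broke the build",
]


def tokens(text):
    """Set of lowercase words in a message (presence, not frequency)."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def learn_rules(spam, ham):
    """Client side: turn the user's labelled mail into token log-odds weights."""
    spam_df, ham_df = Counter(), Counter()
    for msg in spam:
        spam_df.update(tokens(msg))
    for msg in ham:
        ham_df.update(tokens(msg))
    rules = {}
    for tok in set(spam_df) | set(ham_df):
        # Laplace-smoothed P(token | spam) and P(token | not spam).
        p_spam = (spam_df[tok] + 1) / (len(spam) + 2)
        p_ham = (ham_df[tok] + 1) / (len(ham) + 2)
        weight = math.log(p_spam / p_ham)
        if abs(weight) > 1e-9:        # neutral tokens carry no information
            rules[tok] = weight
    return rules


# Assumed threshold: reject only above 99% spam probability (equal priors).
CONSERVATIVE_THRESHOLD = math.log(99)


def server_verdict(rules, message, threshold=CONSERVATIVE_THRESHOLD):
    """Server side: sum precomputed weights; unknown tokens count as zero.

    Returns (smtp_code, score). 550 means reject during the SMTP session,
    250 means deliver.
    """
    score = sum(rules.get(tok, 0.0) for tok in tokens(message))
    return (550 if score > threshold else 250), score


if __name__ == "__main__":
    rules = learn_rules(CONSTRUCTED_SPAM, CONSTRUCTED_HAM)
    for msg in ("click here for your free offer",
                "free offer",
                "free patch for the kernel"):
        code, score = server_verdict(rules, msg)
        print(f"{code}  {score:+.2f}  {msg}")
```

Two spam-typical words alone stay below the threshold here, which is the "very conservatively" part: a message is only refused when the evidence from this user's own labels is overwhelming.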
  • You could just get a program that allows you to delete the mail off the server without downloading it.
    I'm wondering whether `just' does not in this context constitute a four-letter word. :-)
  • I think what's needed here is a collaborative effort of some sort.

    Someone in the community could set up a mail server similar to hotmail (or forward the email on to each person's private email account). If enough people had their mail sent through the server, a particular advertisement would show up many times, and the source address or server could be flagged as a spammer and then dealt with.

    Of course, you wouldn't want to block mailing lists... but most mailing lists don't contain pornographic words or telltale marketing phrases.
  • I'm wondering whether `just' does not in this context constitute a four-letter word. :-)

    Er, um, well, I know several such programs exist to allow you to delete mail off your POP server without having to download it for MacOS. I had assumed that there would be ones for other OSes, too.
  • Prohibition is not a good analogy. Censorship laws on anything, spam included, are very dangerous, but I don't think that prohibition is a convincing analogy. The "Index Liberorum Prohibitorum" (I think I spelled that correctly) is much better. To support that Bruno was burned alive, and Galileo was imprisoned, threatened with torture, and lived the rest of his life under house arrest.
  • It doesn't come in separate parts. Autocratically controlling government spreads like athlete's foot... not only does it tend to spread all over one place, it tends to spread from place to place.
  • I want to see some of these letters. The thought of a spammer being angry brings joy to me.

  • If spammers start sending large messages with attachments, the user-end programs that allow you to delete messages without retrieving them won't help. Why? Because the huge bloated messages still need to be relayed all the way to the ISP, which still needs to store it until the user gets rid of it or retrieves it.

    Luckily, I've found that most spam I get (not counting legitimate promotional mailing lists that I route to /dev/null) is short and plain text. Usenet spam is typically under 25 lines (including headers), although there are sometimes longer messages or huge crossposts about Jesus or Nostradamus or free cash or some other fable.

    -Imperator

  • Now, everyone knows that 99.9% of the spam out there is sent using the point and drool spamming tools that are available "for a limited time purchase!!! get spamthem and 90billion email address free!"

    Now, we can't stop them with laws... we can but their spam butts with technology... a spamprogram specific virus that when it detects any spam software it erases the hard drive of the spammer and then eats the flash-bios.

    This would be one virus that the world would tout as the best thing for humanity...

    Otherwise, make the penalty a large bruiser gang wielding baseball bats, you can spam, but these guys get to hit your head once for every email you sent.
  • > maybe flag all the outgoing mail like Mr. Taco
    > suggested. Not perfect, but not too bad either.

    Sure. What the hell. I mean, we're not going to stop companies from dumping toxic waste, so let's just have them post little signs wherever they dump so that we know to avoid it. Geezus H. Rob still does not get it. Maybe he'll never get it.

    > So why is it that the free-mail systems don't
    > get tipped off somehow when one user mails more
    > than 1000+ users in a single day? Am I missing
    > something here?

    Yes. The spammers generally do not use the free-mail systems to send. They either use them to receive "remove requests" (i.e. complaints that serve to confirm that they have valid addresses), or they just make up addresses with free-mail services' domain names as red herrings.

    They also LOVE using free-home-page services to post pages full of ad banners, so they can spam people with the URLs and rack up page views and click-throughs. The free-home-page services typically respond with a slap on the wrist.
  • If it's easy and obvious, where's the code?

    Sheesh. What's this supposed to mean?

    For your spam signature program, be prepared to deal with hashbusters in the subject and body.

    For each individual message? I'm sure there are aspiring proponents of the language analysis school that could come up with decent ways around this - like I say though, absolutes aren't obtainable.

    Also, such a system will not stop the transmission of spam, since all the spam signature can only be computed after the message is sent, so this does not alleviate the main problem of the spam eating up network bandwidth.

    Not initially, it won't. But reducing the effectiveness of SPAM by giving people the ability to reduce the amount they read naturally results in less SPAM being transmitted.

    I don't think network bandwidth is the worst thing about SPAM. The time lost on the part of the end user who has to download the mail, read it, spend time working out it's not something they want, etc. is more of a problem.

    In fact, testing will eat up more CPU bandwidth, and a distributed spam signature network will eat even more network bandwidth.

    If the signature distribution is well designed, it won't matter that much.

    Even if it worked and kept spam out of end-user mailboxes, it wouldn't solve the real problems.

    Which are?


  • I like the analogy that spam is like direct marketing through collect phone calls - the recipient always pays. It's a succinct and easily understandable statement that leads easily and directly to illegalization.

    Spamming is more like sending junk mail without paying, so the recipient has to pay. Oh, your post office doesn't allow that? Doesn't matter, because the spammer actually breaks into the post office in order to place his sacks of junk mail. And he uses a fake identity too so he won't get caught.

    Sounds like a double crime to me. No radical new laws needed, just apply existing mail laws to email.
  • Listen RNG,

    every country has its ways of dealing with problems in their society. There are on one side countries which you call "liberal", where government thinks that business regulates the problems itself (and you can be sued if people consume your products and then say "I didn't know that smoking causes cancer - nobody told me that I have to believe what's written on these cigarette packs...") and on the other side where government trusts the self-responsibility of the people and just tries to regulate things where people can't help themselves by laws (privacy, spam, for ex.).

    I can't see your "fascist touch". From the consumer's point of view, it's better to have *SOME* things regulated...

    I think that nobody can say which side is right (and I don't want to say the more liberal approach is wrong), it's just a thing of a person's culture, experience and his or her point of view.

    Gery

  • I bet you never collected one cent either, because your computer is not a fax machine.

    His computer may very well be a fax machine, equipped with a faxmodem, scanner & printer. It may then do everything a fax machine does. I.e. it is a fax machine with a computer attached for additional services. Does the law in question require that the spam arrived through the phone line? Or is reaching the fax machine in some way enough?
  • Please calm down. I think what the anonymous coward was trying to say was that "English is not the only language on earth". Although Slashdot is an "English-speaking-site" ;) So this would match for "If you don't speak French, Spanish, Chinese, Mandarin, Dutch, whatever use Babelfish (your very personal translator)".

    And yes, the majority on earth (including me) is very happy that Hitler did not win the WWII.

    Peace, Gery

  • You know, we wouldn't need to use translating programs or human translators if everyone would just learn, and publish everything in, Esperanto.
  • As an experiment, I opened up a Hotmail Account, and I just let it sit. I never used it, and never published its address to anyone. Within 2 weeks, it was getting regular E-Mails for "Affordable dental / Optical plan" and "See the best Cocksuckers HERE!" Makes you wonder how much MSN is getting in Kickbacks for them to shut up.

    Needless to say, this crappy mail ALSO pounds the accounts of people who don't really want it. (not just hotmail, but I get the occasional spam e-mail in my ISP account too. I've been very careful of letting that addy get out.) My philosophy is, if you don't ask for it, you shouldn't get it. You can say "Yeah, but do you ASK for television commercials? Isn't THAT spam?" Yes, you DO ask for it, and no it's NOT spam. You ask for the sponsored advertising because you are using the product (watching the show). Since you don't pay for the show, commercials aren't a problem. But, when you have an E-mail address to talk to friends and family, you wouldn't want porno ads flooding in. There's a difference.

    When we see laws in effect Nationally, it will be a better place. However, laws aren't going to stop all of the Spam. People can still forge headers, and close accounts on AOL. But hopefully, it'll decrease significantly.

    -- Give him Head? Be a Beacon?

  • There is a better solution to the spam problem, but it involves upgrading the e-mail (SMTP) backbone to something beyond 1975 technology.

    Specifically, e-mail should contain a header with an authenticated signature for the originator. Any mail message that doesn't contain an authenticated signature can be refused at the server level and the spam problem will stop much closer to its source.

    Unfortunately, that means that someone somewhere would have to manage a pretty large key repository for everyone who wanted to send e-mail outside of their LAN. Still, it's not an insurmountable problem, since we already have to maintain an equally large repository of information, namely the DNS system. It's more efficient than DNS, since you don't have to check the signature at every mail hop, just when you want to verify someone's identity.

    And this doesn't preclude sending mail in the form (essentially anonymous) that we use today. The lack of any authentication in mail messages today doesn't prevent people from using it. If you choose to opt out of sending authenticated mail, you just have to be prepared to have intervening systems refuse to carry your mail traffic.

    I guess this really boils down to providing a more robust SMTP server architecture that really validates senders of mail before propagating the messages. Client side and legislative solutions are doomed to failure as long as spammers get to ride the mail backbone anonymously and free of charge.
  • In Austria about three weeks ago the conservative party (oevp) started a pro-spamming-initiative on their webpage. On the following weekend this feature (a web interface to send mass-emails !) was used by surfers to send their comments about this feature to the politicians - the mail system went down ......

    It wasn't such an easy decision for all parties as it seems now but at least it's astounding that the Austrians are first ... We'll see if the EC will follow or at least how they'll execute it with international spam ... Is this gonna be a legalisation trip for censorship ? hope not ....

    Best wishes

    Zappa
  • I decided to check my account on My Netscape, which I haven't advertised or really used much. 57 emails waiting for me to see. They used to have a pretty decent service there with very little spam. Then something happened a few months ago and immediately I was getting several spams a day. It may have been around the time NetAddress decided they wanted to charge for accounts. I guess their philosophy is to bombard your free account so you'll pay for their filtering service.
  • by Gorphrim (11654) on Sunday July 11, 1999 @07:27AM (#1808386)
    Right now many of us are still stuck on 56K (and slower) modems. When broadband ramps up I assume spammers will begin to attach/embed pix and movie files in their emails. Assuming I've got two or three of those waiting on the server, next time I check my email I could be waiting 5, 10, or even 30 minutes just to get through to the legitimate emails. I'm not quite sure of the best remedy, but the unsolicited spam fines seems like a good start.
  • by Farce Pest (67765) <farcepest@gmail.com> on Sunday July 11, 1999 @07:00AM (#1808387) Homepage Journal
    I'm the double-bounce postmaster for over a thousand domains, so I get a lot of spam that bounces (because the recipient doesn't exist) and then bounces again (because the envelope sender is bogus). In the last month or so, the spammers have shifted heavily back to using multiple relays. I report these to ORBS [orbs.org] and lately RRSS [radparker.com]. We don't filter based on these lists, in the usual sense, but we do use them for "quality-of-service". I.e. the more lists you are on, the worse your service gets, and the more your queue backs up...

    Once upon a time I would notify relay postmasters that their relays were open and that they should fix them. That became impractical, so now I'm taking another approach: If I get a double bounced spam that has come from a host listed on ORBS, RRSS, or IMRSS [imrss.org], I have a script that automagically sends it back to the relay's postmaster. This doesn't always work; some of those hosts don't have a postmaster address, or won't accept mail for their own IP. Most of the time it works. This tends to magically break language barriers and soon thereafter the relays seem to close up, or at least I stop getting spam from them.

    So, if you have the bandwidth to pull this off, make your postmaster policy "return to sender": Send undeliverable spam back to the relay. And report open relays to one or more of the above lists. I report 30-70 relays a DAY, which probably makes it relatively expensive to spam us. Who are we? HA! Keep guessing, spammers...

  • heh. You could start by setting a better example. From now on, I'll be monitoring your posts to make sure they are in Esperanto! ;)
  • We'd love you if you would create a HOWTO for setting this up =)
  • If you allow spam, perhaps if it says "Spam:" in the subject, then we'll still have this problem. People will be sending out advertising and expecting us to pay for it.

    The ONLY solution for spam is to make it either against the law, or to put anti-spam clauses in EVERYONE's TOS (even the backbone providers) and then we can remove spammers, and spam friendly companies from the net.

    Allowing ANY spam is like having telemarketers phone you collect.
  • I kind of liked that "Netiquette" anti-spam recent ruling, which suggested (on the side) that in order to spam, you have to get a special "spam" contract with the ISP. So they could charge mucho bucks for the privilege, and maybe flag all the outgoing mail like Mr. Taco suggested. Not perfect, but not too bad either.

    There's something I'm curious about, however-- so much we hear about Hotmail/Yahoo/whatever accounts being used to spam thousands of people . . . well, wouldn't it be somewhat trivial to simply design the mail system to limit mailing list sizes? At least I'm sure these guys aren't sending each piece of mail individually, even with a perl script or some other robot setup, and sending to a listserv would be kind of pointless. So why is it that the free-mail systems don't get tipped off somehow when one user mails more than 1000+ users in a single day? Am I missing something here?
  • Esperanto? Bah! Ido all the way!
  • Learning English would be easier, especially for readers of Slashdot (or are there any people reading this who don't speak English and use something like Babelfish?)
  • Spam should be flat out illegal. The abuse on some of the larger service providers is so bad that if your kid uses a chat room, the next day they will get 200 xxx spamvertisements. The only way to stop this is with some real punishment for the offenders, and those who host them.

  • I bet you never collected one cent either, because your computer is not a fax machine. People who spout off this 227(b)(1)(c) baloney are just as annoying as spammers, maybe more so. Criminal statutes are always narrowly interpreted, and you better be thankful of that. Think about it: If that really was true, why bother with the spammer's favorite friend, S.1618 from last year? If I had a buck for each time a spammer quoted that piece of crap to "prove" their spam was legal, I'd be retired.
  • Given that the Internet really only exists by millions of private agreements, and is simply the 'end result' of a bunch of computers being hooked together...
    it should really simply be a law regarding communication. A business may not send unsolicited advertisements using a service unless it is known up front that that is the primary purpose of that service (Television).

    You know, it still irks me to no end.
    e-mail is only e-mail because we all agree on SMTP/POP/IMAP/what have you....
    yet my ISP sells me bandwidth and in my contract tells me 'you aren't allowed to run a server of any kind'. feh.
    foo.
  • Maybe users just need to be able to bounce mail rather than merely delete it. Of course, the ISP's would need to relay the bounce (as if there were no such valid address, perhaps).

    Currently it is possible, at least for some, to verify that an address is live merely by sending an e-mail to an address. So spam needs to be marked "Moved, left no forwarding address" and bounced.

    Of course, if we count on the ISP's caring about this, perhaps a better answer would be for users to be able to press a button to issue the message "bounced as Spam", and have the message automatically forwarded to all of the appropriate parties. Currently it is so difficult to do this that most users wouldn't bother, even if they knew how.
  • Doesn't IPSec contain a Public-Key-in-the-DNS system?

    I've thought about this a bit, and while everyone hates spam, I don't think the idea of authenticated e-mail would go over very well with Internet culture, as it stands. For example, it would be impossible to send anonymous pro-Linux flames to Bob Metcalfe.

    I've even seen resistance to Corporate LAN e-mail systems such as Exchange or Notes precisely because senders are authenticated. (For example, if a secretary sends a message from the Boss, the message will read From:Boss Sent By:Secretary = Boss gets mad because secretary can't impersonate him/her)

    Furthermore, it would probably take a long time to push the infrastructure out far enough to be actually useful. If you require authenticated e-mail for customerservice@xyz.com, customers that are still on non-authenticated systems will just go through the roof. This will happen even after Authenticated mail has been "standard" for 10 years.

    So, we're really stuck with baseline SMTP for a long time. Every time ORBS or someone catches or blocks an open relay, clueless admins somewhere in the world set up three more. (Also, no one wants to spring for commercial sendmail that supports ORBS.) What's really needed is for the upstream networks to put a No Open Relay clause in their service agreements. If all the IP traffic from a spam center starts to get blocked at UUNet or MCI, the problem would solve itself in a couple of days.
  • This is not realistic for many reasons.

    Not everyone lives by POP. In fact, I doubt whether most people do. I know I certainly do not.

    It places the burden on the individual programmer to devise his own personal solution to a pernicious and global problem. This assumes a skill level or global availability of off-the-shelf software for all possible platforms which simply does not exist.

    Your approach does nothing to relieve the burden on the mail servers. If you do not think it's the end user who will ultimately bear the burden of these costs, then you're just fooling yourself.

    I like the analogy that spam is like direct marketing through collect phone calls - the recipient always pays. It's a succinct and easily understandable statement that leads easily and directly to illegalization.

  • If Hitler had won WWII this post would be relevant, but since this is not the case, and since the most widely used language in the world is definitely *NOT* German, I think we could in the interests of common sense cut /. a little slack, eh?
  • by Anonymous Coward
    There has been a technical SPAM solution for years. It's called target revokeable email and anyone with qmail or a similar system that allows users unlimited email addresses can implement it. It's clear that a technical solution is the only way to solve this; laws will never work so stop bitching about it.

    Here's the URL explaining how it works:

    Target Revokeable Email [lpwa.com]

    Currently, most e-mail users typically have a very small number of e-mail addresses. For example, one at the office and one for private use with an ISP at home. In contrast, the principle behind target-revokable e-mail addresses is that each user has many e-mail addresses. In fact, users can have a different e-mail address for each group or entity with whom they interact. Furthermore, target revokable e-mail addresses are defined such that a recipient of such an address cannot guess other target-revokable addresses belonging to the same sender and destined for different groups.

    Let Alice be our exemplary e-mail user. Alice wants to start using e-mail to communicate with her friend Bob and at the same time Alice would like to register at a web-site www.crook.com, which requires her to give a valid e-mail address. Assume Alice is smart and uses target-revokable e-mail addresses. As a consequence, Bob might receive e-mail from Alice, where Alice's sender address looks like Alice_xV78Yjklp9@company.com and the folks at www.crook.com will get Alice_hdfsjg85nK@company.com. Subsequently crook.com sells this address to a spammer. As soon as Alice gets her first junk-mail message, she can revoke the address she gave to www.crook.com. She can do so by simply filtering her incoming mail according to the string hdfsjg85nK. This will not affect Alice's communication with Bob or with any other email user or Web site. Furthermore, crook.com only knows a now undeliverable e-mail address and cannot guess any other valid e-mail address of Alice.

    Target-revokable e-mail addresses provide a much more reliable method of combating junk e-mail than filtering e-mail according to sender or content, which are the two methods used by other available anti-spamming tools. Spammers can easily spoof their messages, making a filter on the sender's address useless. Spamming according to keywords in the content of the message is only a heuristic and the list of keywords must be kept secret. In contrast, we can document our method without reducing its effectiveness.

    Another new aspect of target-revokable e-mail addresses is accountability. If spam.com got Alice's e-mail address from crook.com and now sends junk e-mail, Alice can deduce that crook.com is accountable.

    Target-revokable e-mail addresses have been integrated with LPWA for easy use with Web sites and Usenet newsgroups. As explained above, the concept extends to user-to-user e-mail as well. We envision that in the future whenever you communicate via e-mail, your sender address will be a target-revokable e-mail address.
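The Alice/Bob/crook.com scenario quoted in the comment above, as an added Python example that is not part of the original post or of LPWA's code. The HMAC-SHA256 tag derivation, the class name and the demo key are assumptions made for illustration; the page does not say how LPWA derives its tags.

```python
import base64
import hashlib
import hmac


class RevokableAddressBook:
    """Issues one unguessable address per correspondent and revokes them singly."""

    TAG_LEN = 10  # same tag length as the Alice_xV78Yjklp9 style quoted above

    def __init__(self, local, domain, secret):
        self.local, self.domain = local.lower(), domain.lower()
        self._secret = secret      # known only to the mailbox owner
        self._issued = {}          # tag -> target the address was handed to
        self._revoked = set()

    def _tag(self, target):
        # Assumption: HMAC-SHA256 keyed with the owner's secret. Without the
        # key, one tag reveals nothing about the tag issued to another target.
        mac = hmac.new(self._secret, target.lower().encode(), hashlib.sha256)
        return base64.b32encode(mac.digest()).decode().lower()[: self.TAG_LEN]

    def address_for(self, target):
        tag = self._tag(target)
        self._issued[tag] = target.lower()
        return f"{self.local}_{tag}@{self.domain}"

    def _parse(self, rcpt):
        localpart, _, domain = rcpt.lower().rpartition("@")
        name, _, tag = localpart.rpartition("_")
        if domain != self.domain or name != self.local:
            return None
        return tag

    def source_of(self, rcpt):
        """Accountability: which target was originally given this address."""
        return self._issued.get(self._parse(rcpt))

    def revoke(self, target):
        self._revoked.add(self._tag(target))

    def accept(self, rcpt):
        """Delivery decision for an incoming envelope recipient."""
        tag = self._parse(rcpt)
        return tag in self._issued and tag not in self._revoked


def demo():
    # Constructed key and targets, following the names used in the comment.
    book = RevokableAddressBook("alice", "company.com", b"constructed-demo-key")
    to_bob = book.address_for("bob")
    to_crook = book.address_for("www.crook.com")
    leaked_from = book.source_of(to_crook)   # junk arrives on this address
    book.revoke(leaked_from)
    return {
        "bob": book.accept(to_bob),
        "crook": book.accept(to_crook),
        "guess": book.accept("alice_aaaaaaaaaa@company.com"),
        "leaked_from": leaked_from,
    }


if __name__ == "__main__":
    print(demo())
```

As a later reply in the thread points out, the revoked address only stops unwanted mail before it is transferred if this check runs on the receiving mail server rather than in the user's mail client.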

  • I would love to hear the nitty-gritty details of the legality behind Seattle's anti-spam laws. As much as I hate sifting through porno ads and tech mags, I wonder just how you would go about drawing the line on such a subject.

    What happens if a mass emailing goes out with a valid return address, but the address is just a black hole, or another email repository. It's a difficult line to draw, and even however many years after the invention of the telephone, we still get unsolicited telemarketing calls. I don't see an easy and fair solution just yet. Or how about when your friend tells you about "a hot new way to make money surfing the net!" Are they a spammer?

    It's easy to look through your Inbox and find the spam, but getting some sort of architecture or filtering system up for this would be difficult. I would imagine that legality would be the ultimate solution, but I'm kinda weary of proposing government as a solution. Dahh!!! I'm gonna go run around the block, now.
  • by \u@\h (63956)
    Strange what people do to fight spam. I used to get spam emails through my ISP's account (which I almost never use), but since I reminded the admin to turn on RBL, I haven't got a single piece of spam. The accounts I usually use also utilize RBL and I'm almost spam free.

    And yes, I'm on about 10 public mailing lists and constantly active on 3 of them. My email address can be found in Altavista. I put it verbosely and outwritten on my homepage.

    If it should ever become worse (more than one spam per week), I could easily add ORBS support to the SMTP servers I admin (and which handle my email).

    So long...
  • Yeah - I almost brought that up. "DNS with Authentication" seems like a wonderful opportunity for Microsoft to embrace and extend ActiveDirectory out to general Internet usage.

    What I don't see is SMTP going away in favor of some proprietary RPC protocol. Even MS and Lotus are moving to (E)SMTP as their "native" protocol (with HTML/MIME instead of proprietary RTF). The "lock-in" for corporate e-mail systems never happened, and now corporate customers are demanding interoperability.
    --
  • Russian, Hindi, Farsi and Kurdish are all Indo-European languages... Bad luck! There's no such thing as an "Asian" language family, there are several. You could quote languages such as Chinese, Korean, etc.
  • Contrary to English, the grammar etc. is extremely simple.

    Since when does English have grammar? Just follow any exchange in English on the Web or Usenet and you'll see what I mean... ;-)

    Argathin
  • This is nothing new. Nowadays free email addresses are so easy to get, lots of people pick a hotmail or similar account for mailing-lists and news.

    But worse, this doesn't cure SPAM at the root, you're still receiving it, unless you control the MTA which most users don't. So you're still paying for traffic, you are just not looking at the spam, it isn't really gone.
  • > What's a "49 metre [sic] band" in English?
    (why "sic"? metre is spelled right in non-US spelling. :) )

    49 metre band is in reference to shortwave radio.
  • > If Hitler had won WWII this post would be
    > relevant, but since this is not the case, and
    > since the most widely used language in the world
    > is definitely *NOT* German, I think we could in
    > the interests of common sense cut /. a little
    > slack, eh?

    (Although many Internet users are not French speakers) The French language is in fact the most common in the world, including the citizens of many countries in Indonesia and in Asia!

    It is simply "common sense" that the language used by the majority of the people in the world must also be written on Slashdot.

    ---
  • From the "one spam a semester" I infer your primary account is an .edu address? Spammers tend to avoid these, in my experience. Some possibly out of whatever small conscience they have, more probably because they know that .edu users are often more able and willing to track down and block spamming sites. (Probably not because they think .edu users are too smart to fall for their ads--that would be giving too much credit to the American educational system.)
  • On a similar note I have had a yahoo! account for about 18 months and I have yet to receive a single spam message on that account. Similarly I have had my primary e-mail account and I don't think I've ever gotten more than one spam e-mail in a semester, except for all that real-audio stuff I forgot to uncheck when I downloaded it...:)
  • Putting spam labels on emails DOES NOT FIX THE PROBLEM. Spam is still being sent and received, which takes up bandwidth and HD space.

    Every time you guys post this half-solution you are just spreading a bad meme AND people that have a clue have that much more work to do cleaning up after you.

    You have a big soapbox here, so think before you speak.
    ---
    Put Hemos through English 101!
  • A woman in Australia was reported, in Adbusters Magazine, (www.adbusters.org) to have put a sign on her snail-mail box saying "All junk mail will result in a Au$75.00 processing fee." The first ten junk letters she got, she sent the senders invoices for $75.00 each, and 2 of them paid. One sent back an angry letter, and one other replied - I don't remember what they said, the last six ignoring the bill. Perhaps what I'll do is have my email box forward to /usr/bin/vacation with the .vacation file containing:

    All spam messages will result in a US$100.00 processing fee, payable to -whatever-here-.

    Signed,

    \u@\h

    Then take every company that spams you to small claims court. (Though that would become very tiring.)
  • So if you know German....read it Auf Deutsch! Nobody cares!

    The babelfish link is provided for new readers to be able to read the articles (Who don't know about Babelfish, or speak German.)

    Stop Complaining.

    -- Give him Head? Be a Beacon?

  • I've been forwarding my spam to the spam recycler lot that were mentioned here a while ago. If I'd just opened an e-mail account in Austria and sued the spammers to oblivion, instead, I'd be a lot better off than a measly $5 gift certificate.
  • >I've even seen resistance to Corporate LAN e-mail systems such as Exchange or Notes precisely because senders are authenticated.
    >(For example, if a secretary sends a message from the Boss, the message will read From:Boss Sent By:Secretary = Boss gets mad because secretary can't impersonate him/her)

    (Actually, in exchange they can do this, depending on the setting. You can either give the secretary "Send on Behalf of" privs which will do as you say or "Send As" privs, which will allow the secretary to completely act like the boss)

    Speaking of Exchange, didn't MS say they were targeting ISP's with the next version of exchange (Platinum?)
    Imagine the possible (worst case) timeline...

    Phase (1) MS get a few major ISP's to use exchange as email backbone, supporting "legacy" SMTP support, but advantages for intra exchange-enabled sites (user verification with NT Challenge/response etc)

    Phase (2) MS add more features which only work intra-exchange sites. ISP-Exchange clients now installed as default on all windows OS's

    Phase (3) Problems sending/receiving to SMTP sites, and due to critical mass being achieved by ISP-exchange, (as all the windows pre-installed clients don't now work with SMTP) it is the SMTP sites that have to adapt.

    Unlikely, yes, but MS would be one of the few companies that could have both the will, and the market clout to decommoditise email protocols

    SMTP may be old, and have weaknesses, but it is open. If we are not careful and plan an open upgrade path (past ESMTP, and to something better and different) someone else will.
    --
  • CmdrTaco writes:

    "I'd settle for simply requiring unsolicited emails to say in the subject that they were spam."

    This shows a fundamental misunderstanding of how SMTP works. The header is part of the DATA segment, which also carries the body of the message. So if you let the header through, you're also allowing full trespass and theft of service.

    Besides spam's annoyance factor, it carries a considerable cost: about 10 percent of your ISP bill, according to various sources (including the Gartner Group's recent report [brightlight.com]). So while header warnings might cut down on the annoyance factor some, it won't do anything to lessen spam's postage-due costs. Warnings in the HELO segment are a bit more acceptable, but still not great.

    --Tom

  • Free Esperanto Course with personal tutor by email. See here [www.iki.fi].

    Marko [mailto]

  • ... which I've never seen here in Austria anyway!

    :) Dave
  • of course the interesting question is, what about after labelling of unsolicited spam becomes required and standard..

    it's very likely that anything with the ADV: tag will be refused relaying. The spam _won't_ be sent and received, since most ISP's won't want to allow anyone within their POP3 server to get spam, and the SMTP servers will refuse to accept it..

    oh, and one more time: illegalizing spam altogether won't work. Spam will still be sent and received, but it will be done illegally and from fake e-mail addresses that can't be traced.

    "As evidenced by the American experience with alcohol prohibition in the 1920s, making a drug illegal causes its price to rise and its safety to decrease, but does not stop its use.." http://libertarian.org/policy.html#drugs
  • Ah, but see, the member directory is VOLUNTARY, and is also something I am not a part of.

    -- Give him Head? Be a Beacon?

  • all POP servers only accept email with a valid reply-to address, which they query

    First, a nitpick... POP servers don't accept mail from ANYONE. The POP protocol(s) are for retrieving mail, not sending. SMTP is for sending (which is probably what you meant.)

    But anyway, what happens if someone forges the reply-to address? It's pretty simple to do - just open your mailbox preferences and type in the address of someone else.. if the servers you're talking about check the ip address to see if this is a valid email relay for this address (which isn't possible to do - for a number of reasons) then all you'd need to do is set the return address to someone else on that server...

    If your friend couldn't spam, then it's because he/she didn't know what they were doing. (for example, it's pretty trivial to set up your own SMTP server, and use that as a mail relay...)
  • Telemarketers can call you collect, but since you can selectively refuse collect calls, it's not effective.

    A better telco analogy would be a fly-by-night telemarketing service which orders a trunk of lines, calls half of North America, skips out on the bill, and repeats the process. The telco then raises everyone's rates to cover losses.

    Spammers (and the fly-by-night telemarketers) shift costs to the guy in the middle, the one providing transport (ISPs on both ends or telco). Eventually all end-users pay indirectly with higher rates, even if they never personally get spam or fraudulent telemarketer calls.
  • I guess you've never heard of the MAPS RBL [vix.com] (Mail Abuse Protection System Realtime Blackhole List.)

    This is pretty much what you describe, and isn't limited to "the top ten ISPs" - any ISP can use it (in fact, Sendmail 8.9 has a configuration macro to use their database.)

    MAPS is very successful, and has been turned against such 'giants' as Microsoft and AOL (forcing them to close open relays.)

  • Who do advertisers pay right now? Web sites, newspapers, cable networks... The internet should make advertising more direct, like the 'free computer' deal. If an advertiser paid me some fraction of a cent every time he exposed me to some relevant or 'positioned' product, I would despise the marketing industry a lot less. As is, I have to pay for cable, then still put up with shi**y commercials.

    I like the idea of satellite radio. It's ten bucks a month, and no commercials. Now, say there was an option to pay five bucks a month, or perhaps nothing, and yet put up with commercial plugs. Fine. But give me a choice.

    d
  • Or you could pay nothing and listen to CBC or another non-US public broadcaster (CBC can be found at 5960 on the 49 metre band - at least I think it's 49 metres, I can't find my shortwave...) in the US and a range of frequencies that can be found at http://www.rcinet.ca/pages/hor_sw.asp . Alternatively you can listen to scores of RealAudio stations across the internet - many of them have no advertising (other than self-promotion).

    I think that there is another email problem similar to spam that needs to be addressed though (I've only been on slashdot for a little over a week so I'm not sure if it already has been) and that's those never-ending chain letters, which I've had come back to me every few months, despite ignoring them. The worst are virus warnings.
  • Here is the reply I sent many a spammer. Pissed off a lot of them and eventually caused one to complain to iName, where I had a permanent email address forward. Lost the account.

    By sending an "unsolicited advertisement" to my computer, which is equipped with all necessary components to be classified as a "telephone facsimile machine", any and all knowing participants in this unlawful email system are in violation of Title 47 United States Code, section 227(b)(1)(C). As per Title 47 United States Code, section 227(b)(3) it is my right to take each offender to court and collect damages in the amount of $500.00 per offence and per offender. I make it policy to offer offending individuals and businesses the opportunity to settle matters equitably for an amount of $200.00 which allows all parties to avoid possible further legal actions. Those who are not knowing participants need only disregard the monetary portions of this message and consider it an official complaint against a SPAMMER or SPAMMERS. If you are an entity who, by your business practices, promotes, supports or endorses SPAMMING, either by action or inaction, please feel free to change your ways because I will always be sending a copy of this message to you as a reminder.

    This settlement may be remitted, payable in U.S. Currency, to:

    My Home Address Here

    Globecomm: Please consider this an official "SPAM" complaint.

    Original Message Follows:
    -------------------------------
  • I'd settle for simply requiring unsolicited emails to say in the subject that they were spam.

    Help me to understand this. You want the government to regulate how spam can be delivered and specify how it must look, but you don't want government to be able to censor websites.

    I understand that going to websites is voluntary and that spam is out of your control, but the problem is that the [US] government is pretty much able to regulate their part of the internet or they aren't able to regulate it at all. When you give them control over part of it, it becomes control over all of it.
  • by scriptkiddie (28961) on Sunday July 11, 1999 @10:22AM (#1808440)
    I live in Seattle, where for over a year now there has been a US$500 fine for any spammer who sent mail to an address in Washington state. The law seems to work: I haven't received ANY spam on any of my local e-mail accounts, and it's really nice to be able to give sites my address and use anon FTP with relative security. Unfortunately, (I'm not a legal wiz so I might be wrong on this) the law defines spam as any e-mail with a FALSE RETURN ADDRESS.

    Obviously this leads to complications- what if I send mail with my friend's return address? What if I send out a million e-mails with my real address (and somehow claim they were not unsolicited)? I run a small Linux box that serves shell accounts to about 30 students. On the web site, I have a simple PHP3 script which allows visitors to click on any user and send an e-mail. Of course, a Web site can't determine the sender's address, so I ask senders to type it in. Since this mail is technically sent from my server, what happens if somebody clicks on a user's name, types in a false return address, and sends it? Even though the script can only send mail to users on that box, I might be exposing myself to liability. I haven't received any fines yet, and I doubt that I will, but I can only hope that mailers type in their real address. (P.S. No, we don't have open relays!)

    I am a member of the Seattle FreeBSD Users' Group, aka Seafug, mailing list. Recently some spam got through our cleverly designed procmail filters (I don't know how, it was not supposed to). Even though the spammer never got our individual e-mail addies, the spam was sent to all of us. To complicate the story, the actual server box is in fact the infamous dub.net, colocated somewhere fancy in Tucson. So although the spammer had an address that was in Tucson, the messages reached a few dozen people in Seattle.

    I think our spam laws are remarkably well designed, considering that the people who wrote them were civil servants annoyed that their SMTP servers were crashing, not expert hackers. But I think any legal solution to the problem is inevitably bound to have loopholes. That's why we need a technical solution to the problem - certificates would work, but a decent way for users to configure mail filtering from a client would be nice too.

  • by mrsam (12205)
    Hotmail has a member directory, like AOL, that can be harvested for addresses. There was no kickback of any sort from MSN to any spammer, sheesh. It's just some spambag running an address sucker.
    --
  • Having some (actually quite some) experience with Austria, I can only say that it's not a very liberal country (to say the least) with many laws literally dating back to early this century. Some laws, I would say, have a slightly fascist touch. A very Austrian solution, banning what you don't like.
  • I believe that the final solution to the spam problem will be a combination of both technical and political approaches: that is, some laws against spam on the books, but, more important than that, sophisticated mail filters to block the crud.

    If you put your mind to it, you can put together a bunch of mail filters that will reliably block 95-99% of the crud with a negligible false-positive rate. However, the problem is that even with that being the case, when spam is blocked it does not get cost-shifted back to the sender.

    Spam is a problem because it is a cost-shifted method of advertising: the recipients bear most of the cost in delivering the spam. The costs consist of network resources used to deliver the spam, and spending your time sifting the crud out of your mailbox.

    But even if you block the spam, you still do not shift the cost of it back to the sender. All that happens is that the spam disappears into the bit-bucket.

    To stop the spam, the cost of it must be shifted back to the sender. Every time the spammer starts spewing to a million addresses, 990,000 of them will come back as undeliverable, basically mailbombing the spammer off the Internet.

    Once that starts to happen, that will be the last time you'll ever see anyone spam.

    Unfortunately this is not possible because SMTP is not authenticated, so the only thing that can be done is to reject the mail, bouncing it back to the relay. That still isn't completely bad -- clogging up the relay is better than nothing. However, by the time you have the spam in the mailbox, your mail server already received and accepted the message.

    What's needed is for end users to be able to set up mail filters that are used by servers while receiving the mail via SMTP. Then, if your mail filters flag the mail as spam, reject it with an error code, and let the remote relay choke on the bounce. I've been doing that for over a year now -- works great. But this is not something that everyone can do right now, you can do this only if you run your own mail server.
    --
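Two comments in this thread turn on where in the SMTP dialogue a message can be refused: the Subject header travels inside DATA, and a filter that runs on the receiving server can answer with an error code so the sending relay keeps the message. The following is an added Python sketch of the receiving side, not code from any poster; the hostnames, addresses, the blocked-sender set and the three scripted sessions are constructed placeholders.

```python
import re

def addr(line):
    """Extract the address between <> from a MAIL FROM / RCPT TO line."""
    m = re.search(r"<([^>]*)>", line)
    return m.group(1).lower() if m else ""

def labelled_adv(lines):
    """Content filter: True if the Subject header carries an ADV: label."""
    for line in lines:
        if line == "":                      # blank line ends the headers
            break
        if line.lower().startswith("subject:"):
            return line[8:].strip().upper().startswith("ADV:")
    return False

class Receiver:
    """Receiving side of one SMTP session; filters run before acceptance."""
    def __init__(self, mailboxes, blocked_senders, content_filter):
        self.mailboxes, self.blocked = mailboxes, blocked_senders
        self.content_filter = content_filter
        self.sender, self.rcpts = None, []
        self.in_data, self.lines = False, []
        self.body_bytes = 0     # message bytes that crossed the wire
        self.delivered = []     # (recipient, lines) this server took charge of

    def handle(self, line):
        if self.in_data:
            return self.data_line(line)
        verb = line.upper()
        if verb.startswith(("HELO", "EHLO")):
            return "250 mx.example.net"
        if verb.startswith("MAIL FROM:"):
            self.sender, self.rcpts = addr(line), []
            return "250 OK"
        if verb.startswith("RCPT TO:"):
            if self.sender is None:
                return "503 need MAIL first"
            if addr(line) not in self.mailboxes:
                return "550 no such user"
            if self.sender in self.blocked:  # envelope stage: nothing sent yet
                return "550 refused by recipient filter"
            self.rcpts.append(addr(line))
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 no valid recipients"
            self.in_data, self.lines = True, []
            return "354 end data with <CRLF>.<CRLF>"
        return "221 bye" if verb == "QUIT" else "500 unrecognized"

    def data_line(self, line):
        if line != ".":                      # dot-stuffing omitted for brevity
            self.lines.append(line)
            self.body_bytes += len(line) + 2  # + CRLF
            return None
        self.in_data = False
        if self.content_filter(self.lines):  # headers are only visible here
            return "554 refused as spam"      # sending relay keeps the message
        self.delivered += [(r, self.lines) for r in self.rcpts]
        return "250 queued"

def run(script):
    rx = Receiver({"alice@example.net"}, {"bulk@spam.example"}, labelled_adv)
    replies = [r for r in map(rx.handle, script) if r is not None]
    return replies, rx

# Constructed client sessions (all hosts and addresses are placeholders).
BLOCKED_AT_ENVELOPE = ["HELO relay.example", "MAIL FROM:<bulk@spam.example>",
                       "RCPT TO:<alice@example.net>", "DATA", "QUIT"]
LABELLED_ADV = ["HELO relay.example", "MAIL FROM:<new@other.example>",
                "RCPT TO:<alice@example.net>", "DATA", "Subject: ADV: offer",
                "", "buy now", ".", "QUIT"]
ORDINARY = LABELLED_ADV[:4] + ["Subject: lunch", "", "noon?", ".", "QUIT"]
```

The envelope rejection costs the receiver no message bytes, while the label-based rejection can only happen after the whole message has been transferred; in both cases the 5xx reply means the receiving server never accepts responsibility for delivery.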

  • I wonder about this too. While I don't know the exact form in which spam is put out it must be possible to detect its transmission patterns, both at the transmitting and at the receiving end.

    All those ads for spam software I get spammed with promise gigantic amounts of messages per hour. Merely monitoring the transmission line should be able to detect what's going on. Yes, you wouldn't be able to setup a giant mailing list without talking to your ISP first. (That would be the least of your problems in running a giant mailing list.)

    Of course there would be 'spam-friendly ISPs', but if the rest of the net collectively cut off access to/from those ISPs...

    Why aren't there 'spam-wall' packages around?
