Eric Savage writes "The IETF, through IRTF, has formed an Anti-Spam Research Group. If there is any hope for a technical solution to the problem, it appears the first significant step has been taken. More info here in itworld and here in ComputerWorld." Three more exciting spam-related posts inside, including news from the Nevada legislature regarding spam, Arkansas' dislike of the meaty email and "when students go bad".
torklugnutz writes "The NV state assembly just voted 41-0 in favor of a bill which allows spam recipients to collect up to $500 per piece of spam. The new law also requires ADV to be added to the subject line so that recipients can more easily identify unwanted ads. In addition, spoofing of sender's email address or having an invalid return address is made illegal. The old law imposed a $10 fine on spammers, but required prosecutors to collect it. This law will, more than likely, increase my chances of reading the spam I get so that I can try to cash in. So, maybe I CAN make an incredible amount of money from this "Amazing Offer""
And in Arkansas: A.G. Russell writes "With House Bill 1008, subtitled "Unsolicited Commercial and Sexually Explicit Electronic Mail Fair Practices Act," Arkansas looks to join other states that have criminal and civil legislation in place to deal with spam. Can we help them craft this?"
And from academia: mansemat writes "Seems spammers are using a new tactic these days by paying students to send spam over university networks. This particular student will be disciplined by losing his computing privileges, and being educated on the policy he violated. One can only hope the education includes being subscribed to every pr0n, male enhancement, mortgage, etc. spam on the planet." Should have booted the miscreant.
What's the point? (Score:4, Insightful)
Re:What's the point? (Score:5, Insightful)
The point is that there is no point in a spammer sending out an email that does not contain instructions on how to obtain the product/service being advertised. And, therefore, it should always be possible to track down the person responsible for the spam. The point is that, without the promise of $500 for each violation, it was not economically viable to track down the spammer. Now, it may very well be.
I once managed to track a spammer to a town about 2 hours drive from where I live. If I had been able to collect $500 out of my efforts, it is something that I would do more often...
Re:What's the point? (Score:3, Insightful)
There's a little flaw in this logic: It ignores the "joe job", which is spam that is sent to get someone else in trouble by making it look like they are spamming.
What do you do when the apparent beneficiary of the spam claims they were joe-jobbed?
Re:What's the point? (Score:3, Funny)
If only the courts relied on humans to make judgment calls about who's telling the truth, rather than using a strictly algorithmic, deterministic parser that would be fooled by a joe job!
Oh, wait.
Re:What's the point? (Score:3, Insightful)
"What do you do when the apparent beneficiary of the spam claims they were joe-jobbed?"
If they are a legitimate company, they are required to maintain records.
Records of payments to the spammer should be sufficient. No sane company is NOT going to record an advertising expense, as to not do so is to pay for it twice over.
Sure there will be illegitimate businesses that DON'T do this, but if they are involved in "spamcains" to sell their wares, there will be MORE THAN ONE complaint. Claiming that they were "framed" may work once. Maybe twice, but over and over? Won't work.
The fact is, anti-spam laws WILL work if enforced, even if spam is originated overseas, because at SOME POINT, to make money from Americans, money and/or product has to be exchanged IN America...
Re:What's the point? (Score:2)
The crucial element here is "if enforced".
I'm also not sure how you plan to get companies to produce self-incriminating evidence that they paid for a spam run. The only means I can think of is to file a lawsuit and then use discovery to subpoena the records, but this would be prohibitively expensive. Few people would spend $1000 or more for a chance to collect a $500 judgement.
Re:What's the point? (Score:2)
Re:What's the point? (Score:4, Informative)
"I'm also not sure how you plan to get companies to produce self-incriminating evidence that they paid for a spam run. The only means I can think of is to file a lawsuit and then use discovery to subpoena the records, but this would be prohibitively expensive. Few people would spend $1000 or more for a chance to collect a $500 judgement."
Again, if a company is running "spamcains" there will be an obvious pattern of incriminating evidence. The local prosecutors should then step in and do the investigating.
This won't net sleazeballs that do a quick, one time only, "hit and run" spamcain, but how many do that now? Most of them run CONTINUOUS spamcains, as that is the only way the law of averages (given the
Good anti-spam laws will make doing this in the bulk required to achieve profit difficult to impossible.
Re:What's the point? (Score:3, Insightful)
Mostly true.
One exception I can think of off the top of my head is the pump-and-dump stock scam spam. All they're after is to get a bunch of victims to buy a worthless stock, push up the price, and allow them to sell the shares they've already bought at 1 cent for 20 cents.
Re:What's the point? (Score:3, Interesting)
I think that a better way to fight this would be a tech solution that involved the ISPs - but that would be hard to get set up etc... maybe someday.
duke
Drink RagingCow!!!! (Score:2)
Re:Drink RagingCow!!!! (Score:2, Insightful)
Anyway, will anyone be able to tell the difference between ad-saturated blogs and the current thing? I suppose the spelling might get better when professional copywriters get to work. And the references to "mi cat mittenz 3 3 3" might be replaced with "my cat Whiskas".
Re:What's the point? (Score:5, Insightful)
It's always about the money, or the budget.
Vicious circle I'm 'fraid.
But people will always speed
Re:What's the point? (Score:2)
So spammers will still spam, some people will be dissuaded from spamming but most will just make it less conspicuous (notably this is still an improvement over the current situation). The only real deterrent (beyond putting a bounty on their heads and thus getting every greedy person looking for them) is to allow rules they can follow. The rules I'm inclined to allow them to follow are: Opt-In not Out, marking the subject in some obvious way (i.e. ADV:), and not faking any headers.
I know I would be much more likely to follow the rules if they were fair but not too limiting. If you were allowed to speed if you used a special lane and you always wore your seatbelt, would you be willing to follow those rules? I would. So if the spammers are still allowed to make their money by sending advertisements in email but they had to follow the rules, would they? I don't know.
It seems to me that them sending spam to me is a waste, I'm never going to make them money. So limiting myself and the many others like me out of their lists actually saves them some money without costing them any potential funds. It's like telemarketers, they don't mind if you use a TeleZapper or things like that, because if you're willing to get such a device you aren't going to buy anything from them.
Re:What's the point? (Score:2)
Re:What's the point? (Score:2)
Agreed. Maybe the solution would be to set up the law to also target the people who hire the spammers since they are really the ones fueling the fire by paying the spam kings to do their dirty deeds. They should also be easier to track down as they need to put some kind of contact info in the message for it to be effective, i.e. you can bounce emails advertising your penis enlargement pills off some campus server or off China, but you have to have a website with a credit card service if you want to actually sell penis enlargement pills. Having the credit card service implies that MasterCard, Visa, etc., have the business address of the folks who asked the spam to be sent out. Since the sellers are therefore much more easily tracked down, they have the kind of accountability that is needed to effectively impose fines. After a few of them get whacked with boku bills, many of the rest of them will start putting ADV in the subject line which in turn will cause my ISP's filter to kill the messages, meaning that advertising via spam will become yet more unprofitable and the number of people hiring spam agencies will drop. It's not a perfect solution since some spam doesn't need a formal contact point to be effective (i.e. the folks from Nigeria who need help getting money out of their country), but it'd be a start.
Arkansas emphatic (Score:5, Funny)
Re:Arkansas emphatic (Score:2)
This makes a nice corollary to:
Seeger's Law: Anything in parentheses can be ignored.
Underline is standard markup for text insertion (Score:2, Informative)
It isn't so obvious in this bill, because it's a completely new section. But, if an existing statute is being changed, it can be cited or excerpted and show the insertions and deletions in context.
Re:Arkansas emphatic (Score:2)
underline something it MUST be obeyed
SILLY LEGISLATORS -- THAT'S WHAT CAPS ARE FOR
Re:I think you mis-HTMLed (Score:2)
Technical solution (Score:5, Insightful)
Re:Technical solution (Score:3, Insightful)
Not quite (Score:5, Insightful)
Re:Not quite (Score:2)
Having legislation and expanding them worldwide in some way is more like a cure than technical measures (is expressly prohibited, not that some hackers do this to limit my rights).
You can have local technical measures, but this is no guarantee that the spammers don't find a way to bypass them (i.e. most of the spam that reaches me by now has modified words to bypass Bayesian filters, like v*i*a*g*r*a, V1AGRA or embedded html comments, fortunately popfile also has workarounds for most of this). Having a good percent of domains that implement those measures will be bad for spammers, of course, but there is still a long way to go before this is reached.
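The three evasions named in the comment above (separator characters between letters, digit-for-letter swaps, and HTML comments splitting a word) can be undone before tokens reach a Bayesian classifier. This is an added Python example, not code from the post or from popfile; the function names, the digit mapping and the sample strings are assumptions constructed for the illustration.

```python
import re

# <!-- ... --> inserted mid-word renders as nothing in an HTML mail client.
HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)

# Three or more single alphanumerics joined by punctuation: v*i*a*g*r*a, v.i.a.g.r.a
SPLIT_WORD = re.compile(
    r"(?<![A-Za-z0-9])(?:[A-Za-z0-9][^A-Za-z0-9\s]){2,}[A-Za-z0-9](?![A-Za-z0-9])"
)

# Assumed look-alike table; extend it from what your own spam corpus shows.
DIGIT_LOOKALIKES = str.maketrans("013457", "oieast")

TOKEN = re.compile(r"[a-z0-9]+")


def naive_tokens(text):
    """What a filter sees when it only lowercases and splits."""
    return TOKEN.findall(text.lower())


def normalized_tokens(text):
    """Tokens after undoing the three obfuscations."""
    # 1. Drop HTML comments with no replacement so the word halves rejoin.
    text = HTML_COMMENT.sub("", text)
    # 2. Collapse letter-separator-letter runs into one word.
    text = SPLIT_WORD.sub(lambda m: re.sub(r"[^A-Za-z0-9]", "", m.group()), text)
    tokens = []
    for tok in TOKEN.findall(text.lower()):
        # 3. Map digits to letters only in mixed tokens, so plain numbers
        #    such as "500" or "2003" keep their meaning as features.
        if any(c.isalpha() for c in tok) and any(c.isdigit() for c in tok):
            tok = tok.translate(DIGIT_LOOKALIKES)
        tokens.append(tok)
    return tokens


# Constructed subject/body fragments, one per evasion.
SAMPLES = [
    "Buy v*i*a*g*r*a today",
    "Cheap V1AGRA, $500 off in 2003",
    "Get via<!-- q7x -->gra now",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}\n  naive:      {naive_tokens(s)}\n  normalized: {normalized_tokens(s)}")
```

The mapping is lossy on purpose (a token like "win32" also gets rewritten); what matters to the classifier is that training and scoring use the same normalization.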
There are ways (Score:2)
Re:Technical solution (Score:5, Interesting)
I read an article once about a guy who lives in a multi-million dollar house in one State and just burns though trial ISP accounts in other states that can't properly prosecute (if that's the right term, since most States don't yet have decent laws against spam).
Big Karma bonus for the governors of NV though, 41-0 on passing laws to nail the perpetrators AND fining them $500 for each successful plaintiff in court.
Oh yes, I see the day when I no longer need the words 'rape, enlargement, mortgage, lolita, diploma and toner' in my filter list for 'Permanently delete'.
Re:Technical solution (Score:2)
I'm not arguing over killing spammers, but surely beating the most tenacious should soften them up...:)
Re:Technical solution (Score:2)
Do those topics come up a lot in your non-spam emails?
Re:Technical solution (Score:5, Funny)
Re:Technical solution (Score:2)
I'm no longer a chunky monkey though because filtering out the weight loss ones is a bit hard - they use such normal English.
The Chinese/Korean ones are easier 'cos they use double bit entry, which usually puts a whole string of 'à' characters in the subject line.
And I never filter by body-text, just subject line. It blocks 99% of spam without a need for extra software.
Re:Technical solution (Score:2)
Once again, Nevada takes the moral high road, leaving the rest of the nation to follow.
I hope that makes sense, I've been up all night drinking 'cause I lost my paycheck at the craps table.
Re:Technical solution (Score:5, Insightful)
I for one would prefer to live in a country where prostitution was legal and the cops conducted nightly sweeps to round up and jail spammers.
Jailed for spam? (Score:2)
They could charge admission... I wouldn't pay $30 for a "male enlarger" but I might to throw some rotten eggs at a spammer.
Re:Technical solution (Score:2)
I love Australia...
Re:Technical solution (Score:5, Funny)
An interesting proposal. Spews and SBL are probably Leukocytes [redcross.org]. SpamCop users might be APCs [myimmune.com]. But I don't see any Macrophages [supercolostrum.com] in our virtual immune system. That must be why spam is so rampant -- we need activists to go eat the spammers! Volunteers, anyone?
I wholeheartedly agree (Score:3, Funny)
Re:Technical solution (Score:2)
White blood cells may be very good at dealing with Viruses and bacterial infections, but are going to be less useful in dealing with deliberate poisoning.
Thick skin, better prevention, and increasing tolerance to the poison seems to be the only way to deal with the issue. Treating the person doing the injecting as a criminal seems legitimate to me.
Then again I may be wrong.
-Rusty
Re:Technical solution (Score:4, Informative)
A better analogy than you may realize! Spam is like bacteria; it is self-reproducing (spam for spam software, spam for millions-of-addresses CDs). Using spam filters exerts a selection pressure on the spammers, and the stronger spammers adapt to the filters, become resistant, and multiply.
At AOL, as the single biggest target of spammers, we had to think very carefully about the effects of filters before we implemented them; turning on a weak filter would be just as bad as taking weak antibiotics for a day and stopping, and in some cases it could make the problem worse. For instance, we once decided to start treating any message with >N recipients as likely spam. All we did was force the spammers to start sending messages with one recipient each - which meant we now had to process N times as many messages as before!
(Incidentally, the antibiotic analogy led me to discover, and donate to, the Alliance for Prudent Use of Antibiotics [apua.org], which fights overuse and improper use of antibiotics, helping to keep resistance down. Check them out and give them some money; you'll save on your own health care costs in the long run.)
Jay the ex-AOL Mail Guy
No, but (Score:2)
Re:What is the best software technical solution n (Score:3, Funny)
I've been pretty much spam-free since I activated it for my account. Good luck!
--K.
Re:What is the best software technical solution n (Score:2)
spam spam spam (Score:3, Interesting)
Still, I have to wonder if this is a slippery slope that we are travelling down. How long before chain emails and innocuous humorous forwards are also denied?
Spam: defined (Score:3)
Re:spam spam spam (Score:3)
Not at all. "Spam" is unsolicited bulk e-mail. The only part of that definition that is in the least ambiguous is the minimum quality that constitutes "bulk" (however, this is not a problem in practice -- the gray-area range of a few hundred or thousand is several orders of magnitude below the size of a typical spam dump).
Something Smarter Is Needed (Score:5, Interesting)
Re:Something Smarter Is Needed (Score:3, Interesting)
The vast majority of my spam comes from Americans, though not always via US ISPs. I get the occasional pyramid scheme - the same one every time, and it's fun to watch it wander around the world - and of course the Nigerian fraud, and once in a while a spam all in Chinese, but on the whole it's Americans who are the problem. A strong US spam law would go a long way to solving this.
Re:Something Smarter Is Needed (Score:5, Insightful)
Once laws start up the SPAMMERS will move offshore. Just like the guy who lives in Detroit. This SPAMMER lives in the US, but does not send the SPAM via the US.
Re:Something Smarter Is Needed (Score:4, Interesting)
The difference is that spammers need a point of contact to make money. Making their bandwidth thefts explicitly illegal allows the police to seize the contact points.
Re:Something Smarter Is Needed (Score:2)
Pedant point: SPAM is a luncheon meat made by Hormel Foods. Spam is unsolicited bulk email. That said...
Are these spammers actually going to move offshore? Move themselves, physically? Because if not then they're Americans in America sending emails on behalf of American companies also in America to American citizens living in America. I get the feeling there's somebody there to go after.
Right now their motive in moving their electronic operations overseas is to avoid getting shut down. US ISPs have, to their credit, been learning about spammers lately; it's fairly hard for the major spammers to do business, though the chickenboners who go through throwaway dialups are unaffected. If a law were passed allowing the spammer to be pursued, rather than just his internet access, then the spammer's meatspace operation would have to leave the country too. Maybe the big boys will consider it, but it'll be too much for most of them to contemplate.
Re:Something Smarter Is Needed (Score:3, Interesting)
Telemarketers try this, but it doesn't work because of the law. The Telephone Consumer Protection Act of 1991 allows for private right of action not just against the telemarketer, but also on whose behalf the call is placed. If the same measures are placed in spam bills, it won't matter if the spam is relayed through Korea, Iraq, or the Space Station; you will be able to sue the people that hired the spammers or those that get the financial benefit. Some people will claim that they are being joe-jobbed, but that defense rarely stands up in court. You will still get software/warez ads, porn spams, offshore cigarette ads, etc where the spammer and company are offshore, but RBLs and other black lists will be able to stem that without too much of a problem.
Re:Something Smarter Is Needed (Score:2)
Opium cultivation is illegal in every country, but the Taleban still tolerated it 'cos that was basically their government budget float.
Unofficially the Burmese Army are also reported to cultivate opium in large quantities but since it's very hard to check on 'Rogue States', these practises are still widespread yet denied by the Government.
I don't think the spam problem is as bad as Heroin, but the people that deal in it are there solely for one thing - profit. Damn Ferengis!
PS, comment above/below RE: 99% of my spam is from the US. 100% of commercial spam is US, p0rn spam is a little broader.
Re:Something Smarter Is Needed (Score:2)
In local news today... A class action brought against Florida based company over "anti-spam" laws netted a group of Russian/Chinese/Bulgarian businessmen $1.3m, half of which was paid to the lawyers who took up the case on their behalf. After successfully claiming that 2600 unsolicited messages had turned up on their mail server from the local direct marketing company...
Need I say more? People would just end up profiteering from the spammers, which would lead to laws protecting marketing business from said practices.
Again, vicious circle. Except this time it's the crooks taking other crooks to the cleaners.
Pay me for spam? (Score:3, Funny)
Re:Pay me for spam? (Score:2)
$500 a piece? (Score:3, Funny)
Instead of all this, (Score:5, Funny)
Don't forget (Score:2)
Re:Don't forget (Score:2)
I can see the e-mails now (Score:5, Funny)
Please sign this bill from your state assembly! I did it and I got my wish! If you don't want to get this e-mail from the state anymore click the sucker link at the bottom!
&they posted emails. Brave souls, i guess they (Score:1)
paul.judge@ciphertrust.com.
Mail List
The email list is asrg@ietf.org. You must be a list member to send mail to the list. Subscribe via asrg-request@ietf.org. An archive of the email list is available at the ASRG mail archive."
I'm HOPING that the slashdot community uses this for good, rather than for email. C'mon, people, these people DO want to help....
(on a side note entirely, i was hoping for "Anti-Spam Governing Alliance for Research Developments" or some such... you know, ASGARD? Bloody Vikings!! I mean, who else would be keeping them in line?)
The more spam I get, the better Mozilla does (Score:3, Informative)
A Tad suspicious (Score:1)
The case for Arkansas (Score:3, Interesting)
Since there are already some legislations out there going in the right direction (California, Washington DC, Nevada, ...) why don't they just "borrow" the text from another state?
once again (Score:2, Insightful)
Great that Nevada passed the law, step in the right direction. But this would only apply if the spam or the company profiting from it came from Nevada, right? I don't think the male enhancement people from Belarus need worry about this law...
All they need to know (Score:2, Insightful)
Can you say work ethic? (Score:3, Funny)
Way to get on the ball with those 3 meetings... a year...
Most IETF work is done on mailing lists (Score:3, Informative)
Another set of attacks on the effect not source (Score:2)
Spam loopholes... (Score:5, Insightful)
o unsubscription method is not feasible. I received an unsubscription method that went like this
Who is going to send a snail mail letter long distance to seemingly be unsubscribed from a spam list? Now it's starting to cost _me money to be unsubscribed. The law says to have _an unsubscription method of some sort - this falls within the law no matter how bad it is.
o unsubscription web page is non-existent - this happens too often
No! Wrong! Never! (Score:3, Informative)
If you haven't figured out, unsubscription is really just a confirmation that you exist.
Until you either reply or unsubscribe, they don't really know if they have a 'live' email or not, unless you're allowing html mails to access url-loaded external elements, such as gifs and other web bugs.
If you allow them to push the idea that what they do is OK until you object by unsubscribing, they have won critical ground. At that point, you are on the defensive. You will have to unsubscribe to every email spam that you receive.
Of course, then, they just re-sell your address and the whole cycle starts again.
I never agreed to an opt-out scheme. When I decide to opt-in, I'll let them know.
Cheers,
Jim
Re:No! Wrong! Never! (Score:2)
Easy, you're on their list. How you got on their list is highly debatable - I for one did not subscribe to anything though they say I did. When you un-subscribe you are seemingly being removed from their list.
I am aware of the ``reply to let us know you're active''. When spam lists are sold they don't tell the second spammer that the user is active, just that these are recently checked valid email addresses. They're not going to say "well we mailed this guy a few times and he didn't reply - let's just cross him off the list". Of course that scenario happens in fantasy land.
No, the idea is that there is a legal framework to say you don't want to be sent unsolicited mail. If the law fails then all hope is lost.
Spam Relies Upon Deceit (Score:5, Insightful)
A large percentage of "junk mail" depends upon some fashion of deceit. Either it's by masking the true identity of the sender, a spam-haus using domain after domain and ISP after ISP in order to avoid the blacklists or simply by lying and saying that "you really indeed did ask for this".
The answer to the spam problem is to find technical answers that start peeling away at the ways spammers use deceit.
I've said this before and I'll say it again, the first place is to rewrite RFC-821 and require valid reverse-name lookups before accepting mail. Also permit as an authentication scheme that allows the administrator of the accepting mail system to set permissible trust levels. Example, mail that's verified (through an SSL certificate might be one way) as coming from gm.com is accepted, but mail coming from slashdot.org is set to a lower trust level (because they don't want to spend the money for a certificate). Mail from getyerviagra.com is immediately tossed into a review folder, trashed or denied because they don't reverse properly and they have a forged or self-signed certificate or simply don't have one.
The LAST thing anyone here wants is ANY government telling us how to manage electronic mail. In the US, it'll be fraught with hooks and back-doors so the feds can snoop your mail.
Let's get it together and fix the problem on our own.
Re:Spam Relies Upon Deceit (Score:2)
Re:Spam Relies Upon Deceit (Score:2, Interesting)
Amen.
Currently, there is no way for RFC-821 mail to eliminate spam. It was written for a few college profs to pass notes. Trust was rampant. The command stream is in plain English. HELO anyone?
It's 1000 times more difficult to add security to something than to design it in from day 1. How many examples can you think of?
I've been thinking about a better email for a long time. How about to log onto a "SMTP2" server you need a valid user/password rather than a stupid open port? Maybe each email account could have a public/private key combination. Tack the public key on to every outbound message, and have the first hop verify the sender. If the account is hacked, drop the private key and bingo - it can't send email.
An added benefit - you could decide to PGP encrypt all email on the fly.
And let's say that only 5 sites in the world run SMTP2 servers. Wouldn't you want to be on one? "We promise spam free email communication on our new email network." I wouldn't care if I couldn't talk to anyone on AOL. Besides, once it caught on the behemoths would eventually jump in anyways.
Weaselmancer
Re:Spam Relies Upon Deceit (Score:2)
To wit:
No "rewrite" of any RFC is required to achieve this, as in fact many sites already do this. As a result, spammers now almost universally forge valid domains (and even valid usernames) in their spams, causing those innocent third parties to receive all the bounces. This has made matters worse, not better.
Incidentally, RFC 821 has been obsolete for some time. The current SMTP specification is RFC 2821.
What a nonsensical idea. It'd be a real boon for the spammers, though. This is like buying protection from the mafia. The spammers will buy their certificates and keep on spamming in the assurance their spam will be assigned a high "trust" level; the common man with his own home mail server will not be able to send mail to his friends without it getting trashed because he cannot/won't afford the certificate. Not only that, it allows the spammers to keep sending their spam. They don't care if it gets trashed - in fact, the spamming scumbags will always find enough suckers ready to respond to their bait, so they love it if people "just hit delete" instead of hunting them down and busting their asses, and your plan is simply an automated "just hit delete" scheme. This plan will thus only serve to legitimize spamming as well as increasing corporatization of the internet.
I happen to run a set of support/discussion mailing lists for people with a certain neurological handicap. I run my own mail server because I refuse to compromise my members' privacy to an ad-supported certified spamhaus such as Yahoo Groups. Under your plan I could forget about running my lists my way. Non-commercial discussion lists would cease to exist.
Hello? What planet did you just arrive from? On mine, the feds (and their equivalents in other countries) have been snooping mail for a long time. Do you really think any solution for spam would change that one way or the other? Or are you just spouting the usual slashbot anti-government drivel?
You might as well say that burglary should not be combatted by the government because you wouldn't want the government to tell you how to manage the locks on your front door. It'd make about as much sense.
Spam is a social problem, not a technical one. Real technical solutions [spamhaus.org] nonetheless already exist and are pretty bloody effective for those who care to actually use them properly. That's because, rather than just deleting the spam, they prevent it from arriving into your system in the first place, and provide social pressure to internet providers to kick off their spammers. Without DNS-based blocklists, spam volume would have been growing several orders of magnitude faster than it has been.
The best solution... (Score:3, Interesting)
If no one ever buys anything from spammers, spam will stop.
Unfortunately, the one in ten thousand who buys into this makes it worthwhile to spend a buck to send 10,000,000 emails.
Some people just refuse to believe that unsolicited email offers are a problem. The marketing director at our company keeps pushing to "buy this list of targeted email addresses" or "pump up our ranking in search engines" as offered by the latest spam he receives. These people aren't responsible for spam, but they're responsible for making it profitable.
Like anything else governments try to control (US war on drugs anyone? how about the US prohibition era? prostitution?), spam will continue to exist as long as there is enough demand to justify the low cost of email.
Just say no to spam?
Loophole alert (Score:5, Funny)
Once again (Score:5, Insightful)
Here are three easy steps to stop spam:
Even if no one buys anything from a spammer.... (Score:2)
First, there are religious and political spam that isn't at all related to monetary gain.
Secondly, many spammers make their money off of people paying them to spam rather than directly from the sales. As long as there are people who think that since there is so much spam, people must be making money off it and therefore are willing to pay a spammer to try for a while, there will be spam. Many businesses will start spamming when times are really bad for them and they think "hey, it only costs $500 to pay the spammer, and it might save my business!".
Thirdly, there appears to be "spam" which is really just a DOS attack.
Fourth, you can use "forged" spam to tarnish your competitor or political opponent.
Fifth, you can spam and claim that the spam was "forged" by a competitor and/or political opponent in order to tarnish you.
Re:Once again (Score:2)
Take for example theft. We lock our house doors and our car doors to prevent theft, even though theft is illegal and anti-social.
So the spam problem, while it's true that it's a social problem, I don't think you have "The" solution. We need technical fixes too, and we always will.
In addition to spam... (Score:2, Insightful)
I've come up with a name for these emails. It's full of miscellaneous stuff (indents, headers), no one knows where it originally came from, no one seems to really want it, and it gets passed around endlessly (I frequently get several copies of each - often from people who were on the same to: line as I was the first time I got it!).
I call it "fruitcake".
Now here's the question:
Would it be reasonable to write a filtering program that:
How to defeat spam (Score:4, Insightful)
Just make sure as many people in your neighborhood never see spam, and after a while spamming will not be as much as a problem as it is right now.
Informing the common computer users is the first step.
Summary of IETF ASRG discussions (Score:5, Informative)
The most interesting discussions that I've seen so far are:
Most spam specific programs will not queue and retry, and thus the spam will be dropped.
Spammers that use real mail transfer programs or open relays will need to be able to hold all their outgoing spam for a while, increasing the spammer's costs and slowing down the delivery of spam. Legitimate email will not be thrown out, it will only be delayed and only for the first time.
Of course, you don't really want the databases to remember every sender-recipient pair forever, nor do you want to remember pairs that were added by spam so this really isn't a "first time" database, but it is close.
Apparently the "canit" program already does this, but I had not heard of this technique before.
If you filter during the email receive process, you can make the sending MTA do the bounce. This means that you will not have to deal with spammers forging "from" and "reply-to" headers. You won't have to clean up bounces that never succeed, nor will you be responsible for bouncing spam to another victim that the spammer selected for the "from" or "reply-to" headers.
Also, false positives will receive a bounce message instead of just disappearing. This reduces the danger of important email being lost.
Right now, there are DNS records that tell you which IP addresses are valid to try and send email to for a given domain (the MX records), but many ISPs have different machines for sending and receiving email. There are currently no DNS records to tell you which IP addresses a domain will send email from.
The problem with this kind of proposal is that there are many people who think they have legitimate reasons to forge "from" or "reply-to" addresses. It also forces ISPs to make sure that every time they add a new outgoing mail server, they need to update the list of valid IP addresses. If they forget to do this, then only bleeding edge spam filters will detect a problem.
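The temporary-rejection scheme summarized in the comment above, as an added example that is not part of the original thread or of any product it names. It answers at SMTP time, so the sending MTA does the retrying; keying on the client IP as well as the sender-recipient pair, the timing values, the 451 reply code and the sample addresses are assumptions made for illustration.

```python
# Added illustration of "delay the first message from an unknown sender-recipient pair".
# All addresses, IPs and timings below are constructed sample values.

class Greylist:
    def __init__(self, min_delay=300, pending_ttl=4 * 3600, pass_ttl=30 * 86400):
        self.min_delay = min_delay      # seconds before a retry is accepted
        self.pending_ttl = pending_ttl  # drop first attempts that were never retried
        self.pass_ttl = pass_ttl        # drop proven entries that have gone quiet
        self.pending = {}               # triplet -> time of first attempt
        self.passed = {}                # triplet -> time last seen

    def _expire(self, now):
        # Nothing is remembered forever, and a sender that never retried
        # is forgotten without ever being promoted to the pass list.
        self.pending = {k: t for k, t in self.pending.items()
                        if now - t <= self.pending_ttl}
        self.passed = {k: t for k, t in self.passed.items()
                       if now - t <= self.pass_ttl}

    def check(self, now, client_ip, mail_from, rcpt_to):
        """Return the SMTP reply code to give at RCPT TO, before DATA."""
        self._expire(now)
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            self.passed[key] = now          # known pair: no delay
            return 250
        first = self.pending.setdefault(key, now)
        if now - first < self.min_delay:
            return 451                      # temporary failure: sender must queue and retry
        del self.pending[key]               # retried after the delay: promote
        self.passed[key] = now
        return 250


def simulate():
    g = Greylist()
    mta = ("192.0.2.10", "alice@example.org", "bob@example.net")     # real MTA, retries
    bulk = ("198.51.100.7", "offer@example.com", "bob@example.net")  # never queues
    events = [(0, mta), (0, bulk), (60, mta), (900, mta),
              (5 * 3600, bulk), (86400, mta)]
    return [g.check(t, *who) for t, who in events]


if __name__ == "__main__":
    print(simulate())
```

The second `bulk` attempt arrives after its pending entry has expired, so it is treated as a first attempt again rather than as a successful retry.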
An organization to sue spammers? (Score:2)
Even though I'm tarpitting so many spammers, the number of spam attempts I'm getting is steadily increasing. It bugs me that more and more people are trying to sell me underage pornography and shady business opportunities and miracle health products. It really bothers me that my poor neighbors, who have young kids, are getting all sorts of smut and trash blasted to their emailbox (and to their screens, thanks to Windows spyware and that stupid NetBIOS alert-dialog security hole) and have no idea how to protect themselves from it.
There needs to be a MUCH easier way of suing spammers. I've got an idea: why not form an organization whose sole purpose is to pursue legal action against spammers, on behalf of the people who are being spammed? In return for tracking down the spammers and handling the court cases, this organization would be more than welcome to keep the proceeds from winning their cases.
To me, knowing that more spammers are being brought to justice is more important than me getting money out of them.
Laws *will* help (Score:2)
1) Make local laws to criminalize spam
2) Harmonize laws
3) Pressure remaining rogue states to join the system
4) Economic or military sanctions to the rest
That is the way it went with patents, copyrights, drugs, and other laws. Spam laws will follow the same pattern. Unfortunately it can take decades.
Re:Laws *will* help (Score:2, Troll)
Now a do not call/email list is different. You are telling these people that you do not want them to talk to you. Violations of this type could be a type of harassment. That being said, the best way to fight technology is with technology. Legislation does not work - it only serves to restrict civil liberties.
Perhaps it's time for a new mail protocol that employs public key encryption with signed messages that get filtered on the server level. This way, somebody who gets added to your "go-away" list cannot disguise himself as someone else, or at least someone who is on your "love to hear from you" list.
Slashdot crowds are fickle, one minute they are all up in a rage over freedom of speech and civil liberties and "code is speech", free P2P, etc... and the next they are calling a legislative "jihad" against the very technology that they don't want regulated. Give me a break.
Re:Laws *will* help (Score:2)
Re:Laws *will* help (Score:2)
Nonsense. A law against spamming is already a warning that you had better not spam. By your reasoning, there should be no action against a murderer unless the victim sends a complaint (via John Edward, perhaps).
Re:Laws *will* help (Score:2)
No, murder (unlike speech) is not protected under the constitution. I should have the right to send anyone any email I want, unless they first express their disinterest. A government that can regulate commercial email can also regulate personal email and this opens the door for censorship and other such undesirable impairments of civil liberties. How is this any different than receiving unsolicited junk mail via USPS? Should it also be illegal to hand out flyers to passers-by? I'll say it again: legislation on this matter will only serve to hamper civil liberties. I for one do NOT want congress telling me what I can communicate to other people.
Re:Laws *will* help (Score:2)
OK, folks, all together now:
There, was that so difficult to comprehend?
I'll say it again: legislation on this matter will only serve to hamper civil liberties.
Theft is not a civil liberty.
Re:Laws *will* help (Score:2)
Using this logic, then ALL email is transmitted using bandwidth stolen from the recipient (which is not actually true). As a recipient I can only incur a bandwidth loss if I agree to download the message - which means I am expecting someone to have sent me email. Don't like it? Don't use email.
The solution for spam - really (Score:3, Interesting)
Some people (notably congressmen) seem to think legislation can fix this - that's silly. How will you legislate against the spam you receive from China, for example?
There are a couple of big issues with spam - 1) the annoyance factor - people just don't like to get it - their time and brainpower are wasted searching for their "real" email, and 2) the bandwidth problem - recipients and ISPs are being forced to pay for spam themselves via bandwidth costs.
The closest thing we have to an answer today is whitelisting - the idea that you only accept email from people you've already listed as authorized senders. Whitelisting removes significant email functionality (currently a lot more functionality than really necessary because there's no standard implementation) - you can no longer get email from a long-lost friend or in response to account creations on web sites, for example.
Nonetheless, whitelists are the closest thing we have to a solution for Spam Issue #1 listed above (the waste of time and brainpower). Unfortunately, they do very little to address the bandwidth issue.
Some ISPs (Hotmail, for example) have implemented whitelists on the mail server side so that clients don't actually have to download the messages from non-whitelisted senders. However, this only relieves the bandwidth burden from the end-user, not from the ISP. ISPs can be protected from spam too.
There's also an even bigger problem with whitelists - how do you authenticate authorized senders? If you only rely upon the email address of the sender, your system will quickly become useless as spammers identify addresses you're likely to accept email from. This will happen really quickly in environments where whitelisted addresses are predictable (e.g. companies usually have a postmaster or administrator email address; people living in countries that give each citizen an address are also likely to have predictable whitelisted addresses).
So we need a whitelist solution that includes strong authentication and allows spam to be cut off before it wastes too much bandwidth. Here it is.
The solution involves several features: 1) a public key infrastructure that allows recipient whitelists to be looked up; 2) extensions to the SMTP protocol to allow servers to validate messages against whitelists before accepting the message (i.e. without opening the message itself to search for a public key); 3) interfaces to allow recipients to modify their whitelists; 4) interfaces to allow senders to request that they be added to a recipient's whitelist (although carefully designed to prevent this system itself from being co-opted into a spam method).
With such an infrastructure in place, additional spam control is possible. A compliant mail relay can check a message sender against the message recipient's whitelist and choose to reject it immediately. The cost associated with implementing this check can be passed directly to the sender - mass emailers can still do their work, they just pay more (or go elsewhere).
If a spam message still makes it to the recipient mail server, that server gets the sender, recipient, and sender's key in the SMTP headers before the "DATA" section of the SMTP exchange occurs. With that information, the recipient mail server can validate the sender against the recipient whitelist - if the key isn't allowed, then the message is rejected before the actual message is delivered, offering a huge bandwidth and cpu-overhead savings for the ISP.
So where should the actual whitelists be stored? For performance (and DDoS-limiting) reasons, the key infrastructure and the whitelists it provides will probably need to be a lot more distributed than they are now, probably to the point of being hosted on systems at the recipient ISP.
Perhaps the whitelists ought to be separated from the key infrastructure, hosted on separate systems - I think it makes sense to provide a provision for this, but not to expect it to be the initial implementation. (Thoughts?)
You may be thinking we already have a suitable key-based authentication infrastructure in place in the form of PGP - I disagree. Although I think PGP is a good start, I don't think the "web of trust" idea will hold up to spammers' attacks. Once someone is strongly motivated to compromise the web of trust, doing so becomes trivial. I believe that this fact will also reinforce the likelihood of key servers being hosted by recipient email systems, where recipients can be charged for key maintenance as part of leasing their email accounts.
Although all of this infrastructure would take a while to design, standardize, and implement, it's certainly an attainable goal, and it would dramatically improve our ability to handle spam.
Of course, whitelisting is not without its drawbacks, even when it works perfectly. The design outlined above is almost certain to incur ongoing expense for a recipient in the need to maintain a key on a server - I think it's unlikely that free email services will be willing to offer this service, at least until it is well-established.
Deployment of such a system will probably require a lot of either altruism or foresight on the part of ISPs - in the beginning the system will be virtually useless, meaning its return on investment costs will be minimal until a large user base is established. It is my hope that altruistic organizations will both fund and initially implement such a system - universities come to mind as the most likely such organizations, hopefully with some poking and prodding from other well-funded groups (government, the IETF or IEEE, etc).
Ok, now that I've written all that... do I sign my name?
-- Trever, t at wondious d0t com
Wow, I don't ever have to work again.. (Score:2)
@ $500 per spam...
so that's about 37500-50000 a day... 365 a year..
wow... I'll be rich! Rich beyond dreams of avarice! Hoorah! I knew there was a good reason I kept all of those spam receiving e-mail addresses.
It's *NOT* a technical problem (Score:2, Interesting)
The only solution which will work is one that involves the spammer at a very real, intimate, and very personal level. This is definitely not a "Politically Correct" solution, would be illegal in many countries, and reprehensible to anyone with a conscience, but it would go a long way toward solving the problem.
The email system is broken. (Score:2)
Re:It'll never work... (Score:5, Funny)
Maybe you can't enforce Arkansas law in Texas, but the Texans can sure enforce their law in Arkansas. All it takes is a shotgun and a pickup truck.
Re:It'll never work... (Score:2)
Re:Darn it !!! (Score:2)
Umm, yer forgot to post your e-mail address. I'm sure someone will take the time to write you.
Re:Spam is psychological... (Score:2)
Contact Brainclone Enterprises, if you are an ISP and would like to have this set up for you and your email users. Anthony@brainclone.com
Not only is this a half-baked attempt to make a profit from applying sender-receiver pairs to mail traffic analysis, it is attempting to actively undermine the value of email in general. Hint: if I get a bounce telling me to go type a credit card number into some random web site in order to communicate with someone, I'm going to giggle and assume there's no good reason for me to communicate with that person.
Meanwhile, actually useful methods of fighting spam will continue. Thank you, drive through.