Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Spam Security

SendMail CTO Sounds Off On Spam and FTC 233

CowboyRobot writes "Eric Allman takes his well-deserved turn in commenting on the state of spam, the dark future, and the need for intervention. He calls spam an "arms race" where "in the long run everyone loses (except the arms dealers)." As you might imagine, he's on our side, and he does a good job of clearly describing the current state of spam, and the possible solutions."
This discussion has been archived. No new comments can be posted.

SendMail CTO Sounds Off On Spam and FTC

Comments Filter:
  • I like the idea (Score:5, Insightful)

    by Transient0 ( 175617 ) on Monday October 06, 2003 @07:07AM (#7142612) Homepage
    of the do not spam registry that they mention in the article. But it seems like a real pipe dream considering how much trouble there has been getting the do-not-call registry up and running.

    Also, most telemarketing is done from in-country because of LD charges. Not so with e-mail. It's pretty hard to enforce US laws on a Taiwan spamhaus.

    Ah well, every little voice against spam warms me a little at least.
    • The do-not-spam registry will not work primarily because A. spammers are already breaking the law to spam, and B. it's easy to set up an offshore spam factory outside the US to send spams. Unlike telemarketing, where making phone calls to other countries is too expensive, it's fairly cheap to bypass legislation and spam outside the US...not to mention a do-not-spam registry is stupid in the sole fact that it gives spammers a huge list of millions of VALID email addresses - doing their job FOR them.
      • Re:I like the idea (Score:3, Interesting)

        by stilwebm ( 129567 )
        The do-not-spam registry will not work primarily because A. spammers are already breaking the law to spam, and B. it's easy to set up an offshore spam factory outside the US to send spams.

        If the do not spam registery, as proposed by at least some lawmakers, penalizes the beneficiaries of the spam, then the true source will still be subject to the regulations. Sure, some offshore businesses will continue to spam, and some big guys may move off shore, but it really will nullify many of the cost advantages
        • a do-not-spam registry is stupid in the sole fact that it gives spammers a huge list of millions of VALID email addresses - doing their job FOR them

          This is the hard part. How can you make it a crime to traffic or abuse a list of email addresses?

          Salt the list with honeypot email addresses. Only supply the list under contractually binding terms and conditions which prohibit its abuse. Then just monitor the honeypot inboxes, and be ready to whack any Do-Not-Spam list-abusers for breach of contract so hard th

    • Also, most telemarketing is done from in-country because of LD charges. Not so with e-mail. It's pretty hard to enforce US laws on a Taiwan spamhaus.


      That's true, but bare in mind that most (>90% ?) spam is from US companies advertising US products and stocks...

      Also, if the idea takes up, more countries could implement this...

      • Most spam originates in the US currently (that is, it is people in the US causing it to be sent, although most of it comes via computers in other countries), but it's mostly not US companies, it's individuals. The stuff for stocks and property is usually a scam, and the actual stocks and any real property are also victims of the situation. The stuff for herbal/generic viagra/vicodin etc etc could equally well be shipped internationally.

        The big time spammers are already involved in various illegal activit
  • by The One KEA ( 707661 ) on Monday October 06, 2003 @07:17AM (#7142644) Journal
    ....the more I realize that no amount of technology or legislation is ever going to completely eradicate spam from our lives. More and more it seems to me that the only way we can get rid of spam is through educating the next generation of Internet users to ignore it.

    Spammers spam because they make money. Educate people to ignore spam, and the spammers don't make money. Bingo, no more spam!

    I know it sounds like a pipe dream, but what other options are there?
    • Speak for yourself. I haven't gotten a spam in months, although my quarantine box [nuclearelephant.com] has caught thousands. My kids aren't going to know what spam is because they'll never see one.
    • ....the more I realize that no amount of technology or legislation is ever going to completely eradicate spam from our lives. More and more it seems to me that the only way we can get rid of spam is through educating the next generation of Internet users to ignore it.

      That's like telling your kids to ignore the high-pitched painful squeeling noise that has continually been emitted in your neighborhood at all hours of the day and night for the past 10 years.

      "Honest kids, after 3 or 4 months of your ears

      • And you probably will. Soon its presence will become habitual and you will no longer notice it and allow it to annoy you.

        Like I said, spammers do this because they think they can make money. Right now, they DO make money spamming people. If they don't make any money, why would they do it? Because they enjoy /.ing mail servers?
    • by azav ( 469988 ) on Monday October 06, 2003 @07:41AM (#7142738) Homepage Journal
      Or we could pool our money and hire a hit man to have them killed.

      Just one at a time. Let's start with Eddie Marin.

    • I beg to differ with you. Regardles of any level of education , there will be fools who will fall in to this fraud. I admit they are a microscopic minority .But that doesnt matter and spammers can keep moving with that as the per capita expense of spam is near to zero. It bas been reported that even the manager of a 6 billion dollar mutual fund had placed orders for "penis enlargement pills" (http://www.wired.com/news/business/0,1367,59907,0 0.html).
    • While I don't know if it stands a chance to actually eradicate spam as you suggest, you make a solid point.

      Spam is far too slippery to actually legislate, but we are already developing pretty decent methods for filtering. Perhaps spam is an arms race, but we seem to be a step or two ahead of the spammers and it is costing me no money and only a small amount of time to stay there.

      I think the real trick is to make things like not putting your real e-mail address on forms (paper or electronic) and setting up
    • Spammers spam because they make money. Educate people to ignore spam, and the spammers don't make money. Bingo, no more spam!

      That might help. Though it only takes a few suckers.... (Either among the customers, falling for the spammers' sales pitches, or among the spammers, falling for the spam-software sellers' sales pitches.)

      Actually the vast majority of my "spam" right now is the result of a virus that could just as well have been written by a teenager on a whim.

      As long as the system is so fragile

    • no amount of technology or legislation is ever going to completely eradicate spam from our lives

      Therefore, worthless are methods that greatly reduce but fall short of complete eradication?

  • by Anonymous Coward
    When 99% of the spam on the internet passes through your product at some time, I'd say you should have an opinion.
  • by LennyDotCom ( 26658 ) <Lenny@lenny.com> on Monday October 06, 2003 @07:30AM (#7142694) Homepage Journal
    Why can't certain specified mail servers be something like the look outs. If a certain percentage of them recieve the same email in a specified amount of time then they can designate it as spam and delete it from all the mail servers. then ISP's could subscribe to the "lookout server" list and delete any messages that have been designated as spam?

    • This is what both the Razor and DCC projects are about, although their approaches differ slightly.

      This is almost exactly what the DCC does. This strategy works very well for certain types of spam, but it doesn't catch everything and needs manual intervention to allow legitimate mailing list traffic through.
    • That already exists. (Score:4, Informative)

      by Alioth ( 221270 ) <no@spam> on Monday October 06, 2003 @07:56AM (#7142823) Journal
      That already exists.

      It's called the Distributed Checksum Clearinghouse (http://www.rhyolite.com/dcc). I use the DCC as part of my SpamAssassin configuration (sitewide, called by Exim) and around 85% of spam I receive is already listed in the DCC. The latest version (2.60) of SpamAssassin, plus the SBL plus the DCC works as a very effective shield. My JE (link in the sig) describes my recent experience with SA 2.60.
      • Make sure you use the DCC with SpamAssassin rather than merely alone, though (sounds like you don't have this problem, but just for the education of other readers). The shorter and more filled with garbage a message is, the more likely DCC will not be able to form the same fuzzy checksum as a different message.

    • then ISP's could subscribe to the "lookout server" list and delete any messages that have been designated as spam?

      I think such a product already exist. Lemme remember the name of the company that makes it... soft-something? Ah, there I remember: Softmicro!

    • Re: (Score:3, Interesting)

      Comment removed based on user account deletion
  • ...because the 'email' economy doesn't have to connect to the real economy, as long as you (or your ISP) sends roughly as many emails as you receive. Which is true of personal emails. Genuine mailing lists would need a free pass, which could be set up when you opt in. ISPs Of course, an ecash mechanism imposes a cost in CPU cycles. But spam prevention doesn't need as strong a mechanism as the real economy: even if the spammer manages to spend each incoming email 100 or even 1000 times, they still can't sen
  • by swb ( 14022 ) on Monday October 06, 2003 @07:57AM (#7142839)
    If the government would enforce the laws against fraud, deceptive advertising and some of the outwardly criminal schemes advertised via spam by following the money trail, it should put a big dent in the spamming business, perhaps enough that the trailer-court spam king seen on Slashdot lately would have to figure out something else to do.

    I do not believe that a "do not spam" law would work; at worst, the law of unintended consequences guarantees we'll end up having to give John Ashcroft a sperm sample to get a license to run a mail server due to the slippery slope of regulation. At best, we'll have an empty law that punishes no one.

    Instead we've got Ashcroft forming an American Schutzstuffel to protect us from ourselves, and his big anti-crime initiative is to go after people that make bongs. Gee, I feel safer already.

    As long as people willing to commit fraud or other "entrepenuers" feel they can lie, cheat and steal via email with no consequences they will, and someone will be willing to deliver the message for them. Get the seller via the money trail and you stop the spam, and can probably nail the spammer as an accessory as well.
  • I didn't see a real definition of spam in the article. (I did RTFA, but I'm on my first cup of coffee.. it might have been there, bear with me)

    The first question was, "What is spam?" This is much harder to answer than it at first sounds. For example, some people define spam as "any e-mail I don't want to get," even if the mail is for a list that they really did sign up for. As one panelist pointed out, some people really do want to receive pornography. Most people agreed that getting a newsletter that th

  • by Filik ( 578890 ) on Monday October 06, 2003 @07:59AM (#7142851)
    Darn, article got slashdotted before I could read it, so this reply is just general musings.

    The spam problem has to do with the whole future of person to person communication, as well as the whole future of adverticement. Whichever way it will be solved, a very likely outcome is that in 10 years it will no longer be possible in any way to get in touch with someone you don't already know from outside the Internet, and the first decade of Internet will be looked back upon with nostalgia as the only decade of totally free communication. This is because the real problem lies in the initial contact.

    You might argue that we can still communicate via boards, chat channels and similar things, where you can give out crypt-keys to those you wish to continue communicating with, but remember that these will be the next target for adverticing after open email collapses. I'm sure adverticers will even write AI's to simulate people so that they can lure the crypt-keys from innocents.

  • I just installed a spam filter for the first time, SpamPal [spampal.org]. However, of the 50-70 spam messages I get per day (and perhaps 10-15 non-spam), it flags non-spam around 1% of the time, and lets spam through about the same percent. I can handle a few spams a week.

    So my question really is, is the state of spam-filtering still improving, or have we reached a plateau where the spammers will just find more and more ways of defeating them. Much of the spam I receive contains characters like: Viagra so the filterin
    • But it should be pretty easy to filter out attempts to hide the text this way. Don't forget the filter has access to the actual codes in the mail, not the resulting image on the screen.
  • White listing may be the only way to go. Have a list of people that are allowed to send you messages in your mail client, which would drop mail from them straight to your inbox. Anybody not on the list gets dropped to the Junk folder, which you could sort through and add the people you wanted.

  • by Skapare ( 16644 ) on Monday October 06, 2003 @09:49AM (#7143718) Homepage

    "If everyone would just ..."

    I hear those words about spam and proposed solutions all the time. But the fact is, and will always remain so, that you cannot get absolutely everyone to do so (whatever that might be).

    Consider the first possibility: "if everyone would just stop sending spam". Most of the spam comes from about 200 or so different spam gangs. Most of the rest comes from a few thousand naive victims that try it once or twice, get cut off, and never do it again (and thus losing their investment into the spamware and "list of millions" they paid some spamgang for). Already, 99.999% of internet users do not send spam. A solution that requires getting so close to a percet 100% just isn't possible.

    Now for the second possibility: "if everyone would just stop reading the spam and buying from spammers". Spam works because the costs to spam senders is so utterly low, that even sending to every internet user is a lower cost than trying to trim the list down to those few people that really want what the spammers are peddling. This goes along with "just press delete". But it doesn't take much in response for the spammers to actually make a profit from their spam runs. And spammer's for hire are making money even if their clients lose money, so as long as there is a supply of naive vendors who are willing to part with their money to get a spam run in their name, spammers profit. Again, this is a case where closing the gap between 99.99% of people who don't even read the spam and the 100% needed to make spammers and their clients go away, is just not going to happen.

    But there is a third possibility: "if everyone would stop using ISPs that permit spam". If even so much as 50% of users who are using ISPs that permit spamming were to cancel and switch to a better ISP that doesn't, that would definitely have a substantial effect on that ISP. I bet even 10% would get noticed, although I think a bit more, like 25%, might be needed to get some of the worst ISPs to act. Of course many people do whine about things like "there is only one ISP here" (not anywhere near 50% face this problem) and "it costs me money to switch" (it costs the victims of spammers even more money for you to continue to support an ISP that is able to give you a discount by accepting pink money from spammers). If we were to simply identify the top 10 worst ISPs for permitting spam to come from or through their network, and get a whopping 25% to 50% of their customers to leave (preferring to go to the top 10 best ISPs for not permitting any spam in or out), this would make a substantial impact and cause some CFOs to panic. And this doesn't require anywhere near 99% to be a successful anti-spam campaign.

    The above campaign can also be pushed harder if many of us refused to accept email from those ISPs (and thus anyone in their network) as a sort of boycott against spam support. Of course there will be whiners here, too saying "You have no right to block my email since I don't send spam" (but if they are supporting a spammer anyway, guess what).

    My whole point is that we need to avoid any "solutions" that make it necessary for absolutely everyone to do something. There will be plenty of people that won't. Instead, the solutions we need are the ones which only require a practical number of people to take that action. If you don't like the ones I propose, then propose your own and say how many people would have to act to make it work.

    • "If everyone would just ..."

      I hear those words about spam and proposed solutions all the time. But the fact is, and will always remain so, that you cannot get absolutely everyone to do so
      ...without tyranny. Therefore, the fallacy of the Democratic platform.
  • by defile ( 1059 ) on Monday October 06, 2003 @11:02AM (#7144304) Homepage Journal

    The easy solution to spam is to make the identity of the spammer known to all.

    Do their neighbors know that they live next door to a spammer?

    When a customer walks into your store, do you know if they are a spammer?

    When someone hits on you at a bar, do you know if it's a spammer who is hitting on you?

    When you're on highway patrol and catch someone speeding, do you know if is the spammer that is speeding?

    When you walk down the sidewalk and pass by a car parked on the street, do you know if it is the spammer's car?

    When your kids go to school, do they know the spammer's kids?

    When you are delivering (paper) mail, do you know if it is the spammer's mail?

    When you are serving food to someone, do you know if you're serving food to a spammer?

    When you receive a call to 911/poison control, do you know if this is a spammer calling 911/poison control?

    Spam is a community problem, and the community is the one best able to deal with it.

    All the community needs is information.

    The problem will solve itself.

"All the people are so happy now, their heads are caving in. I'm glad they are a snowman with protective rubber skin" -- They Might Be Giants

Working...