ISP Chief on Spam

saddlark writes "internetweek.com has another article about spam and false positives. They've talked to Barry Shein, president of The World (the worlds first dialup ISP) - someone highly affected by spam. Quote: We're victims of crime, and nobody gives a damn. That's a nice feeling -- your business is being pounded into dust by criminals, and people say, `Live with it,' Shein said." ISPs have it pretty bad since their SMTP servers are often being hijaaked to send email that nobody wants. As annoying as spam is to us (113 messages so far today!), it's even worse on that side.

live with it indeed

[carpe_noctem]

Yes, that's right. You probably just have to live with it. The best that ISP's can hope to achieve is a reasonable amount a spam filtering, and locking down their own systems to prevent abuse. Beyond that, quit your whining....the internet is a hostile place, and spam is just one part of it that you have to learn how to fight.

Re:live with it indeed

[dubl-u]

the internet is a hostile place, and spam is just one part of it that you have to learn how to fight.

My god! I now get it! And your advice is so appliciable elsewhere in life!

Those people complaining about crime in urban areas? They should just shut up.

People starving to death in Africa because warlords, corrupt governments, and civil war make it impossible to grow food? They should just tighten their belts or eat dirt or something. Or maybe fight back by hiring troops to protect their subsistence farms.

And those people in small, unimportant countries that get invaded? Well, that's their mistake. They should have picked a bigger country to live in. Or domed it over or something.

Yep! The world is a hostile place, and people should learn how to deal with it instead of whining about things like laws and governments and human rights.

Re:live with it indeed

[lrichardson]

There have been dozens (OK, probably thousands) of solutions floated, of which many are feasible. A couple of (US) states have passed laws prohibiting 'spam'. And, as the number of judgements against those companies violating those laws increases, we will see a number of things:

-Spammers moving offshore (as if Asia wasn't already the #1 spam source)

-The amounts of the judgements increased (hitting a company where it hurt$ get$ their attention)

-The ease of getting a judgement against them increases. (which also magnifies the previous point)

Personally, I liked the simple idea of requiring all unsolicited business offers to have "Advertisement" as the first word in the subject line ... it would have made filtertering them trivial.

And, perhaps more important, falsifying headers gets slapped down under existing criminal wire laws. Either way, they're fairly easy laws to define and implement ... all it takes is getting the attention of politicos long enough to pass the laws, and then the law enforcement branches to enforce them.

Unsolicited faxes are the closest example - unwanted, and they cost the end-user - and every year some company gets slapped down hard (the most recent one I read of filed for bankruptcy due to the magnitude of the fine) - because laws were passed and enforced. That's all it would take to bring the spam problem down to manageable levels.

internet outside of the US

[zogger]

--the web is worldwide, yes it is. the us has a huge chunk of the web. We make the US a place where spam is illegal, I mean, they got laws up the wazoo about everything else. One simpleeasy to understand law, no unsolcited commercial email. Email has to be truly opt-in. snail mail has a definete serious cost associated with it, tends to be a lot more self regulating that way, wheras email being so completely cheap and easy to send out billions, that it'slong past become a serious problem. So,with it illegal inside the US, and resulting lawsuits and fines, etc taking care of domestic spammers pretty much, the spammer's servers move offshore to send the spam-easy fix to those nations,do they want access to the humongous part of the WWW that is inside the borders of the US? Easy! No problems! Don't send spam, do what YOU have to do inside your countries. We proceed to block those nations internet connections that allow spam to be sent. awhole nation at a time or large netblock followed by another until they get the "message" that spam won't be tolerated. After a few nations start losing millions a day lost revenue and lost connections to the US cash cow, they'll get the message and hunt down their own spammers. It won't END until SPAM DOESN'T PAY, same as with the ridiculous "war on drugs", drug abuse and the crimes associated with it won't get any better until the huge cash profits are removed from it.

I have thought about this a lot, we don't need an "arms race" of anti spam "filter" programs,that just leads to spammer's counter measures, which will lead to anti-anti counter measures,etc, back and forth ad absurdum,forever and ever, it just needs to be made clear to spammers everywhere that there are other ways to make a living.

In other news

[Anonymous Coward]

internetweek.com talk to Alan Ralsky - someone highly affected by spam - "I'm a victim of crime and no-one gives a damn!"

Government Bans Email

[jlharris_50010]

WASHINGTON, DC- Instead of dealing with the email spam problem, the Congress today passed a bill that blocks the use of email by all American citzens. Although this may hurt buisness in the short term, officials expect that this will probably help the post office.

Keep whining and nothing happens

[slashuzer]

Quote: We're victims of crime, and nobody gives a damn.

This happens because the people who are in position to make laws and policies are directly affected. All the whining goes on in the technical community, but talk to your elected representative and ask them where spam figures in their priority.

Secondly, to get laws passed, you need a lobby. Hell, even *IAA managed to get asinine laws passed because they lobbied as a group: they were able to highlight (rightly/wrongly) how their financial interests were being compromised.

Unless a lobby is formed and pressure sustained, we can whine all day on /. We can send 100 spam's to Alan Ransky. We CAN'T end spamming.

If this is what a small world is all about....

[BigBlockMopar]

This happens because the people who are in position to make laws and policies are directly affected... Secondly, to get laws passed, you need a lobby... Unless a lobby is formed and pressure sustained, we can whine all day on /.

Dude, last time I checked my incoming spam, the originating IP address for most of it was from China and other third-world shitholes. You *don't* honestly think that they'll stop because the USA has a new law which will give them a slap on the wrist?

This is NOT a problem which can be legislated away. These are not 20-year-old mothers of 4 living in trailer parks in Florida.

A friend of mine, of Chinese descent, told me that it's unlucky to refuse to take someone's business card, and it's even unluckier to throw it out. This is the tradition with which we're dealing, and if an e-mail is seen as merely an electronic business card....

At this point, I have configured my mailserver to send all incoming mail from .cn, .kr, .pl, .pk and a few other choice hellholes directly to /dev/null. With no apologies. I know nobody in any of those places, and until they stop spamming, I have no interest in knowing anybody in any of those places.

I will tell you this, it sure does take most of the crap out of the mail spool.

Alternatives?

[Anonymous Coward]

Though I've never really investigated it, there HAS to be some kind of alternative to SMTP. It's always struck me as a horribly insecure protocol and something that should have been replaced long ago.

I suppose the real problem now isn't finding a new protocol, but rather, getting wide-spread adoption of it, seeing as email has become a part of daily life.

Re:Alternatives?

[CommanderTaco]

There is: ESMTP [ietf.org]. Provides a framework for extending SMTP, including allowing for username/password authentication. Wrap it with SSL/TLS and you're good to go. Most of the popular MTA's (sendmail, postfix, qmail) either have built-in support or patches available, and many popular MUA's (outlook/oe, mozilla, evolution) support it as well.

Re:Alternatives?

[ninthwave]

So is TCP/IP but try replacing that even slowly.

The net was based on trusting each machine you connected to. The problem isn't the protocols its the systems of giving trust to users. Right now it is pay me $ per momth get a connection. If you have enough money you can buy enough bandwidth and then do what you want with the trusts you are now connected to.

Re:Alternatives?

[Micah]

Has anyone checked out Dan Bernstein's IM2000 idea [cr.yp.to]? The first time I heard about it was a Slashdot post a few days ago, and I'm extremely impressed. I think switching to a system like this WOULD be do-able. Not overnight, of course, but get a few ISPs on board and we'll get there. Seems like it would solve the spam problem pretty nicely.

I hate to rehash an old argument.....

[rindeee]

...but I am going to anyway. There are a handful of very feasible ideas out there for stopping spam. Permission to send systems. Systems that require a token to be processed with each message sent (sending a message is trivial, sending millions of messages at once requires a server farm doing nothing but processing tokens). The list goes on (probably considerably longer than I realize). I hoenstly think it is simply a matter of time until the Open Source community begins implementing this and the rest of the industry follows. Now, lets get hopping.

ER

Replacement needed for SMTP

[jamie]

I think we're living in the last days of SMTP as our email delivery protocol. It worked great for the first ten years but now the commons is being exploited. This is a simple truth of economics. It costs nothing to send an email -- it's too cheap to measure -- and high-volume advertising is a natural consequence.

I don't think Barry is right about the situation being about to implode. "Imminent death of the net predicted" has a poor track record for accuracy. But I wouldn't be surprised to see things get much worse over the next, let's say, three years.

What we need is to have a replacement ready. Waiting in the wings to take over. As "SMTP email" becomes more and more spammy, and people get more and more frustrated with both spam and the inconveniences caused by fighting spam, the number of people willing to adopt a replacement will grow.

My contention is that the only way to solve the problem is to make it cost something to send spam. The root of the problem is the unbelievable cheapness of delivery. Every attempt to solve the problem has been an attempt to make delivering spam more expensive (typically by getting spammers kicked off ISPs, cancelling their contracts and costing them money circuitously).

We simply need to make email delivery cost something. A tenth of a penny an email would be more than enough.

Maybe it can be done with "hash cash," requiring the email sender to spend CPU cycles to solve a math problem. Personally I don't think that's going anywhere; CPUs are way too cheap right now. But that's an ingenious approach to the problem and a good example of the kind of thinking that will be needed.

I lean toward inventing an entire micropayment system to solve this problem. The advantage is that, piggybacked on the solution to spam, you get micropayments -- which, when applied to the web, usher in a whole new era of content production.

But whatever happens, something needs to be waiting in the wings for when SMTP finally hits the wall.

Re:Replacement needed for SMTP

[carpe_noctem]

SMTP won't just die, it needs to be replaced. If you can come up with a protocol that solves spam and works as well as SMTP, write an RFC and get some code out there.

People have said the same thing about HTTP, FTP, and pretty much every other standard protocol on the internet. So far, SMTP seems to have come under the most fire because of spam. I've been wondering when Microsoft will write their own closed mail protocol that effectively gets rid of spam, then proposes that everyone "migrate" from email to ms-mail or whatever the hell they wanna call it.

I think that we can all see that the ability to have an open, widespread protocol with spammers abusing people is a much lesser evil than microsoft controlling the entire email market. I propose that instead of getting rid of email, we add extensions to SMTP, just like they did for HTTP1.1 in order to better suit the needs of the growing net.

Re:Replacement needed for SMTP

[jcoy42]

I've been wondering when Microsoft will write their own closed mail protocol that effectively gets rid of spam

LOL- I ended up having to sign up for a hotmail account to do IM at work with a small group of developers/systems people during integration testing. I gave that hotmail address to no one. But I still get around 15 spam messages there every day.

I really don't think MS cares about the spam problem. And after all the outlook bugs I've seen, I don't think they have much credibility where email apps/services are concerned.

Re:Replacement needed for SMTP

[HiThere]

Sorry. The internet was built to enable communications to survive an enemy invasion. Anonymity wasn't a design goal. It just sort of came along free. (Actually, it wasn't even a feature of the system, originally. It was probably originally seen as an unimportant bug. [I wasn't there, though.])

In the original system you knew who each machine that you talked to was. That's where the hosts file comes from. And the guy who ran the machine knew who the local users were. He probably recognized them all, and called them by name. And the system was built on the sysOps trusting each other.

Well, times have changed a bit. DARPANet is no more. And DNS has arrived. An IP address doesn't mean anyone in particular. And that's why e-mail is untraceable.

Fixing SMTP: This isn't THAT hard. Not really. All that's need is an add-on for doing reverse lookups. And a public key signing chain, where each ISP signs to indicate that it received from the named IP address. And a lookup function, where you query the purported originating IP address to verify that it sent the designated email. (Timestamp, sender, subject, and to should suffice here.). A better protocol would require the check happen at each stage before forwarding, and include a technique for the recipient to vote the e-mail as spam. Too many votes, and the providing ISP becomes prohibited from forwarding. But those are refinements. The basics can easily be done as add-ons to the current system. (Another good option would be for the recipient to be able to bounce e-mail after receiving it.)

I don't want to pay that

[pclminion]

As stupid as it sounds... Would I still be "allowed" to have my own mail server that sends messages free of charge? Or would there some law declaring me to be a spam terrorist if I provide free email service?

Hash cash seems more reasonable, but in order to really stop a spammer you want to delay him/her (it?) for probably on the order of a second per message, at least. Even if you find some algorithm to do that, it'll really annoy me to have to wait a second to send regular email also. So, I'm bitching about a second. But those can add up.

Now, maybe what you could do is charge for bounced email messages. The recipient decides whether he/she wants to open the message. If they open it, it is automatically free of charge. If they bounce it without opening it, the sender gets a small charge. The idea being, you get payed for the unwanted mail people send to you.

Yes! They rely on volume *over time*

[kfg]

Just slowing them down will make the whole affair less attractive. Not eliminate it, but at least eliminate a good deal of it.

You think the second will annoy you. My guess is that, unless you are using mail as some sort of IM device, after the first few times you won't notice *10* seconds.

Delay a spammer's mail 10 seconds *per item* and you bring him to his knees.

Of course the spammers are going after IM now. . .

KFG

I hate it

[Anonymous DWord]

We simply need to make email delivery cost something. A tenth of a penny an email would be more than enough.

I've heard that before, and I don't think it's enough. All you need is one idiot to say, "Yes, I do wish my penis was larger!" and at $39.95, he's just covered 40,000 emails. Are spammers getting a 1 in 40,000 response rate right now? I don't know, but they're paying for net access somehow. So raise it. A dollar an email. Then you have a 50 million dollar outlay to spam the world. Better have a good response rate with a pricey item to get that back.

But that doesn't work for me. Why should I have to pay that, or any amount, to use a service I'm already paying for? Isn't that why I shell out 20 bucks a month - to use the intarweb, 80% of which is still probably email?

Cost of doing business

[rutledjw]

I think the parent was on the right track. The basis for most of the viable ideas is to raise the barrier of doing business for a spammer. Now how do we do that? So far, these lower life forms do business since they can do it VERY cheaply and can jump from provider to provider and in cases have used litigation to prevent them from being shut down and blocked by providers

So, as much as I loathe turning to gov't for solutions, here's what (I think) we need:

• Make it illegal to falsify headers.
• Make it explicity LEGAL to block IPs (spammers have gotten blocks removed through lawsuits, which they may have eventually lost, but which was expensive for the blocker)
• Establish criteria for making claims based on damages from SPAM. This so that it doesn't take a major ISP (AOL) to go after a spammer for damage to their systems

The trick is to have laws which allow ISPs to protect themselves without making them so heavy handed as to hurt online commerce. The first and third mean that you have to say who you are and you'll get sued for doing damage (which is now legally defined). That may push spammers overseas, but then the second means you can block IPs without fear of legal retribution.

May that affect legit users? Maybe, but enough of an ISPs customers complain ("We can't send e-mail to the U.S.A./Europe/???! Why?") and they'll eventually do something about it. Which means they'll close their &*$% e-mail relays and kick off spammers. Perfect? No. I don't care about that as much as I care about reducing the background noise to what it was even a YEAR ago...

Re:Replacement needed for SMTP

[singularity]

Every time an article about Spam comes up, someone always posts the same basic rant about micropayments and/or "hash cash", and it gets quickly moddded up to 5.

Think about it people, this is not going to happen. I could list a thousand problems with the idea (How do you deal with international ISPs, how do you deal with ISPs that do not require it, where does the money go, and so on).

Some more basic questions that will prevent it: We here on Slashdot are hesitant about doing anything that might ruin our privacy. Think about the full implications of *whatever SMTP server you use having some credit card information about you*.

Think about the protests when AOL and MSN are taking in tens of thousands of dollars a week for email.

I cannnot believe that people that propose these ideas do not ever think through it fully. Email is so great because it is easy *and free*. Charging for email, even .1 cent an email, is a step backwards, and definitely not a long-term, practical solution. Sure, it might help get rid of a lot of Spam now, but it defiitely causes more problems than it solves.

The answer is to modify SMTP as we have it. Require authorization. Make it impossible to forge headers.

The big problem, of course, is international mail. I get mail from Korea, China, and Russia. Almost all of it is Spam. Whatever we do is going to have to get at that problem.

Think about the Slashdot article in four years, talking about how a lot of Chinese rebels are not able to send email to the United States because of micropayments and the problems they have with that.

SMTP is not the culprit

[e2d2]

The answer is to modify SMTP as we have it. Require authorization. Make it impossible to forge headers.

Having written various SMTP software for a few years now I would like to comment on the "forged headers". forged email headers mean nothing. When a client connects to an SMTP server to send a message the clients IP adrress is recorded and this is added to the message. You can open any email in a text editor and see the originator of the message, his/her IP address that is. Anyone can add a header to the message, its up to the email reader to intepret it. That system works, and spammers are identified. BUT by the time we catch them they have moved to other locations, or they were using an open relay. Spammers can be caught, the 7 million doallar AOL settlement was evidence to that.

I do however agree with the Authorization argument. If more SMTP server in the world would simply require authentication/authorization from it's users and shut down open relays then it would eliminate a good portion of spam and add a little accountability for users of SMTP.
Why An Open Relay is a Problem [ordb.org].

It won't however stop joe spammer from getting a cable connection and setting up his qmail cluster so he can start his "~You Have Won-Some NIGERIAN Money / Tits(c)!!!!!????" campaign at an easy going 50k messages/hour. I believe that changes must be made but they have to be well thought out or we will be in the same boat 15-20 years from now. I believe that instant messaging, presence servers, and presence proxies will take over in the future, slowly replacing email and we need to build up such provisions in these protocols now.

Re:SMTP is not the culprit

[e2d2]

That's a good point, by using both black and white lists and creating a "trust" situation between servers we can eliminate some of the spam.

Re:Replacement needed for SMTP

[timeOday]

I think you don't understand what hash cash [cypherspace.org] is.

It isn't money, it's expense. AOL and MSN wouldn't be taking in a dime (in fact they would probably limit each user to some small amount of has cash each month). It has nothing to do with somebody having credit card info on you. It has nothing to do with international correspondence either, except it would be relatively more expensive there - but still negligible unless mass mailing.

If you really were talking about hash cash, I don't see how your arguments apply.

Teergrubes are the answer

[Brian Kendig]

The only way to solve the problem is to make it cost something to send spam.

That's what I'm doing right now.

I run a tarpit on my mail server. Send me spam, and my mail server identifies it as such and imposes a cost on the sender -- in this case, the cost is that my mail server holds on to his connection and sends nothing but occasional keepalive messages in return. The spammer's relay (or the open relay he's hijacking) is deprived of an outgoing connection it could be using for sending spam to somebody else. Eventually the spammer will hit enough teergrubes that all of his outgoing connections will be tied up by them, and he'll come to a complete stop.

If the spammers begin catching on to this, and dropping their connections to me after they see me stall for N seconds, then I'll just set my mail server to automatically stall all incoming SMTP connections for N+10 seconds.

So the cost I'm imposing on spammers isn't money, but time and resources. A mom-and-pop ISP isn't going to be deterred by having its outgoing SMTP connections held for a minute before they're accepted. A spammer trying to send out two and a half million spam messages *will* be deterred by this.

Re:Teergrubes are the answer

[Zeinfeld]

I run a tarpit on my mail server.

This is a prime example of a half assed solution that causes more problems than it solves.

Teergrubbing is really easy to detect, the sender simply measures the rate at which a link is accepting data and if it is below a threshold shuts down the connection. So don't think this sort of attack hurts the spammers, it doesn't, they take countermeasures.

Instead the attack takes out legitimate senders whose emails are incorrectly identified by the teergrubbing algorithm. It is a classic example of a counter attack that creates more problems than it solves.

There are similar problems with the much touted blacklists, many of which have been involved in blacklisting for arbitrary reasons. The problem being that the people who end up running the lists (as opposed to starting them) often turn out to be pretty involved in their own control freakery.

There is no sure fire solution to spam, but there are plenty of systems that provide a useful degree of mitigation and in compbination provide a pretty solid solution.

Re:Teergrubes are the answer

[HiThere]

It's not perfect, but one way that might work well... a modification of the Mozilla spam identifier. Once you get the spam identifier properly trained, allow it to be uploaded as an agen to the ISP, and run on their site to bounce the spam before it's ever transmitted to the end user.

Now my ISP passes all of my mail to me, so it's a choke-point. But it may be in a position to identify another place where, perhaps, 30% of the spam comes through. They could forward the agent there, and this would cut the spam before it even got to them...

Unfortunately, computing costs will probably need to drop some more before this becomes practical. This saves storage costs and transmission costs at the expense of significant computational requirements.

Re:Replacement needed for SMTP

[sheetsda]

I hope you're right that SMTP is on the way out, however I like my free email. What about a system similar to a trusted computing base, with email addresses, any address that isn't in your web of trust can't send you an email. Some method for tracing through the web to find who you're trusting that trusts a spammer could quickly put an end to unwanted email. The problem of spammers breaking into systems still exists, but thats no worse off than we are now. Traversing such a web might be a problem. P2P tech might even work though its probably a better idea to stick with client-server. Seems it could be implemented as filtering software(with its own protocol in addition to SMTP) or a new protocol. Ideas? Thoughts? Elaborations? Something I missed?

Yes, and ISPs are the ones to do it.

[Tom7]

The last people who should be complaining about this are the ISPs, for they are the ones who can actually cause new mail technologies to be commonly used.

I don't think micropayments are the right way; I think just having authentication would go a long way. (Authentication acts as a sort of "hash cash" itself, since cryptographic signing is not a cheap operation.) The technology has been here for ages; we just need a coalition of ISPs to actually roll it out.

Replacement for SMTP -- ideas

[mengel]

Real micropaments are hard to implement, and most users have already paid for a reasonable amount of email service.

Instead, we need to have people use an authenticating protocol to send mail, and they should get issued a key/certificate/whatever with their e-mail account that lets them send,say, 500 emails a month. That email server is in turn issuead a certificate with a known signing authority.

The problem is, how do you prevent a spammer from obtaining an arbitrary number of email server certificates? Commercial "authorities" like Thawte, etc. are not an answer; as many credit card numbers as you can get is as many certificates you can get. As long as you can send a few million emails before your certificate gets blacklisted, the cost per email for the ceritificate is trivial.

The only answer I see is to hold all email for a day before delivery, and to have a distributed mechansim for counting email sent by each server. If a given server is sending spam-house rates of email, it gets (automatically) blacklisted, and all the email being held from that server gets deleted before its ever delivered.

That's my Idea. What's yours?

Latency is good!

[Lulu of the Lotus-Ea]

I wrote an article on spam filtering techniques at:

http://www-106.ibm.com/developerworks/library/l- sp amf.html

Following that, I got into a discussion with a reader who ran an ISP, and wanted to implement some filtering techniques on his SMTP server. My reaction--and the more I think about it, the more convinced I am--is that actual filtering is heavier than is needed for this purpose.

I believe that a great deal of the problem with SMTP servers is NOT ENOUGH latency. If you were to add a few seconds extra latency to for every "RCTP TO:" field, there would be little effect for regular email usage. But such a couple seconds latency would make spamming impossible through that server. This latency can be a simple timer on the server, starting from a connection opened with a MAIL FROM: message.

There are a few details to handle here. To prevent multi-threaded spammers who open many sockets, you'd have to add a semaphore to each connection that limited connections from the same IP address. And as a general principle, you should not accept connections from every IP in the world (don't open relay). Moreover, demonstrated legitimate mailing lists could perhaps be granted special connections without the extra latency (but there should be a real procedure to prove you have a real mailing list in the ISP contract)

Re:Replacement needed for SMTP

[Martigan80]

We simply need to make email delivery cost something. A tenth of a penny an email would be more than enough.

I would rather re-invent the whole mail transport (without help from Bill) then to see some charges put into it. My thought is that if you put a price on it 1) Who will collect? 2) Would you implement this world wide? 3)Who does the money go to? 4)This will ignite the Governments reaction to start charging for other things on the net for an augmentation to the tax collection that has been lost recently. 5) You would also have to get an agreement of exactly what is SPAM, and who would be the authority to determine it.

What we need is to have a replacement ready. Waiting in the wings to take over.

You hit it on the spot. We need to take this over like a redundant power-supply, and should do it now. I'm sure some other Software heavy is already doing this, and waiting to save the day. He didn't get so much money for being stupid! I have no idea how to start doing it, but I know their are plenty of smart people out there that can. What would be helpful is if programmers from the major OS's could come together and get something started.

Re:Replacement needed for SMTP

[Florian Weimer]

I think we're living in the last days of SMTP as our email delivery protocol. It worked great for the first ten years but now the commons is being exploited.

SMTP follows the design of the Internet: just send something, the receiving side will discard it (silently or not, depending on the protocol) if it doesn't like it. No real session initialization with verification of send/receiver identity, or negotiation of some parameters (bandwidth, content parameters, etc.) is performed.

This has made the Internet so simple and successful, but on the other side, there is the large potential for DoS attacks.

For IP packets, the recommended countermeasure is "secure the edge" (i.e. get rid of IP spoofing so that you can filter quite easily), for mail, this cannot work. Spam can be injected over a myriad of channels (SMTP (direct and via an open relay), Formail CGI scripts, open CONNECT proxies etc.), so you had to stop selling IP to customers, which isn't an option. However, strict anti-spam AUPs and government support (e.g. punitive damages for spam) might be the way to go. Similar to IP spoofing/IP DoS, you have rely on others to enhance their network, but I can't see any other solution.

Re:Replacement needed for SMTP

[hoggoth]

Micropayments have never worked despite many attempts by very big players. The solution to SMTP is not to add charges to it.
The solution is to REVERSE the paradigm.
When you send email is is stored on YOUR server. A small notice is sent to the recipient's server. When he 'pops' it off THEN AND ONLY THEN is the actual message grabbed from the sender's server.
This allocates the cost to the sender. You want to send 1,000,000 messages? Fine. They sit on YOUR server. Along with this you get notification of receipt. You get easy "blocking" and blacklisting. You make it easy for an ISP to remove a troublemaker and all the spam before most of the recipients have to see it.

I don't claim I thought of this. Someone else around here on /. did. I don't remember his name. Speak up if you read this.

Stop crying and take action!

[www.sorehands.com]

ISPs are able to take action against spam!

They can implement strong AUPs that will do the following:

• If a spammer is hosting on your system, you don't shut down the server/domain/site, but redirect it to a page saying it has been shut down for spamming while locking them out from changes or accessing the data.
• Implement a stiff fine/cleanup fee.
• Provide people who complain the real information on the spammer.
• Confirm credit card information to make sure that the credit cards are not stolen.
• Secure your servers.

Re:Stop crying and take action!

[pete-classic]

ISPs don't generally run on a huge margin.

What do you think the staffing requirements of ruthlessly enforcing the AUP would be? What kind of attorney's fees do you think bullets one and three would cause an ISP to incur?

I think your suggestions make sense, but fail to take the economics into account.

-Peter

Not much cost.

[www.sorehands.com]

Make these terms of the contract. The cost to run the charge and deal with a dispute on the credit card will be included as part of the penalty cost. Pointing the website to a static page that says that it is shut down for spamming and locking the account is the same effort would be no more than the effort to clean up an account that has been closed.

Allowing the spammer's information to be given out may be what hurts a spammer more. Let 1000 spam victims file a lawsuit against them for spamming.

Of course there will have to be some defense to a joe-job.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Stop crying and take action!

[Kronovohr]

Just some notes to your message: They can implement strong AUPs that will do the following:

• If a spammer is hosting on your system, you don't shut down the server/domain/site, but redirect it to a page saying it has been shut down for spamming while locking them out from changes or accessing the data.

  Yeah. Great. Most spammers are "smart" enough that they don't spam from their own domain -- they open multiple web hosting accounts elsewhere and blast out their mail from there via perl or php scripts activated by something as simple as wget or a perlbot.

• Implement a stiff fine/cleanup fee.

  Sure thing. Oops, said credit card was stolen. There's the money they owe you, plus a $25 handling fee for a chargeback.

• Provide people who complain the real information on the spammer.

  Sure thing (actually, that's in our AUP as well). Oops, they're actually

  1. a foreigner, and
  2. they signed up with fictitious information and a stolen credit card to boot
  Looks like the only thing we've got is an IP address in Indonesia, since they raped an open SOCKS proxy or someone else's web hosting server to sign up.
• Confirm credit card information to make sure that the credit cards are not stolen.

  Sure thing. It was an AOL/earthlink/someotherlargeISPthatcaterstoidiots user, and all the information matches. Most cards aren't reported stolen until several MONTHS after they've been used for this purpose, simply because of the "honey, did you charge this?" "I might have" effect.

• Secure your servers.

  That's always a given.

The typical scenario in this type of situation goes something like this:

1. A spammer in the US pays a spammer overseas x% to spam their shit.
2. Said overseas spammer steals a credit card via scams, social engineering, or what have you
3. Said overseas spammer uses an open relay in close proximity to the actual physical address of the cardholder, or a nationwide ISP to sign up for 50-100 web hosting accounts. The phone number given is a temporary cell phone number the spammer in the US has purchased on a temporary basis.
4. The overseas spammer sets up spam bots on all of the servers mere minutes before sending the spam. Since most of these are written for each individual circumstance, there's no real way to check for them, else everyone's formmail and PHP form scripts would set them off.
5. At the last minute of operation, the spammer starts a few hundred instances of wget, or a perl script that forks an instance per spam account, and the mail begins sending from all locations near-simultaneously.
6. The hosts shut them down, redirect the site NOBODY'S EVEN HEARD OF to a page saying "This site was closed due to spam", and sometimes place the personal information of the innocent (but relatively stupid) person whose credit card number was on the order form.
7. The spammer moves on for the next kill at the next location.
8. The spammer in the US ditches the cell phone, as it was paid for fraudulently in the first place
9. After adding a $400 cleanup fee to the customer's bill, the cardholder (who isn't the customer) does a chargeback for the time the site was hosted (often several months worth) and amount + $25/month for charges, so the host takes it in the ass. We've had some sit on a site for 6 months before spamming.

Sure, you could attempt to track down each and every spammer, but even the credit card companies and merchant account providers don't care, because the chargebacks make them MORE money on top of everything.

The simple fact of the matter is that the REAL people who could do something about this scenario, the credit card companies, who could actually provide contact information (like a home phone number!) to merchants checking to verify the charges, as well has changing their chargeback policy, couldn't care less because this type of fraud only nets them more money from providers who can only tell if the card and its information are "good" or "bad".

No, not by law.

[www.sorehands.com]

By contract, an ISP can require payment by a company that spams. If a spammer uses an ISP to either send spam or to provide services to a site advertised by spam, they can charge the spammer for it. Similar to what happens when you return a rental car with a big dent in the door. This is not a big labor issue.

Live with it?

[Nordberg]

Most users might be able to live with it, but what they don't see is the 50%-90%+ of spam that is filtered out before it even hits their inbox.

I know I still get about a spam a day, after my personal filters ditch about 80% of what comes in. And that's after my ISP filters out what is likely an equal amount.

That means about 25 spams a day are sent my way. Multiply by the tens of thousands of e-mail accounts on a mid-sized ISP, and it starts to cost these businesses real money.

email as we know it is the problem

[geek]

Lets face it, SMTP as well as POP3 and IMAP are old protocols. They came to be when networks were small and more trusted. The fact that 99% of ISP's use the email account as the service provider account is clearly insecure. Email travels around in clear text, passwords and all. This is how most crackers get into networks, by simply sniffing out the name and password of email accounts.

Email needs a massive overhaul like the one telnet has gotten. Telnet is obsolete, replaced by SSH. FTP is replaced by SFTP and SCP.

Email needs to be cleaned up, secured and as easy to use as it is today. Encrypting it helps, but you also need to design the protocol so that headers can't be faked. You need to design anti spam into it from the beginning. Anything we do to SMTP now is just a hack on a very old outdated protocol.

Oh and yes I know what I'm talking about, I've run several nationwide mail systems for two ISP's. It's a nightmare I wouldn't wish on an enemy.

Re:email as we know it is the problem

[Todd Knarr]

Actually SMTP does a good job with e-mail. Mostly ISPs need to use what's already provided in SMTP and in mail servers. For example, use one mailserver for outgoing mail and require SMTP AUTH to use it. The seperate incoming server has to not require authorization, but it should only accept incoming mail and reject anything that wouldn't be delivered to one of your customers. Doing that and implementing standard anti-relaying rules and keeping current on security patches would eliminate much of the problem.

As for unforgeable headers, as long as you require people to go through an ISP's mail servers and don't have an authoritative list of all mail servers in the world, you have to allow the client system to provide headers that your server accepts. If you allow that then anyone can forge headers, and if you don't then how do you handle the headers on a message being relayed through the sender's ISP's mail server? You don't know what the sender's username is unless you trust the sending server, and if you trust the sending server then I can set my software up to impersonate a trustable server and get forged headers through. Encrypted and authenticated connections won't help, not without aforementioned authoritative list of legal mail servers which we don't have. And how do you handle legal forgery, eg. my using a "silverglass.org" e-mail address on messages originating from a non-silverglass.org system (my mail isn't handled by the same entity that handles my Internet connection and I plan on keeping it that way)?

SSH, scp and SFTP replaced Telnet, rcp and FTP because people could state what they wanted that the older protocols couldn't do and how those things could be done. Before you can replace SMTP you need to outline exactly what you want the new protocol to do and how it can do it, and resolve any conflicts between what it allows and what people need to do.

Re:email as we know it is the problem

[GigsVT]

as long as you require people to go through an ISP's mail servers

Why the hell would you consider this an ideal solution? If I want to connect to a computer on port 25, I better damn well be able to, otherwise you are no longer really an ISP, you are more of a "web provider".

Re:email as we know it is the problem

[Chester K]

Email needs a massive overhaul like the one telnet has gotten. Telnet is obsolete, replaced by SSH. FTP is replaced by SFTP and SCP.

Is the IETF working on a solution for this?

When will they learn?

[citking]

The major problem with spam these days is that "joe user" supports its use.

I know many people who know little to nothing about computers or the internet. They have not yet been jaded by the flashing banners and e-mail spam messages that promise free programs, trips, prizes etc. So they click away, and before you know it they are getting flooded with hordes of unsolicited e-mail. My aunt recently got a warning from her ISP for exceeding her allotted mail box space 17 times last month. I had to write them a nasty e-mail critisizing the lack of filters (even though it was my aunt's fault for posting to a bunch of newsgroups).

I guess the point is this: As long as people who don't know any better keep clicking on banner ads and checking out spam e-mail, the advertising companies are going to keep flooding people with messages. Their point of view is this: As long as we are getting some kind of return on our investment, we might as well continue to exploit this service. People just need to be educated on techniques designed to avoid supporting spammers, whether purposely or inadvertantly.

Re:When will they learn?

[ConceptJunkie]

I had to write them a nasty e-mail critisizing the lack of filters (even though it was my aunt's fault for posting to a bunch of newsgroups).

It's not your fault when someone abuses you or takes advantage of you. Certainly, there are steps to take to help prevent this abuse, but let's leave the fault where it belongs: the spammer.

Re:When will they learn?

[Micah]

I agree about educating users. So many people get on the Net today and don't have a clue about proper e-mail etiquette (spam, forwards, etc).

Here's a possible solution:

Start an "email education" project. Write a good message explaining the proper use of e-mail. Don't forward crap to everyone you know, never under any circumstances click on a site advertised in an unsolicited email, etc.

Then encourage people to forward that message to every new Net user they know. :)

And have a Web site set up to send that mail automatically. Have a textarea where you can put in as many addys as you want, and the system would automatically send it to all of them.

Not a crime (yet)

[mlknowle]

There is, of course, a difference between osmehting that is a crime, and something that is obnoxious, and intereferes with the operation of a company. Right now, spam isn't, for the most part, illegal - but it is a huge headache for ISPs (and everyone else.) It isn't that the police arn't prosecuting offenders; rather,thef havn't yet been given the legislative tools to do so. This is like the owner of a stoor complaining about people with muddy feet trampsing trhough his stoor; the police can't do anything (unless the isolate a single person, and charge them with trespass - see the Intel email case!).

Are spammers stealing from ISPs? In a way, yes; they are using the ISP's resources to earn money for themselves, wihtout the conset of, and certinly without compensating, the ISPs. It doesn't fit the current statutatory definitions of theft of service enough to prosecute, however, so methings this ISPer is mis-direcing his efforts - instead of trying to goad the cops into action, he should be seeking legislative (or better yet, technological) remedy.

Anti Spam Legislation

[Sayten241]

Those of you who see this and start yelling "lets outlaw SPAM it's bad!" might want to sit back and think for it. Sure, an anti-SPAM law would be great, however, it could open the floodgates to other laws relating to the internet that would not be so great. Once the law makers get into our realm, they're not gonna leave until they've changed the internet completely.

Re:Anti Spam Legislation

[mesocyclone]

Sigh... the old slippery slope argument rears its slipper head again...

Laws already exist, all over the place, regarding the internet and things you do with this. There will be more as the internet gets more important to the economies of the world.

The creation of an anti-spam law does not "open the floodgates" - the slippery slope argument simply holds no water. The world, including the world of laws, does not work on absolutes. Everything ultimately ends up a compromise, because in human behavior there are few clear boundaries. Thus the government becomes inserted in almost all kinds of behavior at the extremes, and lots of other behavior at the norm.

Re:Anti Spam Legislation

[10Ghz]

I don't want to outlaw spam. I would be perfectly happy if they:

A) Did not forge their email addresses
B) Did not use those "click here to remove yourself from our mailinglist"-thingies that in reality just validate that the address is a real and working add (and because of that, you get even more spam)
C) did not use resources of others (MY bandwith that I'm paying for, the servers of the ISP) without asking for their permission and/or paying suitable compensation for their use
D) Did not use spam advertising "hot & horny sluts" to adds where the reader might be just a kid
E) if they placed an "ADV:" tag in front on front of the subject-line

If they do those, I'll promise to shut up. But as long as they don't, I'll keep on whining.

1000 per day

[Anonymous Coward]

We are a small company (2 people) who run some high profile (non-spam, non-porn) sites. Without the DNS BLs, spam traps etc, we would get over 1000 per day (close to 2000 on some days). One email that has not been used since 1995 still gets spam sent to it...it is a primary spam trap.

What is a solution? Various ones, but legal ones will not work for any length of time, it is like a hydra, cut off one head and more grow back.

What I would like to see (and what we proposed years ago, when micro-payments were in their infancy) was something that allowed you to specify users who you were willing to accept mail from. Everyone else had to pay you something (you could specify it), say, $0.01 or $0.10. Anyone willing to pay that could send you the mail, otherwise they are out of luck.

Personally I would love to get junk mail then - at 1000-2000 per day, that is a nice bit of money per year!

get a filter!

[RyLaN]

I went and got POPfile [sourceforge.net] and now, two weeks after I saw the link to it in a article, my spam filtering has a 99.7 sucess rate. It filters everything by adding a X-Text-Classification header and then my mailer does the rest.. Easy easy easy..just give it a bigger corpus and block those type of emails on the smtp server.

Re:get a filter!

[Dimensio]

Filters do not prevent the spam from hitting your ISP and costing them money, unless your ISP starts to deny access at the router table.

That actually isn't a bad idea, though. Get the SPEWS list and use it as a massive DENY table. Spammers will still ping your ISP's systems, but they won't get any further than that.

From the trenches

[cluge]

NUMBER ONE REASON SPAM CONTINUES - Little or no consequences for the SPAMMER. No way to make your AUP stick easily. Until you start taking the consequences for thievery out of the cyber world and start applying them in the real world, SPAM will continue.

If your an ISP (or related industry) your credit card vendor/bank automatically places you in a category called "high risk". This means that if a customer refutes a charge then you the money is taken AWAY from you and you are charged an additional charge called a charge back. Congratulations, you have a iron clad AUP, but if you don't have a signature (and most ISP's take signups over the phone) then your screwed should the SPAMMER SPAM. It's such a nice feeling to know your getting nailed twice by the spammer,

a. They use your system for something illegal, taking up resources in addition to the time it takes to hunt them down and turn them off.
b. They then charge their credit card back for the account and the AUP violation charge (SPAM Cleanup fee).

I have worked for ISP's for almost 10 years now (Yes THAT long). In that time I have watched and fought against the huge rise in SPAM. Currently I help administer mail servers for several domains that are high profile SPAM targets. So that you can get an idea of how bad spam is let me give you some statistics from the trenches.

1. One popular domains recieves about 120,000 messages/day for accounts that don't exist. There are actually only 35 mail accounts on that box. The target is very popular because of the domain name. That doesn't count the faked bounces which often constitute a few thousand messages/day

2. With one domain that services about 10,000 users, the implementation of a "mailgate" (BSD box with postfix and RBL and other anti-spam measures) reduced the amount of spam by 2/3s. Statistically that meant that 89% of all attempted connections to that box were refused.

3. The equipment used to deliver mail as little as 8 years ago can not be used now for reliable mail delivery. It would not survive the load. A SPARC 2 running sendmail could easily handle mail for thousands of users 8 years ago. With the advent of spam and the shere VOLUME of mail transactions such a solution today would be problematic at best. Moore new law may say something like "Every 3 years the amount of computing power required to run an e-mail server will triple"

The number one cause of complaints for ISP's is e-mail problems. If e-mail fails customers go nuts (as the rightly should). This means ISP's must invest serious money, time and effort into an e-mail solution. Stopping SPAM or preventing it from overwheling your e-mail servers is no easy task. It takes time, energy, intelligence and precious resources away from other things.

Spammers do such nice things as fake bounce messages, hijack school computers in the far east, use several dial up connectiosn concurrently and start running spam until the get shut down. The use faked return addresses from a legitimate domain, overloading those domain's mail servers as thousands of bounces go to it. The take over poorly maintainted machines with highbandwidth and open up hundreds of simultanteous connections to mailserver essentially preventing legitimate traffic from hitting those servers until the spam run is done.

BUT I HAVE A SOLUTION!! Using spammers logic here is my solution. I have automatically signed up every e-mail sender to a new contract. This contract says that if you send me an e-mail that I don't like I can break your kneecaps. If you don't like this arangement you can "opt-out". Just send your opt out message to dev-null@aol.com and I'll be sure to add you to the list of people that don't want their knee caps broken!

SPAMMING is nothing more than common thievery, it is a theft of services, it is theft of time, it is theft of resources and finally most spam runs should be considered a denial of service attack. In fact for small ISP's they often are. Until you bring consequences out of the cyber world into the real world there will never be a solution. Knee cap breaking is a fine real world consequence.

cluge

Re:From the trenches

[gorbachev]

A simple solution for ISPs is not to sell services to spammers in the first place.

The high volume spammers are almost all known at this time, and they have a history of terminations and other problems that you can check prior to opening their accounts. Just do some screening before you take a client. news.admin.net-abuse.sightings, ROKSO, ask the client questions ("Have you lost accounts before for TOS violations?" "If so, why?" Have a clause in your TOS that will allow you to terminate them immediately, if they lie.), etc.

The smaller fish who don't have a history, will not cause you that much trouble anyway, so you'll be fine.

Proletariat of the world, unite to kill spammers

No the solution is simple

[anthony_dipierro]

Require a cleared deposit or a credit check. If they don't have good credit, don't let them have an account. When they chargeback, sue 'em. Call the FBI, too, cause they are engaging in criminal wire fraud.

Money talks

[jesterzog]

Out of interest, how much could prices be cut if you weren't funding continuaal spam bombardment?

Time to ditch SMTP

[LostCluster]

SMTP has a fundimental flaw that spammers have been able to exploit for years. It is far too easy to place false header information, making it impossible to identify the true source of spam. The best way to isolate spammers is to require that the sender must continue to store the message and only send a smaller crypto checksum of the message with an the information about where the full message is available at the sender-provided server. Yeah, spammers could still send out there trash this way... but this system does not allow them to lie about their IP address, because the IP address the sender specifies has to be where the full message lives. Once a server is being identified as spewing spam, the server would be quickly nuked by either ISPs pulling the plug or blacklisting. The remaining users would have a key that leads to a non-existant message, which client software can drop without ever needing to present the failure to the user. Effectively, spam is killed after its been sent, and the user never is bothered.

Not so easy

[Subcarrier]

The best way to isolate spammers is to require that the sender must continue to store the message...

This doesn't work too well with mobile or off-line mail clients, or mail forwarders. The receiver could not retrieve the message if the sender has gone off-line. Also, each mail forwarder would have to store potentially unlimited amounts of per message forwarding state.

Re:Time to ditch SMTP

[thebigmacd]

How about "reverse PGP authentication"? Where everyone can decrypt the payload with a public key, but only the real sender can encrypt it? The roles of the private/public keys would be reversed. Of course, inside the "encrypted" public message, conventional PGP could be used for security. The public authentication key would be bundled with the message so any server could validate it. As well, inside the authenticated message, before the payload, a special header would contain the public key as well, so servers could validate the sender more quickly by encypting only part of the message, matching the external pubkey to the internal pubkey; if they match, voila! Got that? :) Just a thought.

Re:Time to ditch SMTP

[bad-badtz-maru]

What are you talking about? I have never seen a piece of spam that contained headers from which it was impossible to determine the spam's origin. Spammers do put in fake headers, but only to fool morons, the real headers are always right in there too. The real problem is that, for the most part, knowing the IP origin of the spammer accomplishes nothing.

maru

Spam filtering

[Huogo]

I was searching around earlier, and to solve my own spam problem I downloaded POPFile [sourceforge.net]. It is a cross platform email proxy (runs locally). You still use whatever email client you want, with just a few minor changes to your configuration (pop server is now 127.0.0.1 and username is now mail.server:username). It employs a bayesian filtering method. It is very easy to use and has been working GREAT for me so far. It can add a classification to the subject (IE an email labed hello, would become [spam] hello) or it can add a X-Text-Classification header which your mail client can search for, so you can decide exactly what you want to do with different kinds of email. I havn't found a better solution yet.

Here's another one

[Subcarrier]

Bogofilter [sourceforge.net] is pretty good, too.

"The Sky is Falling"

[g4dget]

Yes, spam is annoying. Yes, end-users have a right to complain about it.

But ISPs have little to complain about. All the spam people receive amounts only to a small fraction of their normal Internet bandwidth usage: per day, you almost certainly generate more bandwidth, TCP connections, and server transactions in pop-up ads than in spam. If an ISP's E-mail servers cannot handle that workload for their users, they are doing something wrong. And if they want to off-load the responsibility of running the server, broadband providers should just drop their restrictions on their customers running servers so that everybody can run their own mail drop.

Crocodile Tears

[maggard]

This is the same Barry Shein who used to deny his ISP was blocking emails and continued to deny such until incontrovertably proven so by his customers, then he got all pissy about it. Now he proclaims it as a service and takes credit, pardon me while I boggle at his self-serving duplicity; he's hardly a champion for customer service.

Mention his name on news://ne.internet.services [ne.internet.services] to hear his history...

Filtering still costs... and other thoughts.

[blowdart]

have it pretty bad since their SMTP servers are often being hijaaked to send email that nobody wants.

If an ISP is running an open relay, then they deserve to get highjacked. There's no excuse for that these days.

However, filtering at the SMTP level, whilst useful, still isn't a complete solution. Why not? Well

• Even if you drop the connection after the HELO/EHLO, your bandwidth is still being used. A lot of spamware doesn't even cope with dropped connections, or user not found messages, and will still sit there, attempting to send, using your bandwidth.
• No filtering is perfect. Either it doesn't catch enough, or it deletes too much. Simply tagging mail, and not deleting means your disk space is still being used to store the spam until your users decide what to do with it.
• DNS based RBLs are wonderful. I use them (stats are at oberon.idunno.org/spam/ [idunno.org], but how much do you trust the black list providers? Then, of course, you have people suing the black list providers, who then bow out because it's easier than mounting a defence.
• "Free speech". Yes, we know free speech doesn't apply to spam, or to those of us outside the US, but the idiotic mindset of a spammer doesn't seem to realise that my private property negates their right to talk to me. And thus more legal threats begin.

So, what to do? Small ISPs will have problems. Spammers sign up with credit cards, do a spam run, and flee. So, you have the credit card number, FINE THEM. Put that in your contract.

What can be done about the big boys hosting spammers, Verio, Exodus et al? Block them at the routers.

The worst is yet to come

[fleener]

When I receive an unsolicited call on my cell phone, I get charged.

In the not so distant future ISPs will charge us for spam we receive. X cents per 100 e-mails, or somesuch.

Charging you is far, far easier and cheaper than tracking down and pursuing a hundred spammers in court.

After all, the ISP will say, it's your fault for not guarding your address from spammers. You jumped into shark infested waters and got bit. You are to blame. Oh, we'd be happy to set you up with a new address to fix your problem. There's only a $15 processing fee. Thankyouverymuch.

It's a solution politicians will love too because it allows "legit" corporations to continue spamming without regulation.

thank you cards!

[simpl3x]

i think everybody should send thank you cards and gifts to spammers. we KNOW of one, don't we? i think this person might need some sets of weights delivered to his house, perhaps several tons of weights. they are cheap. You know gifts! be healthy spammer, and thanks for all of the special offers!

Live with it...

[anthony_dipierro]

You're free to accept whatever connections you want to receive. If you don't like how other ISPs handle spammers, don't accept email from them.

We need to take the George Bush approach to spammers. "We will make no distinction between the spammers who send us the spam and the ISPs which harbor them."

That's right, when your ISP gets a bunch of spam from another ISP, contact that ISP and demand either remuneration or cooperation in identifying the spammer, suing for damages, and getting a permanent injunction. If the ISP balks, blacklist 'em.

Problem must not be that bad.

[Rai]

I'm sure there are plenty of afforadable hitmen/hired goons on the market so if the spammers were as much of a problem as the ISPs say, it could easily be fixed.

Minor mods to SMTP needed...

[mackman]

As I understand it, many spammers make their killing by sending a single email to hundreds or thousands of recipients. They just need to find a single SMTP server they can use as a relay and the bandwidth burden of redistributing all those copies falls in someone else's lap.

What about the simple solution of disallowing multiple recipients in a single SMTP message? If someone legitimately needs to send to multiple email addresses, require a seperate SMTP connection and seperate copy sent for each.

I'm confident the increased overhead from people sending legitimate email to multiple recipients will be greatly outweighed by the overall reduction in email traffic from spammers.

Those of us who run mailing lists and the like could simply configure our SMTP servers to allow multiple recipients and then our server would be required to make seperate connections for each recipient.

Re:Minor mods to SMTP needed...

[Micah]

huh? The big spammers (and even not so big ones) run their own SMTP servers anyway. They have special software that does the mailing. I don't think there would be any way for the Net at large to know that they're not making separate connections for each message.

Maybe requiring that the recipient's real e-mail address be in the "To:" header? But it seems that the benefit of that would be small compared to the hassles.

I can vouch for that..

[xchino]

I work for a relatively small, local ISP, and Spam costs us big time. You know those 210 spam emails you got that totalled to 5Megs? Well our email server is holding those for 2000 email boxes. We have constant 24/7 spam traffic on our SMTP servers. We have tried subscribing to RBL's, but as an ISP it is difficult to do that. There are several big names in the email game that are blacklisted, and inevitably you have a customer bitching that they can't get their email from user@OpenRelayX. The best you can hope for is heuristics testing to flag spam so that our users have usable mailboxes, but that, of course, doesn't help with out bandwidth HDD space theft issue.

The solution to spam

[tuxlove]

I put the finishing touches on my antispam program this week. I went from getting 150-200 spams a day to ZERO over night. It's very simple. If an email sent to me isn't from a known address, it puts the mail into a staging area and sends a confirmation request to the originator of the message. If they reply, their original email gets put in my mailbox. If they don't, their message is deleted from the staging area after a few days.

It's transparent to me. I never see anything in my mailbox except email from known people, and unknown people who actually exist and reply to the confirmation request. So far, none of the responders have been spammers, and if they had I'd then know how to find them! Works flawlessly, so for me spam is a thing of the past. Go ahead spammers, do your worst.

It's impossible to describe the feeling of liberation.

All it takes is one jailing a week

[Animats]

If one spammer went to jail every week, the problem would be gone in a year.

Now that the Direct Marketing Association is no longer opposed to anti-spam legislation, it's time to push for tougher penalties and broader coverage. It should be possible to go after the beneficiary of spam, as well as the sender. (Legally, that can work; it's routinely applied to bill posters. It's reasonable to make it a rebuttable presumption that whomever collects money from the spam is an involved party.)

go after the spammers

[Anonymous Coward]

We should go after the people and companies that spam.

1) Set up an organization of volunteers (mostly techies from big ISPs) to serve on a technical group that evaluates spam reports and hunts down the companies and individuals behind the spam.

2) Publicize spammers identities extensively.

3) Encourage all businesses not to do ANY business with these people. Make it difficult for spammers to get a mortgage, telephone line, internet connection, new car, cable TV, lawn service, private school for their children, whatever.

4) Picket their places of business and their homes. Tell their neighbors what they do for a living.

Yeah, it's harsh. But it might work.

The Bush Administration Guide to SPAM

[rmckeethen]

As much as I detest government regulation interfering with rich business leaders trying to eek out big profits, I think it's time that the Bush administration take notice and do something about the SPAM problem. I'm suggesting you make it a Federal felony Mr. President, because the state-by-state approach just isn't working. SPAMer's are stealing the rightful profits out of the pockets of ISP owner's, just the same way that the eco-freaks are stealing new business opportunities from the oil industry. But it's much worse then that.

You see, Internet bandwidth is a lot like oil. Everyone needs to use some, but there's a big group of rustlers out there right now that don't pay their fair share for it. They steal it, right out from under the Internet oilman's nose, because there are no stiff penalties to prevent it. These rustlers, let's call them terrorists because that's what they really are, tap Internet wells from across state lines, and if the state takes an interest, they just move their pumps to another state that hasn't run into the problem yet. Some of these pirates are stealing up to 40 percent of the Internet oilman's production. How can the poor Internet oilman operate under those kinds of circumstances?

Mr. President, it's simple really. SPAMers are terrorists, out to steal business profits by selling the modern equivalent of oil without paying the oilman for it. How can the administration not do something about this?

Some of these Internet oilmen are in Texas, a state I know you love and cherish. While I'm sure your advisors keep telling you that it's the hippies in the liberal-land of California that are behind this Internet thing, they're wrong. Those left-wing Silicon Valley jerks only build the equipment that the Internet oilmen use, like making the pumps and the hoses, they don't actually run the Internet oil business. Texans could run the Internet wells, if only your administration gives them a chance and does something about these profit-terrorists we call SPAMers.

Hell, if you're willing to suspend civil liberties for guys like Jose Padilla, why not just forget the legal process and let the tribunals deal with these losers? They are enemy combatants Mr. President, traitors in the war on profitability, and I'm sure you can find a nice deep hole for them somewhere. I've got addresses and phone numbers Mr. Bush, and I'm ready to help the fight on terrorism!

Re:

[account_deleted]

Comment removed based on user account deletion

Start hitting the open relays

[coyote-san]

I've contacted a number of sites running open relays that were used to joe-job one of my domains. A few were legitimately careful but got caught by Exchanges's configuration files or had non-servers hijacked (e.g., one had a Cisco router hijacked!), but most didn't know or care that their mail server was an open relay.

Because of this and the infeasibility of the per-message solutions, I think it's time to start hitting open relays with statutory penalties. Something on the order of $100-200 first offense, $200-500 second, $500-1000 on third and subsequent offsenses, collectable through the victim's local small claims court. To minimize baseless complaints (and allow companies to ensure that they're not running an open relay) the courts could require confirmation that a site is running an open relay via an approved testing service, basically what a lot of the blacklist sites already do with test messages.

It should go without saying that any fines and court costs could be passed on to the upstream site that sent the spam. Maybe they were hacked - it really doesn't matter. Either you were authorized to send mail through that relay or you weren't. In the first case your contract specifies the damages (if any), in the latter case it's already a criminal trespass case.

Shutting down the open relays won't eliminate spammers, of course, but it should reduce the damage caused to innocent third parties and the true spammers will be universally blacklisted.

$200/user-year?

[theonetruekeebler]

From the article:

Enterprises spend about $20 per user per year fighting spam; that's about 10 percent of the overall e-mail budget for running Microsoft Exchange

It costs $200 per user per year to run e-mail with Exchange? Just how the hell much does it cost otherwise? Regardless, it is nice to see a dollar value placed on the cost of controlling spam. If fighting spam becomes a billion-dollar cost in the U.S., will there finally be some legislation with some teeth?

false positives acceptable?

[nothings]

I used to have an account on Shein's ISP--I'm sure there are still pointers to buzzard@world.std.com on my own pages--but their attitude towards false positives was simply unacceptable to me and a lot of other people I heard who left "The World". Erring on the side of getting more spam and no false positives was clearly preferred by me and by other vocal customers, especially those who ran businesses from their World accounts.

But Barry's stance was that since the vast majority of cusomters just wanted all the spam gone, the right thing to do was to accept a certain level of false positives. Unannounced--no warning that you would have legitimate mail returned to your friends with the unhelpful '200 UCE not accepted' or even '200 No thank you' replies (I don't remember the actual number, sorry)--with no "opt-out-of-the-spam-blocking" option for other customers.

One theory I have for The World's problms is that spam-blocking doesn't scale with customers, so The World is hit by it worse than larger ISPs. It seems like the support costs of dealing with customer complaints would scale with customers, though. But, for example, there apparently is (was) a pattern of spammers taking a list of plausible user names and emailing every name on the list @ the target host. Since that list of names is the same length whether it's theworld.com or aol.com, but the number of customers is different, the cost-per-customer for dealing with that (bandwidth / etc.) is higher for the smaller ISP. But nobody at The World was willing to comment on this sort of customer scalability issue (although they mentioned that particular spam scenario because they had a fairly aggressive response to it to avoid bandwidth--they stopped accepting connections from that IP for an hour or two if it was detected, which meant legit mail from that IP was often delayed and sometimes bounced if it kept getting reblocked).

Anyway, the upshot is, I have very little sympathy for somebody who thinks it's a good idea to let legitimate email get blocked as spam because it reduces customer support costs. It's just moving the problems somewhere else where the customers don't know about them.

blame the lame protocal.

[JDizzy]

SMTP is lame, it has no built-in ways to white-list, or black-list people or things. All that stuff is left to some imaginary higher level layer in the eyes of SMTP. Thats great in theory, but then what is to stop the use of bandwidth in the first place? To make things worse is the fact that most open relays are because of inexperienced administrators. Lets face it, bad people will always look for a way to get in your face be it email, chat, junk-mail, tv commercials, whatever.

The ultimate solution is not going to be passing anti-spam laws to send spammers to jail. No, what we need is strong protocals that support the notion of privacy. Fundamentally SMTP will never be secure by itself. You add in stuff like pgp to make email secure for ytour eyes only, but SMTP itself is very insecure, it sends the email on the public network. Places your emails passed by forwared it to another place that eventually gets it to your email server. Don't blam the spammers, blame the IETF for certifing a bad protocal.

_I_ care about false positives...

[dpbsmith]

The World happens to be my ISP and I sympathize with Barry Shein and respect his views.

But I darn well DO care about false positives.

A few months ago "sent" me pictures from Shutterfly, an online photo-printing service that I rather like. Of course when you "send" pictures, what actually happens is that Shutterfly sends an automated email with a link in it; you click on the link, see the pictures in low-res and get to order prints. If you get the email, that is. The World was bouncing them, because something about them made it think they were spam.

A few weeks ago, I was trying to register online for a conference I want to attend. When you register, the site sends you an automated confirmation email. Again, The World was bouncing them.

I can deal with spam by deleting it. But how can I deal with email that's been improperly bounced? Unless the person who sends it happens to mention it to you, you never find out.

When I contacted The World, their response was that they couldn't do anything UNLESS I COULD SEND THEM THE BOUNCED MESSAGE, INCLUDING HEADERS.

Sounds like an Irish bull, doesn't it? "If you fail to get this, please send it to me so I can find out why it didn't get there..."

Re:I'm not that bad off

[silentbozo]

It only takes one slip. And it doesn't even need to be you who posts your e-mail. Maybe a helpful customer recommends you to someone else in an online forum. Maybe a mailing list archive, or an e-mail excerpt gets posted to the web. Maybe your relative/friend/significant other is running MS Outlook, got hit by an e-mail worm, and started spewing worm infested e-mails with e-mail of everyone in their address book, including your e-mail.

Once a spammer gets a hold of it, they'll use it. They'll sell it. They'll extract the first portion (ie, the foo from foo@bar.com), and start pattern matching it against a library of domains in case you have multiple accounts (foo@aol.com, foo@yahho.com, foo@hotmail.com, foo@yourdomain.com, foo@foo.com, etc.). Hell, if your address is short enough, they don't even need to get your e-mail. They'll just generate it randomly, so they can claim it as on of their "13-million address CD", and woe to you if they actually score a hit.

Of course, the people who really get screwed are people who use e-mail for business, for example customer support, info, etc. So the next time you get really shitty e-mail service from your bank, ISP, etc., think about how much crap they had to wade through in order to get your message, and how much you have to pay in order to cover that overhead. The spammer isn't paying, that's for sure...

Mailing lists

[pclminion]

I subscribe to several mailing lists at work, for work-related reasons. There's no easy way to disguise my address. Any spam bot can come along and either subscribe to the list as a lurker or just download the list archives.

One of the irritating things is the spam that comes to one of our internal mail aliases. I.e., the one that goes to all the developers. No one has ever sent a mail to the outside world using that address -- some spam software just guessed it. I've been bitching to have them close that address so only internal people can send to it...

Re:I'm not that bad off

[mgkimsal2]

So the next time you get really shitty e-mail service from your bank, ISP, etc., think about how much crap they had to wade through in order to get your message, and how much you have to pay in order to cover that overhead. The spammer isn't paying, that's for sure...

It doesn't take THAT long to 'wade' through emails - most are obviously fake. Add decent 'obvious' spam filters and you've eliminated a decent percentage.

I spoke with customer service at a large national organization - they'd taken 'webmaster@' off their site. I'd tried to send a generic complaint to them about a subsidiary company they owned, and it bounced back. So I got on the phone to register my complaint and then ask about why they'd taken 'webmaster@' off the mail server.

"We got WAY too much junk mail," the woman told me. "Sometimes we'd have 70 or 80 emails that were just junk!" She sounded exasperated. This is a national multimillion dollar organization with hundreds of employees which can't/won't effectively LIVE with 80 spams per day to a standard web address which most people know to contact without having to have to visit a website. I told her that I, in a small business, have to deal with between 300 and 500 junk emails per day, in addition to 'regular' emails from clients/customers/other, and that if they couldn't use the money I was paying them effectively WRT to technology, I was cancelling my account, which I did. The company had 'service' in its name, by the way. :/

Amen.

[raygundan]

I've had this happen several times, but never worse than this particular case. I use my work address just for work, which is mostly contacting other people at the same company and an occasional client, but once in awhile, you get bitten anyway.

I wrote a small Dreamweaver library function (javascript) as a favor for a friend in the graphics department who needed one that worked with the new-at-the-time NS6. I told him to deploy it to all the HTML folks, so that we wouldn't bump into the issue anymore-- and (here's the kicker) put my email into the comments so that if there were issues, they could find the author.

Whoops. I figured they'd clip the comments out to save page space, but I was wrong (my fault!). So my email address shows up in the HTML source of every page of a major patent-search website.

Which ends up in the browser cache of millions of people every week.

Which gets parsed by an email worm that can read IE browser caches.

Which then emails me.

When I finally had the admins shut that account out of desperation, I was getting thousands of emails a day, sometimes as frequently as one per second.

One slip, and you're gone. Of course, it's usually not so spectacular-- more along the lines of "your mom got an email virus and it raided her address book" or "your address got guessed at random and now they know it's live".

Side note-- the particular virus I was getting emails from attached files it found on the infected people's machines. I received pictures of families, .doc files entitled stuff like "Quarterly Sales Projections", a very long and tough-to-read paper on some chemistry research I didn't quite follow, and so forth. Seeing what I got was almost fun.

Re:I'm not that bad off

[KjetilK]

Because I don't want to hide away, and I don't want spammers to dictate what I can do. I want to communicate with people all over the world, if there's something they're curious about, something I wrote on my web pages, then I'd like them to contact me. That is how the world gets smaller and a better place to live.

Spammers are about to destroy all this. Because they're posting to mailing lists that are there with the same philosophy, the effort it takes to keep those mailing lists up and running is huge. They are destroying the very fora we use to communicate, they are, as I see it, the greatest threat to the free flow of opinions we are seeing today.

Re:I'm not that bad off

[SuperDuG]

Well you said it yourself, you're not on mailinglists and you don't post your email everywhere you can. I've personally had the same email address for 6 years and I get roughly 300 - 400 messages of spam a day.

I'm on a new trip though, every spam I get I bounce it back to the address that sent it to me, and then deny it from my mail server, then I actually click the "Click here to unsubscribe" links, then I forward a copy to uncle sam. Hopefully I'll start to reduce my spam, but it's gotten so bad now that I really have missed important emails on numerous occassions because someone feels I need to lose 100 pounds, make my breats/penis bigger, and I just have to have a mini-rc racer. Now not all the email I get is spam, I do quite a bit of online shopping and I get emails from half and thinkgeek for example on new deals that I might be interested in, these emails I asked for, but do become somewhat annoying with the rest.

I would really like to be able to have a "return to sender" stamp for email, where it costs the sender time/money/whatever to email me a message that I do not want. I also am fed up with "opt-in" spams, these bundles of joy send you an email saying you've been opted into a service and you have to take the time to opt out to stop the emails, what kind of crap is that? The other ones that bug me are sites that are so shady that they don't even have a reverseable IP address, no abuse@ip_adress.

My last question is this, would it be so wrong then to DoS attack these mail servers that the messages come from, I mean they are taking the time to bug the hell out of me and uncle sam doesn't really want to help me out none.

I remember how I stopped getting everyone forwarding me crap messages, just reply to all and say this is stupid stop sending me this crap, and eventually everyone caught on that I was an insensitive jerk and stopped.

Re:I'm not that bad off - I am

[chimpo13]

30-50? That's pretty good. Between work and home, I get around 175 spams a day. It's nice taking a vacation, and checking my email for the first time in a week. There's about 800 messages at home, plus another hundred at work.

And I have a hotmail account that's used for when I buy stuff from businesses I expect spam from. Places that don't use the double opt-in and sell my name to others. I often change my name to see the spam spread. But I don't really count that email as spam because that's what it's for.

My yahoo accounts don't get much spam, and that's what I use when I sign up for mailing lists.

I've never signed up for anything under my domain name, that's bots scanning sites. I use servercentral as my webhost, and I get around 50 spams a day that are addressed to servercentral-user@spam.com

And lately, I've been getting bounce backs from servers from spam that's sent under my domain name. It's having a domain name that gets me so much spam.

I've been using MailWasher (bounces email saying I don't exist), but that's going to change I think. After a vacation, MailWasher doesn't work because there's so much spam. And besides, who sends spam without faking the From address? It's effective about 95% of the time - about 5% false-positives.

Ah, that was good. I hit preview, and got a call from a telemarketer.

Re:I'm not that bad off - I am

[Blkdeath]

30-50? That's pretty good. Between work and home, I get around 175 spams a day. It's nice taking a vacation, and checking my email for the first time in a week. There's about 800 messages at home, plus another hundred at work.

Ouch. Rather than quoting, I'll try to address each of your points individually;

Purchasing things via the Internet / web page form submissions; That's why I have a generic @yahoo.com e-mail account. Periodically I log in, select probably 9 of 10 messages, delete them, browse the other few messages then delete them too. When I'm expecting something I'll log in, read it, then select the whole mailbox for deletion. Problem solved.

Mailing lists; I have an account that I use solely for mailing lists. Anything that doesn't fit into one of my (very stringent) procmail recipes destined for that address is bit-bucketed. If I didn't sign up for it, I don't want it.

I don't give out any of my personal e-mail addresses in electronic form, except to individuals whom I trust (which generally precludes people who run Outlook* e-mail clients).

Running my own domain; I don't get e-mail as a result of running a domain, for a number of reasons. I host my own websites, and everything involving my domain on my own computer. I don't publish any @snerk.org e-mail addresses; instead opting to use a small, little-known CGI e-mail contact form (that has a clearly visible "[FROM EMAIL CGI]" string in the subject line. Hell-o procmail! ;)

As a result, I haven't yet had any need for a SPAM catching utility.

As to your addendum about telemarketers; as many people said in the previous telemarketting thread (I forget which story); requesting to be removed from their call lists has worked absolute wonders for me. I'm to the point where I don't recall the last telemarketer phone call I've had. Kind of upsetting, too, since I've always enjoyed playing with them. Asking carpet cleaning companies if they can get human blood out.. No, no; it's fresh... Beaming with excitement and thanking chimney cleaning companies because, hey, if they're going to install a fireplace for me (you know, so they can then clean my chimney) ...

Re:yahoo spam filter

[mgkimsal2]

You're still GETTING it, just not in your standard 'INBOX' folder. The mail is still being sent, CPU and bandwidth are still being used, but it's being moved to a 'BULK MAIL' folder. Big deal - still eating up loads of disk space.

Re:yahoo spam filter

[saskboy]

I get almost no spam at yahoo. I use other domains for email too, and yahoo beats them all. I wonder at what price though?

And someone made the point here, only the end user doesn't notice the spam. The Spammers are still costing the ISP and hence the customers.

Legality of Attacking Spammers?

[BigBlockMopar]

You know, he does make a good point about spam being, essentially, a denial of service attack. It denies me use of a portion of my hard drive, of my server's CPU cycles for SETI@Home, etc.

Here's a question. If I put up a page like this on my website:

Welcome to the glowingplate.com automated security test.

This is a free service provided to Internet users so that they can test the invulnerability of their computer systems.

We accept no liability whatsoever for any damages caused.

In order to test your computer - and ONLY to test your computer, no human ever reads e-mail sent to this address - send an e-mail to $E-MAIL_ADDRESS. We will retrieve your e-mail address from the message headers and immediately begin the test.

And then pound 'em into the ground with a script that runs through every known vulnerability of Windows networking.

I figure that if enough of their address lists can be polluted with enough e-mail addresses which crash their systems, they'll eventually die out.

Does anyone keep any good legal counsel on retainer? Any lawyers out there care to discuss ways that such a thing can be done legally from Canada or the US?

The alternative might be to buy service from a hosting provider in some third-world country with no laws, and take care of it from there.

Re:Legality of Attacking Spammers?

[plover]

As Bruce Schneier pointed out in his most recent issue of Cryptogram in a story called Counterattack, "...vigilantism: citizens and companies taking the law into their own hands and going after their assailants. Viscerally, it's an appealing idea. But it's a horrible one, and one that society after society has eschewed." He then goes on to say that laws must be applied fairly, and that the legal system is the only place to receive justice.

I think one of the problems might be that your script could attack a semi-innocent mail relay, rather than the spammer's computer.

So while I would cheer if you really hammered their boxes into dust, I wouldn't suggest that you could get away with it. Nor do I think you'd have any legal ground to stand on. You certainly couldn't claim that you didn't realize a spammer might step into your test script, because you just published your intent to all of us.

But if you do, well, kick 'em in the URLs once for me. :-)

World's first? Like hell...

[Doug Merritt]

Founded in 1989, The World was the first dial-up Internet service provider in the world, Shein said.

BS. Propaganda. I got a Netcom account in 1988 (after being dissatisfied with portal.com, who were even earlier, but who sucked)

See Netcom in computing dictionary [tiscali.co.uk]

And it wouldn't even help to say "oldest surviving" or some such. Netcom the corporation was acquired by Earthlink, but it didn't go away...I still have my original 1988 email address!

Some people might try to quibble by saying that initially Netcom only offered shell accounts with Internet access, so it didn't count, but I say that is wrong...many of us used the commercial TIA or the freeware "dipd" to forward TCP/IP from our home systems to the dialed-up shell. But even neglecting this, we were able to ftp, telnet, ping, etc any site on the net...I say that counts!

In the early days Netcom had only one server, and the founder, Bob Reiger, was initially the only sys admin...so if the system lost internet access in the wee hours of the morning, we would call the poor guy at home, wake him up and beg him to go fix it.

His wife insisted that he hire a night watch sys admin pretty early on. ;-)

Re:World's first? Like hell...

[World_Leader]

Barry Shein here, BS yerself (great initials tho), see RFC2235 for example. Netcom existed but wasn't offering customers INTERNET access other than hauling their e-mail back and forth to the internet. Big deal, even compuserve did that back then and any number of UUCP providers. Netcom started offering real internet access around April 1990 after they saw we weren't murdered for doing it. The World started offering the general public real dial-up access to the internet in November 1989, like ftp and telnet and all that (there was no web yet.) We got a lot of grief for doing it and even got blocked from big chunks of the net for a while. I remember it well, I should publish the flames I got for letting people onto the internet for mere money. Back then we were just world.std.com (std is for Software Tool & Die, the original company) but now usually go by http://www.theworld.com though the old address works just fine.