Experts See End to Computer 'Spam' by 2006

I disagree that SMTP has weaknesses as described here. Software is a tool that can be misused as any other.

Saying SMTP has weaknesses is like saying guns have weaknesses - they tend to shoot people.

Dimandja
 
(1) On the word filter thing, I'm wondering how long it will be before I have to buy a bit of software that screens my e-mails to see if common anti-spam software is going to eliminate them? A sort-of anti-anti-spam?

(2) More and more organisations are incorporating automatic spam dumping. At its worst it means you can't rely on receiving important mails any more. If you don't want to use e-mail for unnecessary things, and can't use it for really necessary things, what's the point of it at all?

(3) My worst sources of unsolicited e-mails (by far!) are mail-servers telling me about viruses sent in my name but not by me. I mean, if the virus is known to spoof the from field, why on earth send a message back to the "sender"? You can be certain they didn't send it!

So if spamming is to be illegal, so should running a mail-server that sends these pointless messages.
 
SMTP as a means of moving a message from A to B is fine - it works well as was designed.

Look at the issue from a prosecution standpoint:
You've got this nice shiny law that says SPAM is not legal.

You get complaints about SPAM, check them out, and sure enough, they're SPAM as defined by the law.

Now you've got to locate the true source of the SPAM to begin proceedings against, or, if you can try anonymously, how are you going to assess a penalty against a non-existent perpetrator?

Some type of protocol will need to be implemented that does at least 2 things:
Verify that the originating server is real, and
Verify that that server sent the message in question.
 
"how are you going to assess a penalty against a non-existent perpetrator"

Should we also ask criminals to patent and record their MO so that we can easily apprehend them?

This type of argument has been used with guns. Some suggest that each gun should be proof fired when it is bought so that we can track down the owner via stray bullet markings.

What is overlooked in both arguments is that rightful owners seldom perpetrate that type of crime.

Limiting software capability in an effort to make it easy for lazy Internet providers to catch spammers is a lame idea.

I refuse to dumb down my tools because a traffic cop is inept. Let's train/make better cops.

Dimandja
 
How is it limiting software capability?

The gun analogy is simply not valid as you are talking about an object that supposedly has set physical characteristics. You must concede that current SMTP does not permit a 'lock down' of the characteristics of a message. Anybody can create a message appearing to come from anyone else and send that message from still a third person's computer.

As is noted - "...rightful owners seldom perpetrate that type of crimes."

Exactly - now how are you going to assess a penalty? Presently, a SPAMMER who wishes to remain hidden can do so simply by spoofing source header info and bouncing off a relay, or even better, using a spambot infection to send from thousands of machines.

If the receiving machine could verify source information, knowing that legitimate messages have correct and unaltered source info, this anonymity is greatly reduced.
 
"Now you've got to locate the true source of the SPAM to begin proceedings against"
Every Spam you get is trying to sell you something, right? Put the heat on whoever is promoting their product through Spam, and they'll tell you who they paid to send it. When it comes down to them getting fined or pointing out the ones who actually sent the Spam, they will most likely pass the buck.

Hope This Helps!

Ecobb

"Alright Brain, you don't like me, and I don't like you. But lets just do this, and I can get back to killing you with beer." - Homer Simpson
 
That might work until I get pissed at your company and decide to spam on your behalf.

"Two strings walk into a bar. The first string says to the bartender: 'Bartender, I'll have a beer. u.5n$x5t?*&4ru!2[sACC~ErJ'. The second string says: 'Pardon my friend, he isn't NULL terminated'."
 
Also, I would consider "Phishing" mail and email virii in the category of SPAM - or its more catch all name: Unsolicited Commercial Email (UCE).

In that case, there is no "seller" to put the screws to.
 
You must concede that current SMTP does not permit a 'lock down' of the characteristics of a message.

Actually no, I do not concede that. Proof: when they put their mind to it, law enforcement can and does track spammers and their ilk.

All messages on the Internet do leave footsteps. We simply need to develop better means to sniff them out.

Dimandja
 
That proof does not live in the message - that information can be altered by any person or process with access to the data streams it goes through. The only proof currently available is a SPAMMER who inadvertently leaves a crumb to himself in his message (dumb criminal) or in router logs.

I wouldn't exactly accuse someone of being lazy for not wanting to sift through router logs from a multitude of ISPs trying to match SMTP packets. The veracity of that information could also be questioned.

Until the message can verify itself or provide verification information, SPAM/UCE will persist and no law declaring it illegal will make a dent in the volume.
 
This is no different than software companies predicting the end to pirated software. There will never be a fool-proof method to block spam because the spammers are just as smart as the spam blockers. They will always figure out a way to get around the new protecting method. It is not going to happen unless the government takes charge and starts castrating the idiots who are doing it.

"If we catch you spamming, and we don't care what country your coward ass is hiding in, we will find you and we will cut your balls off."

-Albion
 
I am not a software engineer or anything, but someone needs to find a way to stop the spam, spybots, and all of those other datamining apps. I don't think you could ever collect fees on email sending or receiving because email can be sent from anywhere in the world, which makes it impractical except for the legitimate business. I think the real solutions will come from companies that can stop spoofed email from passing through firewalls, etc. Maybe when everyone has high speed connections, SMTP and POP/IMAP servers will be able to "handshake" and verify the reply-to email is valid and is the originating sender, but until then I have to go home each night and bulk delete 100 emails.
 
Test your spam filter with this phrase: "If it's dirty, wash it." Odds are that it will get kicked. Perfect example of why filtering is mostly a waste of time.

You need traceable addressing and unspoofable mail protocols.

Question: If Hormel were to start a mass e-mail campaign advertising a sale on Spam, would a black hole form and destroy the Earth?


Jeff
The future is already here - it's just not widely distributed yet...
 
I don't worry about SPAM filters. I know this is a workaround, but I just have a few email addresses that I use to sign up for places likely to give me spam or users with whom I will not have daily conversations.

I don't care if those mailboxes get flooded because I don't check them unless a site wants to verify my identity, and then I just look for that one email.

Should we have to do this? No. But it keeps me sane until life gets better.

Bryan
--------------------------------------------------
KruppCon -
 
Charging for email will not reduce spam. Fact is that companies out there want to be known. If I am looking for viagra (please please... only an example) I know exactly where to go! To my inbox!

All that will happen is these spammers will start to charge by the email, and bigger amounts of $$ for those emails. And companies will still pay it. Unless it becomes ridiculous amounts of money, in which case no-one will use email any more. It just becomes more of a schlep.

What I do to combat spam (and I get VERY little, if any), is to always use an email alias when posting on the web. That way, the moment I get spam, I just change my alias. Of course, then I have to let everyone know that I use another email address again, but it sure beats receiving 200 emails per day that I just don't want.
 
"Unless it becomes ridiculous amounts of money"
Henk1,
One of the figures that was bounced around was 1/2 cent per email. The margin of responses-to-sent emails is so small that spammers need to send in the area of 20 Million emails to get enough response to make a profit.

That's $1,000,000. The 'profit' that a spammer makes per campaign is much less than that. Remember--the spammer is *not* the company selling products. Pfizer does not send mass emailings to sell Viagra illegally, nor do the scads of knock-off companies send the emails--they all hire the direct-marketing firms, who do the campaigns. The spammers get a percent of the profit from the actual producer.

So let's do the math. A 'good' hit rate is 1/10 percent, or 20,000 responses of 20,000,000. That's just responses. The actual closed sale is always less than 100% of responses, but let's say they close all the sales.

The email overhead alone is $50 per sale (1 mil email cost divided by the 20,000 sales). So now they're going to add $50 to each bottle of fake viagra? And the $50 is a very low estimate--since the close-to-response ratio is never 100% (I've heard as low as 20%) of direct-marketing responses. People typically want to see more info about the price, shipping, etc, and many do bail and not buy once they get more info. So realistically we're looking at $100 or more overhead per sale.

The only spammers that will remain would be the big-ticket items where $100 is a small percentage of the total sales price--you'd have to be selling something where the spammer's cut is $5000 or more to be at the point where you could bury that $100+ overhead and still be competitive with stuff sold through other channels.
--jsteph

 
Why would companies scream about having to pay a fee for each mail sent?
They did it for a hundred years sending out flyers to your mailbox.

Before I put a large sticker on mine that says I don't want unsolicited junkmail I used to get about a cubic meter of advertising flyers a month.
At the moment I get maybe 10 sheets of paper a month that shouldn't have been put in my mailbox.

That's not to say I think a scheme where the sender pays his ISP a fee per message sent will work.
Spammers right now already run their own ISPs in order to avoid being thrown off the net for violating terms of service (ISPs which of course specialise in hijacking the bandwidth of competitors and hiding their traces). Therefore they'd not have to pay the fee because their ISP (which means they themselves) would just set the flag "paid for delivery" or whatever and the world would think it a valid message.
They've shown in the past that they're more than willing to forge mail headers so why not this one?

The ONLY thing that will work is spammers not making a decent income from their activities.
That will take a major education effort to prevent people actually buying the services/products offered and companies from paying spammers to deliver their advertising.
If I get spam from a legitimate company (usually small startups and mom and pop shops) who were suckered into paying someone to send spam I therefore send them a friendly note to the effect that they are doing themselves a disservice by alienating potential customers.
In several cases this has led to honest apologies.
If you know of someone who replies to spam to buy the products, tell them not to and why.

Education works!

"You need traceable addressing and unspoofable mail protocols."

In theory SMTP is traceable. That's why the full history of where it came from and how is preserved in the headers.
But those headers can be faked.
Any protocol can be spoofed. If you're a server that can read the headers you can write them. If you can write them you can fake them.
Better security (especially servers that validate headers and refuse to pass on mail with corrupt ones) might help some, but won't cure the problem.
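
The point above about forgeable trace headers, as an added example that is not part of the original post: a receiving site can rely only on the `Received` lines its own servers wrote, and everything below the first externally observed connection is a claim made by the sender. The host names, addresses, sample message and the function name `verified_origin` are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumptions for this example: the hosts that stamp mail inside our own
# perimeter, and the addresses they use when relaying to each other.
OUR_MTAS = {"mx1.example.net", "store.example.net"}
OUR_RELAY_IPS = {"198.51.100.5"}

# Constructed message. Only the first two Received lines were written by our
# servers; the lower two arrived with the message and are sender-supplied
# (one of them even claims to have been written by mx1.example.net).
SAMPLE = (
    "Received: from mx1.example.net (mx1.example.net [198.51.100.5])\n"
    "\tby store.example.net with ESMTP; Mon, 5 Jan 2004 10:00:03 +0000\n"
    "Received: from mail.bank.example (unknown [203.0.113.45])\n"
    "\tby mx1.example.net with ESMTP; Mon, 5 Jan 2004 10:00:02 +0000\n"
    "Received: from gw.bank.example (gw.bank.example [192.0.2.10])\n"
    "\tby mx1.example.net with ESMTP; Mon, 5 Jan 2004 09:59:58 +0000\n"
    "Received: from desk.bank.example ([192.0.2.77])\n"
    "\tby gw.bank.example with SMTP; Mon, 5 Jan 2004 09:59:55 +0000\n"
    "From: Bank Support <support@bank.example>\n"
    "Subject: Account notice\n\nbody\n"
)

# "from HELO (optional-rdns [ip]) ... by HOST" as most MTAs format the line.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def verified_origin(raw):
    """Return (origin, unverified): the hop our own server recorded, and how
    many lower Received lines can only be treated as claims by the sender."""
    lines = message_from_string(raw).get_all("Received", [])
    for i, value in enumerate(lines):          # newest header first
        m = HOP.search(value)
        if m is None or m.group("by").lower() not in OUR_MTAS:
            return None, len(lines) - i        # not stamped by us: stop
        if m.group("ip") not in OUR_RELAY_IPS:
            # Our server logged a connection from outside: this IP is the
            # last fact we observed ourselves. Trust nothing below it.
            origin = {"ip": m.group("ip"), "helo": m.group("helo")}
            return origin, len(lines) - i - 1
    return None, 0                             # mail never left our hosts
```
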
 
The whole "pay to play" proposal is also dependent on the spammers being the entity actually sending the mail - rather than the millions of individual computers infected with various spam mailers that contact a host, download their "work," and send it out from Grandma's, Aunt Kate's, or neighbor Joe's computer.

The current model for Spammers is the SETI-At-Home distributed work system. All they need is a way to get the distributed engine installed on home computers - which is most likely the task of current virii.
 
jwenting
The problem with a spammer being his own ISP is that that single ISP can be blacklisted, and once it is, he's done. That's why spammers now hop from ISP to ISP to avoid this.

I forgot the name of the 'blacklist' site, but any ISP that is seen to have 100% of its traffic flagged as spam by the other major ISPs receiving this will most certainly be on this list and never taken off. And even if he constantly changed the ISP's IP, domain name, etc. and all the software changes, the blacklisting would happen so quick it wouldn't be worth it.

And those mail flyers, the hit rate on those is significantly higher. The Direct Mail Association claims a 2% hit rate--that's 2000 times more effective than spam, and the bulk rate is maybe 10 cents, much lower proportionately than the 1/2 cent per email, making it cost-effective.

Although I agree on the education aspect, thousands and millions of years of human stupidity will show that there will always be a percentage of suckers, and this market, which is the market for many of the spammers, will never go away no matter how much education you try to give them.
--jsteph
 
"The simplest solution is a fee for sending..."

By whom will this fee be collected? To whom will it be paid? It's no good talking about "ISPs", because spammers don't need to operate through ISPs - they can set up their own machines (as will bigger companies, btw). But it's a WORLD WIDE web, remember. Unless you get every country in the world to impose a similar email tax it just won't work.

And a good job too! because regulating and charging for the sending of email won't bother spammers - they're criminals, they don't pay taxes - but it would really mess up small businesses and site owners. Consider my case, I run a small site as a hobby, it costs me £30 pa offset by a small amount of Amazon affiliate income. It features a mailing list that (currently) sends out about 150 comically bad poems a day (exact stats at ). At ½p each that's raised my costs to more than £300pa - with no benefit to anybody.

The way to identify and attack spammers is through their income stream. However well they hide where their message came from, they have to tell you where they want you to send your money. Target those companies and you might reduce the volume of spam a bit. Can't see it all disappearing by 2006 though.

-- Chris Hunt
 