How can we combat spam? 1

[manarth]

Given the number of threads this crops up in, I thought it deserved its own

I think it safe to say that despite some disagreement on the precise definition of spam, one common feature is that it's "unsolicited".

What is spam?
1. Unsolicited email
2. Unsolicited advertising
3. Unsolicited advertising that attempts to circumvent your blocks
(e.g. by frequently changing the sender's email addresses)
4. Something else?


What can be done to reduce spam?

There are ways a user can reduce the impact of spam - one of which is keeping your email address secret and refusing to publish it anywhere on the web or give it to anyone except your grandma (and even then your taking a risk )

The CDT gives suggestions on action a user can take to reduce the risk of ending up on a mailing list:

http://www.cdt.org/speech/spam/030319spamreport.shtml

However, I feel the onus should not be on me to take such action to prevent my email address being released. If I choose to publish my email address on a webpage, I am not giving an open invitation to any junk mailers.

Should the spammer's ISP be held accountable?
Should your ISP do more to prevent the spam reaching your mailbox?
Should there be spam legislation?

I think that legislating against ALL junk mail / mass mailings may be a bit draconian...I don't mind some of the unsolicited mail I recieve, especially if it's from a company I've dealt with before.

One potential solution would be to legislate spam - all emails to be given a spam rating of 1-10: 1 being "entirely unsolicited, no previous contact with recipient" and 10 being "personal email" with strict guidelines & penalties for misadvertising the spam rating.

Three things which should be absolutely enforced with all spam:
1. the option to opt-out of the mailing list
2. the sender should not continously change email addresses (i.e. to prevent blocking)
3. the (real world) identification of the sender

And possibly...
4. spammers forced to licence / register with an email marketing authority

Comments? <marc>[ul]help us help![li]please provide feedback on what works / doesn't[/li][li]not sure where to start? click here: faq581-3339[/li][/sup][/ul][/sup]

 

[CajunCenturion]

I agree with points 2 and 3 of the definition.

Should the spammer's ISP be held accountable? No, I don't think so. The ISP is a only gateway, the medium. If you receive &quot;bad things&quot; via snail mail, its not the fault of the Post Office, or your mailman who places the letter in your mailbox.

Should your ISP do more to prevent the spam reaching your mailbox? I open to suggestion here, but again, I view the ISP as a gateway, and whereas Value Added Services from the ISP may be a good thing, I'm not sure they should be required. So I guess the answer to the question &quot;Should&quot; would be no, but I'm open to any suggestions as to what they &quot;could&quot; do.

Should there be spam legislation? - Couple of issues here. First of all there is a jurisdictional issue with respect to enforcement of the legislation. I'm wondering how practical any legislation could be. Secondly, I'm somewhat hesistant, but open-minded, with respect to governmental legislation over internet activities. I'm concerned about how slippery that slope could become.

Perhaps something could be done within the DNS system, at the router level, where any mail coming from previously identified spam originators, by servers IP or root domain is blocked. Such a system being managed similar to Domain Name management.

Good Luck
--------------
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein

 

[manarth]

&quot;Perhaps something could be done within the DNS system, at the router level, where any mail coming from previously identified spam originators, by servers IP or root domain is blocked. Such a system being managed similar to Domain Name management.&quot;

I would be interested to hear suggestions on a technical level about how we can take action against spammers, and who would oversee such action (e.g. the IANA allocate IP addresses; maybe a new body - the IESP (Internet & Email Spam Police ) - could oversee counter-spam action).

Perhaps ISPs could impose a (voluntary) 50 email per day cap - anyone who wants to send more than that (e.g. fanzine authors, opt-in mail lists) would need to register with the ISP.

Or redesign the email protocol in some way, so you need to register with an internet organisation (IESP?) to send more than x emails per day.

If we make it harder and harder for the spammer, we'll eventually reduce the problem to a manageable level.

I think a key step would be making it difficult (preferably impossible!) to spoof your &quot;from&quot; email address...
If a spammer gave away his ID everytime he sent out spam, it would allow people to start taking action. <marc>[ul]help us help![li]please provide feedback on what works / doesn't[/li][li]not sure where to start? click here: faq581-3339[/li][/sup][/ul][/sup]

 

[TheVampire]

> I would be interested to hear suggestions on a technical level about how we can take action against spammers.

Personally, I prefer the Baseball Bat/Kneecap method.... [purple]

And there currently are ways to filter out pratically 100% of spam, but it makes it tougher for legitimate users to send you mail.

Robert

 

[MadTown]

Heres a website to checkout regarding the fight against spam

http://www.cauce.org

this is the Coalition Against Unsolicited Commercial Email

Hope you all find this as interesting as I did

 

[Zarcom]

Perhaps ISPs could impose a (voluntary) 50 email per day cap - anyone who wants to send more than that (e.g. fanzine authors, opt-in mail lists) would need to register with the ISP.

I think that this is one of the best solutions I have heard. Nice one marc That'l do donkey, that'l do
Mark
If you are unsure of forum etiquette check here faq796-2540

 

[CajunCenturion]

The 50 email per day cap per ISP has some interesting issues with it. A couple of questions

1) How many emails per day per office do you think come out of the Fortune 1000 companies?

2) For the company that has a Frac T1 or better coming directly into their server farm, just who is the ISP?
Good Luck
--------------
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein

 

[lionelhill]

Wot I find puzzling is half the people I know who hate spam nevertheless send on those things that tell you that if you don't send it to 7 friends you'll have bad luck. I mean, at least, if the original message was nice etc., at least cut out the bit about sending to 7 friends or having bad luck. I mean, do you really want to wish bad luck on 7 of your friends??

When I was younger, chain letters were regarded as even more offensive than advert mail. Moving into e-space doesn't change a thing.

 

[Zarcom]

I do agree many emails will come out of a Fortune 1000 company however, that is where the registration comes in. It doesn't need to cost alot but will allow for an authoritative body to dissallow registration by a spamming company.

The company that has a T1 coming in needs to get that T1 from somewhere. And it needs to connect to the backbone somehow. So you can catch the offending party at that point. That'l do donkey, that'l do
Mark
If you are unsure of forum etiquette check here faq796-2540

 

[sleipnir214]

The problem is that the only way to deterministically enforce the registration is to have the registration credentials included as a token in a header in all SMTP messages.

You couldn't just match a registration to a sending SMTP server IP address -- with NAT, port forwarding, subleasing of IP networks, etc., there's too many things going on with IP addresses.

It would be doable to create an SMTP routing mechanism where an application matches the registration token in a header to a registry entry. But all I would have to do as a spammer is use someone else's registration token -- either my spam goes through, or I poison a legitimate user's token. Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!

 

[algernonsidney]

Go to <

http://www.spamcop.net>.

This is war, and we must treat it as such if we are going to win.

Chris

 

[manarth]

<marc> has an idea

why not create an end user mail application that
1. uses intelligent spam filtering
2. can bounce spam as undeliverable
3. has an automated &quot;report spam&quot; button
4. updates an online database of spam hotlists

(1) doesn't really prevent the spam congestion, but reduces the impact to the end user - and if enough people use it, spam suddenly becomes that much less attractive.

(2) stops the spammer confirming you as a possible &quot;live&quot; address

(3) could use an online database to lookup the sender's IP to resolve ISP, then use the database to locate who the ISP asks you to report abuse to, then autogenerates a spam report

(4) an online hotlist may help in the event of legislation failing to manage UCE. If email servers start consulting the hotlist then bounce appropriate email, when a spammer spams, if the first people to receive the message reports it to the online database, the spammer gets blocked in his tracks...

of course (4) may not work - I don't know how long it takes for someone to send out millions of emails (not having tried it myself )

(3) & (4) help combat user lethargy - I receive so much spam, it's a pain to report it (takes up so much more time than simply deleting the junk) - automate the process to a single button, and suddenly the ISPs will be swamped with spam reports - you can imagine they'll sit up and take notice then! <marc>[ul]help us help![li]please provide feedback on what works / doesn't[/li][li]not sure where to start? click here: faq581-3339[/li][/sup][/ul][/sup]

 

[guestgulkan]

With regard to the original posts points 1 and 2:
(usolicited email and unsolicited advertising)
I cannot see how any real action can be taken against spammers.
The advertising industry is HUGE and all of it totally unsolicited (television, clothes, billboards,back of cornflakes boxes, etc..)

I think any legal action to jail spammers/stop spamming/ etc. just because it's unsolicited will have unprecedented ramifications.

 

[manarth]

Guestgulkan said:
&quot;I cannot see how any real action can be taken against spammers.
The advertising industry is HUGE and all of it totally unsolicited...&quot;

Fortunately, the mainstream advertising industry is self-limiting: the costs to benefit rise as advertising output increases.

Email spam is such a threat because this limitation doesn't apply: you can send one piece of spam or millions of pieces for the same minimal cost....(Thanks to MadTown for the information about CAUCE (

http://www.cauce.org)

)

TV advertising is paid for by the advertisers, email spam is paid for by every user of the internet. You are paying for them to advertise to you. You should welcome the spam to your mailbox - you've already paid for it! <marc>[ul]help us help![li]please provide feedback on what works / doesn't[/li][li]not sure where to start? click here: faq581-3339[/li][/sup][/ul][/sup]

 

[dilettante]

You should welcome the spam to your mailbox - you've already paid for it!

Well, it sure sucks to be me!

I think I'd almost have to add mail you might have once solicited but no longer want and can't get turned off as spam.

Due to recent &quot;Super DMCA&quot; legislation that passed here in Michigan (coming soon to a legislature near you) the use of SMTP email may be a felony now anyway. Actually having and not using the software may be illegal. Actually writing about it may be illegal.

Think I'm kidding? Check out

http://www.freedom-to-tinker.com/

and follow the links to the actual language of the law. And get rid of that short-wave radio or police-band scanner before you get caught while you're at it too.

 

[guestgulkan]

Hackers everywhere must be drooling in anticipation!

 

[manarth]

Dilletante: I think you're safe with email...

&quot;(a) Offense defined.--Any person commits an offense if he knowingly and with the intent to defraud a communication service provider:

(1) possesses, uses, manufactures, develops, assembles, distributes, transfers, imports into this state, licenses, leases, sells or offers, promotes or advertises for sale, use or distribution any communication device:&quot;

As long as you're not trying to defraud your ISP (e.g. by using someone elses username), you'll be fine.

As for penalties, 1 &quot;communication device&quot; is a misdemeanor - you need at least 10 to commit a felony!
<marc>[ul]help us help![li]please provide feedback on what works / doesn't[/li][li]not sure where to start? click here: faq581-3339[/li][/sup][/ul][/sup]

 

[dilettante]

Regarding email I was thinking of (see my underlines here):

750.540c.amended Prohibited conduct with regard to telecommunications access device; violation as felony; penalty; amateur radio service; forfeiture; order; definitions.
Sec. 540c.

(1) A person shall not assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise an unlawful telecommunications access device or assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise a telecommunications device intending to use those devices or to allow the devices to be used to do any of the following or knowing or having reason to know that the devices are intended to be used to do any of the following:

(a) Obtain or attempt to obtain a telecommunications service with the intent to avoid or aid or abet or cause another person to avoid any lawful charge for the telecommunications service in violation of section 219a.

(b) Conceal the existence or place of origin or destination of any telecommunications service.

(c) To receive, disrupt, decrypt, transmit, retransmit, acquire, intercept, or facilitate the receipt, disruption, decryption, transmission, retransmission, acquisition, or interception of any telecommunications service without the express authority or actual consent of the telecommunications service provider.

(2) A person shall not modify, alter, program, or reprogram a telecommunications access device for the purposes described in subsection (1).

(3) A person shall not deliver, offer to deliver, or advertise plans, written instructions, or materials for the manufacture, assembly, or development of an unlawful telecommunications access device or for the manufacture, assembly, or development of a telecommunications access device that the person intends to be used or knows or has reason to know will be used or is likely to be used to violate subsection (1). As used in this subsection, “materials” includes any hardware, cables, tools, data, computer software, or other information or equipment used or intended for use in the manufacture, assembly, or development of an unlawful telecommunications access device or a telecommunications access device.

So subsection (3) says you can't provide plans or software for anything that might be likely to be used to violate subsection (1), which mentions (among other things) concealing the origin of a telecommunications service.

If you consider email messages to be a telecommunications service, since you can (as spammers do) put a false reply-to address into your email client or on individual messages to try to hide the true source then providing information on how to make an email client would violate this law.

An email user, not a developer or plans-provider, would fall under subsection (1) and may only be considered a violator if they actually did use a false reply-to address.


My point is this thing is worded to be extremely broad. Its hard to say whether a prosecutor (and then a court) might choose to connect the dots as I did here - concluding that having an installed copy of Outlook Express violates this law based on a designed-in potential for abuse.

The potential is scary.

Tek-Tips could be considered a telecommunications service. By its nature the source of our various &quot;communications&quot; is normally concealed. As I understand it this is an intended function of Tek-Tips too! Um, at least I think it is. Can you find my name, address, or email address here on Tek-Tips?

 

[aixmurderer]

There is a new motion now here in New Zealand to make the employer responsible for block spam to the employees.

HELLO! If the employee use their work email adress willy nilly on dubious sites then why should the employer take the blame for this?

Tech ways to block?
1) Some companies have firewall ACLs to only allow email from trusted companies - pretty harsh and a pain to maintain.
2) SMTP_AUTH in sendmail - theoretically should block connections from spoofed IP's, don't know how effective it will be as not many use it yet. Cannot comment on other mail server's capabilities.
3) Access list in Sendmail - also a pain to maintain.
4) Personal email - use something like Mailwasher to bounce spam, but the result is only small degree of success.
5) Use a free email account as a filter account (like hotmail) when registering at a dubious site.

One thing about Hotmail, sign up, ask for NOT listing or advertising your email address and guess what, within 1 week you start getting spam. Is Microsoft selling your email address against your wishes?

IBM Certified Confused - MQSeries
IBM Certified Flabbergasted - AIX 5 pSeries System Administration

 

[SPYDERIX]

Hi,

I have found the best way to deal with spam. I hardly ever get it now (maybe 1 message every 2-4 days if I'm lucky). I have a hotmail account that is set to EXCLUSIVE meaning if you're not on my contact list the message goes straight to the junk mail folder. I then select all the items in junk mail folder and block them all and check the address of the sender when the confirmation to block comes up. If it is an email address that I know or am expecting mail from I don't confirm the block and then open the email. If the email is ewfeegeqg@gdwgdwgdwg.wqewg or something that is totally bogus (you can always tell by the .com ending) then it just gets filtered to never be receieved again and the email isn't even opened in the first place.

I have found this extremely useful and a very good technique to combat it.

Try it out, your spam intake should reduce very quickly if you stay vigilant about it.

Hope this helps!

Keep up to date with my 2003 NHL Playoffs Wallpaper

http://www.spyderix-designz.com/nhl/nhl_playoffs.jpg