
NYTimes: Tangled Up in Spam 413

Posted by michael
from the spam-musubi-is-good dept.
ezekieldas writes "Congratulations to the SpamAssassin developers and community! There's a mention of SA in the NYTMag as "one of the best tools for network administrators..." in an extensive article entitled Tangled Up in Spam. The article is quite substantial and the author, James Gleick, is more technically educated than what we've come to expect from the big press. Central to the story is the complexity in dealing with spam effectively in both technical and legal terms and the confusion it brings upon the neophyte. The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited."

  • Kudos to SA. (Score:4, Insightful)

    by clueless123 (643205) on Sunday February 09, 2003 @05:24PM (#5266419)
    I've been using SpamAssassin for a while now; it is sad to say, but email would be almost unusable without it.
    • Re:Kudos to SA. (Score:3, Insightful)

      by WowTIP (112922)
      I've been using SpamAssassin for a while now; it is sad to say, but email would be almost unusable without it.

      But how do people get on the spam-lists to begin with? I mean, I have one email address for work and one private. Neither one of these gets more than one spam/month. Ever. The (obvious) reason for this is that I never use these addresses "in public" (web forms, online buying, etc.), for that I have my spam-collector, the Hotmail account, which does receive a lot of these messages.

      But then, I would guess that most people have been warned not to use their "real" mail address for the hazards I mentioned, making them as careful with their addresses as I am with mine. This would contradict my measures being that effective when others still seem to get massive amounts of spam?

      Am I just incredibly lucky with my two "real" email addresses?

      If you took the same precautions I did, how do you think you got into the spam-general's address book?
      • Re:Kudos to SA. (Score:4, Interesting)

        by MeanMF (631837) on Sunday February 09, 2003 @06:18PM (#5266755) Homepage
        But how do people get on the spam-lists to begin with? I mean, I have one email address for work and one private. Neither one of these gets more than one spam/month. Ever.

        If your email address is simple (e.g. first initial+last name+some number) and your domain name is that of a public ISP, then there's an excellent chance that the spammers will find you regardless of whether or not you ever use the address. Email addresses at work tend to be safer because spammers usually don't bother guessing at addresses in domains with so few valid mailboxes.
      • by bubblegoose (473320) <bubblegoose@gmai ... m minus caffeine> on Sunday February 09, 2003 @06:41PM (#5266873) Homepage Journal
        I felt the same way you did until about 6 months ago. I went two years without Spam. Then a coworker thought he would fill out one of those forms on a web page to have the site send me a link to the page. You know the "send link to a friend" that shows up on some pages. Some joke site I think.

        From that point on the crap has been hitting my mailbox, about 10 per day.

        I still haven't figured out how to thank him for that damn link that started it all.
        • Re:Kudos to SA. (Score:3, Interesting)

          "I felt the same way you did until about 6 months ago. I went two years without Spam. Then a coworker thought he would fill out one of those forms on a web page to have the site send me a link to the page. You know the "send link to a friend" that shows up on some pages."

          I am wary of these things too. I have various 'levels' of e-mail addresses. The actual real pop3 address practically nobody gets, except my parents, and a few techie friends. All of these people know better than to abuse an e-mail address.

          The 'next' address is what most people I know get.

          The webmail addresses are what I use if I do something related to 'the unwashed masses' . Those can get filled with spam, I don't care. I only check them once every few days.

          For anything that is shown publicly, I always anti-spam-armour it, and make it some sneakemail address or unique address for my domain name.

          Due to this strategy, I only get 3-4 spams or so per year.

        • Re:Kudos to SA. (Score:3, Insightful)

          by daveq (645397)
          Of course there are also those wonderful friends who send a bulk-ish email that doesn't hide the addresses of the thirty recipients. One of them is bound to be an account at freemail.com.

          Not only does your spams-per-hour count begin to rise, but you have to suffer the geek's frustration: How could you have a friend so mind-numbingly ignorant of technical manners?

          Every time I set up a new email address ("Okay, this one will be spam-free. Really.") spammers find a way to get it, whatever I may do to prevent them. It only takes one leak.
        • Re:Kudos to SA. (Score:5, Insightful)

          by qengho (54305) on Sunday February 09, 2003 @09:01PM (#5267663)

          send link to a friend

          A couple of months ago I got fed up with the ridiculous amount of spam I was getting at my primary address. I sent a note to the people I give a crap about, telling them that my primary address would henceforth be a new account I had created in my own domain.

          I explicitly begged them not to give the new address to "those stupid send this cool page to a friend" sites. Set up filters in my email client to segregate the old address, and so far, so good, although my Mom gave the new address to an e-greeting card site. Fortunately, the site in question doesn't harvest addresses, and I (respectfully but frantically) pointed out to her that e-cards fall into the "stupid" category, and told her how to make up a disposable address for greeting cards, using my domain name.

          Having to go to these lengths to keep my inbox clear of spam makes me homicidal.

        • Pop over to the Scientology website and do one of their "on-line personality tests" in your friend's name... for his profession put down "Venture Capitalist" or something else that suggests loadsamoney.


          Did this for Alan Ralsky - wonder how much snail-mail spam he's received from them so far?

      • Re:Kudos to SA. (Score:4, Insightful)

        by jesser (77961) on Sunday February 09, 2003 @06:52PM (#5266933) Homepage Journal
        The (obvious) reason for this is that I never use these addresses "in public" (web forms, online buying, etc.), for that I have my spam-collector, the Hotmail account, which does receive a lot of these messages.

        One of the major costs of spam is that people are afraid to make their addresses available, making it much harder to contact people. I think it's sad that many geeks have become so used to spam that they think anyone who posts their e-mail address on a web page is stupid. Some geeks even go as far as to blame friends for spam they get when a friend isn't as careful with the geek's address.
      • Re:Kudos to SA. (Score:5, Informative)

        by jafiwam (310805) on Sunday February 09, 2003 @07:48PM (#5267281) Homepage Journal
        Heh. I assume you are honestly asking and not bragging about how little SPAM you get to make me jealous...

        Here are the vectors for getting on lists that I know of;

        - using a valid email address in newsgroups
        - using a valid email address on a web page
        - using a valid email address in form properties in a web page
        - using a valid email address on a mailing list or web-forum
        - using a valid email address for domain registration contacts
        - using a valid email address to sign a web page up for a search spider
        - having an email address that can be "brute forced" (i.e. almost all of them)
        - your pal puts an email address in an "e-vite" or "e-greeting"
        - getting a virus that spreads via email

        And above all, being naive about the workings of the Internet, when only a few weeks of ignorance will permanently get the address out there "in the wild". Just about everybody is this at one time or another.

        Some people cannot avoid having email addresses hung out there on the Internet, so getting on the lists is more or less inevitable if you are doing business or communicating on the Internet in any meaningful way. Since I cannot ignore what comes in the boxes I run, I MUST sort through whatever arrives. That makes SPAM a big issue for me.

        Your usage of your email addresses is probably typical (not on web pages and so on..) but you are probably fortunate to both be clueful about it and not dealing with your email address publicly available out of necessity.
      • Re:Kudos to SA. (Score:3, Interesting)

        by IvyMike (178408)

        If you took the same precautions I did, how do you think you got into the spam-general's address book?

        Co-worker unknowingly installed spyware on their computer which harvested my email address out of their email software address book. Sucks.

      • Re:Kudos to SA. (Score:3, Insightful)

        by FuzzyBad-Mofo (184327)

        If you ever put your resume on a job-seeker board, prepare for an onslaught of spam. It's a catch-22: You want your email address to be seen by a potential employer, unfortunately the spammers can easily scrape the sites for their email addresses. These bastards are truly the lowest forms of life.

      • Re:Kudos to SA. (Score:5, Insightful)

        by cicho (45472) on Sunday February 09, 2003 @11:43PM (#5268257) Homepage
        The parent is not "insightful" - it's shallow. If you're going to be so protective of your email address, you might as well ditch it altogether.

        I work as a freelancer. My website hosts my CV, as do several online databases, where companies go to look for people of my profession. The CV of course includes not one, but several of my email addresses, because, in the long run, this translates directly into payable work.

        I write software for fun (not profit). I even do email support, so my email address is again right there in plain html, and displayed by every software archive site I've ever uploaded my stuff to.

        But this is the point of having an email address in the first place, isn't it? I could be as protective of it as the parent suggests, except by doing so I would lose much more than I am losing now (in terms of time and net-related costs). But to me, it's not only a matter of give and take: I refuse, on principle, to obfuscate my email address; I refuse to give in to spammers. When people start to hide their email contact information en masse, then spammers have won and email has become useless.
  • At last (Score:5, Interesting)

    by Mourgos (621534) on Sunday February 09, 2003 @05:24PM (#5266421)
    now that it has been advertised in NYTmag, more people will become aware that spam is something they can actually stop. Can't wait for the new tricks spammers will use to disable anti-spam programs.
    • Re:At last (Score:5, Informative)

      by qengho (54305) on Sunday February 09, 2003 @09:25PM (#5267778)

      Can't wait for the new tricks spammers will use to disable anti-spam programs.

      Wait no more. I got a spam today that purported to be an apology for how the sender got my address, something like "so sorry, but these stupid porn sites like [link] must have sent me a virus. I can't believe my kids are visiting sites like [another link] even though I never go to sites like [yet another link], blah blah blah."

      I have to admire the creativity of spammers even as I wish for Bad Things to happen to them.

  • by trmj (579410) <tmacfarlan@noSPaM.gmail.com> on Sunday February 09, 2003 @05:24PM (#5266423) Journal
    By simply filtering out all e-mails that have the word "Nigeria" in them.
    • Filter any e-mails containing the phrase, "this is not an unsolicited message".
    • By simply filtering out all e-mails that have the word "Nigeria" in them.

      I think they've wised up to that - I've seen versions of the scam claiming to be from "Sierra Leone" and "Cote d'Ivoire".

      I'll be interested to see how the new Mozilla 1.3 mail filters work, but I don't want to try an alpha release.
    • by Anonymous Coward on Sunday February 09, 2003 @08:11PM (#5267382)
      >URGENT ASSISTANCE - FROM USA
      >
      >IMMEDIATE ATTENTION NEEDED :
      >HIGHLY CONFIDENTIAL
      >
      >FROM: GEORGE WALKER BUSH
      >202.456.1414 / 202.456.1111
      >FAX: 202.456.2461
      >
      >DEAR SIR / MADAM,
      >
      >I AM GEORGE WALKER BUSH, SON OF THE FORMER PRESIDENT OF THE UNITED STATES
      >OF
      >AMERICA GEORGE HERBERT WALKER BUSH, AND CURRENTLY SERVING AS PRESIDENT OF
      >THE UNITED STATES OF AMERICA. THIS LETTER MIGHT SURPRISE YOU BECAUSE WE
      >HAVE NOT MET NEITHER IN PERSON NOR BY CORRESPONDENCE. I CAME TO KNOW OF YOU
      >IN MY SEARCH FOR A RELIABLE AND REPUTABLE PERSON TO HANDLE A VERY
      >CONFIDENTIAL BUSINESS TRANSACTION, WHICH INVOLVES THE TRANSFER OF A HUGE
      >SUM
      >OF MONEY TO AN ACCOUNT REQUIRING MAXIMUM CONFIDENCE.
      >
      >I AM WRITING YOU IN ABSOLUTE CONFIDENCE PRIMARILY TO SEEK YOUR ASSISTANCE
      >IN
      >ACQUIRING OIL FUNDS THAT ARE PRESENTLY TRAPPED IN THE REPUBLIC OF IRAQ. MY
      >PARTNERS AND I SOLICIT YOUR ASSISTANCE IN COMPLETING A TRANSACTION BEGUN BY
      >MY FATHER, WHO HAS LONG BEEN ACTIVELY ENGAGED IN THE EXTRACTION OF
      >PETROLEUM
      >IN THE UNITED STATES OF AMERICA, AND BRAVELY SERVED HIS COUNTRY AS DIRECTOR
      >OF THE UNITED STATES CENTRAL INTELLIGENCE AGENCY (CIA).
      >
      >IN THE DECADE OF THE NINETEEN-EIGHTIES, MY FATHER, THEN VICE-PRESIDENT OF
      >THE UNITED STATES OF AMERICA, SOUGHT TO WORK WITH THE GOOD OFFICES OF THE
      >RESIDENT OF THE REPUBLIC OF IRAQ TO REGAIN LOST OIL REVENUE SOURCES IN THE
      >NEIGHBORING ISLAMIC REPUBLIC OF IRAN. THIS UNSUCCESSFUL VENTURE WAS SOON
      >FOLLOWED BY A FALLING-OUT WITH HIS IRAQI PARTNER, WHO SOUGHT TO ACQUIRE
      >ADDITIONAL OIL REVENUE SOURCES IN THE NEIGHBORING EMIRATE OF KUWAIT, A
      >WHOLLY-OWNED U.S.-BRITISH SUBSIDIARY.
      >
      >MY FATHER RE-SECURED THE PETROLEUM ASSETS OF KUWAIT IN 1991 AT A COST OF
      >SIXTY-ONE BILLION U.S. DOLLARS ($61,000,000,000). OUT OF THAT COST,
      >THIRTY-SIX BILLION DOLLARS ($36,000,000,000) WERE SUPPLIED BY HIS PARTNERS
      >IN THE KINGDOM OF SAUDI ARABIA AND OTHER PERSIAN GULF MONARCHIES, AND
      >SIXTEEN BILLION DOLLARS ($16,000,000,000) BY GERMAN AND JAPANESE PARTNERS.
      >BUT MY FATHER'S FORMER IRAQI BUSINESS PARTNER REMAINED IN CONTROL OF THE
      >REPUBLIC OF IRAQ AND ITS PETROLEUM
      >RESERVES.
      >
      >MY FAMILY IS CALLING FOR YOUR URGENT ASSISTANCE IN FUNDING THE REMOVAL OF
      >THE PRESIDENT OF THE REPUBLIC OF IRAQ AND ACQUIRING THE PETROLEUM ASSETS OF
      >HIS COUNTRY, AS COMPENSATION FOR THE COSTS OF REMOVING HIM FROM POWER.
      >UNFORTUNATELY, OUR PARTNERS FROM 1991 ARE NOT WILLING TO SHOULDER THE
      >BURDEN
      >OF THIS NEW VENTURE, WHICH IN ITS UPCOMING PHASE MAY COST THE SUM OF 100
      >BILLION TO 200 BILLION DOLLARS ($100,000,000,000 - $200,000,000,000), BOTH
      >IN THE INITIAL ACQUISITION AND IN LONG-TERM MANAGEMENT.
      >
      >WITHOUT THE FUNDS FROM OUR 1991 PARTNERS, WE WOULD NOT BE ABLE TO ACQUIRE
      >THE OIL REVENUE TRAPPED WITHIN IRAQ. THAT IS WHY MY FAMILY AND OUR
      >COLLEAGUES ARE URGENTLY SEEKING YOUR GRACIOUS ASSISTANCE. OUR
      >DISTINGUISHED
      >COLLEAGUES IN THIS BUSINESS TRANSACTION INCLUDE THE SITTING VICE-PRESIDENT
      >OF THE UNITED STATES OF AMERICA, RICHARD CHENEY, WHO IS AN ORIGINAL PARTNER
      >IN THE IRAQ VENTURE AND FORMER HEAD OF THE HALLIBURTON OIL COMPANY, AND
      >CONDOLEEZA RICE, WHOSE PROFESSIONAL DEDICATION TO THE VENTURE WAS
      >DEMONSTRATED IN THE NAMING OF A CHEVRON OIL TANKER AFTER HER.
      >
      >I WOULD BESEECH YOU TO TRANSFER A SUM EQUALING TEN TO TWENTY-FIVE PERCENT
      >(10-25 %) OF YOUR YEARLY INCOME TO OUR ACCOUNT TO AID IN THIS IMPORTANT
      >VENTURE. THE INTERNAL REVENUE SERVICE OF THE UNITED STATES OF AMERICA WILL
      >FUNCTION AS OUR TRUSTED INTERMEDIARY. I PROPOSE THAT YOU MAKE THIS
      >TRANSFER
      >BEFORE THE FIFTEENTH (15TH) OF THE MONTH OF APRIL.
      >
      >I KNOW THAT A TRANSACTION OF THIS MAGNITUDE WOULD MAKE ANYONE APPREHENSIVE
      >AND WORRIED. BUT I AM ASSURING YOU THAT ALL WILL BE WELL AT THE END OF THE
      >DAY. A BOLD STEP TAKEN SHALL NOT BE REGRETTED, I ASSURE YOU. PLEASE DO BE
      >INFORMED THAT THIS BUSINESS TRANSACTION IS 100% LEGAL. IF YOU DO NOT WISH
      >TO CO-OPERATE IN THIS TRANSACTION, PLEASE CONTACT OUR INTERMEDIARY
      >REPRESENTATIVES TO FURTHER DISCUSS THE MATTER.
      >
      >I PRAY THAT YOU UNDERSTAND OUR PLIGHT. MY FAMILY AND OUR COLLEAGUES WILL
      >BE
      >FOREVER GRATEFUL. PLEASE REPLY IN STRICT CONFIDENCE TO THE CONTACT NUMBERS
      >BELOW.
      >
      >SINCERELY WITH WARM REGARDS,
      >
      >GEORGE WALKER BUSH
  • NO NO NO (Score:2, Interesting)

    by johnburton (21870)
    >>> 2) a specific header entry should identify the email as unsolicited."

    NO NO NO

    There is no excuse for sending spam. I fail to see how marking it as junk makes it any better. So I can sort it from the mail I actually want? NO. Just stop people sending me crap I don't want.
    • Too bad the spammers from all of APNIC are out of your reach even if forged headers are illegal. The only way to address this is to have end-to-end certification of where the email is coming from.
    • It's effective... as stupid as that sounds, if it wasn't they would not be wasting $$ on it.

      I'd love to see the types that do fall for spam, but they must be out there... somewhere...

    • Re:NO NO NO (Score:2, Interesting)

      by Noren (605012)
      I see this as a variant of the 'opt-out' strategy without some of the disadvantages- i.e. without having to place one's address on a list (and we all know what that would lead to...) This would make opting out simple for the user- I'm certain all major email clients would enable spam filtering by this flag as soon as it was established. This is an attempt at compromise, not as desirable to the user as an 'opt-in' rule, but better than simple 'opt-out' and harder for the spammers to argue with than 'opt-in'.

      On the other hand, I doubt that any of this is enforceable in any event.

    • by JonTurner (178845) on Sunday February 09, 2003 @06:03PM (#5266668) Journal
      >>1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited

      Don't we ever learn from the past? We've all seen the unintended consequences of poorly-crafted legislation (e.g. DMCA), so why run to the shelter of more restrictions which, in the end, will only cause us more problems? Like the criminals trying to scam your mom with the Nigerian-hold-my-money-for-a-day scam are going to suddenly begin obeying the law... yeah, right. Which begs another question: what law, in what jurisdiction? Even if the US were to pass this law and ruthlessly enforce it (domestically), all scammers would simply flood us from offshore servers.

      The solution is not legislation, it is the creative use of technology. Build software that "learns" what is spam and what isn't, then evolves to keep up with the changing tactics of the spammers. Something like PopFile [sourceforge.net]
    • Re:NO NO NO (Score:3, Insightful)

      by 1u3hr (530656)
      Another "no no" to me is the suggestion that all headers and thus senders be verifiable and real. This would mean the end of anonymity, which in some situations, such as ratting out a former business partner, or any number of reasons in countries like China or the US with intolerant governments. Bulk spammers already use real accounts sometimes, and just burn them, this wouldn't slow them down much.

      However, a method to force identification of BULK email (more than, say, 100 similar messages) might have fewer undesirable side-effects.

  • by stonebeat.org (562495) on Sunday February 09, 2003 @05:25PM (#5266429) Homepage
    I was wondering how many large corporations are using SpamAssassin. And if not, why not?
    • by Webratta (245389) on Sunday February 09, 2003 @05:41PM (#5266535) Homepage
      I don't work for a large corporation, but a state-wide ISP. I asked my boss, the chief technical officer of the company, why we weren't using Spam Assassin. He replied that while it is a very neat program and does a great job of filtering spam, the performance just isn't quite there yet. He's of the mindset that it needs some tweaking still before it can be a competitor to commercial products like what Brightmail offers.

      Personally, I'd like to see more companies using SpamAssassin just to prove that it can stack up against other products, because I think it can work well if it's configured properly and you use spamd. I use it on my mail server at home and at last check it catches 98.2% of all spam messages sent to my machine, and I haven't had any false positives since I set up my whitelists.
    • I was wondering how many large corporations are using SpamAssassin. And if not, why not?

      Reasons for not using SpamAssassin are the CPU and bandwidth costs. Refusing e-mail from known spam sources is cheaper and (more importantly) does not give away information about which addresses are valid.

      After checking the source IP address against lists such as Wirehub [wirehub.nl], Osirusoft [osirusoft.com] (despite its name not only a list of open relays) and/or some other lists, almost no spam will be accepted.

      IP space is finite and, even better, allocated in ranges. Continued spam from (or spamvertizing a website on) an IP address is a very good indicator for more spam from the IP range.
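The connect-time check described in the comment above, as an added example that is not part of the thread: it builds the reversed-octet DNSBL query name, treats an answer in 127.0.0.0/8 as "listed", and escalates to the surrounding range after repeated spam. The zone `dnsbl.example`, the /24 size, the three-report limit and the stub resolver are assumptions made for illustration.

```python
import ipaddress
import socket
from collections import Counter

LISTED_ANSWERS = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """192.0.2.99 checked against dnsbl.example -> 99.2.0.192.dnsbl.example"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True if the list answers with a 127.0.0.0/8 address for this client."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:
        # NXDOMAIN means "not listed". Any other resolver failure is also
        # treated as not listed (fail open), so a DNS outage does not stop mail.
        return False
    return ipaddress.IPv4Address(answer) in LISTED_ANSWERS

class RangeReputation:
    """Counts spam reports per network so a whole range can be refused."""

    def __init__(self, prefix_len=24, escalate_after=3):
        self.prefix_len = prefix_len          # assumed range size
        self.escalate_after = escalate_after  # assumed report limit
        self.reports = Counter()

    def _network(self, ip):
        return ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)

    def record_spam(self, ip):
        self.reports[self._network(ip)] += 1

    def range_suspect(self, ip):
        return self.reports[self._network(ip)] >= self.escalate_after

def connection_verdict(ip, zone, reputation, resolve=socket.gethostbyname):
    """Decide before any message data is accepted, as the comment suggests."""
    if is_listed(ip, zone, resolve):
        return "reject"
    if reputation.range_suspect(ip):
        return "reject"
    return "accept"

def constructed_resolver(listed_ips, zone):
    """Offline stand-in for DNS: answers 127.0.0.2 for the given addresses."""
    names = {dnsbl_query_name(ip, zone) for ip in listed_ips}

    def resolve(name):
        if name in names:
            return "127.0.0.2"
        raise socket.gaierror("constructed NXDOMAIN")

    return resolve

if __name__ == "__main__":
    zone = "dnsbl.example"                      # placeholder zone
    resolve = constructed_resolver({"192.0.2.99"}, zone)
    rep = RangeReputation()
    for _ in range(3):
        rep.record_spam("203.0.113.5")          # constructed spam reports
    for client in ("192.0.2.99", "198.51.100.7", "203.0.113.200"):
        print(client, connection_verdict(client, zone, rep, resolve))
```
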

    • We're not a large company (only about 150 people). But here is my experience with SpamAssassin.

      We run an Exchange server. I didn't go with the free version, because we don't have the skill set to maintain it at our company. I have some Linux experience, but after 3 days of trying to get it to work I finally had to give up.

      I installed Deersoft's SpamAssassin on my Exchange server. Kind of expensive (about $5000) and right now Deersoft customers are left hanging due to Network Associates' purchase of Deersoft. NAI pulled the Deersoft version and are releasing it in Q2 2003.

  • Illegal? (Score:5, Interesting)

    by waytoomuchcoffee (263275) on Sunday February 09, 2003 @05:27PM (#5266444)
    The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited

    Why does everyone in the USA assume that everyone else in the world will somehow obey US law when it is made "illegal"?
    • Re:Illegal? (Score:5, Insightful)

      by meringuoid (568297) on Sunday February 09, 2003 @05:45PM (#5266559)
      Why does everyone in the USA assume that everyone else in the world will somehow obey US law when it is made "illegal"?

      Because the vast majority of spam is sent by Americans, advertising products sold by other Americans and hoping to sell them to still more Americans. The fact that the spam is sent via open relays in Korea or bulletproof accounts in China, and received in Europe or Australia, is neither here nor there. Ralsky, for instance, lives in America, regardless of where the spam is routed; indeed, _his_ location is very well known nowadays ;-)

      • Re:Illegal? (Score:3, Funny)

        by Gleef (86)
        meringuoid wrote:

        Because the vast majority of spam is sent by Americans, advertising products sold by other Americans and hoping to sell them to still more Americans.

        Actually, I'm an American and at least one third of the spam I get is sent from Korea, advertising in Korean, presumably for Korean products. This spam is completely unreadable by me (I have friends who can read Chinese and Japanese, but none who read Korean).

        I don't see Korea caring what laws the US passes regarding forged headers. Might help with the rest of my spam tho.
    • Re:Illegal? (Score:3, Interesting)

      by JaredOfEuropa (526365)
      The law aims to force spammers to make their spam easily identifiable, allowing simple filtering, and it makes circumventing those filters (like those random letters that appear in most spam subject lines) illegal. Is that a good thing? I think so, for two reasons:

      First of all, it's a start. If the USA adopts this law, it may well be that many other nations follow suit, making life harder for spammers.

      Second, it will help against spam originating from the USA. That guy Ralsky seems to be responsible for a sizable portion of all Internet spam. He is based in the USA, and taking orders from sites and companies in the USA. Even if his actual spam originates from an ISP in China, you'd still be able to take him to court for this.

    • Re:Illegal? (Score:4, Interesting)

      by jjo (62046) on Sunday February 09, 2003 @05:49PM (#5266585) Homepage
      People don't assume this. What they do assume is that, by and large, people who try to get money from US residents are actually situated in the USA, regardless of where the e-mail might have originated. Even those who are not in the USA will mostly use a US agency to get their money. That is their Achilles heel: Follow The Money.

      Stop the flow of money from US residents, and you will be effectively making everyone in the world obey US law, with respect to spamming within and into the USA.
      • Re:Illegal? (Score:3, Interesting)

        That is their Achilles heel: Follow The Money

        Playing devil's advocate here, you still have to prove they sent the spam out, which would be that system's Achilles heel. Else what would stop people from hiring an offshore spammer to send out fake spam from a competitor?
    • Re:Illegal? (Score:2, Interesting)

      by jdreed1024 (443938)
      Why does everyone in the USA assume that everyone else in the world will somehow obey US law when it is made "illegal"?

      Um, that wasn't a troll. It's a valid point. If sending spam becomes illegal in the U.S., big fucking deal. Plenty of spammers are not in this country, and those that are will move offshore (c.f. KaZaA). Good luck prosecuting a bunch of spammers in some pacific island country...

    • Why assume that anyone anywhere will obey a US law?

      It's about enforcement, and yes US law is enforceable, especially with the many countries that have or want beneficial relationships with the U.S.

      Sure, lots of people will break the law, but without it we wouldn't even have grounds to act against them.
  • So how much spam am I likely to get if I give in and register with NYTimes so I can read the article?
    • I own a domain and so can give each site a different email address (foo@mydomain, bar@mydomain, fum@mydomain, etc.) so that I can tell if they squeal. I get the NYT's very nice daily headline summaries, so they certainly know how to reach me. In eight years I have not seen even one spam with the nytimes email. I wish I could say the same of others....

      Granted there is always the risk that they could be hacked, as their main page was some time ago, but what's life without risk? :)
    • by allism (457899)
      The only spam I got after registering was from NYT, but it took SEVERAL e-mails and threatening to post a story on /. about not getting removed from their mailing list to get them to stop sending me stuff.
  • by g_arumilli (324501) on Sunday February 09, 2003 @05:28PM (#5266453)
    now use SpamAssassin. Basically, a set of new headers is attached to the e-mail of the form X-Spam-foo, and if X-Spam-Score is 7.5 or greater (on a scale of 10 I believe), then X-Spam-Flag is yes. It's really useful for sorting out spam quickly, and I haven't gotten a false positive yet...It doesn't get all of the spam, but it gets the vast majority of it...
    • Nope, not a scale.

      The largest scored spam I've gotten is somewhere around 32
      • IIRC I once got one in the 40s or 50s, some asian teen sex toner cartridge html penis enlarging money saving viagra enabled weight loss and interest rate mail of some sort I guess....
    • by jdreed1024 (443938) on Sunday February 09, 2003 @05:51PM (#5266603)
      now use SpamAssassin. Basically, a set of new headers is attached to the e-mail of the form X-Spam-foo, and if X-Spam-Score is 7.5 or greater (on a scale of 10 I believe), then X-Spam-Flag is yes. It's really useful for sorting out spam quickly, and I haven't gotten a false positive yet...It doesn't get all of the spam, but it gets the vast majority of it...

      Some more clarification:
      -it's not on a scale of 10 - the SA score can go as high as necessary. I got 27 the other day. Your threshold will be configurable (sometime next week) to "high" (3.0), "normal" (7.5), or "low" (12.0), or a custom number. You'll also have custom whitelists and blacklists.
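The header-based sorting described in the two comments above, as an added example that is not part of the thread and not SpamAssassin's own code: it reads the `X-Spam-Score` header as the posters name it and applies the three presets quoted above or a custom number. The folder names, the whitelist and blacklist handling and the sample messages are constructed for illustration.

```python
import math
from email import message_from_string
from email.utils import parseaddr

# Preset names and values as quoted in the comment above.
PRESETS = {"high": 3.0, "normal": 7.5, "low": 12.0}

def threshold_for(setting):
    """Accept a preset name or a custom number."""
    if isinstance(setting, str):
        return PRESETS[setting.lower()]
    return float(setting)

def spam_score(msg):
    """Highest parsable X-Spam-Score on the message, or None.

    The score is unbounded (27 and 32 are mentioned in the thread). A sender
    can add this header too, so when several copies are present the most
    pessimistic one is used; ideally the scanner strips inbound copies.
    """
    scores = []
    for value in msg.get_all("X-Spam-Score", []):
        try:
            score = float(value.strip())
        except ValueError:
            continue
        if math.isfinite(score):
            scores.append(score)
    return max(scores) if scores else None

def classify(raw, setting="normal", whitelist=(), blacklist=()):
    """Return 'inbox', 'spam' or 'unscored' for one raw message."""
    msg = message_from_string(raw)
    # From: is sender-controlled, so a whitelist hit is only as trustworthy
    # as that header.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in whitelist:
        return "inbox"
    if sender in blacklist:
        return "spam"
    score = spam_score(msg)
    if score is None:
        return "unscored"   # scanner did not run; do not assume clean
    return "spam" if score >= threshold_for(setting) else "inbox"

# Constructed sample messages (not taken from the thread).
SAMPLE_SPAM = (
    "From: Offers <offers@bulk.example>\nTo: user@example.org\n"
    "Subject: make money fast\nX-Spam-Score: 27.0\nX-Spam-Flag: YES\n\nbody\n"
)
SAMPLE_BORDERLINE = (
    "From: list@news.example\nTo: user@example.org\n"
    "Subject: weekly digest\nX-Spam-Score: 5.0\n\nbody\n"
)
SAMPLE_FORGED = (
    "From: promo@bulk.example\nTo: user@example.org\n"
    "X-Spam-Score: 9.1\nSubject: hello\nX-Spam-Score: -50\n\nbody\n"
)
SAMPLE_UNSCORED = "From: friend@example.net\nTo: user@example.org\n\nhi\n"

if __name__ == "__main__":
    for name in ("high", "normal", "low"):
        print(name, classify(SAMPLE_BORDERLINE, name))
    print("forged:", classify(SAMPLE_FORGED))
```
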

      • So what was the e-mail with a score of 27?

        "Hello, I am a Nigerian prince who is selling XXX-brand diet pills that also have the side effect of enlarging your penis. Also if you forward this email to five other people and tell them to each send you a dollar you can make money fast."

        *ducks*
  • by Sheetrock (152993) on Sunday February 09, 2003 @05:28PM (#5266454) Homepage Journal
    Spam is a technical problem, so why can't we come up with a technical solution? For example, it should be impossible to forge headers, not illegal. Why rely on a legal solution from many of the people who have brought us such brilliant solutions as the DMCA and the CDA in the past when all that's required is what our community has always been good at: sitting down and thinking things out?
    • by TGK (262438) <Killfile@nOsPAm.Nephandus.Com> on Sunday February 09, 2003 @05:58PM (#5266638) Homepage Journal
      I'd say the best technical solution I've seen to breaking the SPAM system is the use of the Internet's distributed nature against the spammer.

      Consider the following. We all access the internet from a fixed and typically small number of physical and virtual locations. Were we to map the internet as a whole, starting from any given location the map would look like an expanding cone.

      In short, almost all of the traffic from a given point flows through a very small number of servers and routers at some point close to the source.

      Since spam messages are sent by the millions and it is fairly easy to determine what messages are likely to BE spam why not set up a filtering system on the routers that determines the rough content of a message based on both its Spam Percentage and the number of identical messages sent.

      I.E. If the router sees 500,000 messages of nearly identical content with an 89% spam rating it blocks all of them. If it sees 44 messages with a 23% spam content it lets them through.

      Thoughts anyone? I'm sure this idea has gaping flaws in it... what would have to be changed for it to work? What are the critical flaws? Is this a viable model or am I missing something major?
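The volume-plus-rating rule proposed in the comment above, sketched as an added example that is not part of the thread: it groups nearly identical bodies by word-shingle overlap and blocks a group only when both its size and its average spam rating are high. It assumes a vantage point that sees whole messages (a mail server); the similarity measure, the scaled-down thresholds and the sample messages are constructed for illustration.

```python
import re

def shingles(text, k=3):
    """Set of k-word windows over the lower-cased, letters-only text."""
    words = re.findall(r"[a-z]+", text.lower())
    if len(words) <= k:
        return {" ".join(words)}
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    """Overlap of two shingle sets, from 0.0 (disjoint) to 1.0 (identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0

class BulkTracker:
    """Tracks groups of near-identical messages and their spam ratings."""

    def __init__(self, similarity=0.6, min_copies=5, min_rating=0.8):
        self.similarity = similarity   # how alike two bodies must be
        self.min_copies = min_copies   # volume needed before blocking
        self.min_rating = min_rating   # mean rating needed before blocking
        self.groups = []               # [representative shingles, count, rating sum]

    def observe(self, body, rating):
        """Record one message; return 'block' or 'deliver' for it."""
        sig = shingles(body)
        for group in self.groups:
            if jaccard(sig, group[0]) >= self.similarity:
                break
        else:
            group = [sig, 0, 0.0]
            self.groups.append(group)
        group[1] += 1
        group[2] += rating
        mean = group[2] / group[1]
        # Both conditions must hold: a bulk mailing with a low rating (a
        # newsletter) and a one-off with a high rating are both delivered.
        if group[1] >= self.min_copies and mean >= self.min_rating:
            return "block"
        return "deliver"

# Constructed samples: a personalised spam template and a newsletter.
SPAM_TEMPLATE = ("Dear {name}, lose weight fast with our amazing new diet "
                 "pills. Order now and save fifty percent today. Ref {ref}")
NEWSLETTER = ("Weekly digest from the local astronomy club: meeting notes, "
              "observing schedule and telescope loan sign-up for members.")

def run_samples():
    """Feed the constructed traffic through one tracker; return the verdicts."""
    tracker = BulkTracker()
    names = ["alice", "bob", "carol", "dave", "erin", "frank"]
    spam = [tracker.observe(SPAM_TEMPLATE.format(name=n, ref=1000 + i), 0.89)
            for i, n in enumerate(names)]
    news = [tracker.observe(NEWSLETTER, 0.23) for _ in range(10)]
    return spam, news

if __name__ == "__main__":
    spam, news = run_samples()
    print("spam run:      ", spam)
    print("newsletter run:", news)
```

The first copies of a campaign are delivered before the count reaches the limit, which is one of the flaws the poster asks about.
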
      • Bad idea (Score:4, Interesting)

        by Goonie (8651) <[gro.arbmaneb] [ta] [lekrem.trebor]> on Sunday February 09, 2003 @06:38PM (#5266861) Homepage
        This is near-impossible, technically. By the time the traffic flows through the "core routers", it's just a bunch of IP packets which the system doesn't even try to interpret at a higher level. Reconstructing the messages, running spamassassin on them, and selectively blocking them would put an insane CPU load on the routers. They would effectively be acting as mail relays, not routers.

        There are also philosophical problems with such a scheme which others can explain...

      • I like your idea of indexing the common paths back to typical senders and using that cone of paths as one way to validate. If that could be pulled off, I'll be very happy. It might work well as an extra bit of logic for the Bayesian filters that are being tweaked right now.

        I'm less psyched about filtering at the router (mail server). Two words: arms race.

        Having each mail server filter on content along the chain would work in the short run; as soon as it became too effective, the spammers would think of ways to eke by the ratio. Lower the ratio, so would the spammers till you end up filtering out mail that is legitimate.

        (That, and I'd hate to have to spec a system that would do that filtering without adding substantial delays!)

        Beyond adding a cone of paths like you first described, and figuring out other technical ways to deal with this, I see a couple things that will probably be required in the future:

        1. Change or replace our existing email systems so that when the headers (the past routing information) are forged, it is obvious. Then, discard the forgeries.

          (Ob comment: Yes this is a big deal, involves pain, is likely not backward compatible, and should be thought out very carefully.)

        2. Search, locate, and find companies who buy spamming services and sue the hell out of them. Optionally: Have Guido/Jimmy/... 'ave ah talk wit im'.
      • Consider the following. We all access the internet from a fixed and typically small number of physical and virtual locations. Were we to map the internet as a whole, starting from any given location the map would look like an expanding cone.

        Actually, it wouldn't due to the multihomed nature of most networks.

        Since spam messages are sent by the millions and it is fairly easy to determine what messages are likely to BE spam, why not set up a filtering system on the routers that determines the rough content of a message based on both its Spam Percentage and the number of identical messages sent?

        I.E. If the router sees 500,000 messages of nearly identical content with an 89% spam rating it blocks all of them. If it sees 44 messages with a 23% spam content it lets them through.


        First, routers are meant to do one thing, route traffic. They do not have the memory or CPU power to do much more than that.

        Second, "identical" and "near-identical" messages are very different things. It is fairly cheap (processor/memory wise) to determine if two messages are identical. It is quite another task to determine if they are nearly identical.

        Third, there are many instances where identical or nearly identical messages sent out in bulk are not spam. Mailing lists like bugtraq or linux-kernel have very large subscriber lists, but are not spam. If the head of IBM sends a message to all his employees, it is not spam. If my car insurance company sends out a bunch of messages warning people once a month that their policy will expire if payment isn't received, it is most definitely not spam.
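The second and third points in the comment above can be seen in a few lines. This is an added example, not code from the thread or from SpamAssassin: an exact fingerprint misses trivially personalised copies, word-shingle Jaccard similarity catches them, and a legitimate payment reminder forms a bulk cluster that looks just the same by volume. All message bodies and the 0.6 threshold are constructed for illustration.

```python
import hashlib
import re

# Constructed sample bodies: three personalised copies of one spam run,
# two identical copies of a legitimate reminder, and one personal note.
SPAM_A = ("Dear alice, lose weight fast with our amazing herbal pills, "
          "order now and save fifty percent today. ref 83hd2")
SPAM_B = ("Dear bob, lose weight fast with our amazing herbal pills, "
          "order now and save fifty percent today. ref q9z71")
SPAM_C = ("Dear carol, lose weight fast with our amazing herbal pills, "
          "order now and save fifty percent today. ref zz001")
NOTICE = ("Your policy will expire unless payment is received "
          "by the end of the month.")
PERSONAL = "Lunch on Tuesday? I found a good place near the office."
BODIES = [SPAM_A, NOTICE, SPAM_B, PERSONAL, SPAM_C, NOTICE]


def words(body):
    """Lower-case word tokens; punctuation and layout are ignored."""
    return re.findall(r"[a-z0-9]+", body.lower())


def exact_fingerprint(body):
    """Cheap identity test: one hash per message, one set lookup per check."""
    return hashlib.sha256(" ".join(words(body)).encode()).hexdigest()


def shingles(body, k=3):
    """Set of overlapping k-word windows; small edits change only a few."""
    w = words(body)
    return {tuple(w[i:i + k]) for i in range(max(1, len(w) - k + 1))}


def jaccard(a, b):
    """Similarity in [0, 1]: shared shingles over all shingles."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)


def cluster_sizes(bodies, threshold=0.6):
    """Greedy clustering against each cluster's first member.

    Each new message is compared with every cluster seen so far, which is
    the per-message state and CPU cost the comment says a router lacks.
    """
    clusters = []
    for body in bodies:
        for members in clusters:
            if jaccard(members[0], body) >= threshold:
                members.append(body)
                break
        else:
            clusters.append([body])
    return sorted((len(c) for c in clusters), reverse=True)


if __name__ == "__main__":
    print("same hash:", exact_fingerprint(SPAM_A) == exact_fingerprint(SPAM_B))
    print("similarity:", jaccard(SPAM_A, SPAM_B))
    print("cluster sizes:", cluster_sizes(BODIES))
```

The reminder cluster and the spam cluster are indistinguishable by count and similarity alone, so a volume threshold needs some other signal (opt-in records, sender reputation) before it can block anything.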
    • Spam is a technical problem, so why can't we come up with a technical solution?

      Because of the infrastructure costs associated with the existing protocols. How many mail servers are running on the Internet? How many clients are there that speak the existing SMTP protocol?

      Redesigning SMTP to add encryption, identification, and authentication, is not a big problem. Deploying the new protocol is.

      We should not have to undertake an effort that will disrupt business nationwide for months, if not years, just to avoid passing a law.

      Why rely on a legal solution from many of the people who have brought us such brilliant solutions as the DMCA and the CDA

      And let's not forget other laws, like the ones that make child pornography illegal and make it illegal to sell plutonium. Why is it that there is always some belief that laws are inherently bad? That some bad laws have been passed is no reason to abandon our entire legislative process and our form of government.
    • I am not an expert on much, but I have written servers of various kinds and have some understanding of SMTP and networks. Corrections to my naivete are welcome :-)

      Seems to me that the problem could be self correcting if there were no forged headers. If spam could always be traced back to its originator, or to a bad relay who accepted forged headers, then only 1% of the recipients would have to reply to flood the miscreant's mailbox.

      So why is it not possible to prevent forged headers? Why can't SMTP relays reject mail whose most recent Received-From: header does not match the sender? As long as you can trace these backwards, at some point you will hit a forged header or the originator. If the header is forged, that means the next relay did not verify headers, and is a worthy target of complaints about spam, as good as the originator, in fact.

      If only 10% of SMTP relays and ISPs enforce this, that would seem to me enough to flood spammers with complaints.

      Why would this not work? Worst I can see is it would take a few months to become widespread enough to have an effect, and early adopters would have a slight processing overhead increase, due to having to check for forged Received-From: headers.
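The backward trace described in the comment above, as an added example (not code from the thread): it walks the standard `Received:` trace headers from newest to oldest and stops at the first hop whose `from` name does not match the `by` name of the next-older hop. Host names, addresses and both messages are constructed; a mismatch is a lead for investigation rather than proof, since a multi-homed relay may legitimately announce a different name than it stamps.

```python
import re
from email import message_from_string

# "from <HELO name> (<what the receiving server observed>) by <receiver>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<peer>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")

# Constructed sample: the two newest hops were written by the recipient's
# own servers; the oldest one was pasted in by the sender before submission.
FORGED = (
    "Received: from mx.recipient.example (mx.recipient.example [192.0.2.10]) by mailstore.recipient.example with ESMTP; Sun, 9 Feb 2003 18:01:07 -0500\n"
    "Received: from relay.bulk.example (unknown [203.0.113.77]) by mx.recipient.example with SMTP; Sun, 9 Feb 2003 18:01:05 -0500\n"
    "Received: from mail.bank.example (mail.bank.example [198.51.100.5]) by smtp.bank.example with ESMTP; Sun, 9 Feb 2003 17:58:00 -0500\n"
    "From: accounts@bank.example\nSubject: verify your account\n\nbody\n"
)
# Constructed sample: every hop hands off to the server that wrote the next.
GENUINE = (
    "Received: from mx.recipient.example (mx.recipient.example [192.0.2.10]) by mailstore.recipient.example with ESMTP; Sun, 9 Feb 2003 12:00:09 -0500\n"
    "Received: from smtp.friend.example (smtp.friend.example [198.51.100.2]) by mx.recipient.example with ESMTP; Sun, 9 Feb 2003 12:00:07 -0500\n"
    "Received: from laptop.friend.example (dsl-17.isp.example [198.51.100.23]) by smtp.friend.example with ESMTP; Sun, 9 Feb 2003 12:00:01 -0500\n"
    "From: pat@friend.example\nSubject: lunch\n\nbody\n"
)


def parse_hops(raw_message):
    """Return the Received: hops, newest first (the order they appear in)."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        match = HOP_RE.match(" ".join(value.split()))  # unfold, then parse
        if match is None:
            hops.append(None)
            continue
        ip = IP_RE.search(match.group("peer") or "")
        hops.append({
            "helo": match.group("helo").lower(),   # name the client claimed
            "by": match.group("by").lower(),       # server that wrote the line
            "peer_ip": ip.group(1) if ip else None,  # address the server saw
        })
    return hops


def find_chain_break(raw_message):
    """Trace backwards until the chain ends or stops being consistent.

    The result names the last client whose hand-off was recorded by a server
    inside the consistent part of the chain: the party to complain to.
    """
    hops = parse_hops(raw_message)
    if not hops or hops[0] is None:
        return {"verified_hops": 0, "reason": "no-usable-trace",
                "handoff_from": None, "peer_ip": None}
    for i, hop in enumerate(hops):
        older = hops[i + 1] if i + 1 < len(hops) else None
        if i + 1 == len(hops):
            reason = "origin"          # nothing older: this is the submitter
        elif older is None or older["by"] != hop["helo"]:
            reason = "discontinuity"   # older lines are unverifiable
        else:
            continue
        return {"verified_hops": i + 1, "reason": reason,
                "handoff_from": hop["helo"], "peer_ip": hop["peer_ip"]}


if __name__ == "__main__":
    print(find_chain_break(FORGED))
    print(find_chain_break(GENUINE))
```

Only the bracketed address in a line written by a server you control is first-hand evidence; everything the client supplied, including older `Received:` lines, is a claim.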
    • by KjetilK (186133) <kjetil@@@kjernsmo...net> on Sunday February 09, 2003 @06:17PM (#5266748) Homepage Journal

      Spam is a technical problem,

      No, it is not. It is a social and economic problem.

      1. Spammers do not have the social intelligence to see that what they are doing is destructive.
      2. Spammers, at least some of them, are making money.

      That's why you can't come up with a technical solution, because it isn't a technical problem.

      Making it impossible to forge headers is not going to solve any of the problems above. It will only make it easier to report spam to ISPs, but it will not pressure them more to whack the spammers.

      You can take technical measures to shift the cost onto the spammer, but if you do that, you must consider the side-effects.

      Frankly, I think laws are the solution. But given clueless legislators, we have to write the law.

  • Spammage (Score:2, Funny)

    by Big Mark (575945)
    Spam Spam Spam Spam
    Where does it come from, Uncle Sam?
    "Monty Python, don't you know,
    When the madness was in full flow"

    But what when the accursed stuff
    Leads one to declare, "I've had enough!"?
    "My son, spam's easy to fail,
    When you stop using hotmail!"

    -Mark
  • by jenkin sear (28765) on Sunday February 09, 2003 @05:29PM (#5266461) Homepage Journal
    Towards the end of the article, Gleick makes a really interesting point- he says that as commercial speech, spam isn't entitled to any particular first amendment protection:


    The Supreme Court has made clear that individuals may preserve a threshold of privacy. ''Nothing in the Constitution compels us to listen to or view any unwanted communication, whatever its merit,'' wrote Chief Justice Warren Burger in a 1970 decision. ''We therefore categorically reject the argument that a vendor has a right under the Constitution or otherwise to send unwanted material into the home of another.''


    Looks like we have the supremes on our side; if we could just get congress to issue some letters of marque and reprisal on the spamhausen, we'd be getting somewhere...
  • by esme (17526) on Sunday February 09, 2003 @05:29PM (#5266463) Homepage
    As much as I'd like to see spammers prosecuted for fraud (and think making various deceptive tactics illegal is a good short-term approach), legal and social approaches are doomed to failure. The number of people you can spam is so vast, that even if only one in a million takes the bait, it's still profitable -- that's a powerful economic imbalance that you don't find anywhere else. And it's going to make people forge headers, spam from overseas, etc. to get around any legal and social roadblocks.

    I think that breaking that economic model -- ending the receiver-pays system for email -- is the only way to fix spam. If you had to pay some amount of money -- even 1 cent -- for each message that is delivered, spam would stop being economical. And that's the only thing that's going to make it stop.

    -Esme

    • This is a horrible idea. I use email on a daily basis just to send myself notes. If I think of something at work I need to do at home, or vice versa, I send an email to myself instead of writing it down. Implementing a system which would require me to pay to talk to myself is bad. I already pay for my internet connection to be active; telling me I have to pay an additional fee to use it is stupid.
      • I don't think ISPs need to charge their users per email. Since most users receive more email than they send anyway, they would generate a net income for the ISPs. They could set a quota -- even a fairly high one like 100 emails per day -- that users get included with their access.

        That said, if you don't want to pay to talk to yourself, you might try a different system like a PDA or something web-based. Just because it inconveniences you, doesn't mean it wouldn't be worth it -- after all, I don't know anyone who uses email who isn't inconvenienced by spam. So even if 10% of people were inconvenienced by the new system, it would still be a drastic improvement.

        -Esme

    • Need MSSMTP (Score:3, Insightful)

      by bromoseltzer (23292)
      The technical solution is not to charge for sending email, but to make the protocol robust. SMTP is laughably insecure. A More Secure SMTP might let the email receiver get a known ISP to vouch for the email sender before accepting a message, for example.

      I should be able to ask Hotmail (or whoever) "I have message #xyz from your domain. Does it originate from a user in good standing?" If the ISP gets too many queries for an individual account, it will stop vouching for it.

      Likewise, you need a database of "ISP's in good standing". I.e., who is known to play by the rules with MSSMTP?

      Verification would take serious server resources, but better that than spam.

      -mse

      Who steals my .sig, steals trash.

      • A new SMTP (I have a hard time equating "MS" with "More Secure", for some reason...) that had a mechanism to verify the sender's status would be good. In fact, it would be pretty much required to implement a pay-to-send system, because the SMTP would need to get the authorization to debit whatever account was going to pay for the message. The list of people who had valid accounts would de facto be the same as your "ISPs in good standing".

        But I think adding the monetary element is crucial, because of the economics. In a trust system, I suspect there would be constant attacks of people hijacking trusted mail servers and using them to spam. It would, after all, still be profitable. There would also probably be people who had built up a level of trust who would then blow it all on one big spamfest. These would be corrected eventually, but the number of ISPs around the world is pretty large, so I suspect there would still be a lot of spam leaking through the cracks.

        -Esme

    • by rthille (8526) <web-slashdot@@@rangat...org> on Sunday February 09, 2003 @11:01PM (#5268111) Homepage Journal
      There's no reason to involve money (dollars) to stop spam, make them spend CPU cycles instead. Take a look on google for 'hashcash'. Basically, it involves the sender computing a function that takes a long time to figure out, but is very easy for the receiver to verify. So, if I want to send you mail, I spend ~10 cpu seconds, and you verify that I spent the time, and you accept the mail. If I don't compute the function, you sideline/reject the mail. Whitelists can be used to prevent always needing to compute the function. That way I can accept mail from anyone who might be willing to send me mail, if they are willing to spend the CPU cycles. However, since spammers would need to spend 10 seconds per message, they could only send about 1000 messages per day. That wouldn't be economically viable for them...
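The proof-of-work exchange described in the comment above, as an added example (not code from the thread or from the hashcash tool): the sender mints a stamp in the hashcash version 1 layout `1:bits:date:resource:ext:rand:counter` whose SHA-1 hash starts with the required number of zero bits, and the receiver checks it with a single hash. The addresses are constructed and the 12-bit cost is chosen so the demo finishes instantly; a real deployment would ask for around 20 bits or more.

```python
import hashlib
import secrets
import string
from datetime import date, datetime, timedelta

ALPHABET = string.ascii_letters + string.digits


def leading_zero_bits(digest):
    """Number of zero bits at the start of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint(resource, bits, today):
    """Sender side: brute-force a counter; expected cost is 2**bits hashes."""
    salt = "".join(secrets.choice(ALPHABET) for _ in range(12))
    prefix = f"1:{bits}:{today:%y%m%d}:{resource}::{salt}:"
    counter = 0
    while True:
        stamp = prefix + format(counter, "x")
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


class StampVerifier:
    """Receiver side: one hash per message, plus the policy checks that keep
    one expensive stamp from being reused for a million recipients."""

    def __init__(self, my_address, min_bits, max_age_days=2):
        self.my_address = my_address
        self.min_bits = min_bits
        self.max_age = timedelta(days=max_age_days)
        self.seen = set()  # spent stamps; can be pruned once they expire

    def check(self, stamp, today):
        parts = stamp.split(":")
        if len(parts) != 7 or parts[0] != "1":
            return "malformed"
        claimed, stamp_date, resource = parts[1], parts[2], parts[3]
        if not (claimed.isascii() and claimed.isdigit()):
            return "malformed"
        if int(claimed) < self.min_bits:
            return "too-cheap"          # sender chose an easier puzzle
        if resource != self.my_address:
            return "wrong-recipient"    # work was done for someone else
        try:
            issued = datetime.strptime(stamp_date, "%y%m%d").date()
        except ValueError:
            return "malformed"
        if abs(today - issued) > self.max_age:
            return "expired"
        digest = hashlib.sha1(stamp.encode()).digest()
        if leading_zero_bits(digest) < int(claimed):
            return "no-work"            # claimed cost was never paid
        if stamp in self.seen:
            return "replayed"           # same stamp on a second message
        self.seen.add(stamp)
        return "ok"


if __name__ == "__main__":
    day = date(2003, 2, 9)
    verifier = StampVerifier("alice@example.org", min_bits=12)
    stamp = mint("alice@example.org", 12, day)
    print(stamp, verifier.check(stamp, day), verifier.check(stamp, day))
```

Binding the stamp to the recipient address and the date is what makes the cost per message rather than per campaign; the whitelist mentioned in the comment would sit in front of `check` and skip it for known senders.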
  • by KevinIsOwn (618900) <herrkevin&gmail,com> on Sunday February 09, 2003 @05:32PM (#5266483) Homepage

    Sure all these programs help, but think about what creates spam in the first place.

    There are clearly people out there willing to buy the things offered in spam. Obviously not that many, but enough to make a profit. I think that there should be more of an effort to target these people and tell them not to buy stuff from spam!

    There is only so much a program can do to stop spam. As we've seen, numerous programs have been made, SpamAssassin being one of the best (I use it), but the spam just keeps coming.

    Until there is no incentive to send spam in the first place people will do it despite any laws against it.

  • evolution users (Score:5, Informative)

    by asv108 (141455) <alex AT phataudio DOT org> on Sunday February 09, 2003 @05:33PM (#5266489) Homepage Journal
    The one big feature missing for me in evolution is a spam filter. Fortunately, spamassassin works great even if you have to run it locally. Here are some instructions [ximian.com] for evolution users who need to run it locally or are lucky enough to have spamassassin installed on their mail server.
  • by crow (16139) on Sunday February 09, 2003 @05:35PM (#5266499) Homepage Journal
    Be careful what you outlaw. If the law is too broad, it could easily be used to prohibit not only headers in email messages, but in connecting to a web server. How would you like to have it be illegal to lie about what browser you're using? Or refuse to send a referer?
  • by werdna (39029) on Sunday February 09, 2003 @05:38PM (#5266523) Journal
    The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited.

    I don't know what is meant by unsolicited -- and I doubt that there are good definitions that are practical. Nor do I want any single e-mail ever to be treated as spam because some unsophisticate forgot to (or didn't have the software) to make the e-mail unsolicited.

    I *DO* want the anti-spam laws to have teeth and very few exceptions -- for that, the criteria for spam should be sufficient to permit adequate filtering (to be useful), not be content-based (to be constitutional), and should be relatively objective (to be practically enforceable).

    Thus, in lieu of forcing headers to identify whether an e-mail is solicited, I would punish falsely identifying an e-mail as non-broadcast. That is to say, an e-mail is not broadcast if it was sent to, say, fewer than 200 different addresses that had not specifically opted-in by affirmative request to receive it.*

    Then, we simply get most e-mail clients to flag routine e-mails as non-broadcast, and you have a decent result.

    *the only tricks here are (1) subtle and non-substantive changes in each e-mail making them different and (2) sending e-mails on behalf of many different sources (from 1000's of different e-mail accounts). The solutions can be readily addressed by (1) referring to the e-mail and "substantially similar" e-mails (the copyright standard); and (2) referring to e-mails sent by or on behalf of a particular individual. Thus, the person commissioning the spam is always liable for the crime -- regardless how many different persons send the spam on her behalf.
  • esp SA 2.5 (Score:2, Informative)

    by AssFace (118098)
    when people say SpamAssassin is good - they should really be talking about 2.5

    that is the version with the Bayes fully in it and it is head and shoulders above the previous versions IMO
  • Legislate?? (Score:5, Insightful)

    by Anonymous Coward on Sunday February 09, 2003 @05:43PM (#5266546)
    "The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited."

    Is it just me, or is the internet community at large thinking about controlling SPAM from the wrong angle? If we're thinking about legislation as a means of curtailing wanton abuse of our mail systems, why don't we just push to force the system to be explicitly Opt-In rather than allowing your personal details to be passed around to all and sundry under the assumption that you implicitly asked for it just because you ticked a box that said 'please send me "stuff" from our affiliates' 5 years or so ago.

    Personally, I'm sick of receiving these messages about enlarging my manly bits or being told that I had been chosen specially to participate in a "can't lose" investment scam. Sure they sometimes give you an opt-out link, but I'd rather choose what advertising crap to be bombarded with. I'd certainly prefer to know who was receiving my personal information, and what they are likely to advertise, so that I can avoid wasting hours out of my day cleaning up after these lazy cowards who aren't willing to contact me in such a way so that I can communicate personally with them and tell them what ASSHOLES they really are ;)
  • No hope (Score:4, Interesting)

    by pben (22734) on Sunday February 09, 2003 @05:45PM (#5266561)
    How many of you have seen the current Microsoft TV ad running in the USA? There is Microsoft saying that it would be great to spam everybody in the Chicago area that bought a band's CD to get them to see the concert. If Microsoft is promoting spam on TV, is it any wonder that the little schemers don't see anything wrong with it?

    I just wish that I would not get emails in the same day to enlarge my breast and penis. It is just too sad and stupid.

  • I've forgotten how annoying spam is.
  • Chaos Theory anyone? (Score:4, Informative)

    by bstadil (7110) on Sunday February 09, 2003 @05:46PM (#5266567) Homepage
    James Gleick, is more technically educated

    The uneducated guy that sent this story in needs to know that he was instrumental in taking Chaos theory from an obscure science in Santa Fe into something that almost every scientific discipline benefits from. Incl. CS. [around.com]

  • by yiingineer (604803) on Sunday February 09, 2003 @05:57PM (#5266633)

    I've been using Cloudmark's SpamNet [cloudmark.com] for the past few months and it's been working quite well.

    The smart thing that SpamNet does, is that it relies on its users to determine if something is spam or not. If some email lands in your inbox and a few hundred SpamNet members have proclaimed it spam, it most likely is, and it gets immediately filtered out. This has the net effect of a few users needing to filter out a few messages occasionally, while the vast majority of messages are filtered out for all users. Although SpamAssassin seems quite good, it's still based upon filtering rules and spammers are constantly tweaking their emails to try to get around them. Since people are still better at determining what's spam and what's not, I find that its accuracy is generally better.

    SpamNet isn't perfect though, as far as I know, it only works with Outlook on Windows and doesn't have a Unix, Linux or Mac version. It also sometimes filters out valid bulk mailings, but overall, I would definitely recommend it.

  • Go with POPFile. (Score:5, Informative)

    by TDScott (260197) on Sunday February 09, 2003 @06:00PM (#5266650)
    SpamAssassin's a great idea, but for the non-technically minded user, POPFile [sourceforge.net]'s the best choice. Bayesian filters, learning, kickass UI, and a Windows installer (and Perl for other platforms.)
  • by Crispy Critters (226798) on Sunday February 09, 2003 @06:06PM (#5266686)
    Whaddya mean outlaw "forged" headers? Most email I send has "forged" headers on it, because I am not sending it from a mail server. So, duh, I put in a "forged" From: line so replies go to the mail server, rather than to a machine that doesn't even listen on the SMTP port. What about masquerading in sendmail, will that be illegal too?

    The only headers that should be preserved are perhaps the Received: lines which show the route that the message has taken. Still, I can think of a legitimate reason to muck with these - if a company network has a sufficiently complicated internal structure, these headers might reveal some information that they don't want widely available.

  • by DuctTape (101304)
    I find it ironic that on the same NYT page that talks about spam being ubiquitous, there's the paper's pop-up ads running amuck.

    Go figure.

  • by sstory (538486)
    Gleick's is the best anti-spam article I've seen. I read this article yesterday and then emailed David Price, my Rep, and John Edwards, my Senator, urging them to support national prohibitions or regulations of spam. I urge you to do the same. Politicians bow to pressure. Apply enough citizen pressure and you can overcome even lobbyists.
  • >>2) a specific header entry should identify the email as unsolicited

    I can see some problems with this. If I send a message to my mother out of the blue is that unsolicited?

    I haven't read the article (I don't like the NYT and avoid it when I can) but I'm sure the idea is that this applies to commercial email, but that's a dangerous distinction to make if you ask me.
  • by cpaluc (559921) on Sunday February 09, 2003 @06:18PM (#5266757)
    Here's how:
    1. Spend 10 bucks, buy a domain name (eg xyz.com).
    2. Set up a few email aliases to point to your real email. eg:

    joe@xyz.com ---> you@hotmail.com

    temp123@xyz.com ---> you@hotmail.com

    spam123@xyz.com ---> you@hotmail.com

    3. Never give out 'joe@xyz.com' to anyone except friends/family.
    4. Use the other emails for signing up for things on the web or in usenet.
    5. When you get your first spam addressed to 'temporary21@xyz.com', delete the email address (no more spam from that source!).

    I find this method works extremely well. By using aliases in this way you effectively hide your real mailbox. Even if your hotmail account starts receiving spam you can just get a new one and point your aliases at it. Also, if you change ISP you don't need to change your email address.

    If you use it to forward to a hotmail account it might be better if the hotmail account name isn't a dictionary word or name (ie. use a random string for an account name that the 'bots won't guess).

    You're screwed if your 'trusted' address gets out there but if you're careful you'll at least get much more use out of it before needing to kill it.

  • by cdegroot (14366) on Sunday February 09, 2003 @06:28PM (#5266804) Homepage
    Change to something like IM2000 (http://cr.yp.to/im2000.html), spam vanishes in a poof. Keep around with the current broken system, and we'll have ever more draconian laws in ever more futile attempts to suppress it.
  • by gleick (62279) on Sunday February 09, 2003 @06:50PM (#5266922) Homepage
    For what it's worth, an ever-so-slightly longer version, [around.com] lacking a few bits of Times editing, is posted here, at my own site [around.com]. And may I say how helpful and fascinating the many Slashdot discussions of this subject have been?
  • by mcrbids (148650) on Sunday February 09, 2003 @06:52PM (#5266938) Journal
    If we can pull it off.

    With Bind 9, we finally have a decent, working implementation of DNSSEC. This will allow for a new breed of secure, verified websites and email, and (Finally!) makes an RBL actually mean something.

    How's that you ask?

    Well, one of the biggest problems with SPAM is the forged header, open relay issue. It's a complicated issue, and one that doesn't have an obvious, "in your face" kind of answer.

    DNS is designed to tell you where to go, and SSL/Certs make sure that you got there. Why aren't they joined together? The fact that you are the DNS server for a domain makes it clear and obvious that you are an authoritative designator for where you are supposed to go - why have this wholly separate and disjointed SSL/Cert that can't even be made to work [slashdot.org] consistently?

    If an ISP can issue DNS-SEC certs with impunity, we might actually see a reason to have encrypted and ISP certified email.

    And suddenly, the ISP is back in charge again, able to validate every email going out as coming from one of its customers. Revoke the cert and their email becomes unreadable.

    Now, we have an email system with a powerful mechanism built in that is:

    1) Standards compliant
    2) Easy to implement
    3) Clearly laid out
    4) Cheap
    5) secure
    6) private - using the ISP's cert to identify yourself doesn't mean that the ISP can read your email! (like they can now - the command is "mail -u _username_")

    What's not to argue with? The issue of locking down an open relay becomes a non-issue - an ISP could simply identify an "s-mail" server (secure mail) that will only relay for those holding a valid cert at that ISP.

    Roaming wouldn't be an issue, nor would open relays or forged headers.

    A brave new world? Yep. One I'd like to live in? Yep. One that's coming? We can only hope...
  • by Cbs228 (596164) on Sunday February 09, 2003 @07:10PM (#5267068)
    Spam isn't a legal problem-- it's a social problem. It is the result of uncontrolled avarice, of people wanting to make money at any ethical cost. There will always be these kinds of people who will steal our time (and our bandwidth) regardless of any laws against them. There are also people (Sysadmins of certain Far East networks come to mind) who are willing to look the other way for a few extra dollars.

    But most importantly of all, we cannot forget that American consumers are responsible for spam. That's right, spam is OUR fault. It is our fault because no matter how many messages are filtered, and no matter how many websites are closed for spam complaints (or get DDoS'd by rampaging slashdotters), they still make money. They make money because of that infinitesimally small group of consumers who buy stuff from spammers. That small percent is what makes it all worth it to them.

    The day that spammers' profit margins drop to nil because consumers refuse to buy from spammers is the day that spam vanishes from our inboxes forever. No laws, no filters, no problems.

    Unfortunately, as P.T. Barnum would put it, "There's a sucker born every minute..."

  • by yelvington (8169) on Sunday February 09, 2003 @07:52PM (#5267299) Homepage
    "the author, James Gleick, is more technically educated than what we've come to expect from the big press."

    Maybe because after many years as a reporter, he founded Pipeline, one of the first big ISPs.

  • by tacocat (527354) <tallison1@noSPAm.twmi.rr.com> on Sunday February 09, 2003 @07:54PM (#5267309)

    I think it would be great if you could actually prosecute someone for forging headers. Unfortunately you don't know who that person is, now do you?

    But how would you ever determine if something is unsolicited? After all, there are a lot of registration websites that have a tendency to quietly flag you as willing to accept spam from them. If I missed it, does that still make it UCE? If it does, how do I now remove myself from all the lists that I am now on...

    Spam has a solution and it doesn't have to be so drastic as to put in this kind of legislation or use whitelist only mailing lists. We just haven't figured it out yet.

  • by Skapare (16644) on Sunday February 09, 2003 @11:41PM (#5268248) Homepage

    Spam is not about content. Not everyone even agrees what constitutes spam when they are evaluating it based on content, so how can a program or a recipient community do this? What makes mail spam is stuff like sending it unsolicited and in bulk. It won't matter what the content is.

    I have signed up with some companies for announcements about their products. While that company may not be spamming, their content could have a lot of the same wording as another company selling similar products, but is sending it to harvested addresses. The latter is spam, but the former is not. How do you tell based on the content?

    Tools that evaluate a message based on content are probably going to classify both messages the same way. If they are both classified as spam, then one of them will be "collateral damage". If they are both not classified as spam, then the other will be "leaky pinky". So I still prefer to block spam on the basis of the behaviour of the sender.
