NYTimes: Tangled Up in Spam

ezekieldas writes "Congratulations to the SpamAssassin developers and community! There's a mention of SA in the NYTMag as "one of the best tools for network administrators..." in an extensive article entitled Tangled Up in Spam. The article is quite substantial and the author, James Gleick, is more technically educated than what we've come to expect from the big press. Central to the story is the complexity in dealing with spam effectively in both technical and legal terms and the confusion it brings upon the neophyte. The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited."

Kudos to SA.

[clueless123]

I been using Spam assassin for a while now, it is sad to say, but email would be almost unusable with out it.

illegal

[Anonymous Coward]

illegal is great in theory, but there is no possible way to enforce that on a world wide basis.

white lists are the only way to stop spam.

Careful what you outlaw

[crow]

Be careful what you outlaw. If the law is too broad, it could easily be used to prohibit not only headers in email messages, but in connecting to a web server. How would you like to have it be illegal to lie about what browser you're using? Or refuse to send a referer?

Broadcast, not unsolicited

[werdna]

The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited.

I don't know what is meant by unsolicited -- and I doubt that there are good definitions that are practical. Nor do I want any single e-mail ever to be treated as spam because some unsophisticate forgot to (or didn't have the software) to make the e-mail unsolicited.

I *DO* want the anti-spam laws to have teeth and very few exceptions -- for that, the criteria for spam should be sufficient to permit adequate filtering (to be useful), not be content-based (to be constitutional), and should be relatively objective (to be practically enforeceable).

Thus, in lieu of forcing headers to identify whether an e-mail is solicited, i would punish falsely identifying an e-mail as non-broadcast. That is to say, an e-mail is not broadcast if it was sent to, say, fewer than 200 different addresses that had not specifically opted-in by affirmative request to receive it.*

Then, we simply get most e-mails clients to flag routine e-mails as non-broadcast, and you have a decent result.

*the only tricks here are (1) subtle and non-substantive changes in each e-mail making them different and (2) sending e-mails on behalf of many different sources (from 1000's of different e-mail accounts). The solutions can be readily addressed by (1) referring to the e-mail and "substantially similar" e-mails (the copyright standard); and (2) referring to e-mails sent by or on behalf of a particular individual. Thus, the person commissioning the spam is always liable for the crime -- regardless how many different persons send the spam on her behalf.

SpamAssassin is not a solution

[Anonymous Coward]

SpamAssassin is a very dumb filter. It's computationally expensive and is a very small patch for a very large hole. SpamAssassin is just playing attrition with spammers. Hell spammers can use SpamAssassin and tune their emails to pass through it!

What you need is filters that are tailored to YOU. Spammers can't read your email therefore they can't fully mimick the email you expect to get.

Go read Paul Graham's A Plan for Spam. Don't be a slave to spam.

Legislate??

[Anonymous Coward]

"The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited."

Is it just me, or is the internet community at large thinking about controlling SPAM from the wrong angle? If we're thinking about legislation as a means of curtailing wanton abuse of our mail systems, why don't we just push to force the system to be explicitly Opt-In rather than allowing your personal details to be passed around to all and sundry under the assumption that you implicitly asked for it just because you ticked a box that said 'please send me "stuff" from our affiliates' 5 years or so ago.

Personally, I'm sick of receiving these messages about enlarging my manly bits or being told that I had been chosen specially to participate in a "can't lose" investment scam. Sure they sometimes give you an opt-out link, but I'd rather choose what advertising crap to be bombarded with. I'd certainly prefer to know who was receiving my personal information, and what they are likely to advertise, so that I can avoid wasting hours out of my day cleaning up after these lazy cowards who aren't willing to contact me in such a way so that I can communicate personally with them and tell them what ASSHOLES they really are ;)

Re:You don't have to.

[Anonymous Coward]

Or you can register normally and help the NYT pay James Gleick's salary as well as their bandwidth bill, by allowing the NYT to get a better grasp of who their readers are.

But this Slashdot, where information wants to be free unless it's your own.

Re:Illegal?

[meringuoid]

Why does everyone in the USA assume that everyone else in the world will somehow obey US law when it is made "illegal"?

Because the vast majority of spam is sent by Americans, advertising products sold by other Americans and hoping to sell them to still more Americans. The fact that the spam is sent via open relays in Korea or bulletproof accounts in China, and received in Europe or Australia, is neither here nor there. Ralsky, for instance, lives in America, regardless of where the spam is routed; indeed, _his_ location is very well known nowadays ;-)

Re:Techical Solutions Are Required

[yakko nef]

This is a horrible idea. I use email on a daily basis just to send myself notes. If I think of something at work I need to do at home, or vice versa, I send an email to myself instead of writing it down. Implementing a system which would require me to pay to talk to myself is bad. I already pay for my internet connection to be active telling me I have to pay an additional fee to use it is stupid.

Re:I get four a week.

[enos]

What's the use of having an email address if you don't give it out to any of your friends? It's like asking a hot date to call you, but you won't give her your unlisted telephone number.

Need MSSMTP

[bromoseltzer]

The technical solution is not to charge for sending email, but to make the protocol robust. SMTP is laughably insecure. A More Secure SMTP might let the email receiver get a known ISP to vouch for the email sender before accepting a message, for example.

I should be able to ask Hotmail (or whoever) "I have message #xyz from your domain. Does it originate from a user in good standing?" If the ISP gets too many queries for an individual account, it will stop vouching for it.

Likewise, you need a database of "ISP's in good standing". I.e., who is known to play by the rules with MSSMTP?

Verification would serious server resources, but better that than spam.

-mse

Who steals my .sig, steals trash.

Re:NO NO NO - for a different reason

[JonTurner]

>>1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited

Don't we ever learn from the past? We've all seen the unintended consequences of poorly-crafted legislation (e.g. DMCA), so why run to the shelter of more restrictions which, in the end, will only cause us more problems? Like the criminals trying to scam your mom with the Nigerian-hold-my-money-for-a-day scam are going to suddenly begin obeying the law... yeah, right. Which begs another question: what law, in what jurisdiction? Even if the US were to pass this law and ruthlessly enforce it (domestically), all scammers would simple flood us from offshore servers.

The solution is not legislation, it is the creative use of technology. Build software that "learns" what is spam and what isn't, then evolves to keep up with the changing tactics of the spammers. Something like PopFile [sourceforge.net]

Re:Kudos to SA.

[WowTIP]

I been using Spam assassin for a while now, it is sad to say, but email would be almost unusable with out it.

But how do people get on the spam-lists to begin with? I mean, I have one email address for work and one private. Neither one of these gets more than one spam/month. Ever. The (obvious) reason for this is that I never use these addresses "in public" (web forms, online buying, etc.), for that I have my spam-collector, the Hotmail account, which do recieve a lot of these messages.

But then, I would guess that most people have been warned not to use their "real" mail address for the hazards I mentioned, making them as careful with their addresses as I am with mine. This would contradict my mesures beeing that effective when others still seem to get massive amounts of spam?

Am I just incredibly lucky with my two "real" email addresses?

If you took the same precautions I did, how do you think you got into the spam-generals addressbook?

Re:Always with the legislation...

[KjetilK]

Spam is a technical problem,

No, it is not. It is a social and economic problem.

1. Spammers do not have the social intelligence to see that what they are doing is destructive.
2. Spammers, at least some of them, are making money.

That's why you can't come up with a technical solution, because it isn't a technical problem.

Making it impossible to forge headers is not going to solve any of the problems above. It will only make it easier to report spam to ISPs, but it will not pressure them more to whack the spammers.

You can take technical measures to shift the cost onto the spammer, but if you do that, you must consider the side-effects.

Frankly, I think laws are the solution. But given clueless legislators, we have to write the law.

How They're Evading Filters Now

[Fringe]

The big problem I have now, new in the last two months or so, is that many of the spams are now uuencoded text bodies... so the filters don't work on them. They are reconstituted by the client (Eudora in my case), after passing through the filters.

Unfortunately the filters (e.g. Spam Weasel, Eudora,etc.) don't have an "automatically reject if no text components" option.

Re:Kudos to SA.

[jesser]

The (obvious) reason for this is that I never use these addresses "in public" (web forms, online buying, etc.), for that I have my spam-collector, the Hotmail account, which do recieve a lot of these messages.

One of the major costs of spam is that people are afraid to make their addresses available, making it much harder to contact people. I think it's sad that many geeks have become so used to spam that they think anyone who posts their e-mail address on a web page is stupid. Some geeks even go as far as to blame friends for spam they get when a friend isn't as careful with the geek's address.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:The real way to get rid of spam

[An Onerous Coward]

<rant mode="unnecessarily sarcastic">
Wonderful idea. Rather than fighting spam through legislative or technological means, we'll simply convince all the stupid, desperate people in the world not to fall for silly cons.

Except, wait. We can't do that because they're too stupid and desperate to get the hint!
</rant>

Seriously, though. I wish everyone were capable of being able to spot shady deals. But to do so requires an uncommon amount of common sense. I don't think you could train most people quickly enough. Come to think of it, I don't think you could train some people at all.

"forged" != "changed"

[Fastolfe]

There are many perfectly reasonable reasons why you would want to provide an alternative to the default value for many SMTP headers. It's when you lie and mislead by using values that *other* ISP's use in their own headers that you are said to have "forged" them. Bogus "Received" headers can be considered "forged headers" as well, as they are not added by the MTA per the SMTP specification, they are crafted by hand to make it *look* like they were added by an MTA.

These are forgeries. Providing alternative (but still "correct") values for some SMTP headers are not.

(Technically, instead of mucking with the From header, you might want to consider adding a Reply-To and/or Errors-To header instead.)

My name's Sangria I have the hots for you!

[tjamme]

Hi John,

I got this from my friend who works at the mall - check this girl, she's hot! ...

Spam is not a technical problem.
It is generated by the most complex processing system known (The Human brain) and obeys to one of the simplest known principle (or absence thereof: greed).

That's a pretty potent combination.
Certainly not one for a machine to match.

No AI based solution will ever be able to reliably block spam, it's like handwriting recognition: I can't even read my own handwriting sometimes!

Spam is a human problem that has two sides:

- Some nutters will stop at nothing to sell you something (expecially if the numbers look good).

- Some idiots will genuinely think a girl called Sangria has the hots for them - type in your credit card here darling.
Don't worry: if you've read that far, then you're probably not that dumb.

Of course the solution is legal.
Here in the UK, I used to receive a fair amount of junk mail. There is however an opt-out list which I subscribed to and all I get is a few of them a year for the guy who used to live here before me.

So, yes, forged headers should be illegal.
And no, an 'Unsollicited mail' one is not a solution:
Why?
Because of this:

"Hi Tee, I am your long lost cousin in Australia - I found your e-mail on your web page, So good to be in touch again..."

A header that says whether or not the email is advertising is a better idea. If the values of this field follow an agreed classification, you could actually filter IN *voluntarily* things you are genuinely interested in.

The inforcement problem about spam will eventually be resolved. Europe is getting bigger and more integrated, the USA are a big chunk too. Now if these two and, say Japan or Taiwan agreed to block any other network that does not adhere to the guidelines, there will be a lot of pressure from inside those banned countries to make them adopt compatible legislation.

Of course it takes guts (something politicians rarely have), technical awareness (ditto) and time (Well fortunately we have plenty of that - it's only our patience that's running out.)

Check this site it's hot: http://www.aptilis.com/

(Sorry couldn't help...)
Teebo.

I agree with #1 but not #2

[tacocat]

I think it would be great if you could actually prosecute someone for forging headers. Unfortunately you don't know who that person is, now do you?

But how would you ever determine is something is unsolicited? After all, there are a lot of registration websites that have a tendency to quietly flag you as willing to accept spam from them. If I missed it, does that still make it UCE? If it does, how do I now remove myself from all the lists that I am now on...

Spam has a solution and it doesn't have to be so drastic as to put in this kind of legislation or use whitelist only maling lists. We just haven't figured it out yet.

Re:Always with the legislation...

[anon mouse-cow-aard]

SPAM is NOT a technical problem. I guess one could consider missles a technical problem for commercial airliners, or burglars to be a technical problem for homeowners. I am sure enterprising technical solutions could address these technical promblems, but:

• How much is an anti-missile system on every airliner going to cost ? (or an anti-spam engine on every mail server.)
• Should not activity which is actively destructive to (electronic) society at least be illegal?
• If someone came up to your children and walked along beside them on the way home from school, showing them dirty pictures, and inviting them to come play, they would be arrested in a heartbeat. Why is the same behaviour not illegal on the internet?

  That they do not know who they are mailing to only makes the problem worse.

The measures Mr. Gleick proposes are rational ones. All they do is make it easier to figure out who is sending the mail. Legitimate businesses will not mind being found. For those companies that insist on this business model, a simple filter on a single header will solve the problem for the 99.9999% of the population who do not answer in any event. Once the response rates start to drop because of those two measures, SPAM itself is very likely to decline.

Re:Kudos to SA.

[daveq]

Of course there are also those wonderful friends who send a bulk-ish email that doesn't hide the addresses of the thirty recipients. One of them is bound to be an account at freemail.com.

Not only does your spams-per-hour count begin to rise, but you have to suffer the geek's frustration: How could you have a friend so mind-numbingly ignorant of technical manners?

Every time I set up a new email address ("Okay, this one will be spam-free. Really.") spammers find a way to get it, whatever I may do to prevent them. It only takes one leak.

Re:Kudos to SA.

[qengho]

send link to a friend

A couple of months ago I got fed up with the ridiculous amount of spam I was getting at my primary address. I sent a note to the people I give a crap about, telling them that my primary address would henceforth be a new account I had created in my own domain.

I explicitly begged them not to give the new address to "those stupid send this cool page to a friend" sites. Set up filters in my email client to segregate the old address, and so far, so good, although my Mom gave the new address to an e-greeting card site. Fortunately, the site in question doesn't harvest addresses, and I (respectfully but frantically) pointed out to her that e-cards fall into the "stupid" category, and told her how to make up a disposable address for greeting cards, using my domain name.

Having to go to these lengths to to keep my inbox clear of spam makes me homicidal.

Re:Kudos to SA.

[FuzzyBad-Mofo]

If you ever put your resume on a job-seeker board, prepare for an onslaught of spam. It's a catch-22: You want your email address to be seen by a potential employer, unfortunately the spammers can easily scrape the sites for their email addresses. These bastards are truly the lowest forms of life.

Re:Kudos to SA.

[cicho]

The parent is not "insightful" - it's shallow. If you're going to be so protective of your email address, you might as well ditch it altogether.

I work as a freelancer. My website hosts my CV, as do several online databases, where companies go to look for people of my profession. The CV of course includes not one, but several of my email addresses, because, in the long run, this translates directly into payable work.

I write software for fun (not profit). I even do email support, so my email address is again right there in plain html, and displayed by every software archive site I've ever uploaded my stuff to.

But this is the point of having an email address in the first place, isn't it? I could be as protective of it as the parent suggests, except by doing so I would lose much more than I am losing now (in terms of time and net-related costs). But to me, it's not only a matter of give and take: I refuse, on principle, to obfuscate my email address; I refuse to give in to spammers. When people start to hide their email contact information en masse, then spammers have won and email has become usleess.

Re:I get four a week.

[wbm6k]

Sounds great... but don't you think the spammers might catch on eventually and just send to:

username-amazo@the.server
username-amaz@the.server
username-ama@the.server
...
u@the.server

figuring that somewhere in there they'll hit the real address? (And they'll figure it out even quicker once they notice they have both username-amazon@the.server and username-yahooGroups@the.server in their mail-lists)

Any technological solution (widely employed) will eventually be caught up to by the spammers, perpetuating the SPAM arms race, and bringing us down to their level (as the article alludes to).

Re:NO NO NO

[1u3hr]

Another "no no" to me is the suggestion that all headers and thus senders be verifiable and real. This would mean the end of anonymity, which in some situations, such as ratting out a former business partner, or any number of reasons in countries like China or the US with intolerant governments. Bulk spammers already use real accounts sometimes, and just burn them, this wouldn't slow them down much.

However, a method to force identification of BULK email (more than, say, 100 similar messages) might have fewer undesirable side-effects.