NYTimes: Tangled Up in Spam
ezekieldas writes "Congratulations to the SpamAssassin developers and community! There's a mention of SA in the NYTMag as "one of the best tools for network administrators..." in an extensive article entitled Tangled Up in Spam.
The article is quite substantial and the author, James Gleick, is more technically educated than what we've come to expect from the big press. Central to the story is the complexity in dealing with spam effectively in both technical and legal terms and the confusion it brings upon the neophyte. The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited."
Kudos to SA. (Score:4, Insightful)
illegal (Score:1, Insightful)
white lists are the only way to stop spam.
Careful what you outlaw (Score:3, Insightful)
Broadcast, not unsolicited (Score:3, Insightful)
I don't know what is meant by unsolicited -- and I doubt that there are good definitions that are practical. Nor do I want any single e-mail ever to be treated as spam because some unsophisticate forgot (or didn't have the software) to make the e-mail unsolicited.
I *DO* want the anti-spam laws to have teeth and very few exceptions -- for that, the criteria for spam should be sufficient to permit adequate filtering (to be useful), not be content-based (to be constitutional), and should be relatively objective (to be practically enforceable).
Thus, in lieu of forcing headers to identify whether an e-mail is solicited, I would punish falsely identifying an e-mail as non-broadcast. That is to say, an e-mail is not broadcast if it was sent to, say, fewer than 200 different addresses that had not specifically opted-in by affirmative request to receive it.*
Then, we simply get most e-mail clients to flag routine e-mails as non-broadcast, and you have a decent result.
*the only tricks here are (1) subtle and non-substantive changes in each e-mail making them different and (2) sending e-mails on behalf of many different sources (from 1000's of different e-mail accounts). The solutions can be readily addressed by (1) referring to the e-mail and "substantially similar" e-mails (the copyright standard); and (2) referring to e-mails sent by or on behalf of a particular individual. Thus, the person commissioning the spam is always liable for the crime -- regardless how many different persons send the spam on her behalf.
SpamAssassin is not a solution (Score:1, Insightful)
What you need is filters that are tailored to YOU. Spammers can't read your email therefore they can't fully mimic the email you expect to get.
Go read Paul Graham's A Plan for Spam. Don't be a slave to spam.
Legislate?? (Score:5, Insightful)
Is it just me, or is the internet community at large thinking about controlling SPAM from the wrong angle? If we're thinking about legislation as a means of curtailing wanton abuse of our mail systems, why don't we just push to force the system to be explicitly Opt-In rather than allowing your personal details to be passed around to all and sundry under the assumption that you implicitly asked for it just because you ticked a box that said 'please send me "stuff" from our affiliates' 5 years or so ago.
Personally, I'm sick of receiving these messages about enlarging my manly bits or being told that I had been chosen specially to participate in a "can't lose" investment scam. Sure they sometimes give you an opt-out link, but I'd rather choose what advertising crap to be bombarded with. I'd certainly prefer to know who was receiving my personal information, and what they are likely to advertise, so that I can avoid wasting hours out of my day cleaning up after these lazy cowards who aren't willing to contact me in such a way so that I can communicate personally with them and tell them what ASSHOLES they really are.
Re:You don't have to. (Score:2, Insightful)
But this is Slashdot, where information wants to be free unless it's your own.
Re:Illegal? (Score:5, Insightful)
Because the vast majority of spam is sent by Americans, advertising products sold by other Americans and hoping to sell them to still more Americans. The fact that the spam is sent via open relays in Korea or bulletproof accounts in China, and received in Europe or Australia, is neither here nor there. Ralsky, for instance, lives in America, regardless of where the spam is routed; indeed, _his_ location is very well known nowadays ;-)
Re:Technical Solutions Are Required (Score:3, Insightful)
Re:I get four a week. (Score:2, Insightful)
Need MSSMTP (Score:3, Insightful)
I should be able to ask Hotmail (or whoever) "I have message #xyz from your domain. Does it originate from a user in good standing?" If the ISP gets too many queries for an individual account, it will stop vouching for it.
Likewise, you need a database of "ISP's in good standing". I.e., who is known to play by the rules with MSSMTP?
Verification would require serious server resources, but better that than spam.
-mse
Who steals my .sig, steals trash.
Re:NO NO NO - for a different reason (Score:5, Insightful)
Don't we ever learn from the past? We've all seen the unintended consequences of poorly-crafted legislation (e.g. DMCA), so why run to the shelter of more restrictions which, in the end, will only cause us more problems? Like the criminals trying to scam your mom with the Nigerian-hold-my-money-for-a-day scam are going to suddenly begin obeying the law... yeah, right. Which begs another question: what law, in what jurisdiction? Even if the US were to pass this law and ruthlessly enforce it (domestically), all scammers would simply flood us from offshore servers.
The solution is not legislation, it is the creative use of technology. Build software that "learns" what is spam and what isn't, then evolves to keep up with the changing tactics of the spammers. Something like PopFile [sourceforge.net]
Re:Kudos to SA. (Score:3, Insightful)
But how do people get on the spam-lists to begin with? I mean, I have one email address for work and one private. Neither one of these gets more than one spam/month. Ever. The (obvious) reason for this is that I never use these addresses "in public" (web forms, online buying, etc.), for that I have my spam-collector, the Hotmail account, which does receive a lot of these messages.
But then, I would guess that most people have been warned not to use their "real" mail address for the hazards I mentioned, making them as careful with their addresses as I am with mine. This would contradict my measures being that effective when others still seem to get massive amounts of spam?
Am I just incredibly lucky with my two "real" email addresses?
If you took the same precautions I did, how do you think you got into the spam-general's address book?
Re:Always with the legislation... (Score:5, Insightful)
No, it is not. It is a social and economic problem.
That's why you can't come up with a technical solution, because it isn't a technical problem.
Making it impossible to forge headers is not going to solve any of the problems above. It will only make it easier to report spam to ISPs, but it will not pressure them more to whack the spammers.
You can take technical measures to shift the cost onto the spammer, but if you do that, you must consider the side-effects.
Frankly, I think laws are the solution. But given clueless legislators, we have to write the law.
How They're Evading Filters Now (Score:2, Insightful)
Unfortunately the filters (e.g. Spam Weasel, Eudora, etc.) don't have an "automatically reject if no text components" option.
Re:Kudos to SA. (Score:4, Insightful)
One of the major costs of spam is that people are afraid to make their addresses available, making it much harder to contact people. I think it's sad that many geeks have become so used to spam that they think anyone who posts their e-mail address on a web page is stupid. Some geeks even go as far as to blame friends for spam they get when a friend isn't as careful with the geek's address.
Comment removed (Score:4, Insightful)
Re:The real way to get rid of spam (Score:2, Insightful)
Wonderful idea. Rather than fighting spam through legislative or technological means, we'll simply convince all the stupid, desperate people in the world not to fall for silly cons.
Except, wait. We can't do that because they're too stupid and desperate to get the hint!
</rant>
Seriously, though. I wish everyone were capable of being able to spot shady deals. But to do so requires an uncommon amount of common sense. I don't think you could train most people quickly enough. Come to think of it, I don't think you could train some people at all.
"forged" != "changed" (Score:2, Insightful)
These are forgeries. Providing alternative (but still "correct") values for some SMTP headers is not.
(Technically, instead of mucking with the From header, you might want to consider adding a Reply-To and/or Errors-To header instead.)
My name's Sangria I have the hots for you! (Score:2, Insightful)
I got this from my friend who works at the mall - check this girl, she's hot!
Spam is not a technical problem.
It is generated by the most complex processing system known (the human brain) and obeys one of the simplest known principles (or absence thereof: greed).
That's a pretty potent combination.
Certainly not one for a machine to match.
No AI based solution will ever be able to reliably block spam, it's like handwriting recognition: I can't even read my own handwriting sometimes!
Spam is a human problem that has two sides:
- Some nutters will stop at nothing to sell you something (especially if the numbers look good).
- Some idiots will genuinely think a girl called Sangria has the hots for them - type in your credit card here darling.
Don't worry: if you've read that far, then you're probably not that dumb.
Of course the solution is legal.
Here in the UK, I used to receive a fair amount of junk mail. There is however an opt-out list which I subscribed to and all I get is a few of them a year for the guy who used to live here before me.
So, yes, forged headers should be illegal.
And no, an 'Unsolicited mail' one is not a solution:
Why?
Because of this:
"Hi Tee, I am your long lost cousin in Australia - I found your e-mail on your web page, So good to be in touch again..."
A header that says whether or not the email is advertising is a better idea. If the values of this field follow an agreed classification, you could actually filter IN *voluntarily* things you are genuinely interested in.
The enforcement problem about spam will eventually be resolved. Europe is getting bigger and more integrated, the USA are a big chunk too. Now if these two and, say Japan or Taiwan agreed to block any other network that does not adhere to the guidelines, there will be a lot of pressure from inside those banned countries to make them adopt compatible legislation.
Of course it takes guts (something politicians rarely have), technical awareness (ditto) and time (Well fortunately we have plenty of that - it's only our patience that's running out.)
Check this site it's hot: http://www.aptilis.com/
(Sorry couldn't help...)
Teebo.
I agree with #1 but not #2 (Score:3, Insightful)
I think it would be great if you could actually prosecute someone for forging headers. Unfortunately you don't know who that person is, now do you?
But how would you ever determine if something is unsolicited? After all, there are a lot of registration websites that have a tendency to quietly flag you as willing to accept spam from them. If I missed it, does that still make it UCE? If it does, how do I now remove myself from all the lists that I am now on...
Spam has a solution and it doesn't have to be so drastic as to put in this kind of legislation or use whitelist only mailing lists. We just haven't figured it out yet.
Re:Always with the legislation... (Score:2, Insightful)
That they do not know who they are mailing to only makes the problem worse.
Re:Kudos to SA. (Score:3, Insightful)
Not only does your spams-per-hour count begin to rise, but you have to suffer the geek's frustration: How could you have a friend so mind-numbingly ignorant of technical manners?
Every time I set up a new email address ("Okay, this one will be spam-free. Really.") spammers find a way to get it, whatever I may do to prevent them. It only takes one leak.
Re:Kudos to SA. (Score:5, Insightful)
send link to a friend
A couple of months ago I got fed up with the ridiculous amount of spam I was getting at my primary address. I sent a note to the people I give a crap about, telling them that my primary address would henceforth be a new account I had created in my own domain.
I explicitly begged them not to give the new address to "those stupid send this cool page to a friend" sites. Set up filters in my email client to segregate the old address, and so far, so good, although my Mom gave the new address to an e-greeting card site. Fortunately, the site in question doesn't harvest addresses, and I (respectfully but frantically) pointed out to her that e-cards fall into the "stupid" category, and told her how to make up a disposable address for greeting cards, using my domain name.
Having to go to these lengths to keep my inbox clear of spam makes me homicidal.
Re:Kudos to SA. (Score:3, Insightful)
If you ever put your resume on a job-seeker board, prepare for an onslaught of spam. It's a catch-22: You want your email address to be seen by a potential employer, unfortunately the spammers can easily scrape the sites for their email addresses. These bastards are truly the lowest forms of life.
Re:Kudos to SA. (Score:5, Insightful)
I work as a freelancer. My website hosts my CV, as do several online databases, where companies go to look for people of my profession. The CV of course includes not one, but several of my email addresses, because, in the long run, this translates directly into payable work.
I write software for fun (not profit). I even do email support, so my email address is again right there in plain html, and displayed by every software archive site I've ever uploaded my stuff to.
But this is the point of having an email address in the first place, isn't it? I could be as protective of it as the parent suggests, except by doing so I would lose much more than I am losing now (in terms of time and net-related costs). But to me, it's not only a matter of give and take: I refuse, on principle, to obfuscate my email address; I refuse to give in to spammers. When people start to hide their email contact information en masse, then spammers have won and email has become useless.
Re:I get four a week. (Score:2, Insightful)
username-amazo@the.server
username-amaz@the.server
username-ama@the.server
u@the.server
figuring that somewhere in there they'll hit the real address? (And they'll figure it out even quicker once they notice they have both username-amazon@the.server and username-yahooGroups@the.server in their mail-lists)
Any technological solution (widely employed) will eventually be caught up to by the spammers, perpetuating the SPAM arms race, and bringing us down to their level (as the article alludes to).
Re:NO NO NO (Score:3, Insightful)
However, a method to force identification of BULK email (more than, say, 100 similar messages) might have fewer undesirable side-effects.