NYTimes: Tangled Up in Spam

ezekieldas writes "Congratulations to the SpamAssassin developers and community! There's a mention of SA in the NYTMag as "one of the best tools for network administrators..." in an extensive article entitled Tangled Up in Spam. The article is quite substantial and the author, James Gleick, is more technically educated than what we've come to expect from the big press. Central to the story is the complexity in dealing with spam effectively in both technical and legal terms and the confusion it brings upon the neophyte. The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited."

At last

[Mourgos]

now that it has been advertised in NYTmag, more people will become aware that spam is something they can actually stop. Can't wait for the new tricks spammers will use to disable anti-spam programs.

NO NO NO

[johnburton]

>>> 2) a specific header entry should identify the email as unsolicited." NO NO NO There is no excuse for sending spam. I fail to see how marking it as junk makes it any better. So I can sort it from the mail I actually want? NO. Just stop people sending me crap I don't want.

SpamAssasin in large corporate use?

[stonebeat.org]

I was wondering how many large corporation are using SpamAssasin. And if not, why not?

Illegal?

[waytoomuchcoffee]

The conclusion drawn may be oversimplified but nonetheless pragmatic: 1) forged headers should be illegal 2) a specific header entry should identify the email as unsolicited

Why does everyone in the USA assume that everyone else in the world will somehow obey US law when it is made "illegal"?

Experiment

[Guillaume Ross]

Two weeks ago, on my old email that I don't use anymore, I decided to "unsubscribe" from all these lists, thinking it would "confirm" the existence of my email address. However, the number of spams I get has reduced from 15-20 to 3-5 a day ! I'll have to see if it goes up again in a few weeks though...

MIT's Post Servers...

[g_arumilli]

now use SpamAssassin. Basically, a set of new headers is attached to the e-mail of the form X-Spam-foo, and if X-Spam-Score is 7.5 or greater (on a scale of 10 I believe), then X-Spam-Flag is yes. It's really useful for sorting out spam quickly, and I haven't gotten a false positive yet...It doesn't get all of the spam, but it gets the vast majority of it...

Always with the legislation...

[Sheetrock]

Spam is a technical problem, so why can't we come up with a technical solution? For example, it should be impossible to forge headers, not illegal. Why rely on a legal solution from many of the people who have brought us such brilliant solutions as the DMCA and the CDA in the past when all that's required is what our community has always been good at: sitting down and thinking things out?

Garunteed Way to Block Most Spam

[Cyno01]

Filter any e-mails containign the phrase, "this is not an unsolicited message".

Interesting free speech point

[jenkin sear]

Towards the end of the article, Gleick makes a really interesting point- he says that as commercial speech, spam isn't entitled to any particular first amendment protection:

The Supreme Court has made clear that individuals may preserve a threshold of privacy. ''Nothing in the Constitution compels us to listen to or view any unwanted communication, whatever its merit,'' wrote Chief Justice Warren Burger in a 1970 decision. ''We therefore categorically reject the argument that a vendor has a right under the Constitution or otherwise to send unwanted material into the home of another.''

Looks like we have the supremes on our side; if we could just congress to issue some letters of marque and reprisal on the spamhausen, we'd be getting somewhere...

Techical Solutions Are Required

[esme]

As much as I'd like to see spammers prosecuted for fraud (and think making various deceptive tactics illegal is a good short-term approach), legal and social approaches are doomed to failure. The number of people you can spam is so vast, that even if only one in a million takes the bait, it's still profitable -- that's a powerful economic imbalance that you don't find anywhere else. And it's going to make people forge headers, spam from overseas, etc. to get around any legal and social roadblocks.

I think that breaking that economic model -- ending the reciever-pays system for email -- is the only way to fix spam. If you had to pay some amount of money -- event 1 cent -- for each message that is delivered, spam would stop being economical. And that's the only thing that's going to make it stop.

-Esme

The real way to get rid of spam

[KevinIsOwn]

Sure all these programs help, but think about what creates spam in the first place.

There are clearly people out there willing to buy the things offered in spam. Obviously not that many, but enough to make a profit. I think that there should be more of an effort to target these people and tell them not to buy stuff from spam!

There is only so much a program can do to stop spam. As we've seen numerous programs have been made, Spam Assasin being one of the best (I use it), but the spam just keeps coming

Until there is no incentive to send spam in the first place people will do it despite any laws against it.

Re:SpamAssasin in large corporate use?

[Webratta]

I don't work for a large corporation, but a state-wide ISP. I asked my boss, the chief technical officer of the company, why we weren't using Spam Assassin. He replied that while it is a very neat program and does a great job of filtering spam, the performance just isn't quite there yet. He's of the mindset that it needs some tweaking still before it can be a competitor to commercial products like what Brightmail offers.

Personally, I'd like to see more companies using SpamAssassin just to prove that it can stack up against other products, because I think it can work well if it's configured properly and you use spamd. I use it on my mail server at home and at last check it catches 98.2% of all spam message sent to my machine, and I haven't had any false positives since I set up my whitelists.

No hope

[pben]

How may of you have seen the current Microsoft TV ad running in the USA. There is Microsoft saying that it would be great to spam everybody in the Chicago area that bought a band's CD to get them to see the concert. If Microsoft is promoting spam on TV is any wonder that the little schemers don't see anything wrong with it.

I just wish that I would not get emails in the same day to enlarge my breast and penis. It is just too sad and stupid.

Re:Illegal?

[JaredOfEuropa]

The law aims to force spammers to make their spam easily identifyable, allowing simple filtering, and it makes circumventing those filters (like those random letters that appear in most spam subject lines) illegal. Is that a good thing? I think so, for two reasons:

First of all, it's a start. If the USA adopts this law, it may well be that many other nations follow suit, making life harder for spammers.

Second, it will help against spam originating from the USA. That guy Ralsky seems to be responsible for a sizable portion of all Internet spam. He is based in the USA, and taking orders from sites and companies in the USA. Even if his actual spam originates from an ISP in China, you'd still be able to take him to court for this.

Re:Illegal?

[jjo]

People don't assume this. What they do assume is that, by and large, people who try to get money from US residents are actually situated in the USA, regardless of where the e-email might have originated. Even those who are not in the USA will mostly use a US agency to get their money. That is their Achilles heel: Follow The Money.

Stop the flow of money from US residents, and you will be effectively making everyone in the world obey US law, with respect to spamming within and into the USA.

Re:Illegal?

[jdreed1024]

Why does everyone in the USA assume that everyone else in the world will somehow obey US law when it is made "illegal"?

Um, that wasn't a troll. It's a valid point. If sending spam becomes illegal in the U.S., big fucking deal. Plenty of spammers are not in this country, and those that are will move offshore (c.f. KaZaA). Good luck prosecuting a bunch of spammers in some pacific island country...

Another cool anti-spam tool

[yiingineer]

I've been using Cloudmark's SpamNet [cloudmark.com] for the past few months and it's been working quite well.

The smart thing that SpamNet does, is that it relies on its users to determine if something is spam or not. If some email lands in your inbox and a few hundred SpamNet members have proclaimed it spam, it most likely is, and it gets immediatly filtered out. This has the net effect of a few user's needing to filter out a few message ocassionally, while the vast majority of messages are filtered out for all users. Although SpamAssassin seems quite good, it's still based upon filtering rules and spammers are constantly tweaking their emails to try to get around them. Since people are still better at determining what's spam and what's not, I find that its accuracy is generally better.

SpamNet isn't perfect though, as far as I know, it only works with Outlook on Windows and doesn't have a Unix, Linux or Mac version. It also sometimes filters out valid bulk mailings, but overall, I would definitely recommend it.

Re:Always with the legislation...

[TGK]

I'd say the best technical solution I've seen to breaking the SPAM system is the use of the internets distributed nature against the spammer.

Consider the following. We all access the internet from a fixed and typicaly small number of physical and virtual locations. Were we to map the internet as a whole, starting from any given location the map would look like an expanding cone.

In short, almost all of the traffic from a given point flows through a very small number of servers and routers at some point close to the source.

Since spam messages are sent by the millions and it is fairly easy to determine what messages are likely to BE spam why not set up a filtering system on the routers that determines the rough content of a message based on both its Spam Precentage and the number of identical messages sent.

I.E. If the router sees 500,000 messages of nearly identical content with a 89% spam rating it blocks all of them. If it sees 44 messages with a 23% spam content it lets them through.

Thoughts anyone? I'm sure this idea has gaping flaws in it... what would have to be chnaged for it to work? What are the critical flaws? Is this a viable model or am I missing something major?

Re:SpamAssasin in large corporate use?

[winnetou]

I was wondering how many large corporation are using SpamAssasin. And if not, why not?

Reasons for not using SpamAssassin are the CPU and bandwidth costs. Refusing e-mail from known spam sources is cheaper and (more importantly) does not give away information about which addresses are valid.

After checking the source IP address against lists such as Wirehub [wirehub.nl], Osirusoft [osirusoft.com] (despite its name not only a list of open relays) and/or some other lists, almost no spam will be accepted.

IP space is finite and, even better, allocated in ranges. Continued spam from (or spamvertizing a website on) an IP address is a very good indicator for more spam from the IP range.

Re:NO NO NO

[Noren]

I see this as a variant of the 'opt-out' strategy without some of the disadvantages- i.e. without having to place one's address on a list (and we all know what that would lead to...) This would make opting out simple for the user- I'm certain all major email clients would enable spam filtering by this flag as soon as it was established. This is an attempt at compromise, not as desirable to the user as an 'opt-in' rule, but better than simple 'opt-out' and harder for the spammers to argue with than 'opt-in'.

On the other hand, I doubt that any of this is enforcable in any event.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Outlaw "forged" headers?

[Crispy Critters]

Whaddya mean outlaw "forged" headers? Most email I send had "forged" headers on it, because I am not sending it from a mail server. So, duh, I put in a "forged" From: line so replies go to the mail server, rather than to a machine that doesn't even listen on the SMTP port. What about masquarading in sendmail, will that be illegal too?

The only headers that should be preserved are perhaps the Received: lines which show that route that the message has taken. Still, I can think of a legitimate reason to muck with these - if a company network has a sufficiently complicated internal structure, these headers might reveal some information that they don't want widely available.

Re:Talking of spam...

[allism]

The only spam I got after registering was from NYT, but it took SEVERAL e-mails and threatening to post a story on /. about not getting removed from their mailing list to get them to stop sending me stuff.

Re:Illegal?

[waytoomuchcoffee]

That is their Achilles heel: Follow The Money

Playing devil's advocate here, you still have to prove they sent the spam out, which would be that system's Achilles heel. Else what would stop people from hiring an offshore spammer to send out fake spam from a competitor?

Re:Kudos to SA.

[MeanMF]

But how do people get on the spam-lists to begin with? I mean, I have one email address for work and one private. Neither one of these gets more than one spam/month. Ever.

If you email address is simple (e.g. first initial+last name+some number) and your domain name is that of a public ISP, then there's an excellent chance that the spammers will find you regardless of whether or not you ever use the address. Email addresses at work tend to be safer because spammers usually don't bother guessing at addresses in domains with so few valid mailboxes.

I rarely ever get spam.

[cpaluc]

Heres how:
1. Spend 10 bucks, buy a domain name (eg xyz.com).
2. Set up a few email aliases to point to your real email. eg:

joe@xyz.com ---> you@hotmail.com

temp123@xyz.com ---> you@hotmail.com

spam123@xyz.com ---> you@hotmail.com 3. Never give out 'joe@xyz.com' to anyone except friends/family.
4. Use the other emails for signing up for things on the web or in usenet.
5. When you get your first spam addressed to 'temporary21@xyz.com', delete the email address (no more spam from that source!).

I find this method works extremely well. By using aliases in this way you effectively hide your real mailbox. Even if your hotmail account starts receiving spam you can just get a new one and point your aliases at it. Also, if you change ISP you don't need to change your email address.

If you use it to forward to a hotmail account it might be better if the hotmail account name isn't a dictionary word or name (ie. use a random string for an account name that the 'bots won't guess.

You're screwed if your 'trusted' address gets out there but if you're careful you'll at least get much more use out of it before needing to kill it.

Internet mail architecture sucks

[cdegroot]

Change to something like IM2000 (http://cr.yp.to/im2000.html), spam vanishes in a poof. Keep around with the current broken system, and we'll have ever more draconian laws in ever more futile attempts to suppress it.

Re:Kudos to SA.

[domninus.DDR]

Ive tested something similar to this. Make a hotmail account with jibberish (rand(), 8 char isalnum() strings is what I used) for the name and see how long it takes to get spam. Out of ten tries my average was about 3 days.

Bad idea

[Goonie]

This is near-impossible, technically. By the time the traffic flows through the "core routers", it's just a bunch of IP packets which the system doesn't even try to interpret at a higher level. Reconstructing the messages, running spamassassin on them, and selectively blocking them would put an insane CPU load on the routers. They would effectively be acting as mail relays, not routers.

There are also philosophical problems with such a scheme which others can explain...

Re:I rarely ever get spam.

[LocalH79]

Spamgourmet [spamgourmet.com] does exactly what you propose, and is much more effective.

Re:SpamAssasin in large corporate use?

[bubblegoose]

We're not a large company (only about 150 people). But here is my experience with SpamAssassin.

We run an Exchange server. I didn't go with the free version, because we don't have the skill set to maintain it at our company. I have some Linux experience, but after 3 days of trying to get it to work I finally had to give up.

I installed Deersoft's SpamAssassin on my Exchange server. Kind of expensive (about $5000) and right now Deersoft customers are left hanging due to Network Associates purchase of Deersoft. NAI pulled the Deersoft version and are releasing it in Q2 2003.

A new breed of email is on the horizon

[mcrbids]

If we can pull it off.

With Bind 9, we finally have a decent, working implementation of DNSSEC. This will allow for a new breed of secure, verified websites and email, and (Finally!) makes a RBL actually mean something.

How's that you ask?

Well, one of the biggest problems with SPAM is the forged header, open relay issue. It's a complicated issue, and one that doesn't have an obvious, "in your face" kind of answer.

DNS is designed to tell you where to go, and SSL/Certs make sure that you got there. Why aren't they joined together? The fact that you are the DNS server for a domain makes it clear and obvious that you are an authoritative designator for where you are supposed to go - why have this wholy separate and dis-jointed SSL/Cert that can't even be made to work [slashdot.org] consistently?

If an ISP can issue DNS-SEC certs with impunity, we might actually see a reason to have encrypted and ISP certified email.

And suddenly, the ISP is back in charge again, able to validate every email going out as coming from one of it's customers. Revoke the cert and their email becomes unreadable.

Now, we have an email system with a powerful mechanism built in that is:

1) Standards compliant
2) Easy to implement
3) Clearly laid out
4) Cheap
5) secure
6) private - using the ISP's cert to identify yourself doesn't mean that the ISP can read your email! (like they can now - the command is "mail -u _username_")

What's not to argue with? The issue of locking down an open relay becomes a non-issue - an ISP could simply identify an "s-mail" server (secure mail) that will only relay for those holding a valid cert at that ISP.

Roaming wouldn't be an issue, nor would open relays or forged headers.

A brave new world? Yep. One I'd like to live in? Yep. One that's coming? We can only hope...

Where spam really comes from

[Cbs228]

Spam isn't a legal problem-- it's a social problem. It is the result uncontrolled avarice, of people wanting to make money at any ethical cost. There will always be these kinds of people who will steal our time (and our bandwidth) regardless of any laws against them. There are also people (Sysadmins of certain Far East networks come to mind) who are willing to look the other way for a few extra dollars.

But most importantly of all, we cannot forget that American consumers are responsible for spam. That's right, spam is OUR fault. It is our fault because no matter how many messages are filtered, and no matter how many websites are closed for spam complaints (or get DDoS'd by rampaging slashdotters), they still make money. They make money because of that infinitesimally small group of consumers who buy stuff from spammers. That small percent is what makes it all worth it to them.

The day that spammers' profit margins drop to nil because consumers refuse to buy from spammers is the day that spam vanishes from our inboxes forever. No laws, no filters, no problems.

Unfortunately, as P.T. Barnum would put it, "There's a sucker born every minute..."

Re:Kudos to SA.

[Jucius Maximus]

"I felt the same way you did until about 6 months ago. I went two years without Spam. Then a coworker thought he would fill out one of those forms on a web page to have the site send me a link to the page. You know the "send link to a friend" that shows up on some pages."

I am wary of these thnigs too. I have various 'levels' of e-mail addresses. The actual real pop3 address practically nobody gets, except my parents, and a few technie friends. All of these people know better than to abuse an e-mail address.

The 'next' address is what most people I know get.

The webmail addresses are what I use if I do something related to 'the unwashed masses' . Those can get filled with spam, I don't care. I only check them once every few days.

For anything that is shown publicly, I always anti-spam-armour it, and make it some sneakemail address or unique address for my domain name.

Due to this strategy, I only get 3-4 spams or so per year.

Re:Kudos to SA.

[IvyMike]

If you took the same precautions I did, how do you think you got into the spam-generals addressbook?

Co-worker unknowingly installed spyware on their computer which harvested my email address out of their email software address book. Sucks.

Two refinements: sampling and QOS filtering

[hains]

Although a router does not have time to analyze every packet, it could periodically route copies of a few thousand packets to an analyzer machine. This machine could

1. reconstruct messages from the packets
2. look for e-mail messages
3. apply its spam rules to those messages
4. return a few bits of result information to the router.

I think that the router should not use this information to shut anybody off. Rather, it should use this information to reorder its routing priority tables. Thus the router will serve its most spam-free peers first, handling the heavy spam forwarders only when it has time. Eventually consumers will leave ISPs with poor throughput, so ISPs will have a much stronger incentive to track down and terminate their members who spam.

Re:NO NO NO - for a different reason

[Anonymous Coward]

Well, you should try SpamAssassin 2.50-cvs with the Bayesian filtering.

I have it configured to use AutoWhiteLists, and I had to tweak the scores assigned to the various bayesian filter rules a bit (they didn't have enough weight by default).

Since then, every single mail I've gotten has been correctly identified as either spam or not spam. It is *amazing* how accurate the bayesian filters are. When no other SA rules identify the mail as spam, you still see that the BAYES_90 rule was activated (90% chance the message is spam).

Just don't forget to use sa-learn-spam and sa-learn-nonspam so that the Bayesian filters are more accurate! Luckily, I haven't deleted a single mail (spam or not) since Nov 2001, so SA had a large base of spam to learn from ;)

Re:I rarely ever get spam.

[Anonymous Coward]

What happens when grandma sends you an online greeting card though?

Re:At last

[The Mgt]

But even if you use a filter such as SpamAssassin you still receive the spam. Even if it ends up in a different folder or is automatically deleted the spam has still been sent, the bandwidth and cpu time has still been wasted.
In a way it's just ignoring the problem.
If you want to forward your spam to Spamcop or similar you still have to actually look at it to be sure, and it's this approach which is more effective in making life difficult for spammers.

Also, Genius: The Life ... of Richard Feynman

[JordanH]

And, don't forget his excellent biography of Richard Feynman [around.com]. Probably of interest to many typical /. readers... (hmmm... Check out what he has to say about The Microsoft Monopoly [around.com]. Also, probably of interest to the typical /. reader.)

Check out where Gleick quotes Feynman on the inherent risk of Shuttle flights [around.com]. Prescient, that Feynman.

Re:Techical Solutions Are Required

[rthille]

There's no reason to involve money (dollars) to stop spam, make them spend CPU cycles instead. Take a look on google for 'hashcash'. Basically, it involves the sender computing a function that takes a long time to figure out, but is very easy for the receiver to verify. So, if i want to send you mail, I spend ~10 cpu seconds, and you verify that I spent the time, and you accept the mail. If I don't compute the function, you sideline/reject the mail. Whitelists can be used to prevent always needing to compute the function. That way I can accept mail from anyone who might be willing to send me mail, if they are willing to spend the CPU cycles. However, since spammers would need to spend 10 seconds per message, they could only send about 1000 messages per day. That wouldn't be economically viable for them...

Re:Kudos to SA.

[nelsonal]

I used my good address to buy something on ebay and paid via paypal, one of those two or the seller, or ebay's listing of addresses got my name on several lists. That and shortly thereafter I drank the punch and did a survey for a DVD for Colonize.

Spam is not about content, it's about behaviour

[Skapare]

Spam is not about content. Not everyone even agrees what constitutes spam when they are evaluating it based on content, so how can a program or a recipient community do this? What makes mail spam is stuff like sending it unsolicited and in bulk. It won't matter what the content is.

I have signed up with some companies for announcements about their products. While that company may not be spamming, their content could have a lot of the same wording as another company selling similar products, but is sending it to harvested addresses. The latter is spam, but the former is not. How do you tell based on the content?

Tools that evaluate a message based on content are probably going to classify both messages the same way. If they are both classified as spam, then one of them will be "collateral damage". If they are both not classified as spam, then the other will be "leaky pinky". So I still prefer to block spam on the basis of the behaviour of the sender.

Re:At last

[H310iSe]

Ugh, not spam cops - those guys, I think, have become a little unhinged in their anti-spam hatred and have developed some kind of a demigod complex as a result. I helped run a mailing list generated from submissions to a website - they sent out mailings to people who opted-in for various sex clubs (I know, but sex does not automatically equal spam). We never hid who we were, where we were sending from, we told everyone why they got our mail (because they signed up at the website) and had a valid reply-to address as well as an unsubscribe feature.

Someone sent an email from us to spamcops saying we were spamming - I checked our logs and in one day one person sent us 4 unsubscribe requests - they never got another email but I wonder if it wasn't them. Anyway, we were totally shut down with no warning, two different sites (one hosted the website the other hosting the email program) yanked off the internet when spamcops complained to our ISP.

This is downright stupid. One, anonymous complaint (never did find out who did it so we couldn't very well remove them from our list!) and all our websites, over a dozen, art galleries, political sites, stores, and some 'adult dance club' sites (you do what you can to make clients now...) all went down. No warning. And no apologies from our ISP or spamcops when we pointed out they pulled our service with absolutely NO research, no attempt to contact us, no evidence whatsoever other than a sole complaint which could have been posted by anyone (um, competitors to the adult club jump to mind).

My ISP (Speakeasy) eventually got someone in touch with us who really did nothing more than empathize with how angry we were and promised to try and not do it again. That's it. There's a movement afoot to try and reign in this sort of insane overkill, one story here [website101.com] and an a nascent organization against overzealous antispammers is here [niba4u.com].

For the record, we did not have confirmation on our opt-in list so theoretically someone could have signed up another (say a priest or something) for our mailing lists. We never got more than a couple new registrations a day so there was no systematic abuse, still, we fixed this and added confirmation (using mailermailer.com, I'm very impressed with them so far) after the complaint (no need to knock us off the web to get our attention, a simple email would have done) and, as I said, we had valid contact info if they had only bothered to ask...

Anyone else been a 'victim' of crazy blacklist providers?