<div class='os_post_top_link'><a href='http://www.theinquirer.net/?article=16648' target='_blank'>http://www.theinquirer.net/?article=16648</a><br /><br /></div>McFeelme Johnson over at <a href="http://www.theinquirer.net/">The Inquirer</a> has written a very thought provoking, if not downright depressing analysis of the current problems with email and Spam. He talks about the current problem of unreliability of email due to Spam overloading and how the problem is likely to get steadily worse. He mentions how AOL is killing mail coming from blocks of IPs commonly used by spammers and says that it's symptomatic of the larger problem:<br /><br /><i>"This is the first serious symptom of e-mail's malaise. The doctors keep saying that treatment will fix it, and e-mail will be well again. But once the patient is out of the room the doctors talk about how long the patient has left. They know the case is terminal, they hope for a miracle, but sadly miracles don't usually come in time. All sorts of treatments are discussed - paying a very small amount of money per mail, having the e-mail client do some computation, meaning regular e-mail will take a little bit longer, but sending huge amounts of mail then takes a long time. All of this is the modern day equivalent of bleeding with leeches. Communication systems rely on one thing and that's reliability. Once reliability is compromised, the system of communication becomes useless."</i><br /><br />It's depressing that even the smartest spam filters can be continually outwitted by spammers in the Darwinian arms race between the Spammers and the Spammed. An uneasy equilibrium may be the best we can hope for, i.e. the <a href="http://pespmc1.vub.ac.be/REDQUEEN.html">Red Queen Hypothesis</a> (running as fast as you can to stay in the same place). McFeelme finishes with these comforting? words:<br /><br /><i>"Because the only human nature that can be counted on is that people are not only dumber than you think, they are dumber than you can imagine. The problems that we currently have will continue to increase over time. Interruptions in service, lost mails and the like will increase, until e-mail becomes so unreliable that its value disappears."</i><br /><br />Thoughts?

"Most importantly, everyday users should never respond to spam, ever, under any circumstance. The simple fact of the matter is that if anyone is trying to offer you a deal too good to be true by a mass mailing, guess what. It's a scam. These reptiles would go out of business and stop sending Spam if they never got a response, yet still they get enough to make the expenditure of their time worthwhile."

That is the only thing in the article I totally agree with! :D

Spam is not a bother to me right now. It may some day and some day I may get hit by an asteroid! But I am not going to predict it. Spam is just a fact of life these days. Live with it or....

:D

And just imagine the reaction the world would have if this problem was occurring on the same scale on the telephone networks (Mobile and Fixed). It would be headline news! Action against it would be swift.

I fear email as currently implemented, has seen its heyday and some more closed implementation will have to come along and replace it.

So the concept will live, but the life of the current technology is rapidly being sucked out by the spammers.

Cheers

It's all very well to theorise. Email is still being relied on now - and more than ever : :!:

I've heard all of this before - the end of the world is nigh etc. Go stand on the street and preach this message :mrgreen:

So we should do nothing, simply give up without a fight, whine and complain about the inevitability of failure?

Take some prozac and get on with things.

Please notify me when you decide to again report on something useful.

I refused to let my email fall victim to the clutches of a processed pork product. To do it, I signed up for SpamArrest at Spamarrest.com. It's a challenge/authentication system where people send you an email and get a challenge back. If they don't respond, I never see the mail.

I can manage a queue of messages manually if I were so inclined, or let them manage it for me and just delete all the messages that are unverified after a few days.

Needless to say, I have not gotten a single spam since I started using it, and all the people who grumbled about having to verify are now checking with me to find out if it's still working and how much it costs.

The way email is going, challenge authentication is going to be the way to go with email. I'm very happy with my service and I think the perpetually proclaimed "death of email" might be a bit premature. It's like telling someone who has a cold that they're gonna die.

Sure they will, if you don't treat the problem!

So we should do nothing, simply give up without a fight, whine and complain about the inevitability of failure?

Just so no one misunderstands: my earlier post represents my reaction to The Inquirer entertaining "editorials" which are nothing more than thinly veiled trolling, not Jonathon's posting or reference of it on PPC Thoughts.

Were The Inquirer's article to appear as a usenet posting, everyone would instantly recognise it.

My post is in no way intended to be an attack of Jonathon's posting.

There's an "old west" analogy here...

On the American frontier, it was common for communities to suffer the vandalism and lawlessness that thrived in young outpost communities... until the residents, lawmakers and law enforcers responded to the needs of the community.

Unfortunately, the current vandals have long since discovered the vulnerabilities of our new community and taken it as their right to exploit them for their own gain at the community's cost.

Unless the community majority (us?) can establish fair law and enforcement to do so, the community will continue to suffer if not die.

Us "old folk" enjoyed a couple of decades of rare beauty and productivity in this medium under the concept of common courtesy, but, we apparently failed to pass on that foundation to those that followed and it's probably lost forever.

So, our legacy to you is for you to take up the pen and sword and fight the vandals that exploit this vulnerable medium... or loose it.

Oh please, the "death of email"? Look, I get 1,000 spam messages a day and I would love to figuratively smack someone in the chops for it. But I still use email and probably more than ever. I do think the rare user of email may become dismayed and quit but certainly not business and moderate and advanced users.

Spam is annoying. It can be destructive (i.e. virii). And the unfortunate thing is there's absolutely nothing the recipient can do to stop it at the source.

Sure, I have an anti-spam software program in place and have changed my mailbox on occasion, take reasonable precautions distributing my email address but sooner or later I know it will end up on another spam list. But I can't stop myself receiving spam once it begins. My ISP refuses to do it and I cannot trust them not to filter out a false-positive email by mistake.

The solution? Nothing practical, realistic. Simply avoidance.

What I want? I don't believe in Microsoft's irritating manual postage stamp/problem solving emails. I enjoy being able to send a trouble and thought-free one-line reply to my friends similar to sms. Sooner or later, as this problem grows, either email will evolve (unfortunately so will spam) or somebody, somewhere with a lot of power will have to take a hard-line against spam. I categorise spam in the same category as viruses. Unwanted, unnecesary, and created simply to fool and irritate the s**t out of other people. As such, creators of spam need to be actively hunted down, traced, have their assets seized and thrown into jail. Pity I don't believe in the death penalty... but it comes might close. :devilboy:

I find it highly fascinating that the writers of viruses and worms are actively sought out and prosecuted while adware and spam that can really be just as harmful as a virus remains legal. Heck I thought e-mail bombing IS illegal. How is sending out several thousand e-mails across a domain @hotmail @comcast etc not considered a form of mail bombing? If the various countries of this world, more like if the US would bend a bit, would work together on this problem tracking the originator of spam, adware, etc would become trivial and if a prison sentence was the repercussion for distributing this **** it might make people think twice before sending out 100,000 e-mails. As it stands there is little consequence to spamming or distributing an adware product.
When are we going to say enough is enough and treat this behavior the same as we treat the scum that creates and distributes viruses and worms?

I agree with much of what's been said.
I think a grassroots campaign to persuade people not to respond, and legilators to legislate is needed.
Until then, I'm using www.mailblocks.com, which is cheap, and reliably keeps all spam out.

I was getting more spam than I could tolerate a year ago (about 10-20 pieces per day, maybe). I used to forward all spam to ISPs shown in the headers, but that had gotten too tedious. Even forwarding to the U.S. government's spam trap ([email protected]) had gotten too much for me. So I decided to take action and did several things.

First, I had my ISP rename my E-mail address from something reasonably easy to guess (shm) to something more difficult (shm59ca). As I was already using a mail forwarding service, all I had to do was redirect it to my new address.

Second, because my mail forwarding address was getting too much spam, I bought my own domain. The company I went with also offered free E-mail forwarding and a catch-all address. The catch-all address was a big thing, because it allows any E-mail sent to my domain to be forwarded to my E-mail address at my ISP.

Third, any time I register at a Web site or give my E-mail address to somebody I don't trust, I assign them their own unique address. So Amazon has amazon, Pocket PC Thoughts has ppcthoughts, etc. I also visited places online that had my old forwarding address and gave them a new E-mail address to use.

This third step allows me to track how spammers get my E-mail address. If I start getting spam at one of the E-mail addresses I've given out, I can just turn that alias off (or forward it to my old forwarding address).

Fourth, I turned forwarding off on my old E-mail address, so it's now just a Web mail account. It still gets tons of spam, but I rarely even check it.

Finally, to prevent harvesting of my address on my Web sites, I used some E-mail address mangling. I use the simple version I talked about in the "The Most Irritating Spam Blocking System Ever Created" thread (http://www.pocketpcthoughts.com/forums/viewtopic.php?p=110632#110632), but you can also check out Mailto Encoder (http://www.robertgraham.com/tools/mailtoencoder.html) for more complex methods.

I rarely get one spam per day now, even though I'm a user at several Web sites. Those that I do get, I forward to the FTC.

The one problem with my system is that I'll die if somebody ever runs a dictionary spam attack on my domain, but that hasn't happened yet (and is illegal under the CAN-SPAM act, for whatever that's worth). I have gotten viruses to E-mail addresses I've never given out, but that's another issue.

Steve

I refused to let my email fall victim to the clutches of a processed pork product. To do it, I signed up for SpamArrest at Spamarrest.com. It's a challenge/authentication system where people send you an email and get a challenge back. If they don't respond, I never see the mail.
Challenge/response systems are great if you don't subscribe to any E-mail letters, but how do you handle those if you do? Jason wrote a rant about challenge/response systems in the "The Most Irritating Spam Blocking System Ever Created" thread (http://www.pocketpcthoughts.com/forums/viewtopic.php?t=12257).

Other solutions, like charging for every E-mail, will be non-starters. Who wants to pay for everything you send like you do with SMS?

However, if they put a large free limit on E-mail, I might accept that. A system where you can receive as much E-mail as you want for free and could send up to 100 E-mails per day (for example), after which you'd be charged $0.02 per E-mail sent should be reasonable for consumers. Legitimate businesses and Web sites like Pocket PC Thoughts might pay for a special class of service with unlimited E-mail sending.

I'm not sure charging would really hurt spammers much, though. They'd either just have to create more fake accounts or the users of the zombie machines would get the bills (maybe that's OK, but I hate to see innocent people pay).

Steve

Yahoo has a damn good system up for consideration right now. Microsoft too, I believe. If either are adopted I see it as a solution. Why does everyone think this is a problem with no solution?

Yahoo has a damn good system up for consideration right now. Microsoft too, I believe. If either are adopted I see it as a solution. Why does everyone think this is a problem with no solution?

Well, from the Inquirer article this quote sums up why the author is so gloomy and specifically mentions Yahoo:

More and more often we are seeing delays ranging from hours to days in our mail getting through. The delays are in both of our servers, both independent with different filtering rules. Those supporting the systems give different reasoning for the problems at different times. Always, they say it's fixed, and then days, weeks, or months later it happens again. The frequency of these outages is steadily increasing. The underlying reason for these outages and delays are really all the same. The load on these servers is already pretty heavy just moving the mail through. Nowadays that's not all these servers have to do. They also have to apply filters to the mail, checking for Spam and trying to block that Spam. This takes clock cycles, and when you consider the amount of e-mail and Spam floating around in the ether, it's a large amount of clock cycles indeed.

These filters are in essence trying to do the one thing computers aren't good at. Pattern Recognition. It's not good enough to just cut any mail that uses the word "Viagra" it has to try to figure out the context. However, computers can't do that. So people create rules based upon looking at the mail that is out there. Unfortunately as the filters become well tuned, the Spammers can see the traffic reduced, so they change the text, and more rules are required. Then more clock cycles are required to process the additional rules. Yahoo in particular can show this. The boffins at Yahoo are constantly trying to do something about the Spam their users are inundated with. During certain times I get 10 spams a week, at others I get 10 an hour. This shows the Spammers constantly fine tuning their crap to pass the filters. At times the Spammers go on binges. Having taken over more computers here and there, they can increase the amount of spams. Since their business is based entirely on the basis of volume, the more they send, the more dupes respond to them, as such they are perfectly happy to increase the volume of spams to the limits. When these spam waves happen, mail servers around the world are brought to their knees trying to process the filtering rules on the hundreds of millions of e-mails floating around the ether. It's a losing battle. Spam is so prevalent simply because it's cheap to the sender. Each spam is worthless in more ways than one. It costs nothing to send, however, there is a cost on the other end to block it. The small amount of spammers can create countless amount of spam with no added cost per e-mail, but those administrators of mail servers need to purchase more and faster equipment in attempt to block spam and still let the occasional legitimate mail through. It's a recipe for disaster.

Bbasically he is saying the the attacker (spammers) will always have the advantage over the defenders (the spammed and the ISPs), UNLESS something fundamental changes. The spammers can just go increasing Spam levels at little or no cost to themselves due to all the compromised zombie computes out there.

His argument isn't so much about what happens in our in-boxes - which may be manageable, but with the ISPs and the Internet 'pipework', which he thinks is staining dangerously. I haven't really heard any arguments yet that counter his points.

Most folks in this thread are saying 'it does not effect me becuase.....', but surely the clogging up of the entire system does effect us to to delays, lost mail etc?

Funnily enough the Inquirer has just put up brief post about the problems of legislating spam, here (http://www.theinquirer.net/?article=16690)

And therein lies the rub. When one country adopts one type of legislation but others another, and when folk like Mr Kurtz assume that because we have no country identifier in our email address we must be based in the USA, the fundamental problem of conflicting anti-spam legislation becomes very obvious.

The solution to unwanted emails is, at best, only partially solved by legislation. Other methods must be used.

If only the talk would stop and the action begin

So we should do nothing, simply give up without a fight, whine and complain about the inevitability of failure?

Just so no one misunderstands: my earlier post represents my reaction to The Inquirer entertaining "editorials" which are nothing more than thinly veiled trolling, not Jonathon's posting or reference of it on PPC Thoughts.


Thanks for the calrification Corphack. :D

We don't necessarily agree with the news and articles we post about, but they should always inform, stir debate and preferably, be thought provoking. 8)

His argument isn't so much about what happens in our in-boxes - which may be manageable, but with the ISPs and the Internet 'pipework', which he thinks is staining dangerously. I haven't really heard any arguments yet that counter his points.

Most folks in this thread are saying 'it does not effect me becuase.....', but surely the clogging up of the entire system does effect us to to delays, lost mail etc?

Yeah, this is the overlooked part of everyone's arguments. You can do all you want to blcok spam coming into you, but what does that do? Spammers are still sending the messages to your account. and with over 80% of all US e-mail being spam, and almost 70% globally, (Internetnews.com (http://www.internetnews.com/stats/article.php/3349921)) how much strain does that put on the major internet infrastructure? Imagine removing the billions of spam e-mails sent every day from the internet pipelines. Clear up congestion and make internet traffic clearer. Because of increased spam, ISPs are faced with two options, cutting off certain services used by spammers, which can sometimes hurt legitamite consumers, such as the port 25 blocking (http://www.pocketpcthoughts.com/forums/viewtopic.php?t=29160), or building up their infrastructure. If they are faced with bulking up the internet pipelines, who is going to pay for that, them? No, the cost will be passed down to the consumer. According to statistics (http://www.spamfilterreview.com/spam-statistics.html) from 2003, 8% of e-mail users bought from spam e-mails and 28% responded to such e-mails. That means there is still a relatively large number of people without proper knowledge. But the problem is hard to solve, and ultimately, it requires GLOBAL cooperation, which is very unlikely. If there isn't a universally aggreed on attack against spammers, then they will still be sending their spam and infecting computers from their home base in some third world country. The problem affects EVERY e-mail user. We can't ban stupid people from using e-mail, so that means the spammers must be stopped, and the programs that send e-mail from zombie machines must be eliminated. A concerted effort must be made by both the private sector and government to come up with ways (both legal and technological) to stop spam.

But the problem is hard to solve, and ultimately, it requires GLOBAL cooperation, which is very unlikely. If there isn't a universally aggreed on attack against spammers, then they will still be sending their spam and infecting computers from their home base in some third world country. The problem affects EVERY e-mail user. We can't ban stupid people from using e-mail, so that means the spammers must be stopped, and the programs that send e-mail from zombie machines must be eliminated. A concerted effort must be made by both the private sector and government to come up with ways (both legal and technological) to stop spam.
I wonder what would happen if we did something fairly simple but drastic -- change the Internet protocols used to route E-mail. It would require people to run Windows update or rebuild their operating systems, but could put technological means to block spam in place.

If there aren't new protocols already, they would have to be developed. There would be a worldwide announcement when the switch would take place. You might keep both systems in place for a month with gateways routing E-mail sent via the new system to the old system (and vice versa) for a brief period of time (no more than one month).

Sure some people wouldn't get E-mail if their systems weren't upgraded in time, but would it be worth it? Would you be willing to suffer the upgrade path and the potential loss of E-mail for a time to get rid of spam? Remember that other Internet services, like the Web and newsgroups, would still work fine.

Another "solution" would be to cut off E-mail from known spam havens, like Korea and China. The backbone systems could just reject E-mail from those places.

Corporations dealing with those countries obviously would need to set up a system to get around that, but they have dedicated IT staff to help. People with family in those countries would obviously have an issue with that, but that's a minority of users, I suspect.

Obviously, isolation isn't a great idea, but it may be viable until a technical solution is in place.

Steve

I wonder what would happen if we did something fairly simple but drastic -- change the Internet protocols used to route E-mail. It would require people to run Windows update or rebuild their operating systems, but could put technological means to block spam in place.
People are working on several extensions and replacements for SMTP in the standards groups, but there's a substantial skepticism that SMTP will easily be replaceable, and even if it is it won't happen soon; we're having a hard enough time to transition from IPv4 to IPv6. Incidentally, it wouldn't be an OS-level issue, but rather an application (mailer) and server (SMTP daemon) issue. I'd like to see it happen; SMTP is a 20+ year old protocol that was envisioned to be used with open networks. It's amazing it still works OK, but it's clear the cracks are showing given new usage patterns.

--janak

I refused to let my email fall victim to the clutches of a processed pork product. To do it, I signed up for SpamArrest at Spamarrest.com. It's a challenge/authentication system where people send you an email and get a challenge back. If they don't respond, I never see the mail.
Challenge/response systems are great if you don't subscribe to any E-mail letters, but how do you handle those if you do? Jason wrote a rant about challenge/response systems in the "The Most Irritating Spam Blocking System Ever Created" thread (http://www.pocketpcthoughts.com/forums/viewtopic.php?t=12257).

Steve

Ahh, but there IS a solution to this, as another, earlier responder noted. I too got tired of spam, and went to www.mailblocks.com. It's a challenge/response system, but has some pretty cool perks. One is "trackers" where you can create disposable email addresses for ordering stuff, or newsgroups, or whatever. And those can then be redirected whereever you want. To address the valid frustration Jason has, the default for trackers is to NOT challenge/response them. They're created specifically for ordering stuff on the internet and discussion groups. It works great.

Example: Let's say I subscribe to five different newsgroups. Well, I could open up a separate tracker for each one, then direct all of those incoming messages to one folder, so I only have to go one folder to read them. If I say, start to get spam at my [email protected] address, I throw it away, update my address at ppcthoughts to [email protected].

In addition to having multiple email addresses, each one can be independently rerouted to certain folders, or challenge/responsed or NOT! My choice. So, I've got one tracker for my "accounts" (Bank, mortgage, credit card, etc), one for my newsgroups, one for ordering stuff off the internet (the one that gets thrown out and changed the most), one for discussion groups, one for work (I have all my work email diverted to my mailblocks account), one for a business I'm thinking of starting, one for my old Yahoo account, and the inbox for my personal emails.

Since you can upload your address book, those people will never get challenged, so it makes it easy on your friends. And you can keep your old email address so you don't even have to tell your friends your email address has changed. Almost none of my friends even know that I use mailblocks!

But, it gets better. I can send out emails FROM any of these accounts, including my work account, so with one interface I can do my work, personal, and ordering emails.

Oh, and I forgot, I get no spam. But, I do pay. And I am guessing that in the future one will always be able to pay to avoid spam. You can do it right now with mailblocks! Those who choose not to pay will have to sift spam. Sort of like pay tv vs. free tv. I, personally, so no problem with spam, although I don't like the inefficiency it adds to the network overhead.

Sort of like pay tv vs. free tv.

Maybe I missed something. Where can you go for pay tv without seeing advertising?

Gai-jin

Sort of like pay tv vs. free tv.

Maybe I missed something. Where can you go for pay tv without seeing advertising?

Gai-jin

In Afghanistan! It's kind of nice, actually.

Hmm... maybe afghanistan does have something going for 'em. . . :)

OK, let's try to get back on topic, eh? ;)

I wonder what would happen if we did something fairly simple but drastic -- change the Internet protocols used to route E-mail. It would require people to run Windows update or rebuild their operating systems, but could put technological means to block spam in place.
People are working on several extensions and replacements for SMTP in the standards groups, but there's a substantial skepticism that SMTP will easily be replaceable, and even if it is it won't happen soon; we're having a hard enough time to transition from IPv4 to IPv6.
But IPv6 is a fundamental change to the Internet infrastructure, isn't it? Changing the E-mail protocol won't be quite so radical. People will still be able to browse, FTP, read newsgroups, etc. At least that's my hope. :-)

Incidentally, it wouldn't be an OS-level issue, but rather an application (mailer) and server (SMTP daemon) issue.
I'm no networking wonk, but I thought there might have to be OS upgrades to the TCP/IP stack, WinSock or something like that. If users only need a new E-mail client, it might even be easier.

My understanding is that the main need in a new E-mail system is authenticating users. We don't want people to be able to spoof headers; we may still get spam, but, if we can find out who really sent it, it will be easier to complain to their ISP and get them prosecuted using anti-spam legislation.

Steve

Another "solution" would be to cut off E-mail from known spam havens, like Korea and China. The backbone systems could just reject E-mail from those places.

Only problem with that, is that I was reading that something like 70% of all spam originated from within the US itself........

Another "solution" would be to cut off E-mail from known spam havens, like Korea and China. The backbone systems could just reject E-mail from those places.
Only problem with that, is that I was reading that something like 70% of all spam originated from within the US itself........
Well, a 30% reduction in spam would be good. :-D Plus, maybe other countries could cut the U.S. off if they're getting spam from us. :lol:

However, when you say "originated", does that mean where the person sending it actually is from, or does that mean the mail server it appeared to originate from? If I'm in the U.S., but use an open mail server in China or Korea to send the spam from, cutting them off would still reduce the spam.

Steve

OK, from memory the figures were slightly off, but only just :wink: :

UNCTAD estimates that the majority of spam victims are in the USA but it also says that in March 2003 the USA was the source of 58.4% of spam, followed at a great distance by China (5.6%), the United Kingdom (5.2%), Brazil (4.9%) and Canada (4.1%).

More details this this article at the Inq:US biggest source of spam and digital attacks (http://www.theinquirer.net/?article=12890).

Challenge/response systems are great if you don't subscribe to any E-mail letters, but how do you handle those if you do?

Steve,

As I said in my post, I just check my "unverified mail" list on Spamarrest.com once a day, and once an email address is verified, it comes directly to me permanently.

Jason may get a bounce, but that will only happen once, so in reality, it's not that annoying.

You have to do what you have to do.

But IPv6 is a fundamental change to the Internet infrastructure, isn't it? Changing the E-mail protocol won't be quite so radical. People will still be able to browse, FTP, read newsgroups, etc. At least that's my hope. :-)
Well, it is more fundamental to SMTP, but SMTP servers are everywhere, and for a meaningful switchover we have a similar adoption problem.

I'm no networking wonk, but I thought there might have to be OS upgrades to the TCP/IP stack, WinSock or something like that.
Nope - SMTP is strictly an application-layer protocol that runs on top of TCP. :D

If users only need a new E-mail client, it might even be easier.
If that was it, we'd be OK... the problem is upgrading servers throughout the Internet. sendmail is a pain as it is, today. ;) That said, once a new standard is developed, we'll see how it plays out.

My understanding is that the main need in a new E-mail system is authenticating users. We don't want people to be able to spoof headers; we may still get spam, but, if we can find out who really sent it, it will be easier to complain to their ISP and get them prosecuted using anti-spam legislation.
But it's not so trivial to be able to prevent spoofing. What prevents one mail server from stripping out most of the headers as the email gets relayed through a chain? It has to be cleverer than that, which is why it's taking so much time. One radical strategy is to keep mail on the sender's server, as opposed to the recipient's server, but that is also fraught with problems.

--janak

It's all very well to theorise. Email is still being relied on now - and more than ever : :!:

I've heard all of this before - the end of the world is nigh etc. Go stand on the street and preach this message :mrgreen:

Well, he is. :wink:

Welcome Marovada. Sorry I did not notice you there before. :wink:

Jonathon

Could you contact me at McFeelme_Johnson at yahoo.com

thanks mate.

***Edited 6/23/04 9:10pm EST by JJP: No one wants spam...

Jason may get a bounce, but that will only happen once, so in reality, it's not that annoying.
So, I get the newsletter bounces for PPCT.

Imagine if all 12,000 users had challenge/response. Remember - if the challenge-response thing really takes off, and becomes a large percentage of that 12,000... Then it *is* that annoying. ;)

Two other problems associated with widespread use of challenge/response system are the increased volume of e-mail it produces (every spam e-mail has a challenge and every real e-mail has a challenge and a response). That means it at least doubles the amount of e-mail traffic being sent. The second issue is that if this system becomes widely used, do you think spammers won't find a way to automate the process of responding or otherwise find a way around it? Every time a new CD or digital music/video protection method is implemented it is cracked within hours or days (with very few exceptions). So challenge/response may be good while it is still used by an insignifcant number of people, but if it caught on with the mass populous it would probably lose its effectiveness quickly.

Jason may get a bounce, but that will only happen once, so in reality, it's not that annoying.
So, I get the newsletter bounces for PPCT.

Imagine if all 12,000 users had challenge/response. Remember - if the challenge-response thing really takes off, and becomes a large percentage of that 12,000... Then it *is* that annoying. ;)

Maybe, but what else is there?

Spamassassin? Beat
Bayesian? Beat
Filters? Gotta get a spam and deal with it.

I mean, I understand that it may be rough for an admin, but really it is what it is. Unfortunately, C/R is really the only way to stop spam that really is 100% foolproof.

I refused to let my email fall victim to the clutches of a processed pork product. To do it, I signed up for SpamArrest at Spamarrest.com. It's a challenge/authentication system where people send you an email and get a challenge back. If they don't respond, I never see the mail.

I can manage a queue of messages manually if I were so inclined, or let them manage it for me and just delete all the messages that are unverified after a few days.

Needless to say, I have not gotten a single spam since I started using it, and all the people who grumbled about having to verify are now checking with me to find out if it's still working and how much it costs.

The way email is going, challenge authentication is going to be the way to go with email. I'm very happy with my service and I think the perpetually proclaimed "death of email" might be a bit premature. It's like telling someone who has a cold that they're gonna die.

Sure they will, if you don't treat the problem!

If I'm not mistaken Outlook 2003 has this feature, for no exta charge (if not them it was My hosting provider www.totalchoicehosting.com )

see my comments on the subject here (http://www.grlt.com/bb/portal.php?topic_id=51)

www.grlt.com]I[/url] really hate that these spammers think that they can have me pay to read their crappy messages. Just today I got a message to an invalid address at the this site and it was some spammer trying to extort money from somebody who doesn't exist at this site. Those idiots cost me, I pay for the bandwidth that it takes to send and receive messages, as well as the bandwidth associated with the website it self, and I only get a finite amount of bandwidth before my host starts charging me for overages. Stuff related to the site is fine, but it infuriates :evil: me that this spammer thinks this is a legitimate inexpensive way to get their "message" across, no one message isn't a big deal but these people send out billions of messages daily.

Maybe, but what else is there?

Spamassassin? Beat
Bayesian? Beat
Filters? Gotta get a spam and deal with it.

I mean, I understand that it may be rough for an admin, but really it is what it is. Unfortunately, C/R is really the only way to stop spam that really is 100% foolproof.
I see your point, but if a lot of people start using this kind of thing, we'll have to just filter and delete the challenges, and then the users won't get things like the newsletter, topic notifications, etc.

he second issue is that if this system becomes widely used, do you think spammers won't find a way to automate the process of responding or otherwise find a way around it?
Yes and no. It would require spammers to stop spoofing email addresses.

Spamassassin? Beat
I use SpamAssassin, and it filters about 98%+ of my spam really quite well. In my case, I get communications from outside people where I really can't allow C/R... I need to get those emails, and I know some of them won't bother to authenticate. So it's a non-option for me. I also have to say, frankly, that such challenge bounces irritate me. ;) Of course, it depends on how you use your email, as to whether or not people getting a bit cranky about it matters. (Nothing personal, of course!)

--janak

Imagine if all 12,000 users had challenge/response. Remember - if the challenge-response thing really takes off, and becomes a large percentage of that 12,000... Then it *is* that annoying. ;)
Maybe, but what else is there?

Spamassassin? Beat
Bayesian? Beat
Filters? Gotta get a spam and deal with it.

I mean, I understand that it may be rough for an admin, but really it is what it is. Unfortunately, C/R is really the only way to stop spam that really is 100% foolproof.
While it may be 100% foolproof, you may also lose E-mail you wanted. As others have pointed out, some people sending you E-mail may decide not to authenticate for whatever reason.

What we need is a way to keep out E-mail with forged headers, and some progress is being made. The San Jose Mercury News (http://www.mercurynews.com/mld/mercurynews/business/8990625.htm?1c) reported yesterday (Wednesday) that some of the largest E-mail companies were working on two methods to validate senders.

One method, backed by Microsoft, AOL and EarthLink, involves checking the address of an incoming e-mail against its numerical Internet identifier. It's the digital equivalent of the post office matching people's names with their registered home addresses -- if there's no match, the e-mail doesn't go through.

The other method, backed by Yahoo, adds a unique digital signature, or key, to each outgoing message. The recipient's e-mail provider then matches the signature against another key to make sure it is authentic.
The article said they will be testing those methods for the rest of the year to see how well they work.

While validating senders won't necessarily stop spam, if spammers can be easily identified, it will make it much easier to contact their ISPs to get their accounts cancelled and to track them down for prosecution under laws like CAN-SPAM. It will also help cut down on phishing scams.

Of course, I don't really care if a method is 100% foolproof. I'm quite willing to accept 1 or 2 spam E-mails per day, especially if I can be assured of tracking the sender down. To me, it's more important to cut the volume way down than to completely eliminate spam.

As an aside, I used to contact all parties listed in E-mail headers and send notes to Postmaster and Abuse addresses. Once, I got a spam E-mail that appeared to come from a real business, meaning somebody was sending crap on company time. I sent the business a complaint, and they said they fired the person. So I might have cost a spammer his job. :-D

Steve

I see your point, but if a lot of people start using this kind of thing, we'll have to just filter and delete the challenges, and then the users won't get things like the newsletter, topic notifications, etc.

But that's not the way that works. That's what Steve said also.

It doesn't just sit in oblivion until you verify. It's in a queue which I check everyday, so even if you never check the bounce and never verify your email, I'll still get it because I check my queue once a day. Spamarrest and ZAEP both offer the ability to verify an address without the sender's intervention, so I can verify the message and get it.

No loss of emails ever.

It's in a queue which I check everyday
So it's only a partial solution, then, since you're still wading through the spam, right? SpamAssassin will give you similar results, except that it's 98% instead of 100%, and there's no verification bounceback generated.

--janak

Right - and then *I'm* wading through the "spam" of challenges...

As an aside, I used to contact all parties listed in E-mail headers and send notes to Postmaster and Abuse addresses. Once, I got a spam E-mail that appeared to come from a real business, meaning somebody was sending crap on company time. I sent the business a complaint, and they said they fired the person. So I might have cost a spammer his job. :-D

Steve

good Idea, I may have to try this des temps en temps when I'm not too busy.

As an aside, I used to contact all parties listed in E-mail headers and send notes to Postmaster and Abuse addresses. Once, I got a spam E-mail that appeared to come from a real business, meaning somebody was sending crap on company time. I sent the business a complaint, and they said they fired the person. So I might have cost a spammer his job. :-D

Steve

good Idea, I may have to try this des temps en temps when I'm not too busy.
Yeah - but now spammers spoof the headers. So a short while back I was getting a ton of spam "bounces" at my Yahoo email address. Some spammer was using MY Yahoo address as the "From" address for the spam, and I had nothing to do with it.

Yeah - but now spammers spoof the headers. So a short while back I was getting a ton of spam "bounces" at my Yahoo email address. Some spammer was using MY Yahoo address as the "From" address for the spam, and I had nothing to do with it.

:bad-words: I HATE that! One of the more recent spams I got was a few years ago and the spammer had the gall to spoof it to look like it came from my domain. At the time I had only three aliases set up and it was spoofed from from none of those. I went through the headers, found the originating address (.tw) and sent them a very long email threatening legal action. I haven't heard from them since.

Yeah - but now spammers spoof the headers. So a short while back I was getting a ton of spam "bounces" at my Yahoo email address. Some spammer was using MY Yahoo address as the "From" address for the spam, and I had nothing to do with it.
that happens to me every now and then and it pisses me off, thats why i'm rooting for MS and yahoo, but at the same time, my ISP does port 25 blocking and I use a third party SMTP server, that would make all of my sent mail be blocked at the server, unless they unblock port 25 (or if any of you kind soles would like to tell me a way to use my own SMTP server {in another state [I don't have root access it's linux]} with my isp, www.cox.net )

Yeah - but now spammers spoof the headers. So a short while back I was getting a ton of spam "bounces" at my Yahoo email address. Some spammer was using MY Yahoo address as the "From" address for the spam, and I had nothing to do with it.
I've gotten a couple of those, too. If you can track down the people who sent that, you can probably get them prosecuted for identity theft. I believe that's one of the things they used against the Buffalo Spammer.

More interesting, a couple of years ago, I would get E-mail that spoofed my E-mail address as the From address! There was a nice note in there explaining how they did that to "prevent traffic generated by bounce messages" or some such crap. How nice of them to not want to clutter the Internet. :roll:

Steve

we should brainstorm our own ways to torture or take spammers out of buisness

[News ancor voice] And in other news today. The PPCT Anti-Spam alliance has erradicated all spam from the net. [/ancor]

So it's only a partial solution, then, since you're still wading through the spam, right? SpamAssassin will give you similar results, except that it's 98% instead of 100%, and there's no verification bounceback generated.

--janak

Not even close, Janak. I have Spamassassin running on my server to this day, and as you can see, I went with Spamarrest on top of it...

It used to be good, but it's nowhere near where it used to be.

Not even close, Janak. I have Spamassassin running on my server to this day, and as you can see, I went with Spamarrest on top of it...
Do you run sa-learn on misclassified spam? I do so weekly, and that makes a world of difference. I'd say without sa-learn (Bayesian filtering), it probably drops down to 90%.

--janak

One of the issues that will have to be addressed and that no one here seems to even recognize is the fundamental First Amendment right of Freedom of Speech. 8O

Basically, the courts have held that the senders of junk snail mail have the right to send you crap if they want to, and all you can really do is to contact them and try to get them to stop sending it to you. It's is very likely (imho) that they will hold that the same is true for SPAM. It sucks, but there it is.

There is one very real difference, though, between SPAM email and snail mail, and that is the sender pays for delivery. With email, marketers can bulk send at no cost, but with snail mail, there's a cost associated with it. I sus[ect that the solution will lie somewhere between the solutions being touted by Yahoo, Microsoft, et al, and a charge for service like snail mail. Perhaps, as someone suggested, the first X messages for free, but a fee levied after that for every additional message or you can buy bulk lots (e.g. - 10,000 emails for $35).

Of course, there will still have to be infrastructure changes that will stop the spoofing of addresses and hacking of systems to run rogue email servers... 8)

One of the issues that will have to be addressed and that no one here seems to even recognize is the fundamental First Amendment right of Freedom of Speech. 8O

Basically, the courts have held that the senders of junk snail mail have the right to send you crap if they want to, and all you can really do is to contact them and try to get them to stop sending it to you. It's is very likely (imho) that they will hold that the same is true for SPAM. It sucks, but there it is.
The problem with that reasoning (besides your second point, which I'll address next), is that many of these are scams. While a legitimate company certainly has the right to send E-mail to potential customers, the products have to be valid.

Even with valid offers, "free speech" isn't so clear. People can now opt out of being harassed by telemarketers, violating the telemarketing industry's "free speech". I know the original anti-telemarketing bill was ruled unconstitutional, but I haven't heard that the revised one was.

Also, the First Amendment does not guarantee anybody the medium to broadcast their "free speech". If an ISP, as a private business, decides they don't want to be a spam conduit, the ISP has the right to say so. Many ISPs have in fact done that, which is why spammers now use zombie machines (which is illegal hacking and identity theft) or spoof headers (again, possibly identity theft).

If the U.S. Government supplied E-mail services, they likely would have to allow spam. Fortunately, the government has kept out of the E-mail business. :-D

There is one very real difference, though, between SPAM email and snail mail, and that is the sender pays for delivery. With email, marketers can bulk send at no cost, but with snail mail, there's a cost associated with it.
That's another semi-misleading comment people make. Spammers do have to pay to send their E-mail -- they probably have to get a computer and an Internet connection and possibly pay for bandwidth. The difference is that they don't pay specifically per E-mail.

Another difference between spam and junk mail is that the recipient can often pay for spam. With junk mail, I never have to pay when I get some, but there are many cases when the spam recipient may have to pay -- for example, if they have data-limited plans (such as on mobile Intenet connections).

That's why junk faxes were outlawed -- because the recipient's supplies (paper, toner, etc.) were being used to receive the junk faxes, even if the faxer had to pay to send the fax.

Steve

No, I'm confident that e-mail won't die. It's become so very important in our lives and our businesses. We'll deal with it as we need to. And though it's at best annoying, and at worst disruptive, we'll "slug it out" and keep going. It's kind of like driving on the Los Angeles freeways -- a love / hate relationship.

Having said that, just maybe y'all could advise me on a spam issue which I'm currently struggling with. Last fall, I purchased an HP handheld computer, in large part to wirelessly send / receive e-mails while traveling. But because I receive about 1,200 spam message per day (that number has been stedily growing since March), it's absoultly impossible to delete on a handheld. Yes, I do have Pocket Spamfilter software. But I still need to slug my way through a message at a time on my handheld. It's overwhelming! On my desktop, by the way, I use Popfile which very successfully (over 99% accuracy) sends spam into the trash pile.

The only solution I can think of, to allow me to use the handheld for e-mail while traveling, is to subscribe to a service like Spam Arrest which requests authentication from first-time senders. While I've been reluctant to take this step because I don't want to hassle first-time e-mail senders (I'm a cousultant concerned about discouraging prospective clients), I"m eager for a solution. Specifically, I'd like to (1) send / receive e-mail while traveling, and (1) stop having to check 1,200 messages in the trash pile each day -- just in case one of 'em was ligitimate.

My sepcific questions:
(1) Should I sign up for the Spam Arrest service?
(2) Any other solutions you'd recommend?

Any advice much appreciated... thanks,

Bill

I use a C/R-white list software called Choice Mail One and I love it. You can turn off the Response part so that no one actually gets registration requests, thus confirming your email address, and glancing at a list of possible spam once a day and allowing the ones through that are from real people or newsletter (SO obvious, that you really can just scan) takes me all of 5 minutes a day.

Five minutes a day is worth not being infected by crap and it's kind of funny to see the total number of spam received add up. Since the beginning of the year, I've gotten 12926 pieces of mail designated as spam :roll:

What doesn't work well with it is when the sender spoofs my email address. I don't understand how they do that???? Can someone explain that low-tech for me? The problem is that I email stuff to myself all the time, and I can't be the only one. The way Choice Mail One deals with it is a setting where all email from yourself is DELETED. It's either that or put myself on the list of approved senders.

Em

What doesn't work well with it is when the sender spoofs my email address. I don't understand how they do that???? Can someone explain that low-tech for me?
I worked on a program which sent comments about a service to the service reps. It seems that, when you connect to a mail server, you just enter the E-mail address that you're "using". Many servers don't verify that that's even a real address, but even those that do won't know that you're not the person who really has the E-mail address.

Even in my E-mail client (Eudora), I think I could put any From or Reply To address that I wanted. E-mail headers would show where I really E-mailed from, but how many people check the headers? Even if they do, headers can be spoofed, but that requires a lower-level program than Eudora or Outlook Express. I'm not sure there's much of a legitimate reason to use a program like that other than hacking or spamming (maybe some sort of Internet testing, but that's not a general use).

Of course, I'm not really an Internet geek, so that's just my understanding of how it's done. It may be a lot more sophisticated.

Steve

Of course, I'm not really an Internet geek, so that's just my understanding of how it's done. It may be a lot more sophisticated.
You've basically got it right. SMTP is a very old protocol (20+ years), and the original designers never envisioned that SMTP would still be in use today for the scale and diversity of Internet nodes. Its biggest problem is the lack of authentication -- as long as you have a local relay, you can basically tell it anything you want and it'll take it for gospel. There's numerous proposals to fix this, but that's a long-term remedy.

--janak

Of course, I'm not really an Internet geek, so that's just my understanding of how it's done. It may be a lot more sophisticated.
You've basically got it right. SMTP is a very old protocol (20+ years), and the original designers never envisioned that SMTP would still be in use today for the scale and diversity of Internet nodes. Its biggest problem is the lack of authentication -- as long as you have a local relay, you can basically tell it anything you want and it'll take it for gospel. There's numerous proposals to fix this, but that's a long-term remedy.
If you believe this story (http://news.com.com/Spammers+can+be+beaten+in+2+years%2C+regulators+say/2100-1023_3-5258828.html?tag=st.pop), it's not so long-term. They claim spam can be beaten in two years. Of course, that assumes pretty much world-wide agreements on spam control. :lol:

Steve

If you believe this story (http://news.com.com/Spammers+can+be+beaten+in+2+years%2C+regulators+say/2100-1023_3-5258828.html?tag=st.pop), it's not so long-term. They claim spam can be beaten in two years. Of course, that assumes pretty much world-wide agreements on spam control. :lol:
That article says that up to 10% of recipients fall for the "update your bank info" spam. 8O

That article says that up to 10% of recipients fall for the "update your bank info" spam. 8O
I'm not surprised. :( Why would they know otherwise? We take all of our intuition for granted, but a lot of it is reinforced by knowledge that we've built up over the years.

That, and there are a lot of idiots on this planet. :P The saddest stories I've read are the ones who try to follow through on a Nigerian scam, even traveling to foreign countries, etc. :(

--janak

That article says that up to 10% of recipients fall for the "update your bank info" spam. 8O
I'm not surprised. :( Why would they know otherwise? We take all of our intuition for granted, but a lot of it is reinforced by knowledge that we've built up over the years.
I almost fell for a fake PayPal notice. I had clicked on the link but either noticed the address bar was fake or double-checked the URL in my E-mail client (the link looked like a PayPal link, but that was just the text between the anchor tags).

That, and there are a lot of idiots on this planet. :P The saddest stories I've read are the ones who try to follow through on a Nigerian scam, even traveling to foreign countries, etc. :(
Tech TV used to have a show called "Cyber Crime", and they had a story about someone who went to Africa and was held for ransom.

On the positive side, I've heard of someone who actually got a Nigerian scumbag to send him money for something (and didn't send the Nigerian any money). If I recall, the guy was kind of an Internet hero. :-D

Spammers are low-life losers, but phishers are much worse. At least most spammers won't siphon your life savings or steal your identity.

By the way, PC World had an interesting interview with alleged spammer Scott Richter (http://pcworld.com/news/article/0,aid,116807,00.asp) of OptInRealBig.

Steve

they probably would if given the chance