ISP Operator Barry Shein Answers Spam Questions

Posted by Roblimo
Barry mentions his "sender pays" spamfighting plan more than once in his answers to your questions, and discussed it at length in an InternetWeek.com article published on Feb. 20. Is Barry's plan workable? Do you have a better idea? Or should we all just get used to spam as part of the online experience, and learn to live with it and block it as best we can?

1) Back to the 90s
by gylz

If you had known back in the early 90s that spam was going to be the problem it is now, what steps would you have taken then to protect yourself and others from it?

For instance, what changes would you have advocated in the mail protocols and what standard procedures would you have told other ISPs to use to prevent spammers from getting a foothold in the first place?

Barry:

When The World began selling the first commercial dial-up internet accounts in 1989 one question we were frequently asked by the privileged few who had internet access was: How are you going to control them? To be honest, we never had a good answer other than developing what everyone thought was a pretty good AUP (Acceptable Use Policy) and promising to enforce it as best we could.

But even as the net developed, in the early-mid 90s, there were similar problems with system cracking and break-ins. Back then there were more open holes to just walk right through, get a privileged shell, or just cause mayhem. To a great extent spam can be viewed as a form of system compromise and similar to malicious cracking in many ways.

One of my pleas back then to other ISPs was to make some sincere effort to know to whom you were giving accounts. Many of the ISPs with big funding and marketing departments to match would just give out new accounts to anyone with a drink coaster and worry about it later, oftentimes much later only when the bill wasn't paid.

I think practices like these gave rise to the sense of anarchy and lawlessness on the net that came from the easy abuse of anonymity which persists today. At The World we were careful about not enabling new accounts until we were pretty sure we had valid information. Many ISPs did not do this and tracing problems back to an account on their service would lead to a dead end; the info they had on the account would turn out to be obviously fraudulent.

Also, and this isn't a regret but more of an observation, some early internet advocates wanted only end-to-end services which basically meant that every single computer on the net should be a mostly autonomous client and server. Dial-up made this impractical; you couldn't really run a web site or even a decent mail server over a part-time connection. But I think some of that ambivalence over goals contributed to inaction on issues which might have helped with problems we see today.

2) Acting Locally, Effecting Globally
by merlin_jim

Many posts talk about proposed changes to society, government, and technology to lessen the spam problem. However, an ISP has more insight into the problem than many others, and I thought I'd ask a question to tap that insight:

Given today's society, technology and infrastructure, what can an individual do that would be effective in reducing not only the personal strain of spam, but also lessen an ISP's burden?

What kind of strategies have you seen work? For instance, in particularly bad instances I'm prone to send an e-mail to spam@isp.net, abuse@isp.net, or admin@isp.net, but usually never even get a response. Is there a better thing to do? Are there things that are absolutely the wrong thing to do (such as replying to a spam)?

In short, what would you like to see users do in response to spam today?

Barry:

Pressure your legislators to enforce the laws already on the books! Hijacking others' systems, identity falsification, and fraud are already illegal. These aren't legitimate business people who send all this bulk mail, they're crooks.

Even if a spammer can sneak around the laws making it clear that the activity is illegal, this prevents a spammer from getting investors, incorporating, taking out bank loans, obtaining legal indemnification against liability, buying business insurance, registering with their state or owning intellectual property (e.g., trademarks), etc.

Something else everyone can do is install spam filters. And help others install spam filters. Ultimately, I believe it's an arms race between the filters and the spammers so other forces need to be put into play.

But my reasoning is that utilizing filters now will make the internet experience more pleasant and productive for many which is a good thing. Their wide-spread use will also serve as a wake-up call to those companies who are deluding themselves into thinking they're "white-hat" spammers so ought to be exempt. The filters throw their stuff away also.

The so-called legitimate advertisers need to get to the table with the ISPs and figure this thing out and stop thinking the status quo serves them.

At this point my thinking is that there isn't much difference, from the point of view of an ISP, between companies whose spam you don't hate and those whose spam you do hate.

When it's paper mail you have to put a stamp on a letter whether the intended recipient asked for the mail piece or not. I think we need to move in the same direction on the net with all bulk e-mailers. They need to start paying for the infrastructure they're exploiting.

The current situation is that people tend to define "spam" as e-mail which promotes products which they don't want others to think they want. We need to get beyond that because you're paying for any e-mail you receive, even if only indirectly.

3) why not whitelist?
by Aviancer

Why hasn't any large ISP or enterprise seriously considered whitelisting mail? The traditional blacklist idea -- when I see spammers I'll no longer accept their mail -- is so easily overcome that many spammers don't even wait one generation to change addresses. Instead, bounce all mail you don't recognize, with a note to the sender on how to inform the system that you are a real user. Nearly all spammers lose their incoming account immediately, so this seems the natural choice. There's some more detail on this method at the TMDA project.

Barry:

The easy answer is that the target moves too fast. How could we begin to keep up a whitelist at the ISP level on behalf of thousands or even millions of customers?

And how exactly do you propose to "inform the system that you are a real user"? Right there is the crux of the matter. What you're suggesting is one of those techniques which works pretty well for individuals but is unmanageable at the ISP level.

Something from the TMDA site I do agree with is:

"Spam will not cease until it becomes prohibitively expensive for spammers to operate."

We just have slightly different approaches to making spam prohibitively expensive. Let a thousand flowers bloom!

4) Is there a reasonable solution?
by PincheGab

Given that junk mail in the regular mail is more acceptable (and I will mention that my wife (specially) does like to know when there's a sale on), and given that e-mail is the next big thing, what do you see as an acceptable solution/accord to spam?

I certainly am tired of deleting the penis enlargement and Nigerian bank deposit e-mails, but where is the balance and how do we attain it, if ever?

Barry:

I believe the only approach which will work is a "sender pays" model for bulk e-mail advertising. Such a model corrects the current situation on several levels:

a) Sender pays can provide an economy to enforce its own rules.

Most proposals I've seen to deal with spam are workable on paper but fail in this regard. If, when considering yet another spam proposal, you ask yourself who will pay for this or that solution, how will it be enforced (e.g., if it requires lawsuits who will pay the lawyers?) generally no answer comes to mind.

However, if we create a (bulk) sender pays model through some sort of trade association then that organization would have a revenue stream which can be tapped to enforce its revenue model, and a monied interest in defending that revenue model.

b) Sender pays creates a conduit of control between the sender and the ISPs.

Right now spammers can use an ISP's facilities to firehose any spam they want, to anyone and everyone they like, at almost zero cost. For example, kids' accounts are flooded with explicit pornographic come-ons. There's no ability to control that sort of thing.

What business allows its facilities to be used to offend its customers?

In a sender pays model one could also refuse to be paid and, hence, refuse the advertising. Spammers are trying to send their spam to the ISP's customers. I think the ISP has both a right and an interest in controlling that so as not to drive customers away. It's not reasonable that an ISP such as myself has no control over what sort of advertising is placed in my customers' mailboxes yet is left responsible for the quality of that experience.

c) Sender pays clarifies the legal situation without a need for new legislation.

Sending, and not paying, would become simple theft of service, wire fraud, etc.

5) ISP Tools
by feenberg

Do ISPs have the tools they need to prevent outgoing SPAM from their own customers? I look at Sendmail and don't see anything that would allow you to throttle mail volume, check outbound messages for SPAM, restrict new customers etc. There isn't even anything built in that would warn you about a customer sending a million messages. It would seem that a few tools like that would be a big help to an ISP too small to develop its own.

Barry:

I think the best tool is knowing who your customer is and having a clear and effective policy if a customer spams such as clean-up costs which should also include intangibles such as public relations costs.

But you're correct, better tools at that level might help if ISPs were inclined to use them. Many ISPs do use tools such as you describe, others obviously don't care.

6) RBL's
by sabri

One of the few measures that can be taken against spam is the use of blacklists (for instance via DNS). There are a lot of pros and cons for the use of DNSBLs. How do you feel about these? Should DNSBLs be governmentally regulated? Do you use any DNSBL? Should an ISP enforce certain RBLs (let's say, of open relays) on its customers?

Barry:

I've always resisted using these blacklist services at the ISP level. There are several reasons why but the most important is control.

If the blacklist suddenly began blocking some site, such as a major university or corporation because it was the source of spam the night before, that might cause a big problem with our customers. Even if it could be worked around it'd be just another out of control detail which might send one into fire-fighting mode suddenly.

Another problem I've had with blacklists is that some have become rogue and gone power-mad, blacklisting addresses for reasons completely unrelated to their stated purpose such as personal politics.

Also, the blacklists I've looked into were volunteer efforts which meant the people involved often felt they could paper over any mistake or oversight or staff unresponsiveness with the excuse that they were unpaid volunteers so what do you expect? You can't have your ISP be dependent on organizations with that attitude. And what if I don't like a blacklist's policies or implementation of their policies? If I'm not paying them I can't vote with my wallet.

I suspect that anyone attempting to run a blacklist in a professional, paid manner would go broke; the service isn't worth what it'd have to charge to stay in business. The legal costs alone can be daunting. With legal issues even if you're right it can be expensive getting there. And customers of any service don't want to pay for your legal bills as the major cost of such a service. So we're back to problems with the economic models.

I don't think government regulation would help with blacklists, per se, except in very general ways (they can run the courts for the lawsuits!) The only analogy I can think of are credit bureaus but most of the government regulation in that area is to protect consumers. I don't think we want the government stepping in to protect spammers!

Finally, yes, just about all ISPs blacklist (block) offending sites. Doing it in-house gives them the control they need. It's not great to have to take this on but it's the only choice right now. Unfortunately it's becoming a major burden, and the results are not altogether predictable.

7) What would be the minimum actual cost?
by jamie

What would be your actual dollar cost of spam, if you didn't spend much time and effort fighting it?

Let me explain...

I sometimes hear that spam has significant costs in bandwidth and storage but I don't believe it. As far as I can tell, SMTP traffic is at most 2-5% of net traffic. And a quick calculation shows that an ISP's costs for storing its users' spam are fractions of pennies on the dollar. (*)

You've likened spam to a DDoS attack on your mail servers. Stories about being flooded with traffic sound impressive but computers are so fast now, it's hard to put anecdotes into context. So I'm looking for dollar amounts. For a customers paying b dollars per unit time, an ISP like yours has to spend c dollars per unit time on servers that can handle those customers' incoming SMTP traffic. If this is significant, I'm looking for c over a times b :)

Obviously admins to run the servers are an important cost. But for purposes of this question, suppose you wanted to do the bare minimum. Say you set up the SMTP servers to use just a few of the less-intrusive DNSBL lists, like sbl.spamhaus, relays.ordb, or list.dsbl, and then ignored them as much as possible.

The next most common argument I hear is that customers will abandon ISPs that don't fight spam. But every ISP has the same problem, so this is really a competitive advantage issue except for the small percentage of users who are actually driven off the internet by spam.

Then there's outgoing spam but I don't imagine that's too hard to recognize and stop quickly.

Let me know what I'm missing...

(*) Thumbnail calculations of spam storage follow. Let's say J. Average ISP Customer gets 20 spams a day at 10K each, and deletes them only every 30 days. That's an average of 20*10K*15 = 3 MB of storage. If the ISP replaces hard drives every two years on average and its total storage costs are ten times the actual medium costs (for labor, backup, redundancy, downtime), then at today's hard drive prices, that spam storage will cost the ISP 0.003 * 10 / 2 dollars, or about a penny and a half. Over that same year, J. Customer pays the ISP $100+.

Barry:

Your figures for the percentage of bandwidth which is spam are far too low. Others have put the numbers much higher. NewsFactor cites studies putting the figure somewhere between 17 and 38%. See http://www.ecommercetimes.com/perl/story/19803.html.

As to computers getting faster, that's not a primary issue in my mind. But addressing even that point, how rapidly should I have to amortize and replace my equipment just to accommodate spammers?

And what about the intangibles? They're becoming the major factor in all this. E-mail is the "killer app" on the net. Yet spam is fouling that e-mail experience.

People reading Slashdot might be sufficiently committed to e-mail that they'll wade through all the spam and tweak spam filters even if it takes hours per day and a clothes pin on their collective noses. But what about the many millions of people who aren't so committed to this technology?

As an ISP I can tell you they're giving up on the internet, to them the cost/benefit is just not worthwhile. That's not a good trend.

Another cost is that spam is undermining the standardization of protocols on the net, and thus introducing a pervasive chaos. Every ISP and many other sites are scrambling around implementing mostly different "solutions" to the spam problem. Some of these in-house solutions might be ok, others can be pretty bad.

One result is that e-mail is becoming less reliable as a communications tool. Your mail might get through, it might be kicked out or filtered as spam, you might be able to figure out why and get the message through on a slightly changed subsequent attempt, or maybe not.

Who needs this kind of craziness? How can this situation possibly be productive?

How productive is it to have millions of people installing and customizing spam filters? Or having really bright people writing spam filtering programs? And where is this all going?

In my opinion, if unchecked, I think the current trend is very destructive to the entire idea of a public network.

P.S. I realize in another answer I recommend installing spam filters, but I see that only as a temporary measure.

8) Collateral Damage
by aridhol

One of the greatest problems with spam-prevention techniques has to do with collateral damage. Can you see any solution to spam that either prevents or minimizes the damage to innocent bystanders, such as other users of a spammer's ISP?

Barry:

Yes, the solution I favor is going to a sender pays model aimed at bulk e-mailers.

Other approaches, in particular technical solutions, are prone to causing collateral damage. Inevitably as the arms race heats up, and spam filters have to take bigger and bigger risks to have any effect, collateral damage will become more common.

And it's already worse than you might imagine. Spam and similar are causing severe operational problems on the net and undermining standards as ISPs and others invent new ways to avoid the spew.

As one concrete example, right this minute there's a network provider who was just assigned most of the 69.0.0.0/8 IP address space. Unfortunately, this was formerly a spam and DOS (denial-of-service) cesspool so many sites out there just block the whole 69.* address space.

So the new owners are making appeals to firewall managers asking them to please remove their blocks in the 69.* space on the NANOG (North American Network Operators Group) list.

But NANOG is not a particularly big or influential mailing list. At best it's only aimed at North America while the blocking exists world-wide. But how do you communicate with so many sites and undo the problem? In a nutshell, you can't. I suspect their customers who get space in 69.* are going to find themselves blocked by many sites for many years to come.

See what a mess spam is causing? It's like asking how much can such a little tiny termite eat? And then the house falls down.

9) Spam Lawsuits
by ca1v1n

Do you think new laws that allow ISPs and end-users to collect damages from spammers on a per-message basis can be effective tools to reduce spam?

Barry:

Although it should be part of the picture I think this sort of litigation would be ineffective as a primary attack on the problem.

What we need to do first is stop the insanity!

To do that I say introduce sensible economics into e-mail advertising. You may find network TV commercials annoying, but imagine if just anyone could break into a station's signal at any time and insert advertising! That's what we have right now, and it's crazy.

If we were subjected to a few, well-paid and placed ads it might be annoying to some but others might even find it beneficial like the person in the previous message whose wife likes to know about the good sales. Or we could just pay a premium and not see another ad, analogous to premium cable TV. Or find ways to block them via our personal mail clients, analogous to what people do with PVRs. It'd just be a matter of economics and marketing and taste.

But right now it's complete anarchy, only the introduction of a viable economic model can tame the situation.

Also, I'm not optimistic about any legalistic approach so long as there's no scalable revenue stream associated with e-mail or its abuse.

Currently the general consensus on the net is that we don't even want sales taxes on e-commerce, which might be a reasonable point of view, but then we're going to ask that billions should be spent on courts and enforcement of new spam laws? Where is that money supposed to come from? Cut the fire dept? The schools? Not-growing corn subsidies? Without additional revenue something has to give.

Given a sender pays model money could be earmarked for private enforcement, such as investigation and litigation. And the case could be more realistically made as to the exact economic cost of spam. If an ISP was supposed to get paid for ads going through their system then anyone evading that is simply guilty of good old fashioned theft of service, no new laws needed. And legislators, who presumably would be getting their usual business tax cut of such revenue, could begin to see the logic in returning some tax money to defend these revenue streams.

There would still be challenges to be worked out internationally but it wouldn't be the first time a revenue model had to work on a global scale. Obviously international telephony and postal mail works well enough to combat fraud. But only with some sort of concomitant revenue stream attached to the activity could you possibly begin to tackle the problem, domestically or internationally.

10) Kill 'em all
by Lord_Slepnir

If you could meet a spammer, what would you say? What would you do? What caliber would you use? Would you want someone to do it for you? Is $10,000 a head too much?

Barry:

I would tell the spammer in no uncertain terms that spammers' days are numbered, just like junk faxers and other scam artists who exploited a brief window of vulnerability.

Situations like this don't last long.

Of course, then the spammer would laugh in my face because that's what sociopaths like to do when confronted. But, as the expression goes, we'll see who laughs last.

One thing is clear, however, spammers will not listen to reason. So any change in their behavior will have to be the result of force.

  • by Noryungi (70322) on Monday March 03, 2003 @01:36PM (#5425049) Homepage Journal
    I have to say, this made me laugh:

    One thing is clear, however, spammers will not listen to reason. So any change in their behavior will have to be the result of force.

    Can I be the one who applies force? Pretty please?

    (Just joking, as I only dream of applying force to the skull of the spammer after one spam too many...) =)
  • by Joe the Lesser (533425) on Monday March 03, 2003 @01:37PM (#5425057) Homepage Journal
    One thing is clear, however, spammers will not listen to reason.

    Well, how can you refuse their great deals!?! They must think we're crazy.
  • Simple Solution (Score:4, Interesting)

    by Anonymous Coward on Monday March 03, 2003 @01:38PM (#5425062)
    There is a simple solution (or at least a starting point): Prosecute Forged Headers. If someone is going to send spam, sending it from someone else's account or server SHOULD BE illegal, and it should be prosecuted. This would cut down on large amounts of spam and make all other forms of combatting much easier.
    • Re:Simple Solution (Score:5, Interesting)

      by gilesjuk (604902) <.giles.jones. .at. .zen.co.uk.> on Monday March 03, 2003 @02:19PM (#5425386)
      Can't mail servers become more intelligent, after all who sends 100 emails a day in one big batch from a hotmail account?

      If a hotmail server for example looked at the age of an email address/account when deciding to accept an email then it might prevent some spam. If an email account is minutes or hours old and the user attempts to send 1000 emails from it then you know you're dealing with a spammer. Also if you check for replies to that message you also can validate if the mail was potentially a valid one.

      I personally receive very little spam since installing Popfile, in the true tradition of networking and the internet it's free. Works hundreds of times better than any commercial tool I have used. Best thing is it's cross platform too, if you can run perl on an OS you can run popfile.
      • Re:Simple Solution (Score:3, Insightful)

        by malIgna (96942)

        Can't mail servers become more intelligent, after all who sends 100 emails a day in one big batch from a hotmail account?

        Unfortunately most if not all of the spam you receive marked as coming from hotmail never went within 100 miles of the actual hotmail servers. The distributed nature of the internet makes this virtually impossible.

      • Re:Simple Solution (Score:4, Insightful)

        by Shdwdrgn (162364) on Monday March 03, 2003 @04:35PM (#5426429)
        I was just thinking about something similar to this. What about a filter on the ISP side which looks at QUANTITY? For instance, say your ISP's normal email traffic is 1000 emails an hour. Then in a 5 minute period you get 100 messages, all coming from the same IP address, but being sent to multiple users. Sounds to me like a prime candidate for a spam attack. If your window period is 5 minutes then you will need to cache incoming messages for those 5 minutes, and if the alarm is sounded then purge everything in the queue which matches the incoming IP address, and continue to purge until the traffic from that address subsides.

        Now obviously this won't work for individual cases. You need to monitor a large average traffic flow, and you need to monitor a single sender generating traffic for multiple recipients. But the implementation of this should be very easy on the cpu usage of an average server (but if you wanted to increase the reliability, you could also include the option to check the content of the incoming messages... a single source sending the same message to multiple users presents a much more likely candidate for spam filtering, but is also much more cpu-intensive).

        Can anyone comment on a technique such as this? Has it been tried before? It seems this would eliminate false-hits and stop a large number of mass-mailings.
        • Re:Simple Solution (Score:3, Insightful)

          by keyslammer (240231)
          This is a fix for a particular symptom of the problem. It handles only the case of one agent delivering lots of messages to the same server.

          Like the man said, spammers vs. anti-spam solutions is an arms race - spammers will find a way to work around methods to keep them out. In the case that you have proposed, the work-around is simple: don't deliver all your messages to the same host in close proximity.

          A better solution based on a similar concept is Vipul's Razor [sourceforge.net]. This is based on the idea that spammers usually send the same message to thousands of recipients, so if the same message is received by a bunch of different and apparently unrelated accounts, it's probably spam. [and of course, the work-around for this is to vary your message slightly for each recipient]

          Another issue is that all of the solutions that are now in use (except possibly the Tarpit solution [martiansoftware.com]) only shield the end user from spam: they don't address the burden placed on the network infrastructure.

          So bottom line is, there's lots of little tricks like the one that you have suggested that can be used (separately and combined) to mitigate this problem, but (as you've indicated) they won't solve it.
        • Re:Simple Solution (Score:3, Informative)

          by gilesjuk (604902)
          Seems people are thinking about such things:

          http://www.martiansoftware.com/articles/spammerpain.html

          http://www.theregister.co.uk/content/6/29545.html
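The quantity filter Shdwdrgn proposes above, and the limit keyslammer's reply points out, as an added Python example (not code from the thread or from any mail server). The `VolumeFilter` class, its thresholds, the addresses and the traffic are all constructed for illustration; purged mail still counts toward a source's rate, so purging continues until its traffic subsides.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    ts: int        # arrival time in seconds
    src_ip: str    # connecting SMTP client
    rcpt: str      # local recipient


class VolumeFilter:
    """Hold mail for one window; purge a source that floods many recipients."""

    def __init__(self, window=300, max_msgs=100, min_rcpts=20):
        self.window = window        # seconds each message waits in the cache
        self.max_msgs = max_msgs    # messages per window that raise the alarm
        self.min_rcpts = min_rcpts  # "multiple users": distinct recipients needed
        self.seen = defaultdict(deque)  # src_ip -> arrivals inside the window
        self.held = deque()             # messages waiting out the window
        self.alarmed = set()            # sources currently being purged
        self.delivered, self.purged = [], []

    def _release(self, now):
        # Mail that sat through a full window without an alarm is delivered.
        while self.held and self.held[0].ts <= now - self.window:
            self.delivered.append(self.held.popleft())

    def _over_limit(self, ip, now):
        q = self.seen[ip]
        while q and q[0].ts <= now - self.window:
            q.popleft()
        return (len(q) >= self.max_msgs
                and len({m.rcpt for m in q}) >= self.min_rcpts)

    def receive(self, msg):
        self._release(msg.ts)
        self.seen[msg.src_ip].append(msg)  # purged mail still counts as traffic
        if self._over_limit(msg.src_ip, msg.ts):
            if msg.src_ip not in self.alarmed:
                self.alarmed.add(msg.src_ip)
                # Alarm: drop everything from this source still in the cache.
                keep = deque()
                for m in self.held:
                    (self.purged if m.src_ip == msg.src_ip else keep).append(m)
                self.held = keep
        else:
            self.alarmed.discard(msg.src_ip)  # traffic has subsided
        if msg.src_ip in self.alarmed:
            self.purged.append(msg)
        else:
            self.held.append(msg)

    def flush(self):
        self.delivered.extend(self.held)
        self.held.clear()


def constructed_traffic():
    """Constructed sample: a burst, an ordinary sender, and a slow bulk sender."""
    burst = [Msg(1000 + i, "192.0.2.10", f"user{i}@isp.example") for i in range(150)]
    normal = [Msg(1000 + 30 * i, "198.51.100.7", f"user{i}@isp.example") for i in range(5)]
    # Same 150 recipients, but one message every 24 s (at most 13 per window).
    slow = [Msg(1000 + 24 * i, "203.0.113.99", f"user{i}@isp.example") for i in range(150)]
    return burst + normal + slow


def simulate(msgs, **limits):
    """Feed messages in arrival order; return per-source delivered/purged counts."""
    f = VolumeFilter(**limits)
    for m in sorted(msgs, key=lambda m: m.ts):
        f.receive(m)
    f.flush()
    return (Counter(m.src_ip for m in f.delivered),
            Counter(m.src_ip for m in f.purged))


if __name__ == "__main__":
    delivered, purged = simulate(constructed_traffic())
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.99"):
        print(f"{ip:15} delivered={delivered[ip]:3} purged={purged[ip]:3}")
```

The burst is purged in full and the ordinary sender is untouched, while the slow sender's 150 messages all pass, which is the gap a content-based check such as the one keyslammer mentions would have to cover.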
  • It won't stop spam. People are getting spam on their text based phones, I get full color spam in my mailbox. Bulk advertisers have no problem paying a few cents per spamee, when one gullible shmuck in 1000 orders the penis enlargement pills.

    It'll just kill e-mail. People and corporations won't be so eager to use it when it costs them a dime (or even a cent) per pop.
    • by dattaway (3088) on Monday March 03, 2003 @01:47PM (#5425112) Homepage Journal
      I know a better idea. And the reason why I love local ISPs. Once our LUG mailing list got spammed. Within the hour, I got an address and it was from someone here in the city. Let's say it was an interesting experience getting to know this spammer and observing her habitat. Yes, it was an internet luser wanting to exploit the masses.

      Get to know your spammer. Field trips are more entertaining than sitting on the couch watching television.
    • by conner_bw (120497) on Monday March 03, 2003 @02:10PM (#5425295) Homepage Journal
      Here is what I think is the ultimate solution.

      Receiver has the "right" to bill sender for unsolicited email - a processing fee as seen in many a sig.

      If the sender can't be found, then they have the right to bill the ISP. Which will get the lax ones off their ass and implement some actual policies and the spam house ones eliminated.

      International law in the way? No problem! The "Right to bill sender for processing fee" law has diplomatic status, and it clearly states that mobs, minimum of 10 people, have the right to use all means necessary to extract the fine either as money, property, or pain.

      Where anonymity fails, application of brutal force, stalking, and humiliation by an organized group of angry citizens doesn't.

      Fight spammers with fire! Burn them to the ground.

    • by MacAndrew (463832) on Monday March 03, 2003 @02:34PM (#5425483) Homepage
      This plan sounds kinda nice -- make the internet too expensive for spammers, we bankrupt them in a pseudo-free market way. But where is the force to make everyone use this? As soon as some entities (I'm not assuming who this will be) try to impose fees, others will leap forward to say hey, we don't charge! Use us! And who wouldn't. This is capitalism. The system fails on a market level, and that without even addressing all the transactional problems in accounting for the fees, collection costs against deadbeats (spammers), and so on.

      The only alternative would be for large groups of ISPs to band together to impose uniform fees, making the system the de facto standard. Um, can anyone spell antitrust?? The idea doesn't clear the laugh test.

      I think sender pays maybe would work in principle, but is entirely impractical. As a practical matter, it will just piss off a public that HATES being nickel-and-dimed to death. Notice the unpopularity of metered ISP access? Americans in particular like flat rate, whether it be email, telephones, or whatever.

      These are just a few problems off the top of my head, I'm sure I can think of more. But *please* don't ask me for the real solution. :) Of course self-help like filters will be a factor. And legislation as well; I think he's right when he says:
      Pressure your legislators to enforce the laws already on the books! Hijacking others' systems, identity falsification, and fraud are already illegal. These aren't legitimate business people who send all this bulk mail, they're crooks.


      Even if a spammer can sneak around the laws making it clear that the activity is illegal, this prevents a spammer from getting investors, incorporating, taking out bank loans, obtaining legal indemnification against liability, buying business insurance, registering with their state or owning intellectual property (e.g., trademarks), etc.

      Laws don't stop crime, but do make it hurt. And who among us wouldn't mind seeing a few spammers do some time? Even if they get to us because we fail to protect ourselves, what they're doing is wrong (fraud etc.) and should be punished. Let's not blame the victim.
    • I get full color spam in my mailbox. Bulk advertisers have no problem paying a few cents per spamee, when one gullible shmuck in 1000 orders

      You don't understand the economics of spam email. The response rate is much less than the 1 in 1000 that physical junk mail attracts, more like 1 in 10,000 or more. To make money, the spammer needs to send millions, not thousands, of emails. Currently that costs nothing (whether it's full color or not) per message. But charging even half a cent per message would completely destroy the spammer's business.
      Furthermore, the effectiveness of charging would not be in any way impaired if 1,000 free emails per month were included in every paid subscription to an ISP. 1000 emails is far too few to be of any interest to a spammer.
  • by tinla (120858) on Monday March 03, 2003 @01:41PM (#5425072) Homepage Journal
    "I look at Sendmail and don't see anything that would allow you to throttle mail volume"

    ISPs offering dialup services generally know the CLID and maybe the name & address of a caller.. but it's too much hassle to do anything about bulk mailers that use the service. If I go and sign up with a free ISP I can send a huge volume of spam before I get banned and there is a very low chance of any comeback.

    What tools are available for SMTP gateways (such as sendmail, exim etc) that let you throttle mail based on the sending address / user (maybe tied into radius)? So I can allow normal users to send their 20 messages per connection but automatically make it unattractive to people sending 1000's. If each subsequent message from a user has a longer and longer transmission time (insert some arbitrary delays etc) then they won't relay through the ISP server.

    Any ideas? I was talking to a friend recently that works at a small isp and he has the exact problem above. They give out "free" accounts (earning off the call revenue) and spammers clog up the smtp server with really vast volumes of junk in the mail queues... after all - most addresses on spam lists are duds.
    • by cybermage (112274) on Monday March 03, 2003 @03:15PM (#5425754) Homepage Journal
      Keeping people from sending spam is substantially easier than keeping people from receiving spam.

      Mail coming in from outside your address space must be destined for your address space to be acceptable. Only relay messages originating within your address space. This functionality is now built into Sendmail, but I remember when it wasn't and had to add it myself.

      It is possible, despite the quote re: Sendmail, to track X messages sent per IP over Y time, and begin issuing errors to the sender if the volume is higher than prescribed. You can even allow for email lists, if they're known to you, to be exempt. This is not easy to implement in Sendmail (the rules took a long while to hash out) but now that you can link external programs into sendmail's processing of messages, a child could do it.

      The real issue, however, for ISPs is dealing with inbound SPAM. For that, there are no easy fixes. Much of it is no longer domestic in origin. With processors getting faster, it may be possible to implement a Bayesian filter [slashdot.org] at the ISP level, saving each individual user from the trouble. You could plant bogus addresses as spam traps in the path of spammers then assume that mail to those addresses is bad and assume messages to real accounts are good and then let the bayesian filter take over. You could also provide a mechanism to feed other messages into the bad portion of the filter (e.g., spam that slips through).

      For users that are concerned about the possibility of false positives (much higher with blacklists, BTW) give them the option to opt in or out at will (defaulting to in, I'd think.)
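
The throttle discussed in the two posts above (tinla's growing per-message delay, cybermage's "X messages sent per IP over Y time" with an exemption for known lists), sketched as an added example; it is not code from the thread or from Sendmail. The class, the limits, the sender keys and the SMTP reply texts are assumptions chosen for illustration, and the traffic is constructed.

```python
"""Per-sender outbound throttle: sliding window plus escalating tarpit delay."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    action: str   # "accept", "tarpit" or "tempfail"
    delay: float  # seconds the gateway stalls before replying
    reply: str    # SMTP reply the gateway would return (assumed wording)


class SenderThrottle:
    """Track messages per sender key (IP or authenticated login) in a window.

    Up to soft_limit messages per window pass untouched. Past that, each
    further message is accepted only after a delay that doubles every time,
    so bulk sending through the gateway gets slower and slower. At
    hard_limit the gateway answers with a temporary error instead.
    """

    def __init__(self, soft_limit=20, hard_limit=60, window=3600.0,
                 base_delay=1.0, max_delay=120.0, exempt=()):
        self.soft_limit = soft_limit
        self.hard_limit = hard_limit
        self.window = window
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.exempt = frozenset(exempt)    # known mailing-list hosts
        self._sent = defaultdict(deque)    # sender -> accepted timestamps

    def check(self, sender, now):
        if sender in self.exempt:
            return Decision("accept", 0.0, "250 2.0.0 Ok")
        sent = self._sent[sender]
        # Drop timestamps that have slid out of the window.
        while sent and now - sent[0] >= self.window:
            sent.popleft()
        count = len(sent)                  # messages already accepted
        if count >= self.hard_limit:
            # Refused mail is not recorded, so a legitimate sender who
            # retries later gets through once the window has moved on.
            return Decision("tempfail", 0.0,
                            "450 4.7.1 Sending rate exceeded, try again later")
        sent.append(now)
        if count < self.soft_limit:
            return Decision("accept", 0.0, "250 2.0.0 Ok")
        over = count - self.soft_limit     # 0 for the first message past soft
        delay = min(self.base_delay * 2 ** over, self.max_delay)
        return Decision("tarpit", delay, "250 2.0.0 Ok")


def constructed_traffic():
    """Constructed sample: (timestamp in seconds, sender key) pairs."""
    events = [(i * 200.0, "user:alice") for i in range(15)]   # normal user
    events += [(float(i), "user:bulk") for i in range(200)]   # 1 msg/second
    events += [(i * 0.5, "host:lists.example.org") for i in range(500)]
    return sorted(events)


def simulate(events, throttle):
    """Replay events at their fixed timestamps and summarise per sender."""
    summary = defaultdict(lambda: {"accept": 0, "tarpit": 0,
                                   "tempfail": 0, "stall_seconds": 0.0})
    for now, sender in events:
        decision = throttle.check(sender, now)
        row = summary[sender]
        row[decision.action] += 1
        row["stall_seconds"] += decision.delay
    return dict(summary)


if __name__ == "__main__":
    policy = SenderThrottle(exempt={"host:lists.example.org"})
    for sender, row in sorted(simulate(constructed_traffic(), policy).items()):
        print(sender, row)
```

The replay keeps arrival times fixed; on a live gateway the stall itself would also hold the connection open and push the sender's later messages back.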

  • by j0nb0y (107699) <jonboy300@@@yahoo...com> on Monday March 03, 2003 @01:41PM (#5425077) Homepage
    The problem this has is that people don't want to pay to send email. I think the solution to this may be for each account to get so many free emails a day. For example, you can send ten free emails a day, but after that you pay 10c each. No spammer would get an account at such an ISP.


    Another solution may be to have a ten cent "deposit" every time you send an email. If it's legit, you get it back. If the end user rejects it, you lose your ten cents.


    The problem with the first approach is that it wouldn't work unless every ISP did it. It would make more sense to charge at the incoming mail server.

    • That's actually a really good idea. Perhaps each ISP could have a "tolerance meter" for various user accounts. In addition, each email sent out collects a $0.10 charge.
      Now, the ISP would have a site area where people can forward spam messages - to be processed by a filter to make sure that it's not faked headers etc (however, I'm not sure how many programs send a copy of the original header). If 10+ (or whatever number you want) people send in SPAM complaints, then the $0.10 charge applies per email. If not, the emails all go happily along.

      The trick is still, however, tracking the evil spammers to their source ISP (many just use hacked accounts elsewhere, no good there) and getting people used to the idea of antispam forwarding.

      Another trick might be to monitor mass outgoing mailings, and occasionally send a follow-up email from the server itself to various recipients. The recipient could respond to the follow-up saying "yes, this was unsolicited spam, please count my vote against this user".
    • Two comments on this:

      Pro: This could work with a much higher limit. Who besides spammers sends ten thousand emails a day?

      Con: It's all too easy for a spammer to bypass the ISP's SMTP server, so without high-level packet filtering it could not be easily enforced.
  • CAPTCHA'a (Score:2, Informative)

    by slug359 (533109)
    Unfortunately I didn't see the Q&A, else I would have asked something about CAPTCHAs [captcha.net]. I believe these systems, implemented properly, could put a real dent in spammers' wallets; there was a website that used this system to allow legitimate mail through. I've lost the URL however (damned K-Meleon bookmark support!), but it's a really good idea.

    It worked something like this: legitimate sender sends mail, autoresponder sends back mail with 'Visit this URL, to confirm your address'. The legitimate sender visited the address, entered the obfuscated word and their mail was delivered (and address added to a white list for future correspondence).

    I wrote a simple CAPTCHA in PHP (yey gd!) in about 30 minutes, so why legitimise spam when this ideal solution has emerged? :)

    • It's a scheme like TMDA [sourceforge.net], which has the problem that you are confirming that your email address exists, only with CAPTCHA you are using graphics instead of text.

      But can't a TMDA scheme be used even before checking that the recipient exists? This way your server will check that all messages have someone behind them, without necessarily confirming that the address exists. Of course, this way you'll have a server-based whitelist, instead of user-based, but at least it will not say what addresses are valid alone.

    • Re:CAPTCHA'a (Score:2, Insightful)

      by Chris Hiner (4273)
      I see 2 problems with programs like CAPTCHA.
      What if both people trying to initially email each other use it?
      Does the email get stuck in a loop, or just never get seen as the address was never confirmed?

      This one affects a small group of online users: How does a blind person read the obfuscated word? Their normal screenreader/TTS won't handle it...
  • by $$$$$exyGal (638164) on Monday March 03, 2003 @01:42PM (#5425080) Homepage Journal
    That was an excellent interview! Here's a nitpick:

    But you're correct, better tools at that level might help if ISPs were inclined to use them. Many ISPs do use tools such as you describe, others obviously don't care.

    I would guess that the majority of these ISPs do care. The problem is that spamming issues are such a low priority for them when they are just trying to keep their heads above water (financially speaking).

    Another issue is that the ISPs will almost always be perceived as not caring, because there is no way they can possibly respond to every single person that claims to be spammed from such and such ISP.

  • Sure (Score:3, Insightful)

    by Junky191 (549088) on Monday March 03, 2003 @01:43PM (#5425084)
    God forbid we just stop buying the crap they are hawking in spam. If everyone just stopped giving spammers their money then the problem would be solved overnight. The simple fact of the matter is that enough people are interested in penis enlargements to keep spammers in business. Stop buying and they will stop selling.

    No new unenforceable laws or new bloated government agencies required.
    • Re:Sure (Score:2, Interesting)

      by AssFace (118098)
      To be fair, I'm not sure that is what drives spam revenue.

      It is true that television and print ads are driven by the desire to sell the product that they advertise.

      But I think spam has evolved to the point where it is not about what is being "sold" and instead about creating the address base.

      If you look at a large percentage of the ads, there is no real way to buy what they are referring to. If you click on the links, they bring you to a page that then lets them confirm the address that they sent to (yours - and by clicking on that link, they know that you exist and it is a live address). Can you actually buy anything on that page? Not usually - usually it is a way to unsubscribe, or it is a series of ads for other things, or it pops up a ton of other crap - eventually leading to porn.

      The point of spam might have initially started as an attempt to get people to buy crap - like an annoying infomercial or a QVC that keeps coming back at you.

      But the money making part of it now is to generate a larger list of users with more real users in it and then sell that list to other spammers. As well as generate revenue from popups and click thrus.

      If you genuinely look at over 90% of the spam you get, you will see that were you to want to buy whatever it is that they are talking about - there isn't a way to get to it - you will be diverted many times along the way.
      There are obvious exceptions to the rule - Netflix, porn, and George Foreman grills come to mind.

      I am down to about 100 spams a day now and I go through them frequently to try and think of more ways to get rid of them (I use the most recent spamassassin), and have come to notice this trend on my own.

      Regular web advertising failed because nobody was buying the product - banner ads and the like never really caught on - but they remain out there - people trying to get your attention.

      Whereas spam has grown the entire time - because they have found a different way to make money - not selling you the product, but by selling your address.
  • Money talks (Score:5, Insightful)

    by saphena (322272) on Monday March 03, 2003 @01:43PM (#5425087) Homepage
    As with any other commercial enterprise, the one thing guaranteed to stop it is that it just doesn't pay.

    If no-one ever responded to SPAM, it would die out pretty rapidly.

    If it's still with us it means one of two things:-

    1) It pays to send SPAM.
    2) There is an endless supply of spammers who have yet to realise that it doesn't pay.
    • Re:Money talks (Score:3, Insightful)

      by Detritus (11846)
      It doesn't matter if no one responds to the spam. Many spammers get paid for spamming on the behalf of others. As long as there are suckers who believe that you can "get rich quick" by advertising on the Internet, there will be spammers willing to take their money. Just think of all the money making scams that are advertised on late-night television. Those crooks have been selling the same snake-oil for years.
      • Re:Money talks (Score:3, Insightful)

        by dattaway (3088)
        Do spammers really make money? Do operators of pr0n websites really make money from banner ads? I am starting to believe the money is to be made convincing others that these trades are profitable and selling them starter packages for a price. Kind of like Amway, you can buy yourself into one of these leeching vices and sell a bit of your soul at the same time.

        Meanwhile, the con artists at the top don't have to deal with the carnage and destruction at the bottom, while skimming the cream at the top. That's the essence of business planning in a nutshell.
        • Re:Money talks (Score:5, Informative)

          by BadBrainDay (597533) on Monday March 03, 2003 @02:49PM (#5425596)
          Do spammers really make money?
          I once received a spam to buy some Viagra (I know, not exactly uncommon).

          At the time I was going through a major anti-spam kick, where I would thoroughly investigate each piece of spam, contact the appropriate ISPs (often by phone), etc (I've since given up on this effort since most ISPs simply didn't care).

          Anyways, this one particular piece of SPAM had an order form built right in to the email, which submitted the details (unencrypted of course) to a CGI on the spammer's "server" (connected via some throw-away dial-up account).

          As part of my "investigation", I just happened to cut and paste the URL of the CGI into my browser, but took off the filename (that is, I went to their cgi-bin directory). I couldn't believe it, but the cgi-bin directory was open to the world, including the flat files which were storing the users' names, email addresses, home addresses, and credit card information, etc.

          I refreshed the files once in a while over the next several hours, and just watched the list of orders build and build and build. I'd say in one evening this guy made several hundred dollars in profit. Multiply that by the number of days in the year, subtract the amount that they spent to send the email (nothing or almost nothing) and you've got your answer. Spammers make money. In some cases, lots and lots of money.

    • Re:Money talks (Score:2, Interesting)

      by Eric Savage (28245)
      Your message is somewhat of a contradiction:

      "If no-one ever responded to SPAM, it would die out pretty rapidly."

      "There is an endless supply of spammers who have yet to realise that it doesn't pay"

      The first is false. The second is true. What people don't realize is that spam is NOT about someone sending mail through an ISP's server! This is easy to stop, and most ISPs have had countermeasures in place for years. Unfortunately every hacker out there thinks he/she has the solution through limiting these things.

      Most spammers don't use open relays, and they don't use their ISP's mail server!

      So if we could please move on, the problem is that spammers are doing the same thing as many people on slashdot, they are running their own mail server off their cheap (often free thanks to parents, and yes I am asserting that much spam is from teenagers) broadband connections, or as Barry mentioned, setting up a colo and blasting out 10 or 20 megabit of spam until the place gets enough heat to shut you off (and rent the box to the next spammer).

      If we could start thinking about this problem in terms of 2003 and not 1998, we might make some progress.
      • Re:Money talks (Score:5, Informative)

        by Phroggy (441) <slashdot3 AT phroggy DOT com> on Monday March 03, 2003 @03:13PM (#5425739) Homepage
        Most spammers don't use open relays, and they don't use their ISP's mail server!

        Do you have any facts or specific experience to back this up, or are you talking out of your ass?

        I used to work with the abuse department of a broadband ISP. The majority of the spam complaints we received were due to our customers who were running SMTP servers and didn't realize they were configured as open relays. Spammers would scan blocks of IPs on our network, find somebody with port 25 open, see if it's an open relay, and if so, start sending spam. Over the next 24-72 hours we would receive complaints, mostly from SpamCop [spamcop.net]. We'd identify the customer and send them an e-mail notifying them of the problem. 24 hours later we'd suspend their service. Then the customer would call into Tech Support confused about why they can't get online, and we'd have to explain what was going on. Most of the time they had no idea. Some of these customers don't know what an SMTP server is, let alone an open relay - yet somehow they've got one set up. Others know, but just forgot to fix it.

        Of course, open SMTP servers are not the only problem - open proxy servers work too, usually to connect to an open relay somewhere else so the spammer's real IP doesn't show up in the headers.

        I do agree that most spammers don't use their ISP's mail server, although several do. Some ISPs such as Earthlink firewall port 25 so you can't send mail except through their servers (unless you exploit an open proxy; see above) - this helps Earthlink to greatly reduce the amount of spam coming out of their network, since customers with open relays are not a problem for them.

        So if we could please move on, the problem is that spammers are doing the same thing as many people on slashdot, they are running their own mail server off their cheap (often free thanks to parents, and yes I am asserting that much spam is from teenagers) broadband connections

        Spamming directly from your own broadband connection is retarded; that's why most spammers don't do it. Our policy was to suspend your service until you agree to quit spamming, then suspend it again until you agree to quit spamming again, then cancel your account and charge you a $250 early-termination fee for breaking your one-year contract. We've already got your credit card number, and it's in the service agreement.

        I think this is something that needs to happen more often: ISPs need to start making it really expensive for spammers to operate, by charging them large fines when they do. Don't just cancel their account, but make them pay.

        The biggest problem with this is, there are so many incompetent people with hacked/infected machines that it's often impossible to tell the difference between an innocent victim whose system was compromised and a die-hard spammer who's lying through his teeth. The latter you want to get rid of ASAP; the former may pay you a lot of money over the next several years (and refer all his friends) if you can help get this little issue resolved.
  • by mitherial (554418) on Monday March 03, 2003 @01:44PM (#5425089) Homepage
    He says: "To a great extent spam can be viewed as a form of system compromise and similar to malicious cracking in many ways. One of my pleas back then to other ISPs was to make some sincere effort to know to whom you were giving accounts. Many of the ISPs with big funding and marketing departments to match would just give out new accounts to anyone with a drink coaster and worry about it later, oftentimes much later only when the bill wasn't paid."

    Am I the only person who finds problems with this mentality? I mean, isn't anonimity (sp?) a huge part of what drives the internet? I mean this strikes me as comparable to the whole DRM approach. Spam is just one of the intractable problems of the modern world. Getting rid of "hotmail" style accounts and comparatively anonymous ISPs *isn't* the answer.
    • Interesting that he should use that line about drink coasters.

      A guy who I've done some sysadmin and programming work for proudly claims to be personally responsible for causing all of the ISPs in town to stop accepting cash for accounts. Every couple of weeks he would send down a different friend with $40 to sign up for a new account, which he quickly spammed out. Rinse, lather, repeat.

      There is a difference between being anonymous on the internet and being anonymous getting connected to the internet. As for freedom of speech arguments; spam is like yelling fire in a crowded theater.

    • I think it is.

      Why do you want to be anonymous? What are you hiding?

      Back when I first got on the internet, there was relatively no anonymity. When you fucked up and did something obnoxious, you lost your internet account. It was virtually impossible to get back on the internet after that, unless you found some way to convince your network administrator that you had learned your lesson. Of course, there were always some jokers who could hack into whichever server they wanted, but those were rather rare.

      Anonymity changes the face of communications. When you can act as antisocial as you please, with no repercussions, your behavior changes. This is basic psychology.

      I have nothing to hide; neither does anyone else I know. I'm suspicious of anyone who doesn't want any way for his actions to be traceable. When you fuck up, you deserve to lose your access to the internet... plus have everyone else know that YOU were the one who fucked up. Public humiliation works wonders.
      • Why do you want to be anonymous? What are you hiding?

        I am hiding my personal information from those that will spam or telemarket or data mine me to death. I don't want my info in a "consumer dossier".

    • I think that's something we've brought along with us from the BBSing days. I can't see the university professors and military personnel that used the 'Net before commercial usage came along as the type of folks who would have needed any sort of anonymity.

  • it's interesting how in barry's answers he tries to push the responsibility of providing an effective communication mechanism from the provider (ISP) on to the spammer or system abuser.

    whitelisting, as many mailing lists use, is an effective way to combat spam. i've subscribed to many mailing lists, and haven't seen much spam come through those channels. if whitelisting could be implemented by the ISPs (which I really think it could and barry does a bad job of skirting around the question), are there ways around the whitelisting? it would seem like too much work on the spammer's behalf to circumvent that type of a system. have any ISPs tried this type of service?

    in short. barry, your idea of "making the bad guy pay for the spam" is a really crowd cheering idea and i'm sure there will be tons of supporters here from the /. crowd. but, if you take a step back and look at it, there's no real solution proposed. are you suggesting all our SMTP traffic contains a valid CC number in the headers so all the servers that bounce the message can collect their toll for the message i send?

    would you pay an extra 1$ per month for an ISP that allows whitelisting email? if my spam were uncontrollable, i sure as hell would.
  • How about if people had 256 character email addresses? Or 512 bytes? Or 1k? You wouldn't care, as you'd be using your address book. A spammer can use a dictionary to create email addresses and spam them, and be sure a lot exist. But not this way - chances are it would be a nonexistent one.
    • So how do you distribute that address to people that need it? A spammer can simply take advantage of that mechanism.
    • and give out your email address how? Sure, I can hand you a floppy disk, or even a CD. They're a dime a dozen. But then I would have to carry cd's or disks with me everywhere I went if I wanted the same degree of flexibility with regards to divulging my email address. I couldn't give it out over the phone, or fax it to anyone.

      I understand that increased securities result in decreased freedoms, there are better solutions out there. While I find the solution moderately attractive because it makes storing extremely large email lists a little more costly, anything that you gain from having large addresses is easily negated, by any modern advanced compression algorithm (such as bzip2, or even zip).

      Although dictionary attacks would be reduced, it doesn't completely disable spam. If it did, Compuserve would be in AOL's position right now; they pioneered the nonsensical email address.
  • by analog_line (465182) on Monday March 03, 2003 @01:47PM (#5425115)
    Limiting the "sender pays" model to only bulk e-mail will not work, plain and simple. The spammers will find a way to automate a way to utilize multiple individual free e-mail accounts to get their bulk mail out past any ISP installed trigger. Also, mailing lists would be affected by this as well, as they can easily have thousands of recipients, and they'd be flagged as bulk mail. I imagine this would put the kibosh on all free internet mailing lists, because if you make an exception for them, spammers will start "subscribing" people to their "free informational mailing list" that they'll claim they asked for, like they already do.

    Unless everyone must pay for every e-mail sent, the letter of the law will be exploited to the spammers' continued benefit. I don't necessarily advocate moving to a pay system, but if you're going to make anyone pay, you damned well better make everyone pay.
    • Of course it should be universal. But the brilliant part of sender pays is that you can set the payment low enough that it won't be much of a factor for ordinary users, but will be terrible for spammers. For instance, $0.01 per message is unlikely to break the bank for any ordinary net user, but it's enough to significantly raise costs for somebody who's depending on sending out millions of emails for results. An interesting twist on the basic concept that I've considered is the logical conclusion of the sender pays argument: sender pays and recipient gets paid. That way you'd be fine as long as you receive more emails than you send. As a practical matter, most ISPs would probably implement a policy that you wouldn't get a rebate if you received more mail than you sent, and they'd only pay you if they got payment from the original sender, but it would let the process trickle down to ordinary users without greatly inflating their monthly ISP charges.

      This would also potentially be able to save mailing lists. One obvious problem with sender pays is that it would make it prohibitively expensive to run an ordinary mailing list. By giving the money to the recipient, though, you could let the lists recoup most of their sending expenses; users would just return a blank message (or a return receipt) every time they got a message on the mailing list, which would send the penny that it cost the list to mail them back to the person running the list.

      • The biggest problem I see with the sender pays methodology is, what if your email address gets hijacked and used to send spam?
        Consider that a person's address could be used to send say 10,000 spam messages before the ISP closes it off. At $0.01 per message .01*10000 = $100. So a person is out $100 because the ISP's security was breached and/or the person chose an easy to guess password.
        And while I realize that I am about to get a dozen or so elitist, "they deserve it for picking a bad password" responses, that is absolute bullshit. Expecting people to use complex passwords, or even have the slightest clue about network security is simply ignoring the diverse range of people we have in the world. If you can't rebuild your car's engine, fabricate your own IC chips, and rebuild the laser your CD-ROM uses, then you have no business talking about other people using technology they don't know enough about.
        Back to the topic at hand, above, I assumed that the ISP would close off the account at 10,000 messages; however, in a sender pays model, the ISP might just assume that all traffic is now normal, and if the person really wants to send that much email and pay for it, then why stop them? The number of messages could easily be larger by a factor of 100, so we get a $10,000 charge.
        The obvious response would be that the person would be able to claim that they are not responsible, that they were hijacked. So how does the person prove this? The email account was accessed with the right password, sure it was remotely accessed, but this doesn't prove anything. And what is to keep spammers from setting up accounts a month or three in advance, then have them "hijacked"?
        All this system does is shift the burden around some. The average person is now going to be fighting fraudulent charges, the ISPs are going to have to spend large amounts of resources trying to determine between real mass mailings and hijacked accounts, and the courts are probably going to be seeing their fair share of cases about this sort of thing. Just as much as every other system proposed, the Sender Pays model is unworkable.

      • For instance, $0.01 per message is unlikely to break the bank for any ordinary net user

        That's the problem, if I send a message to the Linux kernel mailing list, it's going to cost me a lot (a hundred bucks?) if the cost is per recipient. And if it's per sent message, then spammers will just set up huge mailing lists, that's all.
    • by Zathrus (232140) on Monday March 03, 2003 @02:17PM (#5425364) Homepage
      I haven't read any of his pontifications on sender-pays, but when has that stopped anyone from posting on /. ?

      It probably is an everyone pays system - although I suspect that ISPs will then say "x messages per y time period included!" - and either eat the cost or raise their rates to compensate.

      The real problem will be the same as it is for any microbilling setup - the overhead is a killer. It all looks well and good to stop the spammer that's hitting you with 100,000 emails, but when you realize that you also have to deal with the 10,000 accounts that are sending 10 emails each, the overhead eats you for lunch. Maybe he's proposed a solution for this - if so, then there's a whole lot of VCs that would like to talk to him.
    • The solution to this is simple.
      Each email has a "potential" cost. The person receiving the email decides if it's worth a "click" to collect the money.
      Most of us wouldn't click on mail from our family or friends and their accounts would not be debited. Many people would gladly run through their spam-filter folder clicking on all of them to collect the money. Even if it isn't much money (a cent or less) I would click on them just for the principle of it.

      So don't think of it as "sender pays", think of it as "sender offers to pay".

    • And if everyone has to pay some amount (per message? per kilobyte? details need to be worked out, but in principle this isn't totally unreasonable) but nobody wants to pay a lot ("what, you mean this digital nothing costs a dime when i could have sent a post card for a quarter?"), then all of a sudden the problem has been reduced to a well known & difficult one: micropayments.

      You can maybe peg some of these costs into a subscription scheme -- most people have to be subscribing somewhere to get access to email -- but that breaks down in a lot of ways. People using business email accounts aren't exactly paying now, but businesses are unlikely to [a] charge their own users for email throughput (are they?) or [b] restrict users from emailing to certain addresses (would they?). People using free webmail accounts aren't going to be interested in paying, but the companies providing the service if they had to handle a surcharge for each mail one of their users produced. There are obviously wrinkles in the subscription model, but the problems aren't quite as bad as they are for broader applications of that idea (subscribing to sites like Salon, for example). Still, the problems are there, and possibly a major impediment.

      So you're back to micropayments, a familiar issue to a lot of people at this point. Can they work? Can they make any money? Is the point, in this context, even to make money, or do we just want to prevent other people from being able to make money this way -- and if that's the case, this isn't exactly fair, is it? We'd be punishing everyone for the actions of a small group, because no one has managed to come up with a more imaginative solution, perhaps with good reason, but hopefully with great reluctance as well.

    • The whole sender-pays email system has a lot of questions surrounding it. So can anyone point us in the direction of an RFC (informational/official/otherwise) which goes into detail describing it? The only thing that I could find is RFC 2753 [ietf.org] which talks about sender-pays network services in general and a slight mention of sender-pays email in RFC 1192 [ietf.org] which states that mailing list traffic is reduced in sender-pays situations like MCI-MAIL. It seems like an RFC would be the next logical step.
    • by lar3ry (10905) on Monday March 03, 2003 @04:19PM (#5426269)
      I've been reading the comments, and it seems like the biggest objection to "Sender Pays" goes like "The Linux Kernel Mailing List will disappear if this happens."

      But this objection is unnecessary: the truth is that mailing lists are no longer necessary!

      Why does anybody have to send emails to 100 or 200 people? This is the stuff of horrific waste!

      Instead, let's give the purveyors of email programs the ability to IMPORT messages into the mail queues. Simply connect to a server and download the latest stuff. Do it once a day, once an hour, or whatever. People with PDAs do this (think "AvantGo" and "Mazingo" and a few other services that hot-sync news from the web to a PDA for offline perusal). People with POP and IMAP accounts do this as well (connecting to a server on some regular basis to get email). It's not a big change from the current email GUI model.

      For instance, let's assume there's a "Slashdot Mailing List" that basically feeds all the stories that appear on Slashdot. Your mailer can connect via some "well known protocol" (ftp, http) to the server that provides the mailing list. The mailer then imports the messages into its message queue, augmenting the messages it has received via IMAP and POP3.

      How would this work? The mailer sends the last received message id, and the server sends all messages on the list that appeared after that id. This could be either by generating a transaction on the fly from a database, or just concatenating all messages id's from the one that was last received. Add compression (which email doesn't provide) and you have now provided a benefit--less bandwidth required compared to bulk email.

      And the mailer KNOWS that it's not receiving SPAM, since the user has actually OPTED IN by definition by giving the email program the name of the mailing list that the user is interested in.

      (Some mailing lists do a lot of this processing already, by incorporating messages in a digest format that is emailed or posted to the web, so we're not asking for too much additional functionality from them.)

      Now, an ISP can intercept ALL DATA going across port 25, and examine the envelope. If there is more than a few recipients ("few" determined by the ISP's AUP), the ISP can generate a bounce ("Too many recipients") and drop the mail, or even save the mail, and in the bounce, give a URL that points the user to a "Click Through" agreement to pay the surcharge for sending email to multiple users.

      For Spammers that try to circumvent this by sending one message per recipient, the ISP, which now has the equivalent of a "taxi meter" on port 25, can detect this as well, simply by aggregating the number of emails that a single address is sending out (simple database application).

      Spammers that use open relays will get hit by the same problem, again assuming that the open relay's ISP has filtered port 25.

      This should cut down spam.

      The person whose wife wants to know about sales, simply OPTS IN to a server that will feed her the latest prices from the local grocery or the mall down the road. Advertisers are happy (they know how many people are downloading their bulk stuff), and the recipient is happy. If the mailing list isn't what the wife wanted, tell the email program to no longer download the stuff.

      The only problem I see with such a solution is the possible invasion of privacy that could happen if it wasn't just the envelope of the message that is inspected (think: Carnivore). I'd leave this up to the implementing parties to come up with safeguards against this.

      Any opinions?
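The pull model proposed in the comment above (the mailer sends the last message id it received, the server returns everything newer, compressed) can be sketched as follows. This is an added example, not part of the original comment: the class names, the JSON bundle format and the `gap` flag are assumptions, and an in-process call stands in for the "well known protocol" transport.

```python
import json
import zlib


class ListServer:
    """One opt-in mailing list kept as an append-only sequence of messages."""

    def __init__(self, name):
        self.name = name
        self.messages = []      # list of (msg_id, raw_text), ids strictly increasing
        self.next_id = 1

    def post(self, raw_text):
        msg_id = self.next_id
        self.next_id += 1
        self.messages.append((msg_id, raw_text))
        return msg_id

    def expire_before(self, msg_id):
        """Drop old messages, as a digest archive with limited retention would."""
        self.messages = [(i, t) for i, t in self.messages if i >= msg_id]

    def fetch_since(self, last_id):
        """Return a zlib-compressed bundle of every message newer than last_id."""
        newer = [(i, t) for i, t in self.messages if i > last_id]
        oldest = self.messages[0][0] if self.messages else self.next_id
        # gap: messages after last_id existed once but have already been expired
        gap = last_id + 1 < oldest
        bundle = {"list": self.name, "gap": gap, "messages": newer}
        return zlib.compress(json.dumps(bundle).encode("utf-8"))


class Mailer:
    """Mail client that imports list traffic only for lists the user named."""

    def __init__(self, subscriptions):
        self.last_seen = {name: 0 for name in subscriptions}
        self.inbox = []

    def sync(self, server):
        if server.name not in self.last_seen:
            # Opt-in by definition: nothing is pulled from an unnamed list.
            raise PermissionError("not subscribed to " + server.name)
        blob = server.fetch_since(self.last_seen[server.name])
        bundle = json.loads(zlib.decompress(blob).decode("utf-8"))
        imported = 0
        for msg_id, text in bundle["messages"]:
            if msg_id <= self.last_seen[server.name]:
                continue        # ignore anything already imported
            self.inbox.append((server.name, msg_id, text))
            self.last_seen[server.name] = msg_id
            imported += 1
        return imported, bundle["gap"], len(blob)


def demo():
    """Constructed sample: 20 list posts that share a long footer."""
    footer = "\n-- \nTo leave this list, remove it from your mailer's list of feeds.\n"
    server = ListServer("slashdot-stories")
    raw_bytes = 0
    for n in range(20):
        text = "Subject: Story %d\n\nBody of story number %d.%s" % (n, n, footer)
        raw_bytes += len(text.encode("utf-8"))
        server.post(text)
    mailer = Mailer(["slashdot-stories"])
    imported, gap, wire_bytes = mailer.sync(server)
    return imported, gap, wire_bytes, raw_bytes


if __name__ == "__main__":
    print(demo())
```

The `gap` flag covers the case the comment leaves open: a client that has been offline longer than the server keeps messages learns that it missed some instead of silently skipping them.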
      • Let me just say first off that I think that is a great idea for a solution to the dilemma facing free e-mail mailing lists. The main problem with it, is that a solution would need to be developed quickly (as in, now, while people are discussing it) so there is something that people can move to before the proverbial hammer came down. Also, would this new system respond via e-mail, or a corresponding upload system. My preference would be the latter. An awful lot of people use mailman and its ilk, and while I think it's a great idea, the logistical hurdles are large and varied, the potential consequences are far greater than the Linux Kernel Mailing List goes away, and they need to be addressed.

        Also, this wouldn't save any resources...everyone would have to go download this e-mail from the remote server, possibly slashdotting the poor thing to death on lists with a large readership. This would merely reverse the burden proportion from what it is today...where the list holder would bear the brunt of the bandwidth charges, as opposed to being able to send one e-mail that gets forked to everyone on the list. And only have to deal with responses, not everyone who reads the list downloading every message. Perhaps some kind of free-net style distributed messaging server?

        > Now, an ISP can intercept ALL DATA going across port 25, and examine the envelope. If there is more than a few recipients ("few" determined by the ISP's AUP), the ISP can generate a bounce ("Too many recipients") and drop the mail, or even save the mail, and in the bounce, give a URL that points the user to a "Click Through" agreement to pay the surcharge for sending email to multiple users.
        >
        > For Spammers that try to circumvent this by sending one message per recipient, the ISP, which now has the equivalent of a "taxi meter" on port 25, can detect this as well, simply by aggregating the number of emails that a single address is sending out (simple database application).


        Apologies on the long snip...

        This will not work. First of all, this can't stop a spammer that sets up his own "ISP" with its own mail server that has an AUP of however many messages he wants to send. A potential spammer can always go up the chain to find access at the point where SMTP is not clamped down upon, and plug himself in there. It would be a logistical nightmare of Biblical proportions for every router on the planet to cross-check the credentials on every SMTP packet imaginable, which is what would be necessary in order for your system to truly be spammer-proof, and avoid the "cure is worse than the disease" solution of blacklisting.

        Secondly, even if you do somehow clamp down on every bit of SMTP traffic on the planet, if you leave any kind of number of free e-mails possible, the spammers WILL exploit it. They'll sign up as many free e-mail accounts as possible, all hard limited to a certain number of emails/day or recipients/e-mail, and in no time flat one of them will find a way to script the bejeezus out of them and you'll have made the problem even worse because almost every e-mail source on the planet will have to be blacklisted to avoid the new wave of spam.

        It's a laudable idea to try to preserve some free e-mails for the little guy without big pockets, but if you give an inch, the spammers will turn it into a yard. If you're going to make it cost, the only way it will work is to make it cost everyone. Then there's nowhere for them to run.
  • by FyRE666 (263011)
    As one concrete example, right this minute there's a network provider who was just assigned most of the 69.0.0.0/8 IP address space. Unfortunately, this was formerly a spam and DOS (denial-of-service) cesspool so many sites out there just block the whole 69.* address space.

    So the new owners are making appeals to firewall managers asking them to please remove their blocks in the 69.* space on the NANOG (North American Network Operators Group) list.

    So what? An ISP has bought a netblock that they obviously knew was blocked by virtually everybody (or at least they should have), and now they're having to plead with everyone to unblock them. Call me cynical if you like, but I'm guessing they were fully aware of the problems, and this was a major factor in negotiating the price to buy this particular net block. It's like a real-estate firm paying bottom dollar for some slum neighbourhood, since they expect it to turn a tidy profit once they've cleaned it up.
    • Re:Ahhh, diddums... (Score:5, Informative)

      by paitre (32242) on Monday March 03, 2003 @02:16PM (#5425351) Journal
      You can't exactly request that you be given a given netblock.
      Seriously.
      ARIN probably came back and told them "This is the only /8 currently available for assignment right now. Take it or leave it and come back in 6 months."

      This is why large ISPs and hosting companies (with multiple /16s or larger) tend to have IP addresses all over the place. You get what you can get, and you deal with it.
  • by leviramsey (248057) on Monday March 03, 2003 @01:50PM (#5425139) Journal

    Is how sender is defined. Is any mail of a commercial nature the definition? Would an email from my stockbroker (ie one I hire) suggesting that I sell MSFT qualify? If it's limited strictly to bulk, where is "bulk" defined?

    Yes, certain varieties of spam may be eradicated, but the spammers will simply move on to other varieties that aren't covered.

  • Putting a price on sending mail will make it difficult to get email from peoples who don't have similar economies. It'll stratify the net based on the dollar value of the people. That's not a good thing.

    White lists would require a spammer to spend a small amount of his or her time to get a valid send-to address. But it wouldn't cost a penny. Just time. And if you don't send spam on that valid email, it'll be good for a long long time.

    Come on - Isn't this a good solution?
  • by Anonymous Coward on Monday March 03, 2003 @01:54PM (#5425173)
    Modern spambots can recognise and avoid honeypots, they also use advanced regular expressions to decode addresses like yourname [at] domain dot com into yourname@domain.com, Even addresses encoded in javascript can be converted into regular addresses, because spammers know that the harder you try to hide your address, the more likely it is valid. There are viruses going around to create open relays for spammers too. They use special syntax checkers to make sure their spam doesn't get *** tagged *** spam by Bayesian classification. Their dirty tricks are always getting smarter, so prepare for it to get worse!

    If you are stupid enough to buy software from a spammer, beware it might contain a virus to turn your computer into an open relay, so be smart and install Linux.
  • by peptidbond (189705)
    If you could meet a spammer, what would you say? What would you do? What caliber would you use? Would you want someone to do it for you? Is $10,000 a head too much?

    Caliber? Why use a weapon when you can use your HANDS! Or even better, use the spammers hands against them. There is nothing better than beating a spammer to death that to do it with their own arms*.

    *NOTE: a spammer with broken arms would have trouble typing ;-)
  • by RabidMonkey (30447) <canadaboy.gmail@com> on Monday March 03, 2003 @01:56PM (#5425194) Homepage
    Even at 'our' level of knowledge, we all give out our email addresses every day. And we're not neophytes by any stretch.

    Every day thousands of people sign into various sites, drop their email addresses here and there, never thinking of the consequence of where that's going to go, and not seeing the connection to the increased levels of spam. I have one spam account that I use for any site I think is going to sell/lease/rent/whatever my email and I watch it to see when increases begin. I don't ever give out a regular account, because I KNOW I'm going to get spam.

    If we could educate the 'regular' masses of internet users that send emails to their family and friends, and surf for news, we'd be ahead already. If we could show them that by giving away your email address you ARE going to get spam, they might stop. The example that works for me is 'do you stop and give out your address to every single store you walk into? to the guys trying to 'give away' free newspapers?' If people learn to control their email address as they do the rest of their personal/private information, there will be less targets for spam.

    My 'theory' works in practice. I get about 5 spams a day on my main account, which I use for various mailing lists, websites etc. I selectively give out my 'good' account, and what crap I do get Cloudmark [cloudmark.com] gets rid of for me.

    So if we could educate our friends/family not to just give up their email address to every site that wants it, every program they install, every popup that comes up, they'd get a lot less immediately.
    • I run a small free mailing list that people can sign up for on my web site. I hardly ever send them a newsletter, maybe once every 6 months. A very strange thing happened, in the last year or so, I've had almost no new signups, compared to about 10 per day in the past. My page hits haven't gone down that much during the same period either.

      Also, the first several newsletters I sent out had nearly no bounces, but this most recent time, I had something like 2000 bounces out of 4000 emails. People are getting a lot more wary of giving their email out, and they also are cancelling the email addresses they did give out freely in the past.

      It's to the detriment of a small site like mine that uses email lists for legitimate purposes.
  • one problem (Score:5, Insightful)

    by cr@ckwhore (165454) on Monday March 03, 2003 @01:57PM (#5425203) Homepage
    Good idea, but there is at least one fundamental problem with this proposal: (I'm not pro-spam or anything, just catching the obvious)

    From the horse's mouth himself when asked "If the ISPs were to band together to control spam, why shouldn't they just block it entirely?" - his answer: "it's too hard to identify."

    It's no secret that spam is hard to identify. If it were easy to identify, we wouldn't even have this discussion. BUT, if you can't identify it well enough to filter effectively, HOW THE FUCK DO YOU EXPECT TO REGULATE IT?? You think the spammers are going to roll over and suddenly agree to play by the rules, especially since you're going to ask them to start paying $$? I don't think so!!

    Go ahead with your system and try to regulate the spammers. In order to do that, you'll have to license each bulk emailer and probably force them to comply with the system by putting a unique identifier in their spam so it can be properly "regulated". Go ahead... do it! That way, we can grab the licensee list and filter by that... in essence, you'll probably be making spam easier to identify and kill. Where's the economy in that?

  • by AwesomeJT (525759) on Monday March 03, 2003 @02:00PM (#5425227) Homepage
    Well, could someone open a modified sendmail relay that only logs connections and attempts to send spam -- that way you'll have a good idea who is sending the spam (at least the ones dumb enough not to cover their tracks before it gets relayed). Then you could DOS or hack that system and disable it. Or at least find the owner or ISP of the IP address. Could be a fun experiment.
  • Sender pays (Score:3, Interesting)

    by DonkeyJimmy (599788) on Monday March 03, 2003 @02:00PM (#5425228)
    I'm not so sure I trust this idea. Who are we paying? If the sender pays, then I want the receiver to get paid. Either by everyone getting reduced ISP rates, or just getting to send a free email for each one they receive.

    Then, for someone to spam 50,000 people, they'll want to find a way to get 50,000 e-mails sent to them, probably from other spammers, and spammer will be fighting spammer in the arena of the web, while us "innocent bystandards" will be making money. More likely, spam will just stop and everyone will send about as many emails as they receive.
  • by brkello (642429) on Monday March 03, 2003 @02:01PM (#5425239)
    Having the sender pay for bulk e-mail to stop spam is a nice idea, but I don't see how it can work. First, this will just encourage spammers to hack in to others' accounts and e-mail from there. So poor grandma is stuck with a bill for mail she didn't send (even if she gets her money back because it was hacked in to, it would take a lot of time and money for the ISP to actually investigate that). Second, how do you define bulk? Mail that goes out to more than 20 recipients? If that were the case, they would just generate messages that had 19 recipients and move on to the next chunk. Maybe it can be done by the number of messages per hour. In any case, this would need to be defined, and I am sure wherever that bar is set, the spammers will go right under it. Last, how do you protect legitimate bulk mailers? My mother runs a non-profit dance club with 800 or so members. Everyone on her list has requested to be sent the mail, would she still have to pay the bill?

    Overall interesting, I just would like more info on the details...or if the details can't answer those questions, start thinking now.
  • by MCZapf (218870) on Monday March 03, 2003 @02:01PM (#5425240)
    This guy talks about how great a "sender pays" scheme would be because it creates revenue and "clarifies the legal situation." But he doesn't give any details as to how it would be implemented. I don't think it can be implemented. You'd have to set up Email2, with authenticated users, payment methods, billing, accounts, etc. AT ALL ISPs. It seems to me that it would be easier to try to get people to stop spamming voluntarily. That is, I don't think it'd be very easy!
    • If you're going to try a system that only works if everybody does it (on pain of being blackholed out of the community of people who do use it), then there's no need for sender-pays. A simple regulator throttle on outgoing e-mail (e.g. anybody who's sent to more than 100 addresses today has mail delayed 2 seconds per additional address, escalating upwards from there) would suffice.

      Sender-pays is at best a poorly thought-out concept, at worst a cynical ploy for more money.
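The regulator throttle described in the comment above, which is also the per-sender "taxi meter" from the earlier mailing-list comment, can be worked through on SMTP envelope data. This is an added example, not code from any poster: the log format and sample lines are constructed, and the escalation rule (per-address delay doubles after every further 100 addresses) is an assumption, since the comment only says "escalating upwards from there".

```python
import re
from collections import defaultdict
from datetime import datetime

FREE_ADDRESSES = 100   # from the comment: no delay for the first 100 addresses per day
BASE_DELAY_S = 2.0     # from the comment: 2 seconds per additional address
ESCALATE_EVERY = 100   # assumption: per-address delay doubles every 100 further addresses

# Constructed log format: "<UTC timestamp> from=<sender> to=<rcpt>,<rcpt>,..."
LOG_RE = re.compile(r"^(\S+) from=<([^>]*)> to=(.+)$")


class OutboundMeter:
    """Counts distinct envelope recipients per sender per day."""

    def __init__(self):
        self.seen = defaultdict(set)    # (sender, date) -> recipient addresses

    def delay_for(self, sender, recipients, when):
        """Seconds to hold this message before relaying it."""
        seen = self.seen[(sender.lower(), when.date())]
        delay = 0.0
        for rcpt in recipients:
            rcpt = rcpt.lower()
            if rcpt in seen:
                continue                # repeat mail to the same address is not re-charged
            seen.add(rcpt)
            over = len(seen) - FREE_ADDRESSES
            if over > 0:
                tier = (over - 1) // ESCALATE_EVERY
                delay += BASE_DELAY_S * (2 ** tier)
        return delay


def parse_envelope(line):
    """Return (timestamp, sender, [recipients]) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return when, m.group(2), re.findall(r"<([^>]+)>", m.group(3))


def total_delay(lines):
    """Total throttle delay each sender accumulates over a log."""
    meter = OutboundMeter()
    totals = defaultdict(float)
    for line in lines:
        env = parse_envelope(line)
        if env is None:
            continue
        when, sender, rcpts = env
        totals[sender.lower()] += meter.delay_for(sender, rcpts, when)
    return dict(totals)


def make_line(ts, sender, rcpts):
    return "%s from=<%s> to=%s" % (ts, sender, ",".join("<%s>" % r for r in rcpts))


# Constructed sample: one message to 105 addresses, 105 single-recipient
# messages from another sender, and one ordinary two-recipient message.
SAMPLE_LOG = [make_line("2003-03-03T09:00:00Z", "list@example.org",
                        ["u%d@example.net" % i for i in range(105)])]
SAMPLE_LOG += [make_line("2003-03-03T09:00:01Z", "drip@example.com",
                         ["v%d@example.net" % i]) for i in range(105)]
SAMPLE_LOG.append(make_line("2003-03-03T10:00:00Z", "alice@example.org",
                            ["bob@example.net", "carol@example.net"]))

if __name__ == "__main__":
    for sender, seconds in sorted(total_delay(SAMPLE_LOG).items()):
        print(sender, seconds)
```

Because the meter counts envelope recipients rather than messages, splitting a mailing into one message per recipient accumulates the same delay as a single message with many recipients.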

    • by Tackhead (54550) on Monday March 03, 2003 @03:29PM (#5425861)
      > You'd have to set up Email2, with authenticated users, payment methods, billing, accounts, etc. AT ALL ISPs. It seems to me that it would be easier to try to get people to stop spamming voluntarily. That is, I don't think it'd be very easy!

      I agree.

      If you give me the choice between "SMTP without spam", and "SMTP-Barry, with only the spam that someone has paid my ISP to send me", I'm all for it.

      That is, I'll continue to use SMTP, and block all SMTP-Barry traffic because I'm not interested in anything Barry's clients have to say, no matter how much they paid my ISP to get past the filter.

      Unfortunately, if you give a spammer a choice between "SMTP where it costs $19.99 per disposable account to spam a million people and get $100 in responses" and "SMTP-Barry, where it costs me $100K to spam a million people"...

      ...the spammers will also continue to use SMTP.

      So don't give us the choice? Drop SMTP altogether for SMTP-Barry? Great. Now instead of getting 10 spams a day for Viagra, I get 10 spams a day for DaimlerChrysler. How am I better off?

      (No, I'm not making that up about Chrysler - got a fucking turdlet for Chrysler products from Eddy Marin's "optin-subscription" spamhaus just a few days ago. Looks like Eddy's working his way up - he's also scammed Gonzaga University into working with him. Way to check references on your fucking marketing partners, Chrysler.)

  • by DanielRavenNest (107550) on Monday March 03, 2003 @02:03PM (#5425253)
    A simple way to handle spammers and rogue ISPs
    is for reputable ISPs to start charging for
    net email traffic. Thus if a peering ISP is
    sending you more email than you are sending them,
    you charge them for the service of transporting
    their mail to your users.

    ISPs that provide service to spammers will then
    be paying for their outgoing email, and will have
    every reason to charge the spammers for the
    extra traffic.

    ISPs on the receiving end of excess traffic
    will either have a new revenue stream, or will
    have a legitimate reason to blacklist an ISP:
    they haven't paid for the service they are
    getting.

    Daniel
  • There has been much discussion of white lists, spammer list, RBLs, simulated 550 bounces, bayesian analysis, etc.

    On Linux, these solutions either exist, or are being built, and on Windows there is Spam Sleuth [bluesquirrel.com] for individuals with ISP accounts, or an Enterprise version for companies, ISPs and schools.

    The proposed solutions are not mutually exclusive. Most proponents of Bayesian analysis recommend also using a white list. Add RBLs, Profanity Filter, Bad Word Filter, Valid Sender tests, etc. and it really works great. Keep the spam for a "short time" to train the Bayesian Analyzer, and just-in-case an important message slips through.

    These are not solutions where everyone has to comply, or it doesn't work. These tools will stop the spam immediately for those who use them. They instantly have an effect, although probably minor, on the spammers.

  • by WNight (23683) on Monday March 03, 2003 @02:07PM (#5425285) Homepage
    I advocate simple responsibility and ostracizing offenders.

    We need to sign backbone providers up for a blackhole system. Then blackhole open relays and spam-friendly ISPs.

    If an ISP's client's email doesn't reach 5% of the net, the client's going to blame the target systems. If that client can't email anyone who isn't on his ISP, he's going to blame his ISP. This is why we need a large percentage of backbone providers signed up. We need to make it look like a serious problem, not a normal glitch.

    ISPs would probably want to have an account type of people who send more than 100 messages per day, or more than ten copies (non-CCs) of a single message. People with these accounts can be more closely monitored and if someone with a regular account sends out a few hundred spam before being caught, it's not that big of a deal.

    We've shown that companies won't disconnect a paying customer until everyone else complains. We need a way to make complaints heard, and an above-reproach spam-listing service to direct the complaints. The service needs to be run by a wide sampling of people and all spam submitted needs to be publicly visible. Anything less opens it up to charges of discrimination. Also, having a strictly documented procedure helps if they're sued by a spammer for defamation.

    It needs to be established that while you paid for the pipe for the ability to send data, I am free to choose if I want to listen to you. It's not censorship if everyone decides to ignore you.
  • by xtheunknown (174416) on Monday March 03, 2003 @02:09PM (#5425293)
    I am not one to take sides with the spammers, but I have one question? How is e-mail different than snail mail?

    Recently I moved to a town where there is no home mail delivery. I had to get a PO box. After a few weeks, I found that I was getting more direct mail than mail addressed to me. I asked the post office not to deliver this mail, but they refused saying that those companies paid to have mail delivered to me and therefore they couldn't stop delivery of junk mail. The only way I could get them to stop was to write each junk mailer and request them to stop sending me unsolicited mail.

    Well, I don't think I am going to send each one a letter so I just put up with it. How is this any different than spam?

    • Quote:
      How is e-mail different than snail mail?
      Money. It costs $$ to send snail mail. That money goes to the USPO, who use it to beef-up staffing and pay for the resources needed to deliver said mail. On the other hand, a spammer can send 10 or a million emails a day for the same flat rate. But ISPs don't receive any $$ for the extra resources needed to deliver said mail.
  • by ashitaka (27544) on Monday March 03, 2003 @02:10PM (#5425298) Homepage
    Another problem I've had with blacklists is that some have become rogue and gone power-mad, blacklisting addresses for reasons completely unrelated to their stated purpose such as personal politics.

    Check out the answers to requests to SPEWS for delisting in news.admin.net-abuse.email. They tend to be along the lines of:

    "What? You actually purchased a netblock from that evil, scum-sucking ISP who hosted a website that pointed to another website that somehow gathered email addresses that found their way into some spammer's list? We don't think they'll stop having something to do with spam so forget about them ever being de-listed!!! Serves you right you moronic spam supporting fool for not checking first!! MUWAHAHAHAHAHAHA!!"

    I think he's describing SPEWS quite well.

  • ISP Control? (Score:3, Insightful)

    by n-baxley (103975) <nate@@@baxleys...org> on Monday March 03, 2003 @02:13PM (#5425324) Homepage Journal
    In question 4, Mr. Shein says: ...It's not reasonable that an ISP such as myself has no control over what sort of advertising is placed in my customers' mailboxes yet is left responsible for the quality of that experience. ...

    I think that's kind of a slippery slope. When the ISP begins deciding what email you get and don't get, where do you draw the line. I would certainly want a system like this to be opt-in so that I can deal with all the email I get (good and bad) and not have that decision made for me by someone else.
    • That's only an issue if you don't know the ISP's policies. If they publish their policies and you sign up knowing them, then presumably you don't disagree with them too much. If you want an ISP that allows everything through, you wouldn't sign up with one with a draconian filtering policy.

      For myself, I'm happy my ISP applies some fairly extensive filtering to remove spam, applies more that flags messages in the headers so I can drop it myself if I want, and has a setup where I can do my own filtering on top of that. I'd be rather annoyed if someone tried to tell me my chosen ISP couldn't do the things that convinced me to go with them in the first place.

  • Mailing lists? (Score:2, Interesting)

    by pdawson (89236)
    Here's one I didn't see an answer to: How would a sender-pays system handle mailing lists such as majordomo or yahoo/egroups setups? Any ideas?
  • Spammer pays... (Score:5, Interesting)

    by YrWrstNtmr (564987) on Monday March 03, 2003 @02:21PM (#5425402)
    ...who? The ISP? Nice revenue stream. Some would actively solicit spammers for the increased revenue.
    And then some ISP's would simply put it on a flat rate. Or advertise "Send free emails!", and charge an extra dollar on the base price.

    The recipient? hmmm.....there would end up being some kind of reciprocal agreement between spammers. "I pay you, you pay me."

    The poor user whose box gets cracked and becomes the sender of a million emails is in for a fight getting his money back or account reinstated.

    And then of course the valid bulk email senders would wither and die.

    Who pays, and who gets 'paid'?

    Sorry, but there are far too many loopholes and traps for paid email to actually work.
  • No Way! (Score:3, Insightful)

    by mark_space2001 (570644) on Monday March 03, 2003 @02:27PM (#5425438)
    ISP Head Floats Plan To Legalize Spam

    Banning spam is an impossible task, and instead a mechanism must be developed to control bulk commercial e-mail and make the senders pay for the infrastructure costs of distribution, according to an Internet service provider president.

    "It could be a legitimate business," said Barry Shein

    This I object to a lot. There's no way I want to support any initiative that puts more spam in my mail box. The national "don't call" list is a step in the right direction towards re-gaining control over our telephones. Now we should support the same thing for email.

    Don't give up the fight!

    Here's my suggestions:

    1. Make it illegal to use an email list for spam unless you are the primary seller to a customer. Let's put all these knot-heads who do nothing but collect email address and re-sell them out of business. Amazon.com can hold on to my email because I purchase stuff from them, but not anyone I don't have a business relationship with.

    2. Primary sellers may sell one-time use email addresses. One time use. Period. Holding onto that email falls under 1. and will land your butt in jail.

    3. The primary seller MUST maintain a "don't email" service. Failure to do this accurately is a big no-no. Addresses on the "don't email" list can't be sold or even used internally for advertising.

    Now that will take care of all the domestic spam. To finish the job, we should:

    4. Require that the mail relay is responsible for anything transmitted. Yup, run an open relay and you could go to prison. Sucks to be you. Maybe you should put some reasonable controls on that open relay, like only accepting email from IPs from a country with reasonable SPAM law. China is obviously right out ^_^.

    That's it. We could do it. "Don't email" lists won't work because foreign countries won't respect them. But close those relays and the problem becomes local. Some well meaning yet technically challenged IT people go to prison? Good. The technically challenged have no business operating a computer anyway.

    Think how much better the world would be if no one was getting bilked by 419. If everyone could use the internet with fear of unwanted porn or receiving literally hundreds of scams each month. Hey, we might even see some growth in the industry! More use of websites, legitimate use of email advertising, and the jobs that follow, it all flows from taking control of the internet from people that are basically common criminals.

    Mr. Shein's plan does one thing and one thing only, and that's put money in his pocket, while the rest of us can go hang.

  • I'm getting quite fed up with all the anti-spam rhetoric around the 'Net. All kinds of figures fly around as to the cost and magnitude of the spam problem, but most of them are obviously biased and the methodology by which they are obtained is generally fuzzy at best. It reminds one of the figures quoted by the BSA for software piracy, or the figures quoted by the RIAA for music piracy: that is, they factor in all kinds of "intangible" costs, are based on questionable assumptions, and are impossible to verify.

    It is clear that spam is a nuisance. But spam filters work miracles, and they don't have to be fashionable Bayesian classifiers either. Simple threshold or trigger based filters work extremely well for individual mail accounts. Such as junkfilter [zer0.org], or SpamAssassin [spamassassin.org].

    Now some people will argue that filters don't solve the problem: by the time the mail arrives in somebody's inbox, the damage has been done, the network resources have been wasted and the CPU time has been spent. But that argument is meaningless without a means to quantify the costs. And again, where are the figures? How can we even reliably estimate the figures?

    It stands to reason that many people benefit from inflating the costs of spam. Meanwhile nobody questions the figures because everybody hates spam. Notice how Barry manages to almost, but not quite, evade question #7 in this interview.

    Spam: the non-issue that everyone loves to hate.
  • You want spammers to stop sending spam, start here.
    1. Make it illegal to give out free accounts. Having an internet account should cost money. (In other words, abolish Hotmail, Yahoo, and other such accounts.)
    2. Require verification and lots of it for establishing an account
    3. Mail servers should only accept email for sending out from verified accounts on their own domain, within restricted subnets; if you're not on the subnet list you can't send mail.
  • Preach on! (Score:5, Interesting)

    by The Bungi (221687) <thebungi@gmail.com> on Monday March 03, 2003 @02:35PM (#5425498) Homepage
    Another problem I've had with blacklists is that some have become rogue and gone power-mad, blacklisting addresses for reasons completely unrelated to their stated purpose such as personal politics.

    Those of you who run one or more domains from which spam NEVER generates, and who've had some asshole wacko submit said domain(s) to a RTBL, raise your hand.

    If you think RTBLs are great, wait until you get on one of them. It's almost Orwellian. Amazingly simple to be in one, incredibly difficult to get out.

    Granted, some RTBLs are run responsibly. But a few are nothing more than power trips for the operators - people who've become essentially hysterical about spam and are quite glad to condemn anyone with minimum proof. An IP address in a forged header, fer fuck's sake.

    Police, prosecutor, judge, jury and executioner, all rolled up in a wonderful little bundle of joy.

    • Actually, a couple of years ago, I got email from a sales rep's home account. The person who emailed the rep couldn't email the rep's company account. Apparently we had managed to make it onto either RBL or ORBS (I don't remember). After having a laughing fit (so apropos... at the time one of our marketing guys was trying to figure out the best way to spam our potential customers), I did some research. Sure enough, open relay. Nice to see the better-than-thou corporate IT doing such a good job. Anyhow, I got ahold of someone, made them fix it. Re-submitted it to the RBL, and two days later it worked.

      Oddly enough, our people weren't willing to fix it until I told them that the vast majority of our clients were probably subscribed (via their schools), and so our customers couldn't reach our sales slugs.

      So, NBD to get off of one, at least over here.
  • by phorm (591458) on Monday March 03, 2003 @02:41PM (#5425543) Journal
    How about if ISPs had some way of tracking those that respond to SPAM-sent offers, and had a clause making those customers liable. After all, it's the 1 in 1000 users who respond to spam that make it profitable.
  • by jamie (78724) <jamie@slashdot.org> on Monday March 03, 2003 @02:50PM (#5425606) Journal

    Hi Barry,

    Thanks for doing this interview :)

    I'm not really satisfied with your answer to my question about dollar cost of spam, but that's OK, you don't have to satisfy me :)

    I did want to clear one thing up. I had written:

    "As far as I can tell, SMTP traffic is at most 2-5% of net traffic."

    And you responded:

    "Your figures for the percentage of bandwidth which is spam are far too low. Others have put the numbers much higher. NewsFactor cites studies putting the figure somewhere between 17 and 38%."

    I totally accept that spam is about 17-38% of SMTP traffic, that sounds roughly correct to me.

    My point there was that SMTP traffic is a very small fraction of total net traffic.

    I haven't found any recent statistics on this -- partly because I don't think anyone publishes these numbers anymore, and partly because it's a real pain to try to find with Google. (Do a search on "SMTP NNTP HTTP bandwidth backbone" and you turn up a zillion ISPs bragging about all the protocols they support and how many backbones they're connected to.)

    Here's one example of the crappy data out there, a six-year-old report from a link near a backbone showing that SMTP traffic totaled 2.2% of all network traffic:

    http://www.nlanr.net/NA/Learn/popular.html [nlanr.net]

    Here's another survey of a backbone, this one five years old, showing SMTP traffic as 3.3% of all network traffic:

    http://traffic.caida.org/Reading/Papers/Inet98/ [caida.org]

    My point was just that if we're trying to assign a dollar figure to what spam costs an ISP, we might as well ignore connectivity charges, because SMTP itself uses so little bandwidth.

    As for what all the other costs add up to... I still don't know.


  • What would be your actual dollar cost of spam, if you didn't spend much time and effort fighting it?


    He didn't actually answer the question. It's too bad that we don't see more actual analysis rather than opinions. Are we really concerned about people in our society who are "on the fence" about e-mail and might decide not to use it, at all, because of spam?

    Like the poster of question #7, I am also skeptical of the actual cost.

    PS: I don't like spam

  • by sulli (195030) on Monday March 03, 2003 @03:04PM (#5425683) Journal
    did the spam filter eat the dept. contents?
  • people are giving up on the internet because it's too much trouble to "wade through" spam? This guy should stop being a whiny businessman and start whining for a living as a lobbyist. I would mod him Troll if possible.
  • by mjh (57755) <mark.hornclan@com> on Monday March 03, 2003 @03:38PM (#5425942) Homepage Journal
    I think this guy really understands TMDA [tmda.net] when he answered question #3 like this:

    And how exactly do you propose to "inform the system that you are a real user"?

    The answer to his question is, "By using TMDA, of course!". TMDA is an automated whitelist management program. I agree that manually managing whitelists is next to impossible, even at the individual level. But that's why TMDA exists, to automate that process.

    And it's currently being tested on a large scale. GMANE [gmane.org] is using TMDA [gmane.org] as a mechanism of blocking spam for some 3500 mailing lists.

    I wish I could rewrite the original question so that it was more clear that TMDA is an automated whitelist management program. Cuz I don't think the guy understood that. And he answered as if the question were suggesting that the ISP manage all their users' whitelists.

    $.02

  • by MattW (97290) <matt@ender.com> on Monday March 03, 2003 @05:12PM (#5426739) Homepage
    Basically, the way to go is to go with a combination of manual and automatic whitelisting. Here's how:
    • When you get an email, check black and whitelist. Blacklist: delete (or bounce). Whitelist: deliver.
    • If email is not in either list, send an automatic response back to sender. Force them to visit website to confirm their humanity using a character recognition system where they look at an image and type in the word/characters/etc pictured.
    • If they respond, add them to the whitelist and deliver queued mail
    • Mail not handled by either list or verified queues up for a certain amount of time, during which the mail user can go and flag specific addresses as whitelisted (allowing them to pass through things when they do things like sign up for mailing lists or accounts or other things which generate automatic email)
    • After a certain number of days queued up, drop/reject queued email.


    This means that the vast majority of a typical person's email -- communicating with people they know -- is unaffected at all. Giving their email out to new people is risk-free.

    Using the commercial version of this service that I know of -- Spam Arrest [spamarrest.com] -- is $3/mo if you pay for a year. Only about $2.25 if you pay for 2. If I was looking for an ISP that I used for email, I'd expect this to be part of their mail system (albeit perhaps optional).
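
The black/whitelist, challenge, queue and expiry steps listed in the comment above, sketched as an added example; this is not the poster's code or Spam Arrest's. The class name, the 7-day hold and the random token standing in for the web confirmation are assumptions.

```python
import secrets

HOLD_SECONDS = 7 * 86400  # assumed; the post only says "a certain number of days"

class ChallengeQueue:
    def __init__(self, whitelist=(), blacklist=()):
        self.whitelist = {a.lower() for a in whitelist}
        self.blacklist = {a.lower() for a in blacklist}
        self.pending = {}   # sender -> {"token", "first_seen", "messages"}
        self.tokens = {}    # token -> sender

    def receive(self, sender, message, now):
        sender = sender.lower()
        if sender in self.blacklist:
            return ("drop", None)
        if sender in self.whitelist:
            return ("deliver", [message])
        entry = self.pending.get(sender)
        if entry:  # already challenged: queue silently, never send a second challenge
            entry["messages"].append(message)
            return ("queued", None)
        token = secrets.token_urlsafe(16)  # unguessable, so it cannot be self-confirmed blind
        self.pending[sender] = {"token": token, "first_seen": now, "messages": [message]}
        self.tokens[token] = sender
        return ("challenge", token)  # caller mails the confirmation link to the sender

    def _release(self, sender):
        self.whitelist.add(sender)
        entry = self.pending.pop(sender, None)
        if entry is None:
            return []
        self.tokens.pop(entry["token"], None)
        return entry["messages"]

    def confirm(self, token):
        """Sender passed the web check: whitelist them and release queued mail."""
        sender = self.tokens.get(token)
        return self._release(sender) if sender else []

    def user_whitelist(self, sender):
        """Mailbox owner approves an address by hand (e.g. a mailing list)."""
        return self._release(sender.lower())

    def expire(self, now):
        """Drop queues held longer than HOLD_SECONDS; return the expired senders."""
        old = [s for s, e in self.pending.items() if now - e["first_seen"] > HOLD_SECONDS]
        for s in old:
            self.tokens.pop(self.pending.pop(s)["token"], None)
        return old
```

Issuing only one challenge per unknown sender keeps the system from repeatedly mailing an address that a spammer forged.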
