Tipping Point for Spam?

Here's a few quotes from an article just posted on Yahoo! News about the US FTC's three-day forum on "spam."


Article: Spam E-Mail Problem Worse Than Imagined

Have a personal opinion on what can or should be done?

There's no way to stop it...

I use Popfile, a free cross-platform bayesian spam filter written in perl, and it's 97% (97.02% actually) accurate classifying my mail. It's more accurate for my brother, who gets A LOT of spam and my wife, as well.

I see very little spam nowadays. I realize this isn't net-wide or a permanent solution, but it works amazingly well for me.

http://popfile.sf.net

My university has an excellent filter written by the cs folks. It's still in development, but it only lets about three or four spam messages into my inbox, while it filters out about 110 messages a day.

Still though, it angers me when I see the size of my junk mail folder. It varies between 600-900 messages in size...spam is kept for one week before being deleted.

Well, the Common Wealth of Virginia has set the pace to put an end to spam once and for all - so I am pleased. It should cross the border over to here pretty soon. The great thing about it is that they have already challenged spammers to push the button and they will indeed be prosecuted - from experience, Virginia law is no joke, they mean business.

As John already said, there is no way to stop it.

The only reason for all the fuss by anyone important is because they don't make any money from it. Otherwise it's just motionless fuss by people like ourselves and there is nothing we can do except employ preventatives.

Think about how much junk mail you get through your door each day, how many people complain about that apart from you the person receiving it? Not many, and why? Because people profit from it. If there was a way for a company to control a monopoly over e-mail then no one would complain except for the people getting it.

As far as any laws, they will all be a waste of time because as we already know, technology grows at a much faster rate than the people who sit around writing laws. By time they have written one law there is already a way to get around it.

I hate spam just like the rest of you, but I think rather than teaching people how to read and complain we should be teaching them the purpose behind a frigin delete button which all mail apps have.

Well, good point, it's not just spam email. I don't even open 80% of the real mail I get, I just tear it up and toss it. I also pay $2/month for my phone company to screen my calls, which works very well.

But, email spam is an entirely different beast. I get a much higher volume of it, and it will probably get worse since in the end, it's so easy and cheap to send. There's virtually no overhead in it, so even the most miniscule profit generation is still profit.

The spam itself though, doesn't irk me. It's the privacy issues that piss me off. I have several email addresses plastered all over the internet, and none of them get hit with any serious amount of spam. Why? Because they're not registered with any companies, they aren't supplied by an isp, a workplace or anything. They belong to me, at domains I own, on servers I pay money for. The reality of it is, spam doesn't come from robots mining email addresses from the web. At least not for me, I've had four year old addresses that hadn't seen a single spam message in their lifetime, and you could have found the address plastered in hundreds of different pages on the internet, some with decent rankings too. It's my work address (university) though, that gets hit because sponsors have mined data and sold it, or the university itself has and sold it to make money, or the university fails to properly enforce the legal use policy on their directories.

Same thing happened at the previous university I attended. And the previous one, though not to the same extent, it was also quite a while ago.

Same thing with my phone company too. I'll never forget this one:

When I moved into my current appartment, like always, I needed to change my phone number. Within 10 minutes of plugging the phone in for the first time, a solicitor called and asked for me by name. By the end of the day, I had a few other solicitor calls (I got about 5 a day before I started filtering). No big deal, happens all the time, right? After all, you give your phone number out regularly when applying for video store cards, or almost anything now.

Turns out though, when I called the company to move my service, the phone number they assigned me, and the phone number they told me I was getting were different. So, for a week before I moved in, and about a week after I moved in, I never knew my phone number, and all the places I re-registered my new number with had the wrong number. They couldn't have been responsible for selling the info.

The only company/person/institution that knew my number was my phone company, which means they must have been the ones that sold my info. Sold it out to so many companies so quickly, that solicitors were asking for me by name within minutes of the phone being plugged into the wall.

I bitched like I've never bitched before to the company, but they of course denied everything, saying something to the effect of it was my doing, one of the institutions I gave my phone number to must have sold the info. But I never even knew the bloody number, how could I have given it out? Gah, it was like pulling teeth from the people at the other end of the line...I gave up.

</rant>

The two biggest blunders of the internet:

1. TCP/IP headers can be spoofed, and 99% of the routers and switches on the internet never force a packet to verify it's original source.

2. Email headers can be spoofed, and probably 100% of the email relays on the web never force an email to verify it's sending address. There is almost no spam anymore that actually comes from the address in the headers, much less the "Reply to" field.

If those two architectural flaws can be fixed, 99% of the security problems and 99% of the spam on the web can be removed.

The problem is that it would take a major revamping of the internet to accomplish this, because those who built the internet in the first place never stopped to consider these two possibilities. As Steve Gibson says "If ISPs would begin adopting the practice of preventing the escape of fraudulently addressed packets from within their controlled networks, this potent attack, and its many cousins, would die overnight." (In reference to DDOS attacks)

With email, I believe the problem could be solved at the mail server level, though. If servers/relays were set up so that there was some sort of authentication key to check for the origin of every email, then all spam would have to come from a legitimate source, and thus could be easily filtered, and culprits quickly found and punished.

Then, on a "social-engineering" level, I think it would make perfect sense for email to be a metered service, costing something like a penny per email, with special bulk packages for legitimate mailing lists (and we could offset the cost of email by lowering the "regular" monthly cost of ISP service). This would make spam the most un-rewarding business in existence, while still not drastically changing life for the rest of us. But, I think in order for this to work we would still need origin authentication for email, or the wrong person would end up getting the bill for the spam.

Hah... check it out. Someone else agrees with my approach.

Of course, there are difficulties with this approach also, but at the core, what is needed is still a way to authenticate emails against the sender.

As another poster in the Slashdot thread noted, a similar approach is possible right now, if everyone would use PGP. It would simply take up too many CPU resources for spammers to sign every single message with a PGP signature. If they tried to use the same signature for 1 million emails, they could easily be filtered out.

So, if all major email clients were designed to automatically integrate PGP, and require a PGP sig before sending an email, again the problem could be solved. Even better yet, all email clients should require encryption for all emails. Eventually, mail servers could be set up to only pass PGP-encrypted email, which would be best for all concerned anyway. Of course, our friends in the NSA or IAO would have a coniption at not being able to sort through everyone's email.

Enforcing a tax on email (world wide) is impossible. But I would definitely support an internet service that lets members return spam to any confirmed guilty spammers.
"Scavenger hunters" could track down the authors real email addresses (using the links on their spam messages as a starting point) and take a share of the sites advertising revenue.