Helping people with computers... one answer at a time.
Read the article that everyone's commenting on.
Leo, I agree with your conclusion. We must all lobby our respective service providers, politicians etc. to insist on a safe and secure email system for all. I Don't know enough about email specs to suggest a solution but as I understand it, emails are moved around the internet through a limited number of 'gateways'. Surely it is possible for the source and destination to be controlled and/or verified before being passed on. Or am I being too simplistic ?
You will never educate or even convince ALL computer users not to allow their machines to be co-oped to this use. Education should be continued but is doomed to failure as the ONLY solution. Computer technology is becomming so inexpensive it will become cost efective to build spam generating farms. Your possition on Blue's actions is correct. D.D.
Sadly, the financial incentive to sell products to reduce spam will most likely prevent awy real, total solution. Educating the masses is a concept akin to Utopia and equally unreachable
One argument that has been proposed to make education more effective is to fine people whose computers are turned into zombies. If it could be proved that your system had been compromised and used as part of a bot net, you'd be fined $500.
The possibility of losing $500 (more for repeat infections) would cause a lot of people to secure their computers. Sadly, it would cause even more to throw them out.
But it would also be a great marketing tool for anti-virus/anti-spyware vendors. "We're so confident that our program will keep your PC safe, we'll pay the fine if your system is compromised while running our software."
Nice idea to have 'verified sender'- but if it's verified that the sender is some guy in Russia, what then? Blue Frog found a way to go to the heart of the matter, and make it cost those actually paying the spammers. They were, predictably, counterattacked by similar methods. I can understand why they stopped, but I'd sure like someone to take up the cause and the tactic.
But who? Since it appears we're dealing with some Russian with who knows what government/KGB/mafia ties, and obviously with considerable technical expertise and resources, what company would/could risk these continuing counterattacks? If fighting spam were not their core business, how could a company make a business case for doing this?
If a company were solely in the antispam business, how many subscribers would they have to have at what subscription rate to assemble the resources to duplicate the Blue Frog approach, and deal with the subsequent attacks? Simpler to avoid the wrath of the spammers and do what's being done now- sell subscriptions to so-so filtering software that's constantly being circumvented by spammers and doesn't affect the companies who send spam one whit.
The core effectiveness of Blue Frog's techniques lies in making it uneconomical for a company to hire a spammer to send spam, making it too expensive in terms of wasted resources. It obviously works. The other side- the spammers- have simply used the same technique against Blue Frog. I hate bullies, and spammer bullies even more, but I couldn't justify using up my company assets 'for the good of the net' and because I hate spam. I really can't blame Blue Frog.
Maybe this is the sort of national security issue that our government should take up. Sure looks like a terrorist attack on our vital infrastructure to me.
Can't think of anyone with more resources and expertise in this sort of thing than the NSA. They'd have to make it clear that they were the ones protecting the privacy of US citizens by sending the opt-out floods, so attacks wouldn't be directed elsewhere, and there would have to be some protection for those who submitted their email addresses for opt-out to avoid reprisals directed at individuals. Maybe all the protected-address emails would have to pass through some big honkin' NSA server to prevent revenge. There would have to be national security-level antihacking and anti-DoS protections in place.
Big brother? Sure. Let big brother do something useful for me for once. This wouldn't require any domestic warrantless surveillance; the problematic spammers are not US based. If there are any US-based spammers, the FBI can take care of them. If I didn't want the NSA to have my email address, I wouldn't have to submit it for antispam protection.
It has been repeatedly stated that spam is a huge problem, sapping vital national resources. Blue Frog has found an effective way to stop it, but doesn't have the ability on its own to continue- altruism only goes so far when it's costing you your livelihood.
The government does many billions of dollars worth of things every year that are Constitutionally questionable. Defending US 'netizens' from foreign enemies seems very clear.
I have to take issue with your suggestion that Blue Security's approach was unethical - if an advertiser sends out a large number of adverts and a percentage of the recipients respond asking not to receive any more adverts from them, one response per email received, how is that unethical? One email goes out, one response comes back - and it's targeted at the true originating source, not some poor spoofed return address. The advertiser is given the opportunity to remove the complainants from their distribution, reducing their costs and targetting their campaign away from non-purchasers. Six of the largest commercial spammers accepted the strategy and complied.
It was the subset of anti-social 'dark-side' criminal spammers who saw this as a threat and an opportunity to show their control of the internet mail system and the damage they can do. These are the unethical people, not Blue Security or the compliant commercial spammers. Their focus on making vast sums of money regardless of legality and their ability to bring down whole internet domains with illegal DOS attacks and other techniques indicates they have a true terrorist potential. I only hope their attack on Blue Security, its ISP and supporting DNS services has attracted the attention of governmental agencies with the ability to respond appropriately, but I fear it has not.
I agree with your analysis that only a change in the underlying email infrastructure will make spam fully controllable, but the response of the spammers suggests that the Blue Security approach can be effective if continued over a longer term and in a more distributed manner. I believe there are projects to attempt this currently in development.
This Anti Spam topic is most interesting to me, and I suspect to millions of other Pc users around the world. And I should like to become involved to a small degree to hopefully help find …“The Final Solution” …
Unfortunately, it would appear that Pc users who have some knowledge of their machine use that knowledge for themselves and often do not partake in the discussions and forums debated around the planet ~ and who can blame them? After all, the reality of using a computer has become quite a chore over the past three years or so dealing with Spam…
And just to make the point, here I am on a Saturday afternoon, composing and putting my mind to this debate, when there is a whole load of wonderful sport to be viewed from the UK and around the world on my telly…! Aaaahh…!
I should like to come back to Blue in a moment, but for the mean time, I want to talk about ‘The Machinist’ who I found via your link to: http://www.secureyourcomputer.org/ and their page: Take Back the Net - Secure Your Computer and Sport the Grey Ribbon! And finally to: http://www.theinternetpatrol.com/take-back-the-net-secure-your-computer where there is an interesting Comment by machiner [http://www.madcarters.com] - 5/21/2006 @ 9:47 am
Tis all well and good making suggestions about what we can or can’t do towards keeping our Pc’s clean and stealthy ~ and I’m sure that Mr Machiner is quite correct in his suggestions, but we are not all computer geeks, and some of the suggestions would appear a bit flippant to lesser mortals who may well be a weenie bit scared of going into services mode or regedit etc
The machiner talks about, and I quote: “Your steps may seem like good ideas, and perhaps at one time they were. However in today’s malicious internet climate those steps will do nothing to protect you …Really
Instead - on a Windows box, go to your Admin Tools in your Control Panel, then to Services… and start disabling the services:
? Server • Messenger • Computer Browser • Remote Registry • Web Client
There are more. There are some to set to Manual as well. You should also turn off that ridiculous media Player Licensing thing as well. That’s not what it’s called - but people will see what I mean in their services widget.”
Start disabling the services ~ God, what does that mean…?
No, I’m sorry Mr Machiner, or as I prefer to endearingly call you: Mr Machinist…
You must tailor your cloth according to the model, and in this case you are dealing with a variety of users who may not have gotten past the start button. I believe that “Start disabling the services” needs some explanation. And certainly over and above the Services (Local) description menu, so that the individual understands what he might be stopping and how that might affect the running of his machine ~ at least then, we will all be sure to be starting from a level playing field…
Mr Machinist, I very much appreciate your efforts in commenting about this issue, but please remember that there are many folk out there who do not have your ability and knowledge of the Pc, and need a little more explanation if they are to add to the worldwide forum of a collective serum for Antispam… I look forward to your essay on Ask Leo! ~ Soonest …
Incidentally, I couldn’t see anything about Media Player licensing, and if I’m going to do the job according to his worshipfulness Mr Machiner – then how about a proper directive…?
Congrats on debiantutorials.org by the way…
Think I’d better start a new post…
see u soon
Domain Rider: They were unethical because it was not one response per spam. My understanding is that once a spammer hit a threshold of sending out spam, Blue Security use their entire network of participants to snd unsubscribe requests, whether or not they had actually recieved the spam.
Relying on new technology to replace e-mail is a good idea, and although not entirely possible in the near future, is partly possible with current tools and the situation will surely improve as time goes by. There is an e-mail extension that checks if the mail actually originated at the address it says it's from and some major servers support it. The technology is coming, and as more users demand it, more providers will support it. (Unfortunately I don't know much about how the extension works; Search for DomainKeys or Sender Policy Framework if you want more info.)
That being said, let me concentrate on the other "school of thought".
I'm for educating people, but not necessarily the masses. If you do not want spam, get to know your computer and you won't get spam. Of course, having ALL e-mail users educated is not possible unless they're forced to, such as by a fine.
Having to pay a fine for having your system compromised is not a good solution: firstly it would promote nasty things like blackmail, but, perhaps more importantly, it would discourage people from using computers, or experimenting with them, without worrying about the consequences. If I didn't know anything about computers, I'd not want to start using them if there was a $500 fine for doing nothing (that is, not protecting it). And, of course, a fine would only work in the countries where that would be the law.
Here, I'd like to warn everybody about limiting others' rights on the Internet (such as the proposed fine). The Internet's based on the fact that anything is possible on it, and every limitation takes away more freedom than it's supposed to. To name a few lame examples, what's the difference between this site's newsletter and some types of spam? What's the difference between my helping my mother, who lives across the ocean, install a program over the Internet, and a hacker installing a spam-sending utility on your machine? Please don't support any legislation that limits Internet use unless you really, really know it won't hurt people with good intentions. Besides, we can't force spammers to stop spamming by creating laws. It's been tried with pirated computer games, ripped music, stolen videos, and it always failed. It just doesn't work, there will always be someone who break the laws.
Don't force others to not send their mail, even if it is spam. The possibility of sending a message instantly and for free is a privilege too valuable to be lost, even for a good cause.
My general solution to spam is similar to the free market economy theory: Don't try to prevent others from sending spam. Concentrate on yourself, on blocking the spam YOU *get, read and click.* If everybody does that, it reduces the spammers' profits, and once those are below the spamming costs, we win.
A first rule of thumb is obvious - never *click* on links in spam messages. Even if it says "unsubscribe", to the evil spammer it will just confirm that you are a real person, and a susceptible one at that. A perfect target for future attempts. (But don't be paranoid, if the message is not clearly spam, clicking links shouldn't hurt you.)
A second rule of thumb - don't *read* spam. If the subject line looks too spammy and you don't know the sender, don't even open the message. And if you do, make sure you at least have pictures blocked.
The third rule is about *getting* the spam. Just like you don't go hunting down virus writers but buy anti-virus software instead, don't hunt down spammers but get a spam filter instead.
My personal solution is simple but effective. I have a GMail account. Although I put my e-mail addres (firstname.lastname@example.org) everywhere, even in direct links where it just screams to be harvested, I get at most one spammy message a week. I report that message to GMail, and GMail updates their spam filter. Of course, thousands of other people do this, so GMail learns about thousands of kinds of spam every week and stops all their clones. That is the advantage of having a freemail account: lots of people are using it, and if the provider cares about its spam filters, it's very effective at blocking the spam. And GMail apparently does care.
Of course, as Leo says everywhere, free mail accounts are potentially dangerous as far as sending important information. Who knows who'll read it, who knows if it'll still be there tomorrow. To solve the first problem, I save my messages on my computer (GMail lets you do that). For the other problem, I have a private account with my ISP for sensitive information. But I only give my private address (as well as the sensitive information) to people I trust. I could also set up a policy of blocking all mail from all addresses except the ones I explicitly allow and allow only the people I trust, but I haven't had a problem with my current setup yet.
To sum it up: Educate yourself, educate the people around you, and give up forcing spammers to quit. They'll give up once spamming doesn't work.
Leo: Blue frog offered some degree of relief from that "helpless" feeling. It upset spammers. It worked! We should continue.I have multiple accounts through comcast, four outlook express accounts and one outlook account(all as a result of listening to your How To's) spred over three home machines plus five online accounts.Your are right about where the spam settles, mystifing to be sure....? I placed an animated PNG., signature in the Outlook mail which seemed to foul the spy bots some, but I couldn't successfully configure similiar attempts in Outlook Express.
To post a comment on "So what do we do about spam?", please return
to that article's main page.
Question? Ask Leo!
The Tip Jar: Buy Leo a Latte!
By Date |
Business Card |
Advertisements do not imply my endorsement of any product or service.
Copyright © 2003-2013 Puget Sound Software, LLC and Leo A. Notenboom
Ask Leo! is a registered trademark ® of Puget Sound Software, LLC
Terms, Conditions & Privacy
Product Reviews, Recommendations and Affiliate Links Disclosure