Helping people with computers... one answer at a time.
•
Listen to the podcast: So what do we do
about spam?. 
Transcript
Hi everyone, this is Leo Notenboom with news, commentary and answers to some of the many questions I get at askleo.info.
Last week I discussed Blue Security's going out of business. I got several comments in support of their methods, mostly born out of people's frustration with spam, and that even if unethical, Blue Security had been doing something about it.
So what are the ethical ways to stop spam?
There are two schools of thought.
School one says "educate the masses." That means making sure that everyone us running anti-spyware and anti-virus software, as well as staying up to date with software patches and so on. The goal here is to rob the spammers of one of their most powerful tools: bot nets. Machines that have been compromised and have been turned into spam-sending machines referred to as zombies.
That also means educating people that they should never, EVER, purchase from or respond to spam. That really is the bottom line - if spam didn't work, then there'd be no point in sending it. Sadly, enough people do buy, that it does work.
While educating everyone as mush as is possible is critical, I still believe relying on it as "the solution" is a technique doomed to failure. The education must be continuous as things change, and even the smallest percentage of folks who don't get the message are enough for spam to continue to flourish.
I believe that the answer lies in the technology. I believe that the fundamental tools and techniques used to transmit email across the internet need to be changed and/or modified. That modification? Absolute verification of the sender. It is email's fundamental anonymity and it's ability to be spoofed that allows spam to thrive. If I could, with certainly, say "accept only mail that is guaranteed to be from who it says it is from" 90% of my spam would disappear over night. And with accountability, the other 10% could be either tracked down and silenced, or legitimately opted out of.
There are several solutions out there already that attempt to do this already. Why isn't it working? Lack of widespread adoption and, to put it bluntly, politics. Companies are attempting to use various spam fighting solutions for competitive advantage rather than the betterment of the system as a whole. Company A pushing solution Z doesn't want to accept solution Y being supported by consortium B. Spam solution provide Q would go out of business if there were a single, effective solution, so they're not likely to play along either.
Until the playing field is level, and everyone adopts the same solution, spam will continue.
But as difficult as it sounds, I believe that's still more likely than educating the masses.
I'd love to hear what you think. Visit ask leo dot info, and enter 10327 in the go to article number box. Leave a comment, I read them all.
This is a presentation of askleo.info, a free on-line technical question and answer service. Hundreds of questions and answers are online and ready to help solve your computer problems.
That's askleo.info.
Article C2666 - May 25, 2006
Leo A. Notenboom has been playing with computers since he
was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed.
After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers
to common computer and technical questions. More about Leo.
I have to take issue with your suggestion that Blue Security's approach was unethical - if an advertiser sends out a large number of adverts and a percentage of the recipients respond asking not to receive any more adverts from them, one response per email received, how is that unethical? One email goes out, one response comes back - and it's targeted at the true originating source, not some poor spoofed return address. The advertiser is given the opportunity to remove the complainants from their distribution, reducing their costs and targetting their campaign away from non-purchasers. Six of the largest commercial spammers accepted the strategy and complied.
It was the subset of anti-social 'dark-side' criminal spammers who saw this as a threat and an opportunity to show their control of the internet mail system and the damage they can do. These are the unethical people, not Blue Security or the compliant commercial spammers. Their focus on making vast sums of money regardless of legality and their ability to bring down whole internet domains with illegal DOS attacks and other techniques indicates they have a true terrorist potential. I only hope their attack on Blue Security, its ISP and supporting DNS services has attracted the attention of governmental agencies with the ability to respond appropriately, but I fear it has not.
I agree with your analysis that only a change in the underlying email infrastructure will make spam fully controllable, but the response of the spammers suggests that the Blue Security approach can be effective if continued over a longer term and in a more distributed manner. I believe there are projects to attempt this currently in development.
Posted by: Domain Rider at May 27, 2006 3:04 AMLeo…
This Anti Spam topic is most interesting to me, and I suspect to millions of other Pc users around the world. And I should like to become involved to a small degree to hopefully help find …“The Final Solution” …
Unfortunately, it would appear that Pc users who have some knowledge of their machine use that knowledge for themselves and often do not partake in the discussions and forums debated around the planet ~ and who can blame them? After all, the reality of using a computer has become quite a chore over the past three years or so dealing with Spam…
And just to make the point, here I am on a Saturday afternoon, composing and putting my mind to this debate, when there is a whole load of wonderful sport to be viewed from the UK and around the world on my telly…! Aaaahh…!
I should like to come back to Blue in a moment, but for the mean time, I want to talk about ‘The Machinist’ who I found via your link to: http://www.secureyourcomputer.org/ and their page: Take Back the Net - Secure Your Computer and Sport the Grey Ribbon! And finally to: http://www.theinternetpatrol.com/take-back-the-net-secure-your-computer where there is an interesting Comment by machiner [http://www.madcarters.com] - 5/21/2006 @ 9:47 am
---------------------------------------------------------------------------------------------------------------------------
Tis all well and good making suggestions about what we can or can’t do towards keeping our Pc’s clean and stealthy ~ and I’m sure that Mr Machiner is quite correct in his suggestions, but we are not all computer geeks, and some of the suggestions would appear a bit flippant to lesser mortals who may well be a weenie bit scared of going into services mode or regedit etc
The machiner talks about, and I quote: “Your steps may seem like good ideas, and perhaps at one time they were. However in today’s malicious internet climate those steps will do nothing to protect you …Really
Posted by: Lou Gascon at May 27, 2006 7:32 AMInstead - on a Windows box, go to your Admin Tools in your Control Panel, then to Services… and start disabling the services:
? Server • Messenger • Computer Browser • Remote Registry • Web Client
There are more. There are some to set to Manual as well. You should also turn off that ridiculous media Player Licensing thing as well. That’s not what it’s called - but people will see what I mean in their services widget.”
Start disabling the services ~ God, what does that mean…?
No, I’m sorry Mr Machiner, or as I prefer to endearingly call you: Mr Machinist…
You must tailor your cloth according to the model, and in this case you are dealing with a variety of users who may not have gotten past the start button. I believe that “Start disabling the services” needs some explanation. And certainly over and above the Services (Local) description menu, so that the individual understands what he might be stopping and how that might affect the running of his machine ~ at least then, we will all be sure to be starting from a level playing field…
Mr Machinist, I very much appreciate your efforts in commenting about this issue, but please remember that there are many folk out there who do not have your ability and knowledge of the Pc, and need a little more explanation if they are to add to the worldwide forum of a collective serum for Antispam… I look forward to your essay on Ask Leo! ~ Soonest …
Incidentally, I couldn’t see anything about Media Player licensing, and if I’m going to do the job according to his worshipfulness Mr Machiner – then how about a proper directive…?
Congrats on debiantutorials.org by the way…
About Blue:
Think I’d better start a new post…
see u soon
Lou
Domain Rider: They were unethical because it was not one response per spam. My understanding is that once a spammer hit a threshold of sending out spam, Blue Security use their entire network of participants to snd unsubscribe requests, whether or not they had actually recieved the spam.
Posted by: Leo A. Notenboom at May 27, 2006 9:29 AMRelying on new technology to replace e-mail is a good idea, and although not entirely possible in the near future, is partly possible with current tools and the situation will surely improve as time goes by. There is an e-mail extension that checks if the mail actually originated at the address it says it's from and some major servers support it. The technology is coming, and as more users demand it, more providers will support it. (Unfortunately I don't know much about how the extension works; Search for DomainKeys or Sender Policy Framework if you want more info.)
That being said, let me concentrate on the other "school of thought".
I'm for educating people, but not necessarily the masses. If you do not want spam, get to know your computer and you won't get spam. Of course, having ALL e-mail users educated is not possible unless they're forced to, such as by a fine.
Having to pay a fine for having your system compromised is not a good solution: firstly it would promote nasty things like blackmail, but, perhaps more importantly, it would discourage people from using computers, or experimenting with them, without worrying about the consequences. If I didn't know anything about computers, I'd not want to start using them if there was a $500 fine for doing nothing (that is, not protecting it). And, of course, a fine would only work in the countries where that would be the law.
Here, I'd like to warn everybody about limiting others' rights on the Internet (such as the proposed fine). The Internet's based on the fact that anything is possible on it, and every limitation takes away more freedom than it's supposed to. To name a few lame examples, what's the difference between this site's newsletter and some types of spam? What's the difference between my helping my mother, who lives across the ocean, install a program over the Internet, and a hacker installing a spam-sending utility on your machine? Please don't support any legislation that limits Internet use unless you really, really know it won't hurt people with good intentions. Besides, we can't force spammers to stop spamming by creating laws. It's been tried with pirated computer games, ripped music, stolen videos, and it always failed. It just doesn't work, there will always be someone who break the laws.
Don't force others to not send their mail, even if it is spam. The possibility of sending a message instantly and for free is a privilege too valuable to be lost, even for a good cause.
My general solution to spam is similar to the free market economy theory: Don't try to prevent others from sending spam. Concentrate on yourself, on blocking the spam YOU *get, read and click.* If everybody does that, it reduces the spammers' profits, and once those are below the spamming costs, we win.
A first rule of thumb is obvious - never *click* on links in spam messages. Even if it says "unsubscribe", to the evil spammer it will just confirm that you are a real person, and a susceptible one at that. A perfect target for future attempts. (But don't be paranoid, if the message is not clearly spam, clicking links shouldn't hurt you.)
A second rule of thumb - don't *read* spam. If the subject line looks too spammy and you don't know the sender, don't even open the message. And if you do, make sure you at least have pictures blocked.
The third rule is about *getting* the spam. Just like you don't go hunting down virus writers but buy anti-virus software instead, don't hunt down spammers but get a spam filter instead.
My personal solution is simple but effective. I have a GMail account. Although I put my e-mail addres (encukou@gmail.com) everywhere, even in direct links where it just screams to be harvested, I get at most one spammy message a week. I report that message to GMail, and GMail updates their spam filter. Of course, thousands of other people do this, so GMail learns about thousands of kinds of spam every week and stops all their clones. That is the advantage of having a freemail account: lots of people are using it, and if the provider cares about its spam filters, it's very effective at blocking the spam. And GMail apparently does care.
Of course, as Leo says everywhere, free mail accounts are potentially dangerous as far as sending important information. Who knows who'll read it, who knows if it'll still be there tomorrow. To solve the first problem, I save my messages on my computer (GMail lets you do that). For the other problem, I have a private account with my ISP for sensitive information. But I only give my private address (as well as the sensitive information) to people I trust. I could also set up a policy of blocking all mail from all addresses except the ones I explicitly allow and allow only the people I trust, but I haven't had a problem with my current setup yet.
To sum it up: Educate yourself, educate the people around you, and give up forcing spammers to quit. They'll give up once spamming doesn't work.
Posted by: En-Cu-Kou at May 27, 2006 6:03 PMLeo: Blue frog offered some degree of relief from that "helpless" feeling. It upset spammers. It worked! We should continue.I have multiple accounts through comcast, four outlook express accounts and one outlook account(all as a result of listening to your How To's) spred over three home machines plus five online accounts.Your are right about where the spam settles, mystifing to be sure....? I placed an animated PNG., signature in the Outlook mail which seemed to foul the spy bots some, but I couldn't successfully configure similiar attempts in Outlook Express.
Posted by: Jesse at May 27, 2006 7:24 PMjess.