Respectfully, I think micropayments in fact would effectively solve the problem – Right now, it’s difficult for an average person to know when their computer is part of a botnet, and not a whole lot of incentive for them to do anything about it. But when having your computer hijacked costs you money, people will I guarantee you do a better job of security.
(Not that transitioning to a micropayment would be easy, but I do think it would be an improvement. )
I run 3 email accounts.
One is on the domain name we own, and is only given to friends and relatives. It’s an incomplete version of my last name, and I seriously doubt there is anyone using this version as their real last name. I get zero spam on this. Only my SO and I have addresses on this domain, and we both give them out sparingly.
The second one I give to online acquaintances and accounts I plan on keeping around and trust. Like the SDMB. It’s on a free email service. It gets some spam.
The third is the one I give to places that need an email address, but I don’t plan on keeping much track of. I read it once every couple of weeks, and it gets spam up the wazoo. It’s also on a free service, and this one is my “ditchable” account. My impression here is that at least some of the spam is “shot in the dark” stuff. Someone took the entire dictionary, and tried every word @aol.com, and then for good measure, added the number 1-9999 after the word and ran those past @aol.com as well. Jenny1985@aol .com kind of stuff.
So yes, you can keep your spam down, but it involves being careful about who you give your address to, and using not easily guessed names.
Any decent modern filter is smarter than that. Words, phrases and other things about the message all add to a weighting number to determine the probability that the message is spam. That probability needs to hit a threshold before it ends up in the spam bucket or whereever. So … just mentioning Viagra probably wouldn’t trigger it.
I agree that Gmail’s filter is very good. I run a little web and mail server on a virtual server at hosting company. I was running Spamassassin mostly for one friend / user who was getting hammered with spam. I really didn’t have enough ram for Spamassassin so I eventually persuaded him to let me shut it down and forward his domain mail to a Gmail account. That instantly solved the problem. Somehow he couldn’t get Eudora to work with Gmail’s IMAP so he now forwards from Gmail back to a mailbox on my system with a silly name like zz6aakksjsd@hisdomain.com. That works perfectly. We’re using Gmail as a free “transparent” spam filter. If that mailbox ever picks up spam directly then we’ll just change it to something else.
For anyone running their own mail server for incoming mail:
I look after a Windows network for the office of a private school. We run MS Exchange with mail coming directly in via the DSL line on port 25. There we run ASSP. It takes a bit of configuration and monitoring but it works very well. Just the Greylisting by itself reduces a lot of spam.
Yeah, I’ve been frustrated with that at times but there are quite good reasons for blocking port 25 and forcing you to use their server. Apparently a lot of spam comes malware bots on people’s PCs so not letting them send seems like a good idea. Good ISP’s and web/mail hosts configure their servers so you can use another port. I haven’t tried it but I think Gmail lets you use 587 with smtp authentication.
This fact often worries people, so an analogy is perhaps in order. Using the good old-fashioned US Postal Service, I could also send you a letter in an envelope with the return address listed as 1600 Pennsylvania Ave., Washington, DC. The security in both cases is the same.
You shouldn’t get it at all, because such a message would be spam. The only difference between what you’d describing and the messages which regularly clutter my inbox is that you’ve met the spammer face-to-face before, and I can’t see how anyone could expect your e-mail system to know who all the people you’ve met face-to-face but haven’t e-mailed are.
With the current e-mail system, it appears basically impossible to stop spam. Through filtering algorithms it can be filtered to a Junk or Spam box, which is necessary because the algorithms aren’t 100% accurate. What one person calls spam another might actually want.
Like others, I think the only way spam will be somewhat/mostly controlled is if there’s some sort of financial cost to sending bulk e-mail.
Transitioning to micropayments would require authentication, which alone could be used to solve the spam problem - without the micropayments.
There was a working anti spam solution called Blue Frog details here: Blue Frog - Wikipedia
Basically it was an app that ran on your PC and respammed the spammers customers - the sites that the spammers were promoting. It worked. I used it.
The Blue Frog servers were compromised and attacked by a spam gang and closed down in 2006. There was talk of an open source replacement see www.okopipi.org but I think that is dead in the water.
Quercus: How would micropayments work internationally? Ideally, they would work fine, but in practice it would segment the network into countries that can easily exchange currency (US, UK, Canada, Japan, etc.) and countries that can’t (Pakistan, Iran, Zimbabwe, etc.). Don’t tell me those countries shouldn’t be able to send email to the ‘real world’: I’m liable to laugh at you and call you names.
This is a remarkably stupid idea, given that all spammers use phony return addresses. It also makes you a spammer and, if your ISP was on the ball, it should have gotten your account terminated.
If you are routing outgoing SMTP mail via server outside of your ISP, you should be using authenticated SMTP (port 587).
If you are just sending SMTP, you can request that your ISP give you a static IP address that is not in the residential block. Or forward the emails via a third party (I use DynDNS Outbound Mailhop, pretty cheap really). Otherwise, systems you attempt to send to will start blocking your emails anyhow, on a blanket “we don’t accept emails from residential IP addresses” basis. My mailserver spamfilter does this, as well as reverse DNS lookups. I don’t get much spam (well, lots is rejected before it hits our mailboxes).
The point is, no matter what you feel about how the internet and SMTP should work, common practice is changing in this regard, and everyone needs to adapt and adjust. SMTP has not worked on open relaying for years, and is moving rapidly to a verified and trusted mail server system of some sort. And residential IP addresses are not and probably never again will be first class internet citizens.
Si
It didn’t spam the return addresses - it spammed (well, sent automated complaints to) the site appearing in the spam message - the link the spammer wanted you to click.
Still not a good idea, because it could be manipulated to launch a DDoS attack upon an innocent site.
How do you implement micropayments? The only place that can track the email connection is the recipient. Would you trust the mail server in Uzbekistan that claims that you sent a million emails to them. Would you want your ISP to provide your real details in response to a request from that mail server with just a IP address. You do realise that spammers could still spoof the source IP address of the emails so that someone else has to pay.
Botnets are a problem, but ISPs are the best place to start dismantling them. ISPs can block port 25, and can detect machines using port 25 and investigate (preferably by disconnecting them). They can also block known botnet command and control servers, and scan for open command ports on residential IP addresses.
Si
Even if I can trust your employees, can I trust you to never get hacked?
Cecil may not decide to sell your email to Bob The Illegal Botnet Builder, but Bob’s friend Dmitri the unemployed computer scientist might hack Cecil’s box and take it…
I was hoping that there might be a solution, but, as far as I can tell from your replies, there isn’t. Hotmail and Google destroy some emails they consider to be blatant spamming, and send the rest to a junk folder. Other ISPs and anti spam programs just do the latter. So I’m exposed to all the spam that’s sent to me (because I feel I have to check for incorrectly marked mail). The only difference is that some of my mail is in a different folder.
Is that about it? If so - anyone got the number of a reputable witch doctor?
Your ISP probably deletes some blatant spam as well - it’s just that Googlemail/Hotmail see more spam, and so are better at detecting messages that are sent to thousands of users. So you don’t see all the spam sent to you, just the stuff your ISP has less confidence about.
Silver Bullets are hard to come by. Any real solution has to be technological (not social or legislative), and easy to implement without breaking the current systems. Eventually it will come down to backbone providers forcing ISPs to implement restrictive policies on (primarily) residential systems as a precursor to access, to break the botnets.
Si
The kind of emails I tend to see mistakenly marked as spam are mailing list newsletters. But usually there’s a way to create a whitelist to help eliminate situations like that.
Well, I’m no expert on this (my post pretty much covered what I know), but it strikes me that there seems to be a currently functioning way for Pakistanis to pay for snail mail to be delivered in the U.S., so presumably a solution for e-mail payments wouldn’t be impossible (at least on the level of international agreements and currency exchange).
Though Mangetout’s point is good : that an e-mail system that was authenticated enough for payments would be able to provide other tools for fighting spam as well.
I have a personal email address that is a domain name I purchased, which doesn’t receive any spam. However, if I were to give this email address to my aunt, who loves to send forwards to everybody, it wouldn’t be long before I started getting spammed. Basically, her forwards continue on and on and nobody who forwards bothers to use the BCC field, so anybody that receives her emails can see my address.
Eventually it could be forwarded to someone selling the addresses to spammers. What I do to be cordial is give her my gmail address and any websites that I must register with also get this same gmail address, which ensures my main one never gets on these spammers lists. Unfortunately, all it takes is one careless friend or relative for the spamming to start.
Authentication probably wouldn’t solve it, either. The spammers would just change tactics and hijack people’s accounts to send the spam. They would use viruses and/or phishing to steal login information.
This would be even worse with micropayments, because now all of the suffering is on the victims who have to prove they were hijacked and shouldn’t have to pay the fees.
If you are interested in checking out the current levels of reported spam, look at SpamCop.net - Statistics on Spam trends. Back in mid November, there was a major spam takedown but as expected, the spammers found new channels and ramped right back up.
Disclosure: I work for an anti-spam company, and before this I did mail server care and feeding. Postfix on FreeBSD with SpamAssassin, and what a learning experience that was.