[cnn.com...]
The IETF has set up The Anti-Spam Research Group to tackle the technical issues surrounding spam and to see if SMTP can be changed or replaced to eliminate spam.
I think The Anti-Spam Research Group is a poorly named group and the name will make it difficult for the group to operate effectively. The term Spam has no agreed-upon definition, so it covers everything from "let's kill all commercial email and then let god sort it out" to "I want to stop fraud and pornography."
The group should not have a negative as an objective. The group should have been formed to enhance email and part of that would naturally be to eliminate illegitimate email.
However, there are many stakeholders that have a legitimate right to send email and to have it reach the recipient. The first steps, it would seem, would be to clearly find out who should be able to send email and have it delivered properly and to make sure that the technology protects their rights.
Then the technical effort should be to block out ONLY those that don't have a legitimate right. The IETF is a well respected group and may in fact do this, but the naming of the group The Anti-Spam Research Group makes it sound like a lynch mob to me.
But businesses have the right to send bulk solicited commercial email. A businessperson has the right to approach another businessperson through individualized correspondence.
Businesses have the right to email newsletters where the recipient has opted-in. These newsletters have the right to carry advertisements.
Any change to the email system needs to take care to preserve these rights.
A major problem today is spam-filtering that cannot distinguish between legitimate and illegitimate email.
The thing most people are against is bulk unsolicited commercial email. If that is the definition, then bulk must be defined and some method must be devised to see if an email is part of a bulk emailing.
If unsolicited is part of the definition, then a method of proving that it was solicited must be developed.
The problem is solvable, I feel. I point out that opted-in email that doesn't contain fraud or pornography is legal even in the 26 states that have 'spam' laws.
The thing most people are against is bulk unsolicited commercial email. If that is the definition, then bulk must be defined and some method must be devised to see if an email is part of a bulk emailing. If unsolicited is part of the definition, then a method of proving that it was solicited must be developed.
Any ideas or suggestions to enhance or improve upon existing (or future) parameters discussed here could very well make their way into mainstream efforts to stem the flow of UCE/SPAM on the Internet.
Oh, then what of those such as Hotmail who change their own TOS (kinda without telling you) that unless you double check your preferences regularly, you may start receiving solicitations from....affiliates to whom HM has sold (or otherwise transferred) your addy so they may hound you with Unsolicited Junk Mail?
Pendanticist.
Spammers might simply be priced out of business if mail was fee based. (Whether part of the fee should be shared with the people that handle the mail, like AOL or Hotmail, is another issue.)
Originating IPs or IP clusters could be tracked for mail volume to determine bulk.
An MD5 certificate could be given by a person opting-in. Only mail carrying the correct certificate would be afforded opt-in status.
Newsletters sent by email are the lifeblood of many, many small sites. My feeling is that 1000 illegitimate Viagra ads should be let through in preference to screening out 1 legitimate email Newsletter.
I also have problems with any organization that wants to read my mail and decide if I can read it. That concept sounds like 1984!
If they really want to do the internet world a favour they should start by addressing the sender's ability to be both anonymous and unaccountable.
I don't think we could honestly say that email addresses are public information like your mailing address. It needs a whole different set of rules than post.
Having said that, though, I think more responsibility needs to be put on the recipients too. I register for services, using my email address frequently, and after 13 years on the net I receive about 20-30 UCE a month. I look at a friend's email inbox and she has 650, over a course of three weeks.
Instead of whining, maybe individuals need to be a little bit more responsible. (That however does not apply to most business recipients, their email needs to be available in order to do business)
When they get UCE...the next step is delete, don't even open it. If it's illegal, find the appropriate address and forward it, then forget about it.
Before I get an email I want my ISP to ask the originating IP address if they originated the message. A simple ISP-to-ISP query based on a secure checksum hash of the original message would do. All ISPs would need to keep a hash database of messages they originated for a couple of days.
I would treat all unverified (i.e. originator denies sending) email as trash and have it binned unread. That is my human right not to listen to or read stuff from anonymous strangers.
For stuff that is UCE I'd now have a workable set of choices because I'd know the originator -- or at least someone who has taken responsibility for having sent it.
That last option could be nicely backed up by an appropriate legal sanction. If I get another verified email from an originator 72 hours after I have asked to be removed from their list, I should be able to click a button and get a payment of USD10 from their credit card -- part of the "verified originator email protocol" requires a credit card number from the originating ISP. Indeed I might bin unread as spam any email whose originator is not signed up to the "USD10 if we spam you" pledge.
Of course, for a year or two while the new protocol is being implemented, old-style spammers will move more and more to the dwindling supply of old-protocol ISPs. So unverifiable emails will more and more be assumed to be spam. That should put a tremendous pressure on non-spamming ISPs to move to the new protocol.
The only people to lose from this would be ISPs who sign up dubious clients (they'd need clear TOS and professional indemnity insurance to cover potential huge costs) and spammers who hide their identity.
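The ISP-to-ISP origination check proposed in the post above, sketched as an added example that is not part of the original thread. SHA-256, the canonicalisation step, the 48-hour retention and every class and function name are assumptions; the post only specifies a secure hash of the message kept for a couple of days.

```python
import hashlib
import time

RETENTION_SECONDS = 2 * 24 * 3600  # "a couple of days", assumed here to be 48 hours


def message_digest(sender: str, recipient: str, body: str) -> str:
    """Hash the fields both ISPs should see unchanged (assumed canonical form)."""
    # Normalise line endings and trailing whitespace, which transit may alter.
    canonical_body = "\r\n".join(line.rstrip() for line in body.splitlines())
    h = hashlib.sha256()
    for field in (sender.lower(), recipient.lower(), canonical_body):
        data = field.encode("utf-8")
        h.update(len(data).to_bytes(8, "big"))  # length prefix keeps fields unambiguous
        h.update(data)
    return h.hexdigest()


class OriginatingISP:
    """Keeps digests of mail it really sent, for the retention window only."""

    def __init__(self, clock=time.time):
        self._sent = {}       # digest -> time the message was sent
        self._clock = clock   # injectable so expiry can be exercised

    def send(self, sender: str, recipient: str, body: str) -> None:
        self._sent[message_digest(sender, recipient, body)] = self._clock()

    def originated(self, digest: str) -> bool:
        """Answer the ISP-to-ISP query: did we send a message with this digest?"""
        sent_at = self._sent.get(digest)
        if sent_at is None:
            return False
        if self._clock() - sent_at > RETENTION_SECONDS:
            del self._sent[digest]  # expired records are purged on lookup
            return False
        return True


def classify(isp: OriginatingISP, sender: str, recipient: str, body: str) -> str:
    """Receiving side: deliver only mail the claimed originator confirms."""
    digest = message_digest(sender, recipient, body)
    return "deliver" if isp.originated(digest) else "bin"


if __name__ == "__main__":
    isp = OriginatingISP()
    isp.send("news@example.org", "bob@example.net", "Monthly news")  # constructed sample
    print(classify(isp, "news@example.org", "bob@example.net", "Monthly news"))
    print(classify(isp, "news@example.org", "bob@example.net", "Forged body"))
```

Any relay that rewrites the body (appended footers, re-encoding) changes the digest, so the check only holds for content that arrives identical after canonicalisation.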
Spammers laugh at the anti-spammers. They believe that spam-rage will protect them. Spam will last as long as people put forth ideas that don't preserve civil liberties. Any law that infringes on civil liberties is bound to fail. When the law fails the spammer is back in business.
I think the IETF approach is a good starting point. However I worry about burdening the group with the anti-spam name. It seems to me that will make it a magnet for more spam-rage.
An electronic postmark has been working in Canada for some time to protect electronic funds transfers. The USPS has an electronic postmark backed by strong Federal laws. If used on a mailing piece, the piece enjoys all the rights and incurs all the limitations of postal mail.
The IETF should be able to build on this. If all it does is try to create the mother of all spam filters, I feel it is doomed to failure.
As my or your spam is someone else's great deal, to those buying it is useful.
I find it annoying, and I can delete it, as I can hang up on phone solicitors or shut my door on door to door salespeople.
I understand some are more offended than others, but I believe it is the right of any business to seek out leads, those that find their message annoying will not buy from them, the others will, it is a numbers game and this is the reason for the volume.
I guess my point is that it is a legitimate way for a business to seek sales and it is also easy to ignore.
FEDERAL TRADE COMMISSION: Public Forum: Spam Email [ftc.gov]
Suggested reading, especially if you live in or near the Washington, D.C. area.
"April 30-May 2, 2003, from 8:30 a.m. to 5:30 p.m. at the Federal Trade Commission, 601 New Jersey Avenue, N.W., Washington, D.C."
Pendanticist.
Both are mail and from the civil liberties point of view identical.
Possibly true, but it's that very argument that has prevented any advancement in spam control. If there's to be a solution, people really need to think outside the mail box.
As for a postal fee....
Email users will not tolerate a postage rate on email....no matter how minimal. If we have to start paying for every joke we send to our best friend, we will soon be seeking out the Kazaa of email.
What so many people seem to miss is that UCE isn't actually a "problem". It is merely a side effect of a much larger problem. The Internet.
If you step back and look at the big picture, you can see that it's not restricting business practices that needs to be addressed. It's the sheer existence of these businesses themselves.
Anybody with a computer and an internet connection can start a business, most with good intentions. However it's the handful of fly-by-night, snake-oil salesmen that are sending out the UCE.
Until some brilliant minds can find a way to sort the good from the crooked, fairly, anything done about UCE is simply treating the symptom, not the cause.
I still believe that all the problems combined will one day lead to every user having to hold a certified, verified ID number.
The money can be dried up by changing the banking laws to make it a crime to employ deceptive practices or fraud in a sale involving credit cards.
These illegitimate companies can be attacked by extending the RICO statutes which were originally written to deal with organized crime and the drug cartels to include any criminal enterprise that operates in multiple jurisdictions and under assumed names and uses multiple companies to commit fraud or engage in deceptive practices.
RICO allows for both criminal prosecution and civil suits.
However, one thing that cannot succeed in the US is to attempt to abridge our civil liberties. The US is a country of laws so any solution must be acceptable within that framework.
All it needs (this is a typical handwaving argument) is a different email protocol.
ISPs who can't (or won't) accept emails under the new protocol will continue to use the old one -- until user pressure forces them to join everyone else.
There'd be other benefits too:
The USD10 if you get spammed part might be a bit harder to get agreement on :)
>>There is only one solution, that is for people to stop responding to the offers
Exactly, when spam ceases to be profitable, it will stop, or at least stop to an extent where it is no longer such an everyday concern. However, I don't think the above is the "only one solution".
>>I think you will find the major problem with illegitimate business mail is being caused by a relatively small number of very large operations.
The spamhaus's and their otherwise 'legitimate' business partners continue to thrive. Although sending bulk email is not difficult from a technical point of view, on a large scale and over a long time scale it is not so easy.
I think the solution lies in developing a system whereby:
Consumers are well informed about the economic viability behind spammers' mass mailings.
Businesses who are one of the biggest victims of spam by virtue of their connectivity develop 'opt-in' systems on a contact by contact basis backed up by pro-active spam filtering (including validation of known recipients?).
Spammers who break the law are shut down quickly and effectively.
Open relays are shut down - they are a major source of spam.
I guess this would need the involvement of an outside agency (the ASRG?) As far as I am concerned it is possible to shut down large numbers of spammers without infringing on important rights of civil liberty and freedom of speech. If the problem is reduced to a reasonable extent, Joe Spammer can email me, and I will block him ;)
As a result of information .htaccess control I had since used that file with both a short deny list for blocking by specific ip number then the section followed by a list of user agents and referers to send many bad visitors to the 404.
Regarding the deny list using ip numbers.
Can regex be used in that portion to specify a range? Or must it be as I presently have such as
210.
123.456.
123.45.6.789
In the example, I have actually blocked a couple of big blocks and a few are specific.
In my rewrite portion I actually have ranges specified.
Previously I was getting many hits from Fast which was also harvesting my images. Having attempted them to stop, they did not. As a result they got blocked, unfortunately.
Most harvesters are blocked too and a couple that linked without permission causing bandwidth loading were blocked. All now seems fine.
As for sources of spam, I have found most originate from APNIC sources, as a result where my site(s) don't have a needed audience there, big chunks are blocked for website access. Now much less spam comes in.
Not sure if anyone is familiar with Cpanel 6 which is via my provider. It allows email blocking via from, to, subject, body, and header matching. Most of my blocking is via IP number in header matching using regex.
Question: With Cpanel 6, have attempted to block in the body references to redirector urls contained in html text. Often most use [rd.yahoo.com...] etc/*http:/realurl.
So far I can not get it to work by blocking a rd.yahoo url in the html message portion. Anyone have any knowledge or tips? This would kill many more specific spam.
As for opinion on spam: I feel spam should only be via opt-in of any first parties. No affiliates or partners allowed to send. International senders should be bound by any US laws against spam.
Some say it's the right of a business to solicit, my thought is that only if they pay fees to do so. Where an email program is within my computer, is in my home, and is my property, no one should be able to stomp on it without my permission. It is private property and is under my control. To spam or solicit without permission is like banging on my door and leans toward trespass and violation of my rights.
Where some say business has a right to solicit, yes, but not if they violate the rights of another in doing so. Thus the rights of the recipient "must" come first who have a right to privacy and no harm.
Last question.... in using my rewrite list in .htaccess
I had previously had a problem with one site which had an unauthorized link. Cured that one, but now found another. In each case they were links from groups.msn.com and msn will not control their groups even though they are hosting. I tried using for referer in rewrite
[www\.groups\.msn\.com...]
but that did not work, blocked my own domain! which puzzled me. Tried just groups\.msn\.com same problem, blocked my own domain too (even if I clicked from within my browser). Finally I just had to use the group name etc. following the .com/, thus having just the group name as the blocking part. That works fine for now.
How can I properly just specify the referer to include any and all groups.msn.com as referer -- I had thought that the first or second try where it was with http or just groups\.msn\.com would have done it successfully? I have no need to have any links from any msn groups to my domains.
Thanks much. Sorry if wordy.