who says that spam doesn't cost the recipient money?

on 08.01.2007 02:12:49 by Mark Crispin

While I was in Japan, I needed to check my email and didn't have immediate
access to WiFi. So I hooked up my mobile phone to my laptop and connected
to the Internet that way.

There is a word in Japanese for what happens when you do that: "pake-shi",
meaning "death by packet". Mobile phone data charges are high in Japan.

A 30-minute email session resulted in over 11,000 yen, nearly US $100, in
packet charges.

Note that I didn't actually download the multiple 10s of megabytes of
spam, just the header information and spam scores. There weren't any
false positives (sometimes it does happen), but some false negatives got
downloaded (each cost me the equivalent of a dollar or so in packet
charges).

Normally, I avoid email access by mobile phone for this reason, but there
was some important business that had to be transacted.

Sadly, I have to agree with those who say that email is broken, and
nothing will fix it short of completely tearing the entire thing down and
rebuilding from the ground up. What was once a valuable tool has been a
sewer that costs more than it benefits.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.

Re: who says that spam doesn't cost the recipient money?

on 08.01.2007 14:15:01 by Markus Zingg

>Sadly, I have to agree with those who say that email is broken, and
>nothing will fix it short of completely tearing the entire thing down and
>rebuilding from the ground up. What was once a valuable tool has been a
>sewer that costs more than it benefits.

I perfectly understand your frustration, but I disagree with your
conclusion that the entire thing should be torn down and rebuilt
from ground up. As long as there is a system where complete strangers
shall be able to contact you, it will be possible to abuse such a
system no matter how different from the existing protocols such a
system might be.

I think there will never be a final "solution" to the spam problem
unless you simply limit yourself to a fixed list of accepted senders.
The latter might be possible in a private environment but obviously
is no solution in business scenarios.

As with other situations in life we have to change our way how we do
things and adapt ourselves to the situation whether we like it or not.
There were times where nobody required a door lock. These days we use
door locks, eventually burglar alert systems, keep our money on bank
accounts and so on. With e-mail we use anti spam filters, may maintain
e-mail accounts where we keep the audience to whom we communicate this
address separated and change it if abuse starts, use different web
contact methods than simply placing a href=mailto: statement into a
page, and so on.

By combining such methods the problem can be kept on a manageable
level. In your particular situation you could have communicated a
dedicated fresh e-mail address to the party/parties whose e-mail you
needed to get so urgently during your trip and only query your regular
e-mail accounts at times where access would not be so expensive. Even
better you could add a rule to your regular account to forward mail
from given senders to an account dedicated to this urgent/important
case and exclusively have accessed this one etc etc. Don't get me
wrong, the subject of your post holds true cause obviously doing all
this does cost money on behalf of the recipients.

Just my 2¢ of course.

Markus

Re: who says that spam doesn't cost the recipient money?

on 08.01.2007 14:45:52 by patrick

In news:nmf4q2p1mkfs0gm457peljp3cm5khh9ulj@4ax.com,
Markus Zingg wrote:

>> Sadly, I have to agree with those who say that email is broken, and
>> nothing will fix it short of completely tearing the entire thing
>> down and rebuilding from the ground up. What was once a valuable
>> tool has been a sewer that costs more than it benefits.
>
> I perfectly understand your frustration, but I disagree with your
> conclusion that the entire thing should be torn down and rebuilt
> from ground up. As long as there is a system where complete strangers
> shall be able to contact you, it will be possible to abuse such a
> system no matter how different from the existing protocols such a
> system might be.

When it can be determined that the sender of an email is the person they
claim to be with a verified return route, then email abuse will be
substantially reduced.

Re: who says that spam doesn't cost the recipient money?

on 08.01.2007 15:47:41 by Markus Zingg

[snip]
>When it can be determined that the sender of an email is the person they
>claim to be with a verified return route, then email abuse will be
>substantially reduced.

Sure, but that holds true for all internet protocols. It actually is
routable already from a protocol standpoint of view (headers). They
can be faked but so could every other "technology" used too. As long
as providers and all operators of all servers along the path are not
obliged to suppress/report such abuse things will remain the way they
are.

I think we i.e. would see a lot less spam if providers finally would
start to firewall port 25 for their customers and force them to send
outgoing mail through their servers, applying monitoring for abuse at
the source, terminating violating customers etc. A lot remains to be
done on the legal/enforcing end of the issue, but actually not so much
on the technical side. Crime exists and is a reality in all parts of
our life. The problem with the internet is that law enforcement does
not yet work as it does in other areas of life.

Markus

Re: who says that spam doesn't cost the recipient money?

on 08.01.2007 16:38:14 by Frank Slootweg

Markus Zingg wrote:
[deleted]
> I think we i.e. would see a lot less spam if providers finally would
> start to firewall port 25 for their customers and force them to send
> outgoing mail through their servers,


My ISP is already doing this, but ...

> applying monitoring for abuse at
> the source, terminating violating customers etc.

*that* bit isn't implemented and IMO *cannot* be implemented with the
current technical standards.

I (have to) send all my mail through my ISP's mail servers, i.e. also
for my e-mail addresses, in *other* (than the ISP's) domains, which are
*not* known by my ISP. It is not practical to inform my ISP of every new
and obsolete e-mail address, and frankly it's none of their business
what my (other) e-mail addresses are. They are my *ISP*, nothing more,
nothing less.

So for all intents and purposes, they *cannot* "apply monitoring for
abuse", other than by *volume* (i.e. number of messages per unit of
time), and that (volume) is yet another can of worms.

> A lot remains to be done on the legal/enforcing end of the issue, but
> actually not so much on the technical side. Crime exists and is a
> reality in all parts of our life. The problem with the internet is
> that law enforcement does not yet work as it does in other areas of
> life.

If the involved countries *want*, a lot can be done on the legal side.

Our Dutch anti-spam laws are quite strict and are heavily enforced
with heavy penalties. Hence spam from Dutch origin has been reduced
drastically.

Now if other countries would follow in the same reign, the problem
would be much smaller. However I think that the influence of the
companies which sell anti-spam 'solutions'/'services' is way too big for
this to happen.

Re: who says that spam doesn't cost the recipient money?

on 08.01.2007 18:51:55 by david20

In article <45a26566$0$51364$dbd41001@news.wanadoo.nl>, Frank Slootweg writes:
>Markus Zingg wrote:
>[deleted]
>> I think we i.e. would see a lot less spam if providers finally would
>> start to firewall port 25 for their customers and force them to send
>> outgoing mail through their servers,
>
>
> My ISP is already doing this, but ...
>
>> applying monitoring for abuse at
>> the source, terminating violating customers etc.
>
>*that* bit isn't implemented and IMO *cannot* be implemented with the
>current technical standards.
>
> I (have to) send all my mail through my ISP's mail servers, i.e. also
>for my e-mail addresses, in *other* (than the ISP's) domains, which are
>*not* known by my ISP. It is not practical to inform my ISP of every new
>and obsolete e-mail address, and frankly it's none of their business
>what my (other) e-mail addresses are. They are my *ISP*, nothing more,
>nothing less.
>
> So for all intents and purposes, they *cannot* "apply monitoring for
>abuse", other than by *volume* (i.e. number of messages per unit of
>time), and that (volume) is yet another can of worms.
>
Well if SPF, or other similar proposals, ever really take off then you will no
longer be able to use your work's address (or any other address except the
one provided by the ISP) as the FROM address in mail you send via your ISP
unless you can convince the organisation owning the domain of the address you
want to use to add your ISP's outgoing mail servers into their SPF DNS record.
Which probably means you won't be able to do it unless you own that domain
and control its DNS records.

The ISP should also know what IP address it has handed you and hence should
know who was sending any particular mail irrespective of what you had put in the
from field. For any mail you send through them from outside they should require
you to use SMTP AUTH possibly on the submission port rather than the normal mail
port so that you are authenticated. Some ISPs are already using SMTP
AUTH and the submission port for mail from their internal users as well.
(information on the real user who sent the mail can then be added into the logs
kept by the ISP and into the mail headers to allow easier reporting of abuse
back to the ISP).


>> A lot remains to be done on the legal/enforcing end of the issue, but
>> actually not so much on the technical side. Crime exists and is a
>> reality in all parts of our life. The problem with the internet is
>> that law enforcement does not yet work as it does in other areas of
>> life.
>

There are lots of technical solutions which would potentially help the
situation; the problems are:

1) More than one solution to the same problem

SPF, SenderID, Domainkeys - sender verification schemes

S/MIME, PGP - encryption/authentication schemes


with no consensus on which ones to adopt

2) Even schemes where there aren't multiple alternatives such as blocking
port 25 and using SMTP AUTH are not widely deployed


David Webb
Security team leader
CCSS
Middlesex University


> If the involved countries *want*, a lot can be done on the legal side.
>
> Our Dutch anti-spam laws are quite strict and are heavily enforced
>with heavy penalties. Hence spam from Dutch origin has been reduced
>drastically.
>
> Now if other countries would follow in the same reign, the problem
>would be much smaller. However I think that the influence of the
>companies which sell anti-spam 'solutions'/'services' is way too big for
>this to happen.

Re: who says that spam doesn't cost the recipient money?

on 08.01.2007 21:16:04 by Mark Crispin

On Mon, 8 Jan 2007, patrick wrote:
> When it can be determined that the sender of an email is the person they
> claim to be with a verified return route, then email abuse will be
> substantially reduced.

When the sender of an email pays for the privilege, then email abuse will
be substantially reduced.

I've been a user and advocate of free email for over 30 years. However,
"free" email is not without cost; and the costs are now much greater than
if all my outgoing email has to have a government-sold stamp affixed to
it.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.

Re: who says that spam doesn't cost the recipient money?

on 08.01.2007 21:18:51 by Frank Slootweg

david20@alpha2.mdx.ac.uk wrote:
> In article <45a26566$0$51364$dbd41001@news.wanadoo.nl>, Frank Slootweg writes:
> >Markus Zingg wrote:
> >[deleted]
> >> I think we i.e. would see a lot less spam if providers finally would
> >> start to firewall port 25 for their customers and force them to send
> >> outgoing mail through their servers,
> >
> > My ISP is already doing this, but ...
> >
> >> applying monitoring for abuse at
> >> the source, terminating violating customers etc.
> >
> >*that* bit isn't implemented and IMO *cannot* be implemented with the
> >current technical standards.
> >
> > I (have to) send all my mail through my ISP's mail servers, i.e. also
> >for my e-mail addresses, in *other* (than the ISP's) domains, which are
> >*not* known by my ISP. It is not practical to inform my ISP of every new
> >and obsolete e-mail address, and frankly it's none of their business
> >what my (other) e-mail addresses are. They are my *ISP*, nothing more,
> >nothing less.
> >
> > So for all intents and purposes, they *cannot* "apply monitoring for
> >abuse", other than by *volume* (i.e. number of messages per unit of
> >time), and that (volume) is yet another can of worms.
> >
> Well if SPF, or other similar proposals, ever really take off then you
> will no longer be able to use your work's address (or any other
> address except the one provided by the ISP) as the FROM address in
> mail you send via your ISP unless you can convince the organisation
> owning the domain of the address you want to use to add your ISP's
> outgoing mail servers into their SPF DNS record. Which probably means
> you won't be able to do it unless you own that domain and control its
> DNS records.

The "if" (in "if SPF ...") is a very big "if". I don't see it
happening anytime soon, because ISPs and MSPs will lose (too?) many
customers if these schemes are deployed and enforced. But time will
tell.

> The ISP should also know what IP address it has handed you and hence
> should know who was sending any particular mail irrespective of what
> you had put in the from field. For any mail you send through them
> from outside they should require you to use SMTP AUTH possibly on the
> submission port rather than the normal mail port so that you are
> authenticated. Some ISPs are already using SMTP AUTH and the
> submission port for mail from their internal users as well.
> (information on the real user who sent the mail can then be added into
> the logs kept by the ISP and into the mail headers to allow easier
> reporting of abuse back to the ISP).

Sorry, but they won't know "*who* was sending any particular mail"
(emphasis mine).

For your run-of-the-mill consumer ISP, this is more theory than
reality. I.e. I might be the *subscriber*, i.e. the one who pays the
monthly fee, but I'm not the only *user* and not, at least not fully,
responsible for what the other users (whether legit or illegit) do. I.e.
the ISP can cancel my subscription if their connection is abused, but
that's about it. If the subscription is cancelled, I can just go to the
next ISP, ad infinitum.

With the current state of affairs (including SPF et al), the premise
that one can somehow tie an IP address to a name and person which sent a
specific (set of) email message(s) and hold that person responsible, is
mainly faulty.

Analogy: My News server requires authentication (authinfo user/pass),
i.e. similar to the SMTP authentication you mentioned. Can my NSP/ISP be
sure that the *person* Frank Slootweg posted this article? No, not with
any sufficient degree of certainty. They can only determine that the
noted *IP address* was used, nothing more.

[deleted]

Re: who says that spam doesn't cost the recipient money?

on 08.01.2007 23:58:18 by Mark Crispin

On Mon, 8 Jan 2007, Frank Slootweg wrote:
> With the current state of affairs (including SPF et al), the premise
> that one can somehow tie an IP address to a name and person which sent a
> specific (set of) email message(s) and hold that person responsible, is
> mainly faulty.

Hence my (reluctant) conclusion that the free email model is flawed. Spam
and other email abuse will always be with us until such time as we have
sender fees for email.

Not that this is easy to do, either technically or socially. There are
many negatives which I have glossed over. However, I've concluded that
email, as it presently is constituted, is no longer a benefit and has
become a burden.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.

Re: who says that spam doesn't cost the recipient money?

on 09.01.2007 15:25:35 by DFS

Mark Crispin wrote:

> Sadly, I have to agree with those who say that email is broken, and
> nothing will fix it short of completely tearing the entire thing down and
> rebuilding from the ground up. What was once a valuable tool has been a
> sewer that costs more than it benefits.

It's quite distressing to hear an e-mail pioneer say that, because
I respect your opinion and give it great weight. However, I think you
are unduly pessimistic. Modern filters are pretty accurate; I still
find e-mail very useful. A filter that gives you a web-based way to
check a quarantine (and possibly e-mails a summary of trapped messages
when you ask for it) is a simple way to greatly reduce connection
charges while still letting you get at important mail.

It's not in the interest of spammers to kill off e-mail, so I think
things will settle into an uneasy balance like a predator/prey
ecology. Sure, every now and then the predators will increase to
beyond what the ecology can support, but the situation will correct
itself.

Regards,

David.

Re: who says that spam doesn't cost the recipient money?

on 09.01.2007 15:27:49 by david20

In article , Mark Crispin writes:
>On Mon, 8 Jan 2007, patrick wrote:
>> When it can be determined that the sender of an email is the person they
>> claim to be with a verified return route, then email abuse will be
>> substantially reduced.
>
>When the sender of an email pays for the privilege, then email abuse will
>be substantially reduced.
>
>I've been a user and advocate of free email for over 30 years. However,
>"free" email is not without cost; and the costs are now much greater than
>if all my outgoing email has to have a government-sold stamp affixed to
>it.
>
Well a "stamp" would require encryption to prevent someone forging the stamp
and some measure to prevent a stamp being reused on a different mail message.
The simplest means to do that would be to tie it to a hash of the message.
However then you have basically reinvented PGP or S/MIME.
The only difference being that you also require an infrastructure for producing
these stamps and paying for them (and some means of persuading everybody to
adopt this fee-paying alternative to the "free" email).


David Webb
Security team leader
CCSS
Middlesex University




>-- Mark --
>
>http://panda.com/mrc
>Democracy is two wolves and a sheep deciding what to eat for lunch.
>Liberty is a well-armed sheep contesting the vote.
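
The stamp construction david20 sketches above (unforgeable, and tied to a hash of the message so it cannot be moved to another mail), as an added example that is not part of the original thread. It goes one step further by recording serial numbers so a stamp cannot be spent twice. The `StampIssuer` class is hypothetical, and an HMAC under an issuer-held key stands in for the public-key signature a deployed scheme would need so that receivers could verify stamps without being able to mint them.

```python
import hashlib
import hmac
import secrets


class StampIssuer:
    """Hypothetical stamp authority that both sells and validates stamps."""

    SERIAL_LEN = 16  # fixed length keeps serial || digest unambiguous

    def __init__(self):
        self._key = secrets.token_bytes(32)  # known only to the issuer
        self._spent = set()                  # serials already redeemed

    def _tag(self, serial, digest):
        return hmac.new(self._key, serial + digest, hashlib.sha256).digest()

    def issue(self, message):
        """Sell one stamp bound to the SHA-256 hash of `message`."""
        serial = secrets.token_bytes(self.SERIAL_LEN)
        digest = hashlib.sha256(message).digest()
        return {"serial": serial, "tag": self._tag(serial, digest)}

    def redeem(self, message, stamp):
        """Return "ok", "invalid" (forged or moved) or "already-spent"."""
        serial, tag = stamp.get("serial", b""), stamp.get("tag", b"")
        if len(serial) != self.SERIAL_LEN:
            return "invalid"
        digest = hashlib.sha256(message).digest()
        if not hmac.compare_digest(self._tag(serial, digest), tag):
            return "invalid"
        if serial in self._spent:
            return "already-spent"
        self._spent.add(serial)
        return "ok"


def demo():
    """Run the cases from the post on constructed messages."""
    issuer = StampIssuer()
    paid = b"Subject: contract\r\n\r\nPlease sign by Friday.\r\n"
    bulk = b"Subject: hot stock tip\r\n\r\nBuy now.\r\n"
    stamp = issuer.issue(paid)
    forged = {"serial": secrets.token_bytes(16), "tag": bytes(32)}
    return [
        issuer.redeem(bulk, stamp),    # stamp moved to a different message
        issuer.redeem(bulk, forged),   # stamp made up without the key
        issuer.redeem(paid, stamp),    # the message the stamp was bought for
        issuer.redeem(paid, stamp),    # same stamp presented a second time
    ]


if __name__ == "__main__":
    print(demo())
```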

Re: who says that spam doesn't cost the recipient money?

on 09.01.2007 15:45:06 by david20

In article <45a2a72b$0$49932$dbd4b001@news.wanadoo.nl>, Frank Slootweg writes:
>david20@alpha2.mdx.ac.uk wrote:
>> In article <45a26566$0$51364$dbd41001@news.wanadoo.nl>, Frank Slootweg writes:
>> >Markus Zingg wrote:
>> >[deleted]
>> >> I think we i.e. would see a lot less spam if providers finally would
>> >> start to firewall port 25 for their customers and force them to send
>> >> outgoing mail through their servers,
>> >
>> > My ISP is already doing this, but ...
>> >
>> >> applying monitoring for abuse at
>> >> the source, terminating violating customers etc.
>> >
>> >*that* bit isn't implemented and IMO *cannot* be implemented with the
>> >current technical standards.
>> >
>> > I (have to) send all my mail through my ISP's mail servers, i.e. also
>> >for my e-mail addresses, in *other* (than the ISP's) domains, which are
>> >*not* known by my ISP. It is not practical to inform my ISP of every new
>> >and obsolete e-mail address, and frankly it's none of their business
>> >what my (other) e-mail addresses are. They are my *ISP*, nothing more,
>> >nothing less.
>> >
>> > So for all intents and purposes, they *cannot* "apply monitoring for
>> >abuse", other than by *volume* (i.e. number of messages per unit of
>> >time), and that (volume) is yet another can of worms.
>> >
>> Well if SPF, or other similar proposals, ever really take off then you
>> will no longer be able to use your work's address (or any other
>> address except the one provided by the ISP) as the FROM address in
>> mail you send via your ISP unless you can convince the organisation
>> owning the domain of the address you want to use to add your ISP's
>> outgoing mail servers into their SPF DNS record. Which probably means
>> you won't be able to do it unless you own that domain and control its
>> DNS records.
>
> The "if" (in "if SPF ...") is a very big "if". I don't see it
>happening anytime soon, because ISPs and MSPs will lose (too?) many
>customers if these schemes are deployed and enforced. But time will
>tell.
>
Which is pretty much what I was saying at the end of my posting.
There are too many equivalent solutions with no clear favourite and
even when there are simple things which could be done like blocking port 25
too few organisations are prepared to implement them.


>> The ISP should also know what IP address it has handed you and hence
>> should know who was sending any particular mail irrespective of what
>> you had put in the from field. For any mail you send through them
>> from outside they should require you to use SMTP AUTH possibly on the
>> submission port rather than the normal mail port so that you are
>> authenticated. Some ISPs are already using SMTP AUTH and the
>> submission port for mail from their internal users as well.
>> (information on the real user who sent the mail can then be added into
>> the logs kept by the ISP and into the mail headers to allow easier
>> reporting of abuse back to the ISP).
>
> Sorry, but they won't know "*who* was sending any particular mail"
>(emphasis mine).
>
> For your run-of-the-mill consumer ISP, this is more theory than
>reality. I.e. I might be the *subscriber*, i.e. the one who pays the
>monthly fee, but I'm not the only *user* and not, at least not fully,
>responsible for what the other users (whether legit or illegit) do. I.e.
>the ISP can cancel my subscription if their connection is abused, but
>that's about it. If the subscription is cancelled, I can just go to the
>next ISP, ad infinitum.
>
> With the current state of affairs (including SPF et al), the premise
>that one can somehow tie an IP address to a name and person which sent a
>specific (set of) email message(s) and hold that person responsible, is
>mainly faulty.
>
> Analogy: My News server requires authentication (authinfo user/pass),
>i.e. similar to the SMTP authentication you mentioned. Can my NSP/ISP be
>sure that the *person* Frank Slootweg posted this article? No, not with
>any sufficient degree of certainty. They can only determine that the
>noted *IP address* was used, nothing more.
>
That is the nature of reality. Unless you have a CCTV camera recording who uses
a computer and everything done on that computer you can only ever track use
back to that computer and at most what account was logged in at the time.
Users have always wandered away from computers leaving them logged in for
others to use - whether at work or at home.

The best you can do is say that the owner of the computer/account is
responsible for all use or abuse of that computer or account.


David Webb
Security team leader
CCSS
Middlesex University



>[deleted]

Re: who says that spam doesn't cost the recipient money?

on 09.01.2007 17:59:50 by Mark Crispin

On Tue, 9 Jan 2007, David F. Skoll wrote:
> It's quite distressing to hear an e-mail pioneer say that, because
> I respect your opinion and give it great weight.

Not as distressing as it is for me to say it! Trust me on that... :-(

> Modern filters are pretty accurate; I still
> find e-mail very useful. A filter that gives you a web-based way to
> check a quarantine (and possibly e-mails a summary of trapped messages
> when you ask for it) is a simple way to greatly reduce connection
> charges while still letting you get at important mail.

The problem is that I have experienced false positives on vitally
important messages. During a one week period it was particularly awful
until the filters were fixed. The spammers had successfully poisoned the
filters.

False negatives are far more common -- dozens each day -- but the false
positives force me to review the index of the filtered messages and
occasionally even open a filtered message to see if it might be a false
positive. That's what caused that $100 worth of packet charges.

> It's not in the interest of spammers to kill off e-mail, so I think
> things will settle into an uneasy balance like a predator/prey
> ecology. Sure, every now and then the predators will increase to
> beyond what the ecology can support, but the situation will correct
> itself.

I am not so confident. As a hunter, I am quite aware of the fact that
"natural balance" is a pleasant myth that humans come up with to avoid
facing the fact that Mother Nature is a bitch. In real life, predators
*do* exterminate their prey, and as a result go extinct themselves.

Where there is "natural balance" is when humans have artificially created
it, by selective hunting by humans of both predators and prey to keep the
populations of both in stable (what we call "sustainable") proportions.

Spammers are best seen as being like locusts. They'll devastate a region,
and when there is nothing left they will move on. Spam has no future; it
will die when free email dies. But the sort of individual who becomes a
spammer will always find some new scam.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.

Re: who says that spam doesn't cost the recipient money?

on 09.01.2007 18:22:05 by Mark Crispin

On Tue, 9 Jan 2007, david20@alpha2.mdx.ac.uk wrote:
> Well a "stamp" would require encryption to prevent someone forging the stamp
> and some measure to prevent a stamp being reused on a different mail message.
> The simplest means to do that would be to tie it to a hash of the message.
> However then you have basically reinvented PGP or S/MIME.

Not quite. In order to make the service be worth the price of the stamp,
there will need to be delivery reliability and transport confidentiality,
neither of which the present SMTP infrastructure provides. PGP or S/MIME
merely signs/encrypts the contents.

> The only difference being that you also require an infrastructure for producing
> these stamps and paying for them (and some means of persuading everybody to
> adopt this fee-paying alternative to the "free" email).

Not with SMTP.

Ask yourself: what value is there to you of being able to shut down all
your individual and enterprise filters (not to mention the hardware
infrastructure to support it) because they are no longer needed?

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.

Re: who says that spam doesn't cost the recipient money?

on 09.01.2007 19:29:52 by Frank Slootweg

david20@alpha2.mdx.ac.uk wrote:
> In article <45a2a72b$0$49932$dbd4b001@news.wanadoo.nl>, Frank Slootweg writes:
[deleted]

> > The "if" (in "if SPF ...") is a very big "if". I don't see it
> >happening anytime soon, because ISPs and MSPs will lose (too?) many
> >customers if these schemes are deployed and enforced. But time will
> >tell.
> >
> Which is pretty much what I was saying at the end of my posting.
> There are too many equivalent solutions with no clear favourite and
> even when there are simple things which could be done like blocking port 25
> too few organisations are prepared to implement them.

Yes, you said that and I totally missed (i.e. it didn't sink in) what
you said and, to add insult to injury, I even snipped it. My apologies.

Note to self: Don't (try to) participate in these threads when having
a severe cold! :-)

[deleted]

--
Frank "Hmmm! Egg! Nice!" :-) Slootweg

Re: who says that spam doesn't cost the recipient money?

on 09.01.2007 20:00:28 by Markus Zingg

[snip]
>*that* bit isn't implemented and IMO *cannot* be implemented with the
>current technical standards.

An ISP could also spam filter outgoing mail. An ISP could run a
serious abuse desk and by combining both terminate spammers instantly.

> I (have to) send all my mail through my ISP's mail servers, i.e. also
>for my e-mail addresses, in *other* (than the ISP's) domains, which are
>*not* known by my ISP. It is not practical to inform my ISP of every new
>and obsolete e-mail address, and frankly it's none of their business
>what my (other) e-mail addresses are. They are my *ISP*, nothing more,
>nothing less.

That's not needed if you have your local server log into the ISP one
using authentication.

Look, if all ISPs really would block outgoing port 25 on all other IPs
than their own mail servers at least we no longer would see spam from
trojaned PCs. The one Russian stock spammer abuses currently a bot
net of 60'000 PCs. He's capable to fill each and every inbox out of
his target mail pool with several hundreds of such spams per day.
That's obviously completely useless cause a single spam actually
getting through the filters would do. However, apparently he does not
care or is having technical problems to do so. Anyways, such immense
abuse would immediately stop and no small organisation would be hindered
to run their own server except for having it smart host through the
ISP's servers which really is not having negative impact. If I analyze
the spams which are trapped on those sites where I have control, I
clearly see that the vast majority of spam is originating from
trojaned PCs. So I repeat, consequently blocking outgoing port 25
would cut off at least 70% of all spam instantly.

> So for all intents and purposes, they *cannot* "apply monitoring for
>abuse", other than by *volume* (i.e. number of messages per unit of
>time), and that (volume) is yet another can of worms.

They probably don't even have to if they seriously run an abuse desk
and act strictly if abuse happens.

>> A lot remains to be done on the legal/enforcing end of the issue, but
>> actually not so much on the technical side. Crime exists and is a
>> reality in all parts of our life. The problem with the internet is
>> that law enforcement does not yet work as it does in other areas of
>> life.
>
> If the involved countries *want*, a lot can be done on the legal side.
>
> Our Dutch anti-spam laws are quite strict and are heavily enforced
>with heavy penalties. Hence spam from Dutch origin has been reduced
>drastically.
>
> Now if other countries would follow in the same reign, the problem
>would be much smaller. However I think that the influence of the
>companies which sell anti-spam 'solutions'/'services' is way too big for
>this to happen.

We apparently fully agree here :-)

Markus

Re: who says that spam doesn't cost the recipient money?

on 09.01.2007 23:34:09 by DFS

Mark Crispin wrote:

> The problem is that I have experienced false positives on vitally
> important messages. During a one week period it was particularly awful
> until the filters were fixed. The spammers had successfully poisoned the
> filters.

> False negatives are far more common -- dozens each day -- but the false
> positives force me to review the index of the filtered messages and
> occasionally even open a filtered message to see if it might be a false
> positive. That's what caused that $100 worth of packet charges.

OK; the filters you are using don't seem to be state-of-the-art. I
get about 2 to 4 false-negatives a week, on average, and anywhere from 1
to 8 false-positives a week, depending on the week. My average
legitimate mail volume is around 150/day. With numbers like that, I can
live with checking a trap occasionally.

[...]

> Spammers are best seen as being like locusts. They'll devastate a region,
> and when there is nothing left they will move on. Spam has no future; it
> will die when free email dies. But the sort of individual who becomes a
> spammer will always find some new scam.

But if they kill off free e-mail and move on, then conditions will be
right for free e-mail again. It's not like nature where once a
species is extinct, that's it. We'll always be able to resurrect
e-mail any time we like.

I don't think that kind of oscillatory behaviour will happen. I think
we'll just reach a kind of equilibrium where filters make e-mail
usable for enough people that it doesn't disappear, and spammers
(unfortunately) get enough of a response rate to keep their scams
going.

Regards,

David.

Re: who says that spam doesn't cost the recipient money?

on 10.01.2007 01:34:56 by Mark Crispin

On Tue, 9 Jan 2007, David F. Skoll wrote:
> OK; the filters you are using don't seem to be state-of-the-art.

It's something called PureMessage from Sophos.

On top of that, I have Alpine set to mark as spam anything that's in a
character set that I do not read. I don't speak Greek, Hebrew, Arabic,
Russian, Chinese, Korean, etc.; so messages in those scripts are spam by
definition.

Of course, that causes a false positive if someone sends me a
bug report from one of those countries, and he has a signature in his
native script that causes the message charset to promote from US-ASCII to
that script... ;-(

Nor does that help with all the Japanese-language spam that I get, mostly
from Naninani-ko who has an embarrassing problem with her husband being
unable to fulfill her biological needs and can I help by signing up to her
pay chatline.............

Then, too, there is the sheer volume of traffic that hits UW. We have a
whole server farm dedicated to filtering, and it's at the point of
collapse under the load. And that's the messages which weren't blocked at
the SMTP level before ever getting to the filters.

> I
> get about 2 to 4 false-negatives a week, on average, and anywhere from 1
> to 8 false-positives a week, depending on the week.

8 false positives a week?!? That's way too high.

I've lost critical messages due to false positives, in spite of checking
for them. Any false positives are too many.

> My average
> legitimate mail volume is around 150/day.

My legitimate mail volume once was like that, but has plummeted like a
paralyzed falcon thanks to spam and the resulting unreliability of mail as
a communication medium. My legitimate mail volume is now firmly in
double-digit territory, and doesn't even approach triple-digit unless some
mailing list (lately, the Unicode related ones) gets frisky.

It's getting to be like panning for gold. The sluices help (a lot!) but
at some point someone has to go and check.

> > Spammers are best seen as being like locusts. They'll devastate a region,
> > and when there is nothing left they will move on. Spam has no future; it
> > will die when free email dies. But the sort of individual who becomes a
> > spammer will always find some new scam.
> But if they kill off free e-mail and move on, then conditions will be
> right for free e-mail again. It's not like nature where once a
> species is extinct, that's it. We'll always be able to resurrect
> e-mail any time we like.

I don't think so. Once fee-based email arrives, we're not likely to see
people want to go back to the many hassles of free email.

There's a huge pent-up demand for services that most of us do NOT want to
see happen, and that we've been able to block by claiming that it's too
technically difficult to do with free email. Imagine getting sued via
email. And worse.

> I don't think that kind of oscillatory behaviour will happen.

Sadly, yes; but for a different reason. It'll swing to sender-pays email
and then stop.

> I think
> we'll just reach a kind of equilibrium where filters make e-mail
> usable for enough people that it doesn't disappear, and spammers
> (unfortunately) get enough of a response rate to keep their scams
> going.

I've heard that claim for nearly a decade now, and I have seen no sign of
this happening. If anything, the technological warfare has escalated at a
sharper rate than ever before.

What is particularly aggravating is that BOTH sides of the battle are
taking our money. It isn't just the spammers and virus-writers; it's
those who claim to protect us from such. Neither side has an interest in
the battle ending, since that would end their revenue stream.

Tragedy of the Commons.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
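
The charset rule described in the post above, and the false positive it produces, as an added example that is not part of the original post and is not Alpine's code: it compares flagging by the declared charset with flagging by the share of letters in scripts the reader does not read. The readable charsets and scripts, the 0.5 limit and both sample messages are assumptions constructed for the illustration.

```python
import unicodedata
from email import message_from_bytes
from email.policy import default

# Assumptions for this example: what the reader can read, and the limit.
READABLE_CHARSETS = {"us-ascii", "iso-8859-1", "windows-1252"}
READABLE_SCRIPTS = {"LATIN"}
UNREAD_LIMIT = 0.5


def build(charset, body):
    """Build a constructed single-part text message in the given charset."""
    head = (
        "From: sender@example.org\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        f"Content-Type: text/plain; charset={charset}\r\n"
        "Content-Transfer-Encoding: 8bit\r\n"
        "\r\n"
    )
    raw = head.encode("ascii") + body.encode(charset)
    return message_from_bytes(raw, policy=default)


def script_of(ch):
    """First word of the Unicode character name, e.g. LATIN, GREEK, CYRILLIC."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def unread_fraction(text):
    """Share of letters that belong to a script outside READABLE_SCRIPTS."""
    letters = [ch for ch in text if ch.isalpha()]
    if not letters:
        return 0.0
    unread = sum(1 for ch in letters if script_of(ch) not in READABLE_SCRIPTS)
    return unread / len(letters)


def flag_by_charset(msg):
    """The rule from the post: any unread charset label marks the message."""
    charset = msg.get_content_charset() or "us-ascii"
    return charset not in READABLE_CHARSETS


def flag_by_content(msg, limit=UNREAD_LIMIT):
    """Alternative: mark only when most of the letters are unreadable."""
    return unread_fraction(msg.get_content()) > limit


# Constructed sample 1: an English bug report whose Greek signature forces
# the whole message to be labelled iso-8859-7.
BUG_REPORT = build(
    "iso-8859-7",
    "Alpine crashes when I open a folder with more than ten thousand messages.\r\n"
    "Steps to reproduce are attached below.\r\n"
    "-- \r\n"
    "Γιώργος Παπαδόπουλος\r\n"
    "Αθήνα\r\n",
)

# Constructed sample 2: a message written entirely in Russian (koi8-r).
RUSSIAN = build("koi8-r", "Это сообщение целиком на русском языке.\r\n")

if __name__ == "__main__":
    for name, msg in (("bug report", BUG_REPORT), ("russian", RUSSIAN)):
        print(
            name,
            "charset rule:", flag_by_charset(msg),
            "content rule:", flag_by_content(msg),
            "unread share: %.2f" % unread_fraction(msg.get_content()),
        )
```

The content rule still misfires on a short English note with a long foreign-script signature, so it narrows the false positive rather than removing it.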

Fee-based e-mail (was Re: who says that spam doesn't cost the recipient money?)

on 10.01.2007 02:51:00 by DFS

Mark Crispin wrote:

[...]

> Then, too, there is the sheer volume of traffic that hits UW. We have a
> whole server farm dedicated to filtering, and it's at the point of
> collapse under the load. And that's the messages which weren't blocked at
> the SMTP level before ever getting to the filters.

I feel your pain. :-(

Nevertheless, if you polled UW faculty and students and asked how many
would completely give up e-mail because it had become useless, I doubt
more than 10% would answer in the affirmative.

>> I
>> get about 2 to 4 false-negatives a week, on average, and anywhere from 1
>> to 8 false-positives a week, depending on the week.

> 8 false positives a week?!? That's way too high.

Not for me. I've tuned my filters to the way I like them; checking the
trap daily takes me around 2 minutes. I've lost maybe 2 messages
since 2002, and in both cases contacted the sender and apologized for
accidentally rejecting the mail -- in the end, no harm was done.

> I've lost critical messages due to false positives, in spite of checking
> for them. Any false positives are too many.

If you believe that, then I agree that no filter will be good enough.
It's impossible to write a content filter that catches most spam
without having it catch a little non-spam too.

[...]

> I don't think so. Once fee-based email arrives, we're not likely to see
> people want to go back to the many hassles of free email.

I run a few mailing lists, and fee-based e-mail would kill them. One
list I run has around 800 members and a daily volume of maybe 10
messages. I certainly couldn't afford to pay for sending 8,000
messages per day, even if each message cost 0.1 cents. I wouldn't pay
$240/month for the "privilege" of running a mailing list. And a cost
much below 0.1 cent/message would be too low to deter spammers anyway
(even if we naively believe they will pay for their spamming with
something other than a stolen credit card!)

> There's a huge pent-up demand for services that most of us do NOT want to
> see happen, and that we've been able to block by claiming that it's too
> technically difficult to do with free email. Imagine getting sued via
> email. And worse.

Fee-based e-mail won't happen. When the bad guys have access to
essentially unlimited bandwidth and computing resources, plus the
ability and willingness to lie, cheat and steal, all that fee-based
e-mail will bring is massive fraud and huge e-mail bills to
unsuspecting victims.

>> I think we'll just reach a kind of equilibrium where filters make
>> e-mail usable for enough people that it doesn't disappear, and
>> spammers (unfortunately) get enough of a response rate to keep
>> their scams going.

> I've heard that claim for nearly a decade now, and I have seen no sign of
> this happening. If anything, the technological warfare has escalated at a
> sharper rate than ever before.

Spam levels were reasonably stable for about a year until late last
year. I agree that there has been an increase lately, but it hasn't
become completely out-of-hand and I don't think it will. I think it
will continue to be an arms race.

> What is particularly aggravating is that BOTH sides of the battle
> are taking our money. It isn't just the spammers and virus-writers;
> it's those who claim to protect us from such. Neither side has an
> interest in the battle ending, since that would end their revenue
> stream.

:-) Well, we sell anti-spam software so I suppose we're considered
part of the problem. But believe me, if spam ended, I would be happy.
I'd just move on to write different kinds of software. There are
enough interesting software problems that there's plenty of
opportunity.

Regards,

David.

Re: Fee-based e-mail (was Re: who says that spam doesn't cost the recipient money?)

on 10.01.2007 03:37:36 by Mark Crispin

On Tue, 9 Jan 2007, David F. Skoll wrote:
> Nevertheless, if you polled UW faculty and students and asked how many
> would completely give up e-mail because it had become useless, I doubt
> more than 10% would answer in the affirmative.

It all depends. Techies are very different from, say, the Professors of
Classical Medieval Lower Slobbovian... ;-) Then there's the tribe that
thinks that Exchange is the best thing since sliced bread.

> Not for me. I've tuned my filters to the way I like them; checking the
> trap daily takes me around 2 minutes.

Wow. I spend more like an hour. But then again, I have to check the trap
far more frequently since some traffic requires real-time action. I use a
30% score as the razor that seems to compromise best between false
positives and false negatives. It was once considered "far too
aggressive", now it's considered "weak"... ;-)

> > I've lost critical messages due to false positives, in spite of checking
> > for them. Any false positives are too many.
> If you believe that, then I agree that no filter will be good enough.
> It's impossible to write a content filter that catches most spam
> without having it catch a little non-spam too.

Yeah. It's a tough problem.

> I run a few mailing lists, and fee-based e-mail would kill them.

This is the standard argument for free mail, typically held as the final
trump card in the argument. "There are all these valuable mailing lists
out there that would have to shut down."

That's not necessarily true. Mailing lists could go to a subscription
fee model or perhaps one in which the members leave SASEs on file with the
mailing list system.

> And a cost
> much below 0.1 cent/message would be too low to deter spammers anyway
> (even if we naively believe they will pay for their spamming with
> something other than a stolen credit card!)

I clearly understand that cost alone wouldn't be a deterrent to spammers.
What would change, however, is the current shotgun approach to spamming,
in which the spammer pays no attention to whether or not the spammed
address is valid.

> Fee-based e-mail won't happen. When the bad guys have access to
> essentially unlimited bandwidth and computing resources, plus the
> ability and willingness to lie, cheat and steal, all that fee-based
> e-mail will bring is massive fraud and huge e-mail bills to
> unsuspecting victims.

I wouldn't be so certain about that. Once governments get involved in the
e-postage business, there's a bit more concern about where the money comes
from and where it goes.

The main problem is hijacked PCs that have access to the user's e-stamp
bank. However, since this would be a new infrastructure, this problem
would be considered from the onset.

In theory, there's no reason why a hijacked PC can't use submission and
the user's submission authentication credentials. However, the bad guys
have to crack the software that uses it, and there are far more easy paths
using SMTP.

Then, too, with submission authentication credentials there is a direct
trail of accountability that doesn't exist with SMTP. Right now, tracking
down hijacked PCs by IP address is too much work to scale.

It's the lack of accountability that enables spam.

> Spam levels were reasonably stable for about a year until late last
> year. I agree that there has been an increase lately, but it hasn't
> become completely out-of-hand and I don't think it will.

Not just an increase, a substantial increase.

> I think it
> will continue to be an arms race.

That, we agree on.

However, in an arms race, eventually the peasants in the burned and
flattened villages get tired of the warlords tromping their way through.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.

Re: Fee-based e-mail (was Re: who says that spam doesn't cost the recipient money?)

on 10.01.2007 05:03:18 by DFS

Mark Crispin wrote:

> That's not necessarily true. Mailing lists could go to a subscription
> fee model or perhaps one in which the members leave SASEs on file with the
> mailing list system.

My mailing lists are for users of GPL'd software. I can't see many
people willing to pay. (Penalizing mailing lists would hit
open-source development teams particularly hard.)

> I clearly understand that cost alone wouldn't be a deterrent to spammers.
> What would change, however, is the current shotgun approach to spamming,
> in which the spammer pays no attention to whether or not the spammed
> address is valid.

Why would that change? A criminal won't care that he's wasting your money.

[...]

> I wouldn't be so certain about that. Once governments get involved in the
> e-postage business, there's a bit more concern about where the money comes
> from and where it goes.

The thing is, I don't think there's enough consensus on what to do to
get government involved. Besides, although spam is a problem, on the
scale of real problems facing the world (security, environmental
degradation, hunger, disease) it's pretty low. I just don't see any
governments seriously attempting to develop an alternative e-mail
system. Not for a decade or two at least.

> The main problem is hijacked PCs that have access to the user's e-stamp
> bank. However, since this would be a new infrastructure, this problem
> would be considered from the onset.

Would it? Technologists haven't had a good track record of predicting
the consequences of their technology. :-)

> In theory, there's no reason why a hijacked PC can't use submission and
> the user's submission authentication credentials. However, the bad guys
> have to crack the software that uses it, and there are far more easy paths
> using SMTP.

The curse of the Internet is that it takes one smart person to crack
the software, and a thousand dummies to purchase his simple-to-use exploit.

[...]

> However, in an arms race, eventually the peasants in the burned and
> flattened villages get tired of the warlords tromping their way through.

True. Possibly what will happen is that end-users whose providers don't
have good filters will migrate to gmail or other services with better
filters, and you'll see most e-mail going through a relatively small number
of providers with the resources to filter aggressively.

Regards,

David.

Re: Fee-based e-mail (was Re: who says that spam doesn't cost the recipient money?)

on 10.01.2007 06:57:53 by Mark Crispin

On Tue, 9 Jan 2007, David F. Skoll wrote:
> My mailing lists are for users of GPL'd software. I can't see many
> people willing to pay. (Penalizing mailing lists would hit
> open-source development teams particularly hard.)

Why do you say that? That seems to be saying that users of open source
software are freeloaders.

I'd pay to be on a mailing list for software that I care about. Maybe not
for the baby user mailing list ("what does CONTROL-C mean?") but probably
for announcements of new versions.

I might even pay a bit more than cost if I knew that sending a message to
the list would get back a more usable response than "RTFM."

I wouldn't pay for lists which are useless (the Macintosh lists being a
good example). But then again, I've unsubscribed from useless lists.

> > I clearly understand that cost alone wouldn't be a deterrent to spammers.
> > What would change, however, is the current shotgun approach to spamming,
> > in which the spammer pays no attention to whether or not the spammed
> > address is valid.
> Why would that change? A criminal won't care that he's wasting your money.

Since it is sender-pays, either the criminal is paying, or the criminal
has hijacked some legitimate user's payment means. Since the e-stamps are
government-issue, we're talking about something that is quite a bit more
tangible than computer time or network bandwidth.

The whole success of this rests upon security and integrity of the payment
means.

> > I wouldn't be so certain about that. Once governments get involved in the
> > e-postage business, there's a bit more concern about where the money comes
> > from and where it goes.
> The thing is, I don't think there's enough consensus on what to do to
> get government involved.

Trust me, the power of taxation (which in effect is what this is) is
incentive enough for governments. All we have to do is stop fighting them
from taxing us.

> I just don't see any
> governments seriously attempting to develop an alternative e-mail
> system. Not for a decade or two at least.

That's probably true. This is at least a 10-year project, more likely a
20-year project, and governments doing it mean that it will take longer.
The last attempt (X.400) failed miserably; although we were actively
sabotaging it at every opportunity.

> > The main problem is hijacked PCs that have access to the user's e-stamp
> > bank. However, since this would be a new infrastructure, this problem
> > would be considered from the onset.
> Would it? Technologists haven't had a good track record of predicting
> the consequences of their technology. :-)

The Law of Unintended Consequences always applies. No matter how secure
a mechanism may be, there will be those who fall to phishing (and worse,
who disregard all those security certificate warnings...). Unicode DNS
names have rendered DNS name based security checking worthless.

I don't think that cracked software giving up e-stamps will be the
problem. It's more likely to be social attacks.

> > In theory, there's no reason why a hijacked PC can't use submission and
> > the user's submission authentication credentials. However, the bad guys
> > have to crack the software that uses it, and there are far more easy paths
> > using SMTP.
> The curse of the Internet is that it takes one smart person to crack
> the software, and a thousand dummies to purchase his simple-to-use exploit.

True; but when someone cracks Outlook security, Microsoft gets annoyed.
When someone cracks government payment security, a government gets
annoyed.

Microsoft (well, other than a few fellow gun-nuts I know who work there)
doesn't have guns. Governments do; and unlike private entities
governments can (and do!) use their guns whenever they damn well want.

> > However, in an arms race, eventually the peasants in the burned and
> > flattened villages get tired of the warlords tromping their way through.
> True. Possibly what will happen is that end-users whose providers don't
> have good filters will migrate to gmail or other services with better
> filters, and you'll see most e-mail going through a relatively small number
> of providers with the resources to filter aggressively.

That's "the peasants will move to the walled cities" argument. It works
to a limited extent, but it isn't a solution.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.

Re: who says that spam doesn't cost the recipient money?

on 10.01.2007 08:45:49 by Peter Peters

On 08 Jan 2007 20:18:51 GMT, Frank Slootweg wrote:

>> Well if SPF, or other similar proposals, ever really take off then you
>> will no longer be able to use your work's address (or any other
>> address except the one provided by the ISP) as the FROM address in
>> mail you send via your ISP unless you can convince the organisation
>> owning the domain of the address you want to use to add your ISP's
>> outgoing mail servers into their SPF DNS record. Which probably means
>> you won't be able to do it unless you own that domain and control its
>> DNS records.
>
> The "if" (in "if SPF ...") is a very big "if". I don't see it
>happening anytime soon, because ISPs and MSPs will lose (too?) many
>customers if these schemes are deployed and enforced. But time will
>tell.

The only ones really controlling everything from nameserver up to the
sending mailclients are the big spamgangs. They already use SPF to
circumvent checks.

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

Re: who says that spam doesn't cost the recipient money?

on 10.01.2007 09:57:21 by Peter Peters

On Mon, 8 Jan 2007 12:16:04 -0800, Mark Crispin wrote:

>On Mon, 8 Jan 2007, patrick wrote:
>> When it can be determined that the sender of an email is the person they
>> claim to be with a verified return route, then email abuse will be
>> substantially reduced.
>
>When the sender of an email pays for the privilege, then email abuse will
>be substantially reduced.

If a trojan is sending out spam the owner of the PC would get billed.
But if he can make it clear he wasn't the one sending out the spam he
probably will not pay. And a lot of consumer laws give him the
privilege not to pay.

--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

Re: who says that spam doesn't cost the recipient money?

on 10.01.2007 14:20:10 by Steve Baker

On Tue, 09 Jan 2007 17:34:09 -0500, "David F. Skoll" wrote:

>OK; the filters you are using don't seem to be state-of-the-art. I
>get about 2 to 4 false-negatives a week, on average, and anywhere from 1
>to 8 false-positives a week, depending on the week. My average
>legitimate mail volume is around 150/day. With numbers like that, I can
>live with checking a trap occasionally.

Hmm. I don't see what your filters are gaining for you, except that you
can choose when to wade through all your spam. You still have to wade
through all of it, right?

--
Steve Baker

Re: Fee-based e-mail (was Re: who says that spam doesn't cost the recipient money?)

on 10.01.2007 15:21:50 by David Segall

Mark Crispin wrote:

>I clearly understand that cost alone wouldn't be a deterrent to spammers.
>What would change, however, is the current shotgun approach to spamming,
>in which the spammer pays no attention to whether or not the spammed
>address is valid.

Australia Post offers cheap postage to anyone who sends bulk mail but
charges significantly more than the standard postage for undeliverable
bulk mail. Perhaps a similar model of free or very cheap email,
regardless of quantity, and a large fee for undeliverable or
"unwanted" mail would be effective. Unwanted would be defined by
registration at a web site. Of course, the cost would be borne by the
sender.

Re: Fee-based e-mail (was Re: who says that spam doesn't cost the recipient money?)

on 10.01.2007 15:31:22 by David Segall

"David F. Skoll" wrote:

>I run a few mailing lists, and fee-based e-mail would kill them. One
>list I run has around 800 members and a daily volume of maybe 10
>messages. I certainly couldn't afford to pay for sending 8,000
>messages per day, even if each message cost 0.1 cents.

It is grossly off-topic but why does anyone use a mailing list? A
Usenet group allows people to download the posts on topics they are
interested in without being inundated with emails. A web based
discussion group has similar advantages and the better ones allow you
to request an email if there is a post in a thread you are following.

Re: who says that spam doesn't cost the recipient money?

on 10.01.2007 16:52:23 by Frank Slootweg

Markus Zingg wrote:
> [snip]
> >*that* bit isn't implemented and IMO *cannot* be implemented with the
> >current technical standards.
>
> An ISP could also spam filter outgoing mail.

I don't think many people would like that. I think I wouldn't like it.

If the presumed spam is *rejected* during submission, then it might be
acceptable in most (but not all) cases. But if it *bounces* *later*, I
think it's unacceptable, because that means one would have to check each
and every sent e-mail for a possible bounce, which might come *much*
later.

> An ISP could run a serious abuse desk and by combining both terminate
> spammers instantly.

But they could only do so if they limit the number of sent messages
per unit of time. If they don't, they can only react after the fact,
when the spammer is long gone (Note: The spammer is not necessarily the
(legit) owner/user of the (client) machine, but most likely
someone who hijacked/trojaned it.)

> > I (have to) send all my mail through my ISP's mail servers, i.e. also
> >for my e-mail addresses, in *other* (than the ISP's) domains, which are
> >*not* known by my ISP. It is not practical to inform my ISP of every new
> >and obsolete e-mail address, and frankly it's none of their business
> >what my (other) e-mail addresses are. They are my *ISP*, nothing more,
> >nothing less.
>
> That's not needed. if you have your local server log into the ISP one
> using authentication.

"authentication" is an ambiguous term. If you mean SMTP
authentication, i.e. with a logon/password, then you're right. But as
far as I know the use of *both* blocking outgoing port 25 *and* SMTP
authentication is uncommon. I.e. most ISPs use one *or* the other. Mine
uses the former (blocking outgoing port 25). They don't do SMTP
authentication, 'because' they do authentication on IP (i.e. if it comes
from one of their IPs it's assumed to be OK).

> Look, if all ISPs really would block outgoing port 25 on all other IPs
> than their own mail servers at least we no longer would see spam from
> trojaned PC's.

Sorry, but I think this assumption is false.

There was a time when certain viruses used the infected PC's default
mailserver by getting the SMTP server name from the registry [1]. Yes
that was about viruses and infected PC's, but there's no real difference
between virus-infected PC's and trojaned PC's. I do not know *if*
spammers currently use this technique (or have used it), but they
*could* use it. So blocking outgoing port 25 *by itself* does not help
at all.

I don't know if SMTP authentication prevents the above mentioned
trojaned spamming technique. I think the (SMTP authentication)
login/password is also in the registry, but I don't know whether it can
be exploited by spamware. (From looking at the POP login/password
information, it *looks* like it is exploitable, but I don't *know*.)

> The one Russian stock spammer abuses currently a bot
> net of 60'000 PCs. He's capable to fill each and every inbox out of
> his target mail pool with several hundreds of such spams per day.
> That's obviously completely useless cause a single spam actually
> getting through the filters would do. However, apparently he does not
> care or is having technical problems to do so. Anyways, such immense
> abuse would immediately stop and no small organisation would be hindered
> to run their own server except for having it smart host through the
> ISP's servers which really is not having negative impact. If I analyze
> the spams which are trapped on those sites where I have control, I
> clearly see that the vast majority of spam is originating from
> trojaned PCs. So I repeat, consequently blocking outgoing port 25
> would cut off at least 70% of all spam instantly.

I don't think so. See above.

> > So for all intents and purposes, they *cannot* "apply monitoring for
> >abuse", other than by *volume* (i.e. number of messages per unit of
> >time), and that (volume) is yet another can of worms.
>
> They probably don't even have to if they seriously run an abuse desk
> and act strictly if abuse happens.

I don't think so. See above. I.e. the spammer just switches to another
trojaned PC and the whole mess starts all over again.

[agreed upon stuff deleted]

[1] I don't know if this key is the one which the virus/spamware writers
use, but this registry key contains my default SMTP server name:

HKEY_USERS\S-...\Software\Microsoft\Internet Account Manager\
Accounts\00000001\SMTP Server

Probably the account number of the default account (00000001 in my
example) is available from some other key.

Re: who says that spam doesn't cost the recipient money?

on 10.01.2007 19:54:07 by Mark Crispin

On Wed, 10 Jan 2007, Peter Peters wrote:
> >When the sender of an email pays for the privilege, then email abuse will
> >be substantially reduced.
> If a trojan is sending out spam the owner of the PC would get billed.
> But if he can make it clear he wasn't the one sending out the spam he
> probably will not pay. And a lot of consumer laws give him the
> privilege not to pay.

Under a postage system, it isn't a question of whether or not he pays; but
rather a question of whether or not he gets a refund for the stolen stamps
that he already paid for.

If you have a prepay mobile phone, and someone steals your SIM card and
uses it to spam, how easy is it for you to get a refund for that stolen
time?

The other limiting factor is that, since the stamps are prepaid, there is
a limit to how much spam can be sent before the account runs out of
stamps. Few private individuals need the capability to send millions of
emails a day. The entities that legitimately need that capability (those
who send "ham" as opposed to "spam") are generally not private individuals
and can afford to pay for the privilege.

What's more, I think that the senders of "ham" would be pleased to pay in
an environment where their ham is not blocked as spam.

Of course, what constitutes ham vs. spam is up to some debate; but I'm
considerably more willing to consider a communication to be ham if I know
that the sender paid for me to look at it.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.

Re: Fee-based e-mail (was Re: who says that spam doesn't cost the recipient money?)

on 10.01.2007 19:57:09 by Mark Crispin

On Wed, 10 Jan 2007, David Segall wrote:
> Australia Post offers cheap postage to anyone who sends bulk mail but
> charges significantly more than the standard postage for undeliverable
> bulk mail.

That's a great idea. In the US, it just gets discarded or delivered to
whomever is at that address today.

Huge amounts of mail still arrive on a daily basis for addresses at the
World Trade Center, more than 5 years after it was destroyed.

Of course, in the US, bulk mail is what they put under the tires of the
mail trucks when they are stuck in the snow...

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.

Re: Fee-based e-mail (was Re: who says that spam doesn't cost the recipient money?)

on 10.01.2007 20:00:56 by Mark Crispin

On Wed, 10 Jan 2007, David Segall wrote:
> It is grossly off-topic but why does anyone use a mailing list? A
> Usenet group allows people to download the posts on topics they are
> interested in without being inundated with emails. A web based
> discussion group has similar advantages and the better ones allow you
> to request an email if there is a post in a thread you are following.

Mailing lists are quite useful for "ham", and universities generate a lot
of it. Every class has its own mailing list.

Mailing lists are very useful for closed communities. Web based groups
can do the same thing, but require logging into the web page.

I agree that there are a lot of mailing lists which are relics of the
past, and being open communities probably should be migrated to newsgroups
or web based groups.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.

Re: who says that spam doesn't cost the recipient money?

on 11.01.2007 00:53:53 by DFS

Steve Baker wrote:

> Hmm. I don't see what your filters are gaining for you, except that you
> can choose when to wade through all your spam. You still have to wade
> through all of it, right?

No. I have an auto-reject threshold that nukes a lot of stuff I never
see. That threshold is safe enough that I have never had a false-positive.

For the held messages, my filters sort by spam score. All the
questionable ones tend to have a score near the hold threshold.
Beyond a certain score, it takes literally one second to glance at the
subject and sender to know for sure that it's spam. In particular,
because our filters tempfail suspect mail, a lot of spambots try again
with the same bizarre sender address but a mutated subject. These
stick out like sore thumbs, and I can reject handfuls of those per
second.

I also use greylisting, which stops a lot of stuff that I never
have to look at.

In the end, what I gain is a clean inbox, and much less likelihood of
missing a ham in all the spam.

Regards,

David.
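The triage David describes above (an auto-reject threshold, a hold threshold, review sorted by score, and tempfailed spambots retrying with the same sender but a mutated subject), as an added sketch that is not part of the original post and is not MIMEDefang code. The threshold values, the similarity cut-off, the field names and the sample queue are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from difflib import SequenceMatcher
from itertools import combinations

# Assumed values: the post names the two thresholds but gives no numbers.
HOLD_THRESHOLD = 5.0      # at or above: tempfail and hold for review
REJECT_THRESHOLD = 15.0   # at or above: rejected outright, never reviewed


@dataclass(frozen=True)
class Msg:
    sender: str    # envelope sender
    subject: str
    score: float   # spam score from whatever filter is in use


def disposition(msg):
    """Map a spam score to one of the three outcomes in the post."""
    if msg.score >= REJECT_THRESHOLD:
        return "reject"
    if msg.score >= HOLD_THRESHOLD:
        return "hold"
    return "accept"


def triage(messages):
    """Bin messages; held mail is sorted highest score first, so the
    questionable ones (near the hold threshold) end up last."""
    bins = {"accept": [], "hold": [], "reject": []}
    for m in messages:
        bins[disposition(m)].append(m)
    bins["hold"].sort(key=lambda m: m.score, reverse=True)
    return bins


def mutated_retries(held, min_similarity=0.6):
    """Find senders whose held mail carries similar but not identical
    subjects. A real MTA retrying after a tempfail resends the same
    message, so identical subjects collapse and are not reported."""
    subjects = defaultdict(set)
    for m in held:
        subjects[m.sender.lower()].add(m.subject)
    clusters = {}
    for sender, subs in subjects.items():
        hits = set()
        for a, b in combinations(sorted(subs), 2):
            ratio = SequenceMatcher(None, a.lower(), b.lower()).ratio()
            if ratio >= min_similarity:
                hits.update((a, b))
        if hits:
            clusters[sender] = sorted(hits)
    return clusters


# Constructed sample queue (not real traffic).
SAMPLE_QUEUE = [
    Msg("alice@example.org", "Lunch on Friday?", 0.4),
    Msg("qz81xk@example.net", "Hot stock alert xkq1", 9.5),
    Msg("qz81xk@example.net", "Hot stock alert zpw7", 9.7),   # mutated retry
    Msg("list@example.com", "Meeting notes for Tuesday", 5.2),
    Msg("list@example.com", "Invoice 4471 attached", 5.4),    # unrelated mail
    Msg("bob@example.org", "Re: patch review", 5.1),
    Msg("bob@example.org", "Re: patch review", 5.1),          # genuine retry
    Msg("promo@example.net", "Cheap meds", 22.0),
]

if __name__ == "__main__":
    bins = triage(SAMPLE_QUEUE)
    for m in bins["hold"]:
        print(f"{m.score:5.1f}  {m.sender:22}  {m.subject}")
    print(mutated_retries(bins["hold"]))
```

The cluster report is a review aid for the held queue, not an automatic reject: two unrelated messages from one legitimate sender fall below the similarity cut-off, but a sender who reuses a subject template would not.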

Re: Fee-based e-mail (was Re: who says that spam doesn't cost the recipient money?)

on 11.01.2007 01:04:09 by DFS

Mark Crispin wrote:

>> My mailing lists are for users of GPL'd software. I can't see many
>> people willing to pay. (Penalizing mailing lists would hit
>> open-source development teams particularly hard.)

> Why do you say that? That seems to be saying that users of open source
> software are freeloaders.

They may not be freeloaders, but I know from experience that it's very
hard to get money from people who use open-source software. (I have nothing
against that: My company runs entirely on open-source software. And we
don't pay anyone for support, so I guess we're typical. :-))

> I'd pay to be on a mailing list for software that I care about. Maybe not
> for the baby user mailing list ("what does CONTROL-C mean?") but probably
> for announcements of new versions.

There are 800 people on my list. I suspect fewer than 80 would pay to be
on it, and having such a reduced community would have a negative effect on
the software's development.

[...]

> The whole success of this rests upon security and integrity of the payment
> means.

And there's the rub.

>> The thing is, I don't think there's enough consensus on what to do to
>> get government involved.

> Trust me, the power of taxation (which in effect is what this is) is
> incentive enough for governments. All we have to do is stop fighting them
> from taxing us.

Framing the problem that way is unlikely to garner support from most
e-mail users or Internet advocates.

>> I just don't see any
>> governments seriously attempting to develop an alternative e-mail
>> system. Not for a decade or two at least.

> That's probably true. This is at least a 10-year project, more likely a
> 20-year project, and governments doing it mean that it will take longer.
> The last attempt (X.400) failed miserably; although we were actively
> sabotaging it at every opportunity.

OK.

[...]

> I don't think that cracked software giving up e-stamps will be the
> problem. It's more likely to be social attacks.

Given the state of PC security today (and for the foreseeable future),
I think the only way to secure the system would be to have
special-purpose, secure, closed-hardware devices for sending e-mail,
and not allow any other devices to send e-mail. I don't see people
accepting that.

> True; but when someone cracks Outlook security, Microsoft gets annoyed.
> When someone cracks government payment security, a government gets
> annoyed.

And what can/will the government do about it? Heck, they can't even get
e-voting secured. (Of course, maybe there's less incentive to try
to protect democracy than to raise taxes.)

> Microsoft (well, other than a few fellow gun-nuts I know who work there)
> doesn't have guns. Governments do; and unlike private entities
> governments can (and do!) use their guns whenever they damn well want.

So the US government determines that some Russian criminal gang has
committed mass fraud. What then? Even government power runs into
limits at some point. I would think that would be particularly
obvious nowadays.

[...]

>> True. Possibly what will happen is that end-users whose providers don't
>> have good filters will migrate to gmail or other services with better
>> filters, and you'll see most e-mail going through a relatively small
>> number of providers with the resources to filter aggressively.

> That's "the peasants will move to the walled cities" argument. It works
> to a limited extent, but it isn't a solution.

I didn't propose it as a solution, just a possible outcome.

Regards,

David.

Why mailing lists (was Re: Fee-based e-mail (was Re: who says that spam doesn't cost...))

on 11.01.2007 01:07:25 by DFS

David Segall wrote:

> It is grossly off-topic but why does anyone use a mailing list? A
> Usenet group allows people to download the posts on topics they are
> interested in without being inundated with emails. A web based
> discussion group has similar advantages and the better ones allow you
> to request an email if there is a post in a thread you are following.

Most Web based discussion-group software is crap (pardon the language.)

Usenet groups are better, but some people (like me) like to archive
mailing list traffic, and the tools to do that are more easily available
for e-mail than Usenet. In fact, there are many tools for sorting out
your e-mail so the end-user experience is similar to Usenet anyway.

An e-mail list is also useful if you're disconnected from the Internet,
but have a local copy of your mail folders.

Regards,

David.

Re: Fee-based e-mail (was Re: who says that spam doesn't cost the recipient money?)

on 11.01.2007 01:39:31 by Mark Crispin

On Wed, 10 Jan 2007, David F. Skoll wrote:
> They may not be freeloaders, but I know from experience that it's very
> hard to get money from people who use open-source software.

I agree; asking for voluntary donations is an exercise in futility. On
the other hand, charging for value-added services (as opposed to software)
sometimes gets results. That is, after all, the business model used by
the various Linux vendors.

> > I'd pay to be on a mailing list for software that I care about. Maybe not
> > for the baby user mailing list ("what does CONTROL-C mean?") but probably
> > for announcements of new versions.
> There are 800 people on my list. I suspect fewer than 80 would pay to be
> on it, and having such a reduced community would have a negative effect on
> the software's development.

Maybe, maybe not. There's no way of knowing without trying. I suspect
that the people who actually care enough about the software would pay a
modest fee to be part of the community.

> > Trust me, the power of taxation (which in effect is what this is) is
> > incentive enough for governments. All we have to do is stop fighting them
> > from taxing us.
> Framing the problem that way is unlikely to garner support from most
> e-mail users or Internet advocates.

I agree with the latter. The former is a different matter. I observe the
usage of email declining over time as it becomes more of a sewer and less
of a useful mechanism.

I also observe that many of the kids prefer texting and IM over email; to
them, email is old clanky technology that their parents use.

> Given the state of PC security today (and for the foreseeable future),
> I think the only way to secure the system would be to have
> special-purpose, secure, closed-hardware devices for sending e-mail,
> and not allow any other devices to send e-mail. I don't see people
> accepting that.

I think that you're too pessimistic.

Most PC security issues were directly brought on by the environment in
which PCs originated. The whole "PC Revolution" mindset of the 1980s was
very anti-security; people wanted to have a machine in which you could do
whatever you wanted without those fascist-pig sysadmins imposing that
nasty security on you. This all predates Microsoft by quite a while.

In hindsight, this mindset was foolish; and certainly Microsoft, Apple,
Netscape, SUN, etc. were inexcusably slow in deploying security solutions
and cocky about being "good enough." But the mindset today that "it's all
Microsoft's fault" is equally foolish; there's plenty of blame to go
around.

Looking at things objectively, Windows XP SP2 is pretty good for security,
and Vista should be much better. So are modern Mac OS X and Linux. Most
successful attacks today are social, and involve tricking the user into
doing something detrimental. User education is, to my mind, the single
most important security task for the coming decade.

> > True; but when someone cracks Outlook security, Microsoft gets
> > annoyed. When someone cracks government payment security, a government
> > gets annoyed.
> And what can/will the government do about it? Heck, they can't even get
> e-voting secured. (Of course, maybe there's less incentive to try
> to protect democracy than to raise taxes.)

Voting is a cost to the government. The government makes money on taxes,
and on the sales of various sorts of stamps. Cheat on a few thousand
votes, and they largely shrug their shoulders; fail to buy the proper tax
stamps, and they're all over you.

> So the US government determines that some Russian criminal gang has
> committed mass fraud. What then? Even government power runs into
> limits at some point. I would think that would be particularly
> obvious nowadays.

Who said that the US government would enforce email stamp fees on Russian
criminal gangs? That's not how it works for posts.

Governments figured it out for posts a long time ago. They do it quite
well, even when the two countries don't like each other very well.

International fraud is a different (and more difficult) matter; but we're
not talking about that. We're talking about making senders pay for
email transmission and delivery.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.

Re: Fee-based e-mail (was Re: who says that spam doesn't cost the recipient money?)

on 11.01.2007 03:47:45 by DFS

Mark Crispin wrote:

[A lot deleted, to get to the essential point:]

> We're talking about making senders pay for email transmission and delivery.

How can you *make* senders pay? You would have to prevent people from
using SMTP and force them to use NewSMTP to enforce payment. You'd
have to actively go after and (presumably) prosecute those who dare to
run SMTP servers that accept free e-mail. Or you'd have to impose
massive control on the Internet to monitor e-mail traffic and know who
to charge, or impose on ISPs the duty to ensure no free e-mail traffic
flows.

Unless a significant number of people voluntarily agree to stop using
SMTP for receiving e-mail and insist that senders use NewSMTP, it won't
happen. If the government tries to force it on people, they'll revolt.

I'll wager that we'll all be using IPv6 before a viable sender-pays e-mail
system is in common use.

Regards,

David.

OT: Making money on open-source (was Re: Fee-based e-mail (was Re: who says ...))

on 11.01.2007 04:07:50 by DFS

Mark Crispin wrote:

> I agree; asking for voluntary donations is an exercise in futility. On
> the other hand, charging for value-added services (as opposed to software)
> sometimes gets results. That is, after all, the business model used by
> the various Linux vendors.

It's an extremely difficult business model. Very few companies can do it.

I used to be a consultant doing value-added work using free software.
I made a pretty good living for a one-person shop. But it wouldn't
have been enough to build a bigger business around.

> Maybe, maybe not. There's no way of knowing without trying. I suspect
> that the people who actually care enough about the software would pay a
> modest fee to be part of the community.

Back in March, 2002, I posted on the MIMEDefang list (the list I run)
that I had a cool idea for an anti-spam system, and asked if anyone
wanted to sponsor development, after which I'd GPL the result. No-one
showed any interest. So I quit consulting and sat in my basement
programming for six months. We now have a commercial product based on
MIMEDefang that has grown our company to 10 people. It's a
traditional proprietary software product, although you do get the
source code and are allowed to modify it for your own use.

We found that people are *much* more comfortable with the traditional
software model and that it's far easier to build a business around
that model, even if you keep the core engine GPL'd and give source to
your customers.

Regards,

David.

Re: OT: Making money on open-source (was Re: Fee-based e-mail (was Re: who says ...))

on 11.01.2007 04:49:00 by Mark Crispin

On Wed, 10 Jan 2007, David F. Skoll wrote:
> We now have a commercial product based on
> MIMEDefang that has grown our company to 10 people. It's a
> traditional proprietary software product, although you do get the
> source code and are allowed to modify it for your own use.

That's what I was talking about. There are fanatics who think that if it
isn't GPL, it's evil; but I am not one of those.

> We found that people are *much* more comfortable with the traditional
> software model and that it's far easier to build a business around
> that model, even if you keep the core engine GPL'd and give source to
> your customers.

Indeed.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.

Re: Fee-based e-mail (was Re: who says that spam doesn't cost the recipient money?)

on 11.01.2007 05:07:59 by Mark Crispin

On Wed, 10 Jan 2007, David F. Skoll wrote:
> How can you *make* senders pay? You would have to prevent people from
> using SMTP and force them to use NewSMTP to enforce payment.

I fully expect that SMTP will die. It's not a matter of "if", but rather
"when". We've gotten over 24 years of service out of SMTP (I wrote one of
the first SMTP implementations), but the time to retire it is at hand.

Sadly, there's nothing waiting in the wings to replace it; and many people
still feel that, somehow, SMTP will weather the current crisis. Will it
take another order of magnitude increase in spam volume (which is what
happened last year)?

> You'd
> have to actively go after and (presumably) prosecute those who dare to
> run SMTP servers that accept free e-mail. Or you'd have to impose
> massive control on the Internet to monitor e-mail traffic and know who
> to charge, or impose on ISPs the duty to ensure no free e-mail traffic
> flows.

I propose neither; although a mass shutdown of a protocol has happened in
the past.

You are thinking on the lines of "the freeway has no tolls, so why would
anyone want to use the turnpike?" I am thinking on the lines of "the
freeway has stop and go traffic for miles; it'll take an hour for me to
get there. If I pay $1 for the turnpike, I'll be there in 5 minutes."

What is also overlooked is that the freeway isn't really free; we're
paying the same fees (if not more) as for the turnpike. It's just that
the freeway fees are indirect.

The flaw in my argument is that it skates awfully close to the thin ice
against network neutrality. To get towards safer ice, let me make clear
that I support network neutrality in terms of equal access from clients to
content providers; I do not want my ISP to dictate how well a content
provider is allowed to serve me.

How well someone else is allowed to access my services (including the
service of sending me email) is another matter entirely. Of course,
neither side of the network neutrality argument sees it that way. To
quote Treebeard the ent in "The Lord of the Rings": "I am not altogether
of anyone's side, since nobody is altogether on my side."

I agree that there is no simple, "magic bullet" answer. It will be a
long, protracted process with many pitfalls and detours on the way.

On the other hand, the lack of an easy answer shouldn't stop us from
seeking an answer. Continuing with early 1980s technology that was
designed for a 2-digit node ARPAnet (with scaling to a 4-digit node count)
is not that answer.

> Unless a significant number of people voluntarily agree to stop using
> SMTP for receiving e-mail and insist that senders use NewSMTP, it won't
> happen. If the government tries to force it on people, they'll revolt.

I don't see much sign of revolt in countries such as China, Cuba, Iran,
Saudi Arabia, etc. where there are extensive controls over Internet.

> I'll wager that we'll all be using IPv6 before a viable sender-pays e-mail
> system is in common use.

I won't take that wager; you're probably right. On the other hand, IPv6
is happening a lot faster than anyone is willing to believe.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.

Re: Fee-based e-mail (was Re: who says that spam doesn't cost the recipient money?)

on 11.01.2007 05:24:16 by DFS

Mark Crispin wrote:

> I fully expect that SMTP will die. It's not a matter of "if", but rather
> "when". We've gotten over 24 years of service out of SMTP (I wrote one of
> the first SMTP implementations), but the time to retire it is at hand.

> Sadly, there's nothing waiting in the wings to replace it; and many people
> still feel that, somehow, SMTP will weather the current crisis. Will it
> take another order of magnitude increase in spam volume (which is what
> happened last year)?

People were predicting the death of Usenet due to spam, also, and
Usenet is older than SMTP. I expect you're right, and that SMTP will
eventually go away. But I don't think that non-free e-mail is as
useful as free e-mail, and that if whatever replaces SMTP requires
fees to send e-mail, then someone will come up with another protocol
that permits free e-mail.

> I propose neither; although a mass shutdown of a protocol has happened in
> the past.

The last time a massive shutdown of a protocol happened on the Internet
was 24 years ago, I believe, when it transitioned from NCP to TCP/IP.
The Internet was very different then, making such a transition feasible.

Introduction of the DNS also happened when the Internet was pretty small
and centrally-controlled.

> You are thinking on the lines of "the freeway has no tolls, so why would
> anyone want to use the turnpike?" I am thinking on the lines of "the
> freeway has stop and go traffic for miles; it'll take an hour for me to
> get there. If I pay $1 for the turnpike, I'll be there in 5 minutes."

> What is also overlooked is that the freeway isn't really free; we're
> paying the same fees (if not more) as for the turnpike. It's just that
> the freeway fees are indirect.

Freeways and toll roads coexist. If free-email and sender-paid e-mail
coexisted, that would be fine. If you only wanted to accept e-mail
that arrived on the toll road, that would be your choice and would be
fine.

> On the other hand, the lack of an easy answer shouldn't stop us from
> seeking an answer. Continuing with early 1980s technology that was
> designed for a 2-digit node ARPAnet (with scaling to a 4-digit node count)
> is not that answer.

I don't think the technology is the issue. It's a matter of
philosophy. Do you think it's a good thing to be able to send e-mail
without paying per-message and without strong authentication? I
happen to think it is, and any protocol that permits those two things
will (unfortunately) be open to abuse.

>> Unless a significant number of people voluntarily agree to stop using
>> SMTP for receiving e-mail and insist that senders use NewSMTP, it won't
>> happen. If the government tries to force it on people, they'll revolt.

> I don't see much sign of revolt in countries such as China, Cuba, Iran,
> Saudi Arabia, etc. where there are extensive controls over Internet.

I don't really want to live in a society like China, Cuba, Iran or
Saudi Arabia, thanks. Those countries have plenty of sinister reasons
for opposing non-authenticated e-mail. In my opinion, that makes it
all the more important to ensure that free and non-authenticated
e-mail can flow.

Regards,

David.

Re: Fee-based e-mail (was Re: who says that spam doesn't cost the recipient money?)

on 11.01.2007 06:00:24 by Mark Crispin

On Wed, 10 Jan 2007, David F. Skoll wrote:
> People were predicting the death of Usenet due to spam, also, and
> Usenet is older than SMTP.

Yes, but a lot of people who once participated on USENET have given up on
it.

Some people say "people are still going downtown to shop", ignoring the
full parking lots at the suburban malls (and Wal-Mart). [There's the
counter argument that downtown has parking meters that are enforced by
meter maids...]

> The last time a massive shutdown of a protocol happened on the Internet
> was 24 years ago, I believe, when it transitioned from NCP to TCP/IP.

Actually, there've been a few major changes to routing protocols since
then...

> The Internet was very different then, making such a transition feasible.

Indeed; but we still act as if there was a benevolent dictatorship that
will take care of things, and we're wandering around stunned that it isn't
being taken care of.

> Freeways and toll roads coexist. If free-email and sender-paid e-mail
> coexisted, that would be fine. If you only wanted to accept e-mail
> that arrived on the toll road, that would be your choice and would be
> fine.

I want to go a bit beyond that; to create a toll road that is so
attractive that the freeway is abandoned.

> Do you think it's a good thing to be able to send e-mail
> without paying per-message and without strong authentication?

I once did. I no longer do.

Instead of paying to send the relatively small number of messages that I
send, I currently pay a much larger fee to receive the huge volume of
incoming messages, more than 95% of which is spam.

Some of that latter fee is in direct cash cost (the anecdote which started
this thread). The other part is in my time, which as I age is becoming
ever more valuable to me.

> I don't really want to live in a society like China, Cuba, Iran or
> Saudi Arabia, thanks.

Nor do I; although there seem to be an awful lot of people in this part of
the world who think that Cuba is a paradise on earth. [If you really want
to offend someone here, wear a T-shirt with Che's picture in a target.]

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.

Re: Fee-based e-mail (was Re: who says that spam doesn't cost the recipient money?)

on 11.01.2007 06:10:52 by Jem Berkes

> On Wed, 10 Jan 2007, David F. Skoll wrote:
>> People were predicting the death of Usenet due to spam, also, and
>> Usenet is older than SMTP.
>
> Yes, but a lot of people who once participated on USENET have given up
> on it.
>
> Some people say "people are still going downtown to shop", ignoring
> the full parking lots at the suburban malls (and Wal-Mart). [There's
> the counter argument that downtown has parking meters that are
> enforced by meter maids...]

I'm rusty on my USENET, but as I understand it there are decentralized
methods for cancelling spam. A lot of this is automated now, so newsgroups
with active participation are actively policed by members and ISPs to keep
the spam out of it. In fact I believe there are some 'blackhat' tools used
by many whitehats to cancel spam posts, and keep groups clean. See
Breidbart index, cancelbot, etc.

Email seems to be a more hostile environment though for various reasons.

--
Jem Berkes
www.sysdesign.ca

Re: who says that spam doesn't cost the recipient money?

on 11.01.2007 08:45:38 by Peter Peters

On 10 Jan 2007 15:52:23 GMT, Frank Slootweg wrote:

> There was a time when certain viruses used the infected PC's default
>mailserver by getting the SMTP server name from the registry [1]. Yes
>that was about viruses and infected PC's, but there's no real difference
>between virus-infected PC's and trojaned PC's. I do not know *if*
>spammers currently use this technique (or have used it), but they
>*could* use it. So blocking outgoing port 25 *by itself* does not help
>at all.

There are new spam trojans that try to use smtp. and
mx(#). addresses to send out their spam. We have had a number of
these. Our monitoring system detects spam runs on our system. If
possible we stop the offending machine and clean out the queues. But
sometimes (in the middle of the night) spam can get out.

Sometimes resulting in blacklisting of our mailservers.

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
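The volume-based detection of spam runs that Peter mentions above, which an earlier post in the thread names as the only monitoring left to an ISP that authenticates by IP, as an added sketch; it is not the University of Twente's monitoring system. The window, the limit and the relay records are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed policy values; the thread gives no numbers.
WINDOW_SECONDS = 600          # sliding window length
MAX_RCPTS_PER_WINDOW = 100    # recipients one client may address per window


def detect_spam_runs(records, window=WINDOW_SECONDS, limit=MAX_RCPTS_PER_WINDOW):
    """records: iterable of (epoch_seconds, client_ip, recipient_count),
    one per message relayed through the smarthost.
    Returns {client_ip: timestamp at which the limit was first exceeded}."""
    recent = defaultdict(deque)   # ip -> (timestamp, recipients) inside window
    totals = defaultdict(int)     # ip -> recipients currently inside window
    flagged = {}
    for ts, ip, rcpts in sorted(records):
        queue = recent[ip]
        queue.append((ts, rcpts))
        totals[ip] += rcpts
        # Drop entries that have aged out of the window before judging.
        while queue and queue[0][0] <= ts - window:
            _, old_rcpts = queue.popleft()
            totals[ip] -= old_rcpts
        if totals[ip] > limit and ip not in flagged:
            flagged[ip] = ts      # the point to stop the host and purge its queue
    return flagged


# Constructed relay records (documentation address ranges, not real hosts).
SAMPLE_RELAY_LOG = (
    # Ordinary desktop: a few single-recipient messages over an hour.
    [(0, "192.0.2.10", 1), (1800, "192.0.2.10", 2), (3500, "192.0.2.10", 1)]
    # Infected desktop: 5 recipients every 10 seconds from t=1000.
    + [(1000 + 10 * i, "192.0.2.77", 5) for i in range(30)]
    # Legitimate burst: 90 recipients once, 20 more after the window passed.
    + [(0, "198.51.100.5", 90), (700, "198.51.100.5", 20)]
)

if __name__ == "__main__":
    for ip, ts in detect_spam_runs(SAMPLE_RELAY_LOG).items():
        print(f"{ip} exceeded {MAX_RCPTS_PER_WINDOW} recipients at t={ts}")
```

The legitimate burst in the sample stays under the limit only because its two sends fall in different windows, which is the tuning problem a volume limit brings with it.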

Re: who says that spam doesn't cost the recipient money?

on 11.01.2007 08:54:24 by Peter Peters

On Wed, 10 Jan 2007 10:54:07 -0800, Mark Crispin wrote:

>On Wed, 10 Jan 2007, Peter Peters wrote:
>> >When the sender of an email pays for the privilege, then email abuse will
>> >be substantially reduced.
>> If a trojan is sending out spam the owner of the PC would get billed.
>> But if he can make it clear he wasn't the one sending out the spam he
>> probably will not pay. And a lot of consumer laws give him the
>> privilege not to pay.
>
>Under a postage system, it isn't a question of whether or not he pays; but
>rather a question of whether or not he gets a refund for the stolen stamps
>that he already paid for.
>
>If you have a prepay mobile phone, and someone steals your SIM card and
>uses it to spam, how easy is it for you to get a refund for that stolen
>time?

You can warn the provider if your card gets stolen. Most people don't
know their stamps are being stolen.

>The other limiting factor is that, since the stamps are prepaid, there is
>a limit to how much spam can be sent before the account runs out of
>stamps. Few private individuals need the capability to send millions of
>emails a day. The entities that legitimately need that capability (those
>who send "ham" as opposed to "spam") are generally not private individuals
>and can afford to pay for the privilege.

It isn't necessary to have a million stamps. Only a few hundred thousand
trojaned pc's. And if necessary spammers buy the stamps themselves. With
stolen cc information.

>What's more, I think that the senders of "ham" would be pleased to pay in
>an environment where their ham is not blocked as spam.

They won't start to pay before a large portion of the recipients use
this system. And large portions of recipients won't start using these
kinds of filters before a large portion of senders start to pay for
stamps. And keep in mind that there needs to be a whole lot of administration
going on to keep track of all the bought and used stamps.

Who gets paid btw?

>Of course, what constitutes ham vs. spam is up to some debate; but I'm
>considerably more willing to consider a communication to be ham if I know
>that the sender paid for me to look at it.

Did he pay you or his provider or your provider or some fallback
mailserver provider or some big company?

--
Peter Peters, senior network administrator
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe

Re: who says that spam doesn't cost the recipient money?

on 11.01.2007 19:08:08 by Mark Crispin

On Thu, 11 Jan 2007, Peter Peters wrote:
> >If you have a prepay mobile phone, and someone steals your SIM card and
> >uses it to spam, how easy is it for you to get a refund for that stolen
> >time?
> You can warn the provider if your card gets stolen. Most people don't
> know their stamps are being stolen.

How do you know that your card got stolen but not your stamps?

The reason why spam from hijacked PCs works is that, unlike the owner of a
SIM card, the owner of a hijacked PC doesn't have a particular reason to
care.

> It isn't necessary to have a million stamps. Only a few hundred thousand
> trojaned PCs. And if necessary spammers buy the stamps themselves. With
> stolen cc information.

Oh? Are you claiming that postal spammers buy millions of stamps from the
government using stolen cc information?

If not, what is different? [Hint: the seller is the government, or rather
its national postal authority. Hint: governments don't like being
defrauded. Hint: governments have guns. Hint: governments use their guns
against people they don't like.]

> They won't start to pay before a large portion of the recipients use
> this system. And large portions of recipients won't start using these
> kinds of filters before a large portion of senders start to pay for
> stamps.

Nobody will use those new-fangled automobiles before there are paved
roads. Horses are good enough.

Nobody will pay for cable or satellite TV, when you can get it for free
over the air.

You fell into the trap of the same fallacious thinking. If there is
sufficient value added, people will use it. The issue is not "will people
use it", but rather "what needs to be done so that people will use it."

> And keep in mind that there needs to be a whole lot of administration
> going on to keep track of all the bought and used stamps.

Governments have that in place right now. Believe me, the postal
authorities would *love* to get into the e-stamp business. They've lost
revenue due to email, and now can get it back.

They've been fighting to get this for years. That's part of the reason
why governments aren't particularly interested in addressing spam. They
*want* SMTP based email to collapse. And they are getting exactly what
they want.

> Who gets paid btw?

The various national postal authorities of the world. They're the ones
who have hundreds of years of experience in doing this.

> >Of course, what constitutes ham vs. spam is up to some debate; but I'm
> >considerably more willing to consider a communication to be ham if I know
> >that the sender paid for me to look at it.
> Did he pay you or his provider or your provider or some fallback
> mailserver provider or some big company?

As I said above, none of the above.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.

Re: who says that spam doesn't cost the recipient money?

on 13.01.2007 11:39:08 by Echeloff

What's wrong with minting Hashcash based on the recipients' addresses?
SpamAssassin already supports it, though in need of minor improvement.

Regards

Echeloff
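
What minting Hashcash against the recipient's address involves, as an added example that is not part of the original post and is not SpamAssassin's code: the sender burns CPU to mint a stamp naming the recipient, and the recipient checks the address, the date, the work and reuse. Assumptions: the Hashcash v1 stamp layout with SHA-1, a 28-day validity window, an in-memory set as the spent-stamp store, a hex counter, and a constructed example.org address.

```python
import base64
import hashlib
import os
from datetime import date, datetime, timedelta

def zero_bits(stamp):
    """Number of leading zero bits in SHA-1(stamp)."""
    digest = hashlib.sha1(stamp.encode()).digest()
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(recipient, bits=20, day=None):
    """Mint a v1 stamp: 1:bits:YYMMDD:resource:ext:rand:counter."""
    day = day or date.today()
    rand = base64.b64encode(os.urandom(12)).decode()  # salt, never contains ':'
    prefix = f"1:{bits}:{day:%y%m%d}:{recipient}::{rand}:"
    counter = 0
    while zero_bits(prefix + format(counter, "x")) < bits:
        counter += 1  # the sender's CPU cost: about 2**bits hashes on average
    return prefix + format(counter, "x")

def verify(stamp, recipient, min_bits, spent, today=None, max_age_days=28):
    """Recipient-side check; `spent` is a set standing in for a stamp database."""
    today = today or date.today()
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False, "malformed"
    bits, ymd, resource = parts[1], parts[2], parts[3]
    if resource.lower() != recipient.lower():
        return False, "wrong recipient"  # stamp was minted for someone else
    if not bits.isdecimal() or int(bits) < min_bits:
        return False, "too few bits claimed"
    try:
        minted = datetime.strptime(ymd[:6], "%y%m%d").date()
    except ValueError:
        return False, "bad date"
    if not today - timedelta(days=max_age_days) <= minted <= today + timedelta(days=2):
        return False, "expired or futuristic"
    if zero_bits(stamp) < int(bits):
        return False, "insufficient work"
    if stamp in spent:
        return False, "already spent"  # one stamp buys one delivery
    spent.add(stamp)
    return True, "ok"

if __name__ == "__main__":
    seen = set()
    s = mint("alice@example.org", bits=16)  # constructed address; 20+ bits in practice
    print(s, verify(s, "alice@example.org", 16, seen), verify(s, "alice@example.org", 16, seen))
```

Because the recipient address is hashed into the stamp, a stamp cannot be reused across a mailing run: each recipient costs the sender a fresh search.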