Readers speak out on spam
Mark Gibbs' Backspin columns "Fighting spam: Theory and practice" (www.nwfusion.com, DocFinder: 1042), "Fighting spam: My theory" (DocFinder: 1043) and "Fighting spam: My theory (Part 2)" (DocFinder: 1044) have provoked an avalanche of reader responses. Here's a sampling of your ideas on how to stop spam.
Spam is unstoppable simply because the sender can remain anonymous. I propose to eliminate anonymity.
If I get e-mail and the sender is known to me, I either accept or reject the message. If the sender is unknown to me, then I reply with instructions for a reply back to me. Spammers who require anonymity will never reply back.
These graylisted entries eventually resolve to either whitelist (successful reply) or blacklist (time limit expired). If and when spammers set up auto-reply servers, they are no longer anonymous and become subject to whatever political solution the world has devised. Additionally, these auto-reply servers will become a known source from which the message is automatically blacklisted.
The problem of forging headers is more problematic but not insurmountable. We extend Simple Mail Transfer Protocol to verify some of what is taken for granted as truthful and further reduce anonymity.
Gibbs: This is essentially what I am suggesting - with sender authentication, forged headers are not an issue.
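The graylist flow the letter above describes (unknown sender is challenged, then resolves to whitelist on a correct reply or blacklist when the time limit expires), as an added Python example that is not from the reader or from Gibbs. The class name `SenderGate`, the one-week limit, the random challenge token and the "hold" result for repeat messages are assumptions.

```python
import hmac
import secrets
import time

class SenderGate:
    """Tracks each sender as whitelisted, blacklisted or graylisted (challenge pending)."""

    def __init__(self, ttl=7 * 24 * 3600, clock=time.time):
        # ttl is an assumed one-week time limit; the letter does not give a value.
        self.ttl, self.clock = ttl, clock
        self.whitelist, self.blacklist = set(), set()
        self.pending = {}  # sender -> (token, deadline, held messages)

    def _expire(self):
        # Graylisted senders whose time limit has passed move to the blacklist.
        now = self.clock()
        for sender in [s for s, e in self.pending.items() if e[1] <= now]:
            del self.pending[sender]
            self.blacklist.add(sender)

    def receive(self, sender, message):
        """Return 'deliver', 'reject', 'challenge' (first contact) or 'hold'."""
        self._expire()
        if sender in self.whitelist:
            return "deliver"
        if sender in self.blacklist:
            return "reject"
        if sender in self.pending:
            # One challenge per sender, so a forged address is not mailed repeatedly.
            self.pending[sender][2].append(message)
            return "hold"
        token = secrets.token_urlsafe(16)
        self.pending[sender] = (token, self.clock() + self.ttl, [message])
        return "challenge"

    def challenge_token(self, sender):
        return self.pending[sender][0]

    def reply(self, sender, token):
        """Handle a challenge reply; return the held messages released for delivery."""
        self._expire()
        entry = self.pending.get(sender)
        if entry is None or not hmac.compare_digest(entry[0].encode(), token.encode()):
            return []
        del self.pending[sender]
        self.whitelist.add(sender)
        return entry[2]
```

The token ties a reply to the challenge that was actually sent, so an auto-responder that answers without reading the instructions stays graylisted and expires to the blacklist.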
There is a simple and rather decentralized approach to limiting (not eliminating) spam. All U.S.-based and U.S.-registered ISPs should be required by law to provide both a whitelist and a blacklist capability to each of their customers. Failure to do so would get the ISP shut down.
Each ISP would then have the option of not only applying Bayesian processing to mark potential spam, but also merging the blacklists constructed by its customers. If more than, say, 80% of an ISP's customers identify a particular e-mail address as a spam source, the ISP doesn't forward e-mail from that address.
But regardless of what ISPs might otherwise do, with a whitelist capability customers can decide to include only the senders (or ISPs) they desire.
I give up
About two weeks ago, I threw in the towel on running filters on my mail server. I signed up with a paid spam-filtering service called SpamStopsHere.com. For about $50 per month, it filters and forwards all my company's e-mail. All I had to do was make some DNS changes. In the last two weeks, not counting a special quarantine account, I've had exactly two pieces of spam make it to my in-box.
In effect, my company now is paying for e-mail. However, we're saving money because my co-workers and I aren't spending hours each week touching up filters and going through spam.
Artbeats Digital Film Library
Myrtle Creek, Ore.
Gibbs: ISP-side filtering is an excellent choice. And you get your towel back, too.
Gibbs: "By law" ... you better have some serious lobbyists to get this one passed.
Here's an anti-spam idea that I bet would eliminate about 60% to 80% of spam after about six months. The premise: Almost all spam messages attempt to get you to go to a Web site, where they hope you'll buy something, whether it's body-part enhancement junk, a mortgage, prescription meds of dubious provenance, or whatever.
The plan: ISPs and hosting companies agree to a firm policy that, upon their receipt of five verifiable spam complaints (verifiable by inclusion of the spam message containing a link to the Web site), they immediately delete the Web site from their server. (Five complaints instead of one, so people couldn't maliciously get a Web site cancelled by sending a fake complaint.)
Then, the ISP puts the credit card number to which the Web hosting was billed into a blacklist database and never lets someone set up hosting with that credit card number again.
Participating ISPs could query one another's databases when a credit card number is submitted for setting up new hosting. To prevent privacy issues regarding sharing credit card numbers, this would be set up so that the actual number is never accessed from the queried database; it just returns a "yes, it's here" or "no, it isn't."
The ISPs also could blacklist the domain name used by the canceled Web site, forcing the spammers to get a new domain name each time they want to set up a new Web site. Any ISP that declines to participate in this program would have its mail servers black-holed by the ISPs in the program.
What this accomplishes is to make it more difficult for a spammer to stay in operation without jumping through hoops such as using a different credit card number each time it sets up new hosting or going offshore. Lots of spammers would go to offshore hosting, but black-holing the servers of known spam hosts should help deal with that as well.
Why it will never happen: It would take real guts on the part of the ISPs, and they'd have to give up some income currently derived from hosting spam-promoted Web sites. Which is too bad, because it would work.
Take away the profitability of spamming by making it difficult to keep up a spam-promoted Web site, and at least some of the spammers would give up and maybe get an actual job.
Gibbs: The problem of spam lies not with those people who have accounts at ISPs but with those who use open relays, offshore services and free accounts. And trying to get all ISPs to adhere to the same set of business rules would be like trying to herd cats.
Yes, digital certificates are the answer to most of the problems associated with spam. However, even with digital certs, there are still a few issues:
Legally, how do you go about stopping spammers with digital certs? Would these be "legitimate spammers"?
Operationally, how do you handle the transition from SMTP to SMTP with digital certs?
Developmentally, do you realize how many programs depend on SMTP as a communication method? There are probably hundreds of thousands of products that would need to be updated, indicating that the operational transition period could take many years, if not decades.
Cost-wise, all this work will take money, and are customers willing to foot the bill? The answer is yes as spam reaches critical mass and affects nearly everyone with an e-mail address - but how much are they willing to pay? ISP services are a very competitive market, and companies remain under tight IT budgets, so ISPs will need a marketing strategy that lets them increase prices.
Gibbs: "Legitimate" spammers would be visible, identifiable and easily blocked while regular spammers would simply be rejected. That's the point. SMTP with digital certificates would be much like good ol' PGP. And SMTP proxies could handle the whole certificate-signing process so that any application that uses the standard would require no modifications. That was easy. Next!
It seems most people are under the false belief that charging for e-mail will eliminate or seriously reduce spam. I have proof that it will not.
Yesterday I deleted two pieces of spam from my e-mail. I threw away nine pieces of spam (junk mail) from my U.S. Postal Service box. The USPS charges money. It doesn't seem to help.
Charging might eliminate bogus spam, but it will only legitimize e-mail as a form of advertising for business. Our spam will only change from a daily dose of body-part enlargement offers to a daily dose of 4.9% credit card offers, which the CAN-SPAM bill allows.
Colorado Springs, Colo.
Gibbs: Right on, brother! This man has heard the word!