April 17, 2004

How do spammers work?

It seems that everyone hates spam. There are many sites on the net that discuss their frustrations with spam. There are many programs that are designed for the home/corporate user to block spam. There are even national government efforts to try to stop spam - or at least provide a backbone on which companies can act to have legal leverage in lawsuits against spammers.

So with all of this against them, why do spammers still start up every day and presumably even succeed? The obvious and easy answer to that one is nothing more than "money". So perhaps the better question that needs to be asked is how are they doing it?
If we reason through the "how", perhaps it will outline the areas which are still open and could perhaps be blocked to prevent new spammers (although I would raise the argument that now that they are out there, the only way to get rid of them is to eliminate the monetary factor, or so greatly reduce it that it is no longer cost effective).

So let's act as if we are potential spammers and go through the mental steps of what we would need in order to start up (and then if there are any options for blocking this step for future spammers).

The various steps are:


  1. Procure initial capital.

  2. Acquire a list of e-mails to which you will send out your messages.

  3. Get at least one client that is willing to pay you in order for you to distribute their message.

    • Figure out a way by which you will be paid by your client.

    • Figure out how you will track the payment conditions.

    • Set up the system by which you will be paid by your client, following the payment tracking conditions.



  4. Create a system which you can use to distribute the message to the e-mail list.

  5. "Press Go"

That is a very generalized list, so now let's go into more detail on how each of those steps would work.

1) Procure initial capital.

This is hard to determine at this point and instead easier to quantify after we have looked at all of the other steps. So we will have to come back to this one at the end.

2) Acquire a list of e-mails to which you will send out your messages.
Like so many things in life, there are many ways to do this one. You could do it the hard way - manually troll the web, newsgroups, discussion boards, etc and look for e-mails on the page and then copy them down.

But of course, nobody really does that (and if they do, they are so massively inefficient that they wouldn't even be a problem).

That said, the process still works - you just need to automate it. You could search the web and find programs that you can run on your desktop. That will require spending money though.

A free option would be to write it yourself - perhaps in Perl. One way of doing this would look something like:


  1. Install Perl (ActiveState is your friend if you are on Windows, and Mac OS X already has it on there)

  2. Spider the web, taking in pages of text *

  3. Search the page for all strings that are valid e-mail addresses

  4. When e-mail addresses are found, save them out into something which you can use later for your e-mail lists. Could be a simple flat file. Could be a csv (comma separated values - would work with e-mails since the comma is an illegal character in an e-mail address) file. If you are going to sell the list to others, then a simple file is likely best. If you are going to build a huge database for yourself (can always sell parts of the database parsed out to files later), then you would want to use something like MySQL (free) or Access. Oracle is probably pushing it for something so easy.


*If you are going to spider the web looking for e-mail addresses, you want to start on pages that are dense with links to other sites. That description is that of a search page (Google, Yahoo, etc). This is good for another reason in that you can feed those search pages keywords, and then collect all e-mails found on pages relating to those keywords.
That way, you can build searches that relate to topics, and then spam those people based on the fact that their e-mail address is relatively likely to be related to the subject searched on, and therefore they might have more interest in the product you are currently spamming. You could have multiple databases based on the search string that you are using - or at least have subclasses of e-mails.

If all of that is too daunting a task, then there is always the option of just doing a search on the web for people selling CDs of wordlists - or you could even just sit back and wait for spam to come to you that is selling just such a thing (handy that spam!).

You could also set up a website that cons people into putting their e-mail address into a form and collect it that way (in order for that to work, people need to be given the idea that there is a tangible reward on the other end for them to share their information). Or you could buy the list from someone else that has done this. (This might even be a legit company that is selling it - companies dying from the early days of the dot-com era were/are desperate to make money to recover their start-up costs, and frequently selling off client/customer e-mail addresses was not above their moral standards.)

You could try the brute force approach. Again with Perl, or perhaps C/C++/Java/Ruby, or any other language that you feel comfortable with, or even a commercial program.

This is where you feed it a series of base words (perhaps first names, last names, etc), and domain names. It then generates random pairings of those words to create e-mail addresses - even randomly adding on letters and/or numbers so that you can get things like "esmith42@somedomain.com".

So now you have a list of possible e-mails to send out, perhaps even with some level of sophistication (one set of e-mails which you know are all more likely to be people that love cats, or are alcoholics, or compulsive gamblers, or porn lovers). Now we want to take this list and move on to the next step...

3) Get at least one client that is willing to pay you in order for you to distribute their message.
Now that you have this list of e-mails to which you can distribute a message... you need a message. (arguably you could first do a test run to the list to see how many of the messages were actually working - but why not "just say" that you have and use your first client to test it out - after all, spamming isn't the most honest business in the first place)

So you need to find a client that is willing to pay you to distribute their info. This is probably the hardest part of all of this spamming. Just like any business, you need to drum up clients. You could spam people and let them know that you have this service. You could cold call businesses and try to sell them on it. You could create a website that discusses your mass marketing service. Use Google AdWords to advertise that you have wordlists for sale or that you can mass mail to them. Buy a billboard in Times Square advertising your services... whatever. The concept of attracting business is the same as any other company in this sense, there is nothing all that special about the spamming world, other than the social stigma associated with it (perhaps you should approach porn companies with the idea since they are used to a social stigma attached to their business).

Then once you have clients coming in, then there are the smaller steps:
3a) Figure out a way by which you will be paid by your client.
This should be relatively easy if it were a legitimate business. Just have them write a check, deposit that into your regular bank account, and be done with it. But now that spamming is more on the bad side of the law, you can't be so obvious about it. You have to deal in ways that are harder to track legally. One option is to have the client just wire transfer you the money. Depending on the amount of money, this might still raise flags (there will still be a record of the transaction that way). Or you could get paid in cash. Have them mail you via Priority Mail a sealed birthday card with your cash in there. This is harder to do if it is a large quantity of cash, and it also makes clear to the other side of the business deal that this is a sketchy transaction.

In the end, you are going to have to dance around it with legalese. Did you accept payment for sending spam? No, you were paid as a consultant for the advertising campaign, but the spamming was done for no money at all, etc.

The difficulty here is probably our best defense against spammers right now - if they take the easy way, then they can get caught easily with the new laws. If they try the harder ways, then it reduces the amount of money they can easily make and increases headaches for them (as well as reduces their ability to claim legitimacy as a business).

Dealing in all cash then likely puts them in a position to easily evade taxation, which the government is again not going to be terribly happy about.

In the movies they might make some hand wave reference to an "offshore account" and wiring money around for that. This is all well and good, but it only increases the annoyance level for the spammer and then likely brings them into the world of money laundering (as does the cash business option). Say you, as a spammer, have an offshore account (which is not trivial to set up). You could have the company transfer money into that account. You then have that money - but not in your own country. So you would need to get that into the country (perhaps the US). This was already not easy, and now with the added watch for terrorists and whatnot, you are only going to look more suspicious.

But assuming you do work out a way that you get paid, you do pay taxes, and everything you do is either on the up and up, or at least slips by the notice of anyone that would care. Now the next step is:
3b) Figure out how you will track the payment conditions.
You have a message that you are distributing to your audience. You are going to get paid for sending it out. Now - do you get paid a flat fee for sending it out? $N for X messages sent out? Or do you get paid a percent commission of every sale that it generates? Or some combination of that? If it is something more than just an upfront fee, then you need to figure out a way that you can track that someone actually clicked on your spam message and then went ahead and bought the product. This is easy if you are in fact the one selling the product. This is marginally harder if you are only the middle-man. You need to set up a site so that when they click on the message, it goes through your site first. Even easier would be to also have a site where you sell the products for the company that you are spamming for. That way Joe Shmoe can come to you and say that he has a million bottles of herbal Viagra that he wants to sell - you can set him up on your server so that you spam for him, you collect the money, and then you can pass on the order information to him to handle the physical transaction part. There are any number of ways this can be combined.

I'm going to skip over the step I mentioned, "Set up the system by which you will be paid by your client, following the payment tracking conditions." - although I shouldn't say "skip over" - I just feel that we have already covered what is entailed in there.

Now that we have everything ready to go, we need the actual platform on which the spam will be sent out (and perhaps any other more sophisticated ventures will take place like I had mentioned such as websites, storefronts, payment processing, etc). That means that we are at one of the last steps:

4) Create a system which you can use to distribute the message to the e-mail list.
Back in the day, it used to be the case that someone would connect to the internet via their computer in the den and over a dial-up connection would then send out spam. This limited bandwidth meant that there wasn't a whole lot they could do right from their computer (Shannon's Law tells us that modems max out at a little over 30kbps, and with the digital downstream addition, we can get that up to a little over 50kbps. 8 bits per byte, so 30/8 = 3.75KB and 50/8 = 6.25. So that means spammers back in the day could only send out at 3.75-6.25KB per second - which looking at spam is less than 10 e-mails a second sent out per modem. Those numbers aren't 100% exact, but certainly close enough for these napkin estimates.).
Computers and net connections have gotten faster and cheaper, so spammers have taken advantage of that and can now send out many more e-mails at a time from a home connection. It is common to be able to get a range of home network connection speeds of 256kbps (DSL) to 1mbps (cable). (Using the same math as above, we can now look and see that 256/8 = 32KB and 1000/8 = 125KB. So we are looking at roughly 32-125 emails sent out per second from the user's machine. Again, non-exact numbers here, but close enough.)
There are even faster home connections available (digital cable is now frequently around 3mbps), so those figures are slightly low - but that doesn't matter since ISPs are really cracking down on users that are abusing the services like that. Because of that, you can't really count on having a reliable service from your home (not to mention you will likely be prosecuted/fined by the ISP). So now you need to find hosting services outside of your home.
One option would be to get a hosted service somewhere. Then you could telnet/ssh into the server and run your code off of there and it is sent out over their even faster net connections (they frequently have a DS3/T3 or higher, which at 44.736mbps would be 44736/8 = 5592KB, and dividing that by 1024 to convert to MB gives 5.46MB per second of data transfer. That said, you are rarely allowed all of a colocation's bandwidth all of the time, so how long you could sustain that rate is in question.)
Again though, if these are hosted in the US, then you are likely to get kicked off of their services, fined, and possibly even prosecuted.
So that leads you to look for hosting in other countries that are more lenient about such things and more interested in your money than in ethics. Countries to look for are those that also allow gambling and porn sites. For the ability to do things there that you can't do in other countries, they will charge you a higher rate to use their servers/bandwidth - so that increases your costs.
With the new laws in the US, just because you can still send out email from your server in another country doesn't mean that it is legal for it to reach the users. So say you find a server in Belize that is perfect and you send out a million e-mails to AOL customers - you can still be prosecuted under the CAN-SPAM act (and there are currently people experiencing this - although I haven't looked to see where their e-mails originated).
(Some spammers have even gotten full DS1/T1 and up connections put into their homes - I am unsure how this changes any legalities of how you use the lines when they are your own leased lines. For the most part, the laws now are based on who is getting the mail and not on the abuse of the lines over which you sent the email.)
One way to get around that would be to register your domain and hosting service under some other name that can't get traced back to you (or ideally anyone since you don't necessarily want to get it traced back to someone else not involved either). Perhaps with false papers or something. This then complicates things with more laws that you are breaking, which perhaps carry worse punishments - so were you to get caught eventually, you might face stiffer penalties.


So now we effectively have the entire process all laid out for us. We can now see that the start up costs vary wildly. If we were to run it out of our basement on a residential ISP service, it would cost the $600 or so for a PC, and then the $20 a month or so for a net connection.
But if we were to host it overseas, the costs can pretty much go as high as you can imagine.
Other than time, that is essentially the only real cost of the operation (although you would have to assume that there is some level of advertising that takes place as well).

This is largely why many spammers have taken to searching for open relays on the web - especially in other countries. As word spreads about closing off open relays, and as Microsoft (the biggest problem with these is that Microsoft products frequently come far too open straight out of the install) resolves some security issues and makes their products better out of the box (Exchange 2003 is better out of the box), this helps stop this route for spammers.

They have recently moved to viruses/trojans/worms to take advantage of computers as well.
This is a bad enough problem on individual home user computers (especially when they are frequently too clueless to even know/care that they have something, let alone bother to fix it).
But it is especially bad on company networks, and even worse on networks that have VPN setups into other companies and/or other divisions. That means that it is possible to make your own network secure, but then have a compromised computer come in over a trusted VPN connection and it then dumps mail out through your overtrusting Exchange server.
This is starting to happen more and more and it is increasingly hard to track down.
Other frustrating ways are via the Exchange features of Outlook Web Access and the new feature of Exchange 2003 - the Outlook Mobile Access. If these are on common ports and urls (usually they are just left to the defaults of http(s)://mailserver/exchange - either out of ignorance, not caring, or that the end users are too dumb to be able to handle something of a harder configuration), then it is easy for programs to be written to hammer on these with common username/password combinations until one can get through.
Then these accounts can be used to spam through as well - and they are very hard to track down since Exchange has very poor monitoring options built in.
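One way to surface the password guessing described above from the web server's own logs, since Exchange itself offers little monitoring (an added example, not code from the original post). It assumes IIS W3C extended logging with the fields shown and Basic authentication, so that failed attempts carry the attempted user name; the sample lines, function names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended log format (documentation IP ranges,
# made-up accounts). The last record is deliberately truncated.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2004-04-17 03:10:00 198.51.100.7 - GET /exchange/ 401
2004-04-17 03:10:02 198.51.100.7 alice GET /exchange/ 401
2004-04-17 03:10:09 198.51.100.7 alice GET /exchange/ 200
2004-04-17 03:12:00 192.0.2.50 - GET /exchange/ 401
2004-04-17 03:12:01 192.0.2.50 admin GET /exchange/ 401
2004-04-17 03:12:02 192.0.2.50 administrator GET /exchange/ 401
2004-04-17 03:12:03 192.0.2.50 test GET /exchange/ 401
2004-04-17 03:12:04 192.0.2.50 guest GET /exchange/ 401
2004-04-17 03:12:05 192.0.2.50 jsmith GET /exchange/ 401
2004-04-17 03:12:06 192.0.2.50 jsmith GET /exchange/ 401
2004-04-17 03:12:07 192.0.2.50 jsmith GET /Exchange/jsmith/ 200
2004-04-17 03:12:08 192.0.2.50 jsmith GET /iisstart.htm
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields directive.

    Assumes the date and time fields are enabled in the log definition.
    """
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(
            f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        yield rec


def find_password_guessing(records, prefix="/exchange",
                           window=timedelta(minutes=5), min_failures=5):
    """Report source IPs with a burst of failed logons against `prefix`."""
    by_ip = defaultdict(list)
    for rec in records:
        if rec["cs-uri-stem"].lower().startswith(prefix):
            by_ip[rec["c-ip"]].append(rec)

    findings = []
    for ip, recs in sorted(by_ip.items()):
        recs.sort(key=lambda r: r["ts"])
        # A 401 with no user name is the normal anonymous challenge that
        # precedes every logon, so only 401s carrying a user name count.
        fails = [r for r in recs
                 if r["sc-status"] == "401" and r["cs-username"] != "-"]
        # Largest number of failures inside any sliding window.
        densest, start = 0, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest < min_failures:
            continue
        tried = {r["cs-username"].lower() for r in fails}
        # Accounts that failed and later authenticated from the same source:
        # these are the mailboxes to lock and review first.
        succeeded = sorted({
            r["cs-username"].lower() for r in recs
            if r["sc-status"].startswith("2")
            and r["cs-username"].lower() in tried
            and r["ts"] > fails[0]["ts"]})
        findings.append({"ip": ip,
                         "failures_in_window": densest,
                         "usernames_tried": len(tried),
                         "succeeded_as": succeeded})
    return findings


if __name__ == "__main__":
    for finding in find_password_guessing(parse_w3c(SAMPLE_LOG)):
        print(finding)
```

A single mistyped password, like the one from 198.51.100.7 in the sample, stays below the threshold and is not reported.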


Now that we have established the various paths one needs to follow in order to become a spammer - it is now possible for us to step back and look at these steps and try to think of whether or not we can plug the holes along the way and make it too hard to become a spammer.
Another option would be to remove the monetary value to being a spammer. There are currently risks and stigmas associated with being a spammer, but people are willing to overlook those in order to get the money.
If you could remove that money - people would no longer bother with the spam.
One way is to flood the market - have so many people doing it that it is so cheap that it is hard to make money off of it. Another way is to come up with a way that is superior so that people will use the new method (which is faster/better/easier/cheaper) and drop the old.

It also seems that the most well known and obvious answer is to get rid of the insecure servers. That is all well and good and it is easy to wave a hand and say "get rid of the security problems" - but it is unfortunately not as easy to execute in practice.
Microsoft can greatly help the predicament by increasing the quality of their products since they have such market dominance.
Another option is for people to just move away from MS products (at least in the mailserver/desktop area - I personally think that the mice that they brand are pretty good).

This is something that needs to be discussed further - whether in this forum, or in others - but it is something that comes up occasionally, but nothing is getting resolved yet.
While it is great to have band aids like SpamAssassin or any of the other end solutions in place, in the end we really need to fix the problem by tackling it at the start of the chain - the spammers themselves. (there are also many that say the entire concept of SMTP needs to be updated - which is a very true statement, but again easier said than done)

It would be nice if we could generate a discussion here. I will try to address some of the points made in here over time on this site as well. This is already a very long post as it is, so I will leave it here for now.

Posted by Eric at April 17, 2004 03:43 PM

Comments

You say that it would be hard to "update" SMTP. I agree. However, if there was a large enough push for it and enough publicity about the negatives of SMTP, it could get changed. A good example of a slowly-evolving new standard is IPv6. If there was a huge push for it and media coverage signalling that "internet addresses are almost gone" and that home users could have consequences, people would update. This is not easy, though. The other alternative is to expand SMTP servers through a new mail standard that runs on the same port, but uses a different initial protocol. SMTP servers would then (optionally) have to support both the old version and new protocol. Clients, likewise, would have to as well. This is not as hard as it seems, as most clients/servers already support multiple mail modes (SMTP, POP, IMAP, etc). The only major difference would be that both SMTP and the new set would run on the same port.

Overall, a nicely written article. Hopefully spammers will get even more hassles as time goes on.

Perhaps something will spark a discussion about current "anti spam" methods and why they are a solution or why they are part of the problem. Case in point (in my opinion of course) is the challenge-response system. It defies the way that email is supposed to work, adds confusion, and worst of all.. adds to the problem by sending even MORE mail. Yech! What about whitelist/blacklist?

Posted by: Ceph at April 19, 2004 01:59 AM

To echo Ceph, nicely written article.
As for whitelist/blacklist, I've found it doesn't work well enough *without* a challenge response for the whitelist as too many people change email addresses when they move, change companies etc. Generally, a friend a month changes addresses on me and without the challenge response, I'd simply lose touch with too many of these friends. As spammers generally don't use valid from addresses, blacklists seem rather worthless.
On the technical side of things, I have always wondered why incoming MX servers don't validate the IP of the incoming mail more often. If a spammer claims mail is from an AOL IP, then verify it was sent from the AOL mail farm with a simple host of the IP. Major companies (Google, AOL, etc) probably can get each other's mail farm IPs to narrow the allowed IPs even further. This would only work for mail from larger domains (AOL etc) but would dump much spam on the server side. Perhaps the processing power is too large... I don't know...
The biggest problem I tend to see with spam, however, is the influx of internationally spammed mail. I would love to see some possible recourse to this, especially since I believe most spammers are domestic to the US. If we could trace to said country and back to the US more easily and then keep the legalese inside the US, perhaps we would see more prosecutions.
And the greatest thing I can see to help end spam is simply stop looking at anything sent. Don't buy from them. If you like the product spammed, then go to Google and find someone else selling it. If a comments field is provided, make sure you state that you bought from this new site because it wasn't spammed to you, thus encouraging companies not to invest in spamming. (But as the return on spam only needs to be something like 0.0000001% to make money, this won't work anytime soon: too many untrained surfers.)

Posted by: Codsmack at April 19, 2004 03:04 AM

About having a new SMTP protocol running on port 25 (as Eric mentioned), note that SMTP over SSL already runs on the same port 25. It's not such a big deal to have two protocols on the same port. And, there are already some proposed SMTP replacements.

My personal favorite is a radically different approach to email: send only the header to the end-recipient, and serve the message body from the originating server. It would make email a little less reliable for the end user, but it (1) vastly increases the costs for spammers, and makes them much easier to shut down, and (2) makes it cheaper to run your own mail server on the receiving end, reducing the cost of receiving spam (or anything else).

Too bad it wasn't done like that from the start, because now the cat's out of the bag.

Posted by: Peter Davis at April 19, 2004 03:27 AM

Remember the anti-drug commercials from about a year ago stating that by buying drugs, you're supporting terrorism?

Too bad we can't find a trace to someone with a tie to Al-Qaeda so a similar message could be given for SPAM.

Picture a guy sitting at his computer paying his bills.. The "You've Got Mail" sound is heard. He opens the email and sees a viagra/mortgage/HGH/cable descrambler SPAM and clicks on it. He looks curious. He glances next to him at the stack of bills; cable bill, house payment, prescription bill... He looks thoughtful and then clicks on the "Buy Now!" button.

Fade to black.

White letters with the voice over: "When you buy from SPAMmers, you're supporting terrorism."

Posted by: Gromit at April 19, 2004 03:35 AM

couldn't we just fine the spammer's sponsor since they are being advertised and they are really the ones who are funding spam like terrorism while the spammers are the gunman

it would be much easier to find them cuz their contact info is necessary for the spam to be productive

that would definitely take the profit outta spam and put the spammers themselves outta biz

Posted by: michael at April 19, 2004 03:45 AM

Nicely written article. What about using decoy pages like this one, to lower the net gain when the bots come thru:

http://www.trackpads.net/webcook/sscript.php and http://www.canada4life.ca/addresses.php

Posted by: haywood jahelpme at April 19, 2004 06:13 AM

There is a problem with going after the spammer's sponsor, having laws in place like that would allow people to spam for a company they don't like, just so they get fined, a good idea, but it can be abused far too easily. The best way IMHO is a big change in how SMTP is done, though I fully understand why that will also be a huge pain as well.

Posted by: Chris at April 19, 2004 06:40 AM

Whoa, lots of comments!
I got an e-mail letting me know I have been "Farked" - which as I understand is something like Slashdotted? I hope the server has held up okay.
While I must say that I have been to Fark in the past, I don't know much about it and I'm not a regular there.

I'll have to find where on Fark it was listed and read through the inevitable "that guy is an idiot because..." type talk that one usually sees on Fark and Slashdot in response to these things. Always good with morning coffee.

Anyway, to address a few of the points mentioned in the comments here on this thread so far:

1) SMTP redesign is generally considered inevitable, but the time it takes to solidify a standard is relatively long and involved in the first place, and then as you have mentioned the longest time is getting the clients to update to it (even if all of the mail clients changed today, they would have to remain backwards compatible with the old system and that means many end users would remain clueless and using it). Just because it takes time doesn't mean it shouldn't be done - but it shouldn't necessarily be thought of as the only way out.

2) The challenge/response mechanism is wonderful - for home users that have a low volume of mail that is nearly always from the same people. It is much less successful from a business standpoint. I admin a network (and mailserver with it unfortunately) for a company and I had considered switching to a challenge/response system for our mail. While on the surface the concept seems to be "so easy any idiot can figure it out" - but rest assured that idiots are far more powerfully stupid than you can imagine. Several of our clients didn't like/get it, and one of our owners didn't get it right either. It only takes one missed e-mail and/or frustrated client to potentially lose a deal, which can be literally millions of dollars... so that isn't going to fly for companies which rely on e-mail exchange for their business relations to clients (which as far as I know is nearly all business today).

3) The method of doing a lookup on the mail to see if it is really coming from the domain it claims is called "SPF" - there has been mention of it before on this site. A potential issue with that, aside from just the lack of domains complying so far, is that there are definitely times when users send through a server even though they aren't part of that domain. This needs to be taken into account when setting up the proper MX/DNS records for the mailserver - and it frequently isn't (since it may only be a temporary thing or at least frequently changing).
At our company, we have mail for the occasional client come through our server and then get forwarded to them in London. I don't particularly want them sending out through our server since it just increases the number of VPN headaches I have to worry about (every VPN connection represents one more potential virus/worm/trojan entry point if that computer coming in isn't secured to the same level of the rest of your network) - so I instead have the user configured to send out so that he goes through his own mail server, but it looks like he is sending from ours.

4) After taking a quick look over at Fark - sure enough there are those that said I'm a moron or behind the times. While they very well may be right on me being a moron, and perhaps I am behind the times - I in fact did discuss the history of how spammers sent mail starting from at home, then up through ISPs, and then on to the virus/worm/trojans clients.
To the credit of the person (people?) that posted that, my article was kind of long and likely boring - so perhaps they didn't make it all the way through to that part.
It is much easier just to read part of an article and start bashing once you get bored than it is to read the whole thing (I do it all of the time at Slashdot :) ).

Posted by: Eric at April 19, 2004 07:49 AM
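The SPF check raised in the comments above (Codsmack's question about validating the sending IP, and point 3 of Eric's reply), as an added example that is not part of the original thread. The records, addresses and sender labels are constructed, and the evaluator only handles the `ip4`, `ip6` and `all` mechanisms so that it runs without DNS; it shows why a user who relays through his own server while using the domain's address fails until the record lists that server.

```python
import ipaddress

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate an SPF record against the connecting IP, left to right.

    Only ip4, ip6 and all are handled. Mechanisms that need DNS lookups
    (a, mx, include, exists, ptr) and modifiers such as redirect= raise
    NotImplementedError rather than being guessed at.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no usable policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # the record itself is malformed
            if net.version != (4 if name == "ip4" else 6):
                return "permerror"
            if ip.version == net.version and ip in net:
                return RESULT_FOR_QUALIFIER[qualifier]
            continue
        raise NotImplementedError(f"term {term!r} needs DNS or is unsupported")
    return "neutral"  # nothing matched and there was no "all"


# Constructed scenario: the company's mail farm is 192.0.2.0/28, and one
# remote user sends with the company's address through his own server.
PUBLISHED = "v=spf1 ip4:192.0.2.0/28 -all"
WITH_REMOTE_USER = "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.25 -all"
SENDERS = {
    "own mail farm": "192.0.2.5",
    "remote user's server": "198.51.100.25",
    "forged sender": "203.0.113.77",
}


def evaluate(record):
    """Return the SPF result for each constructed sender under `record`."""
    return {who: check_spf(record, ip) for who, ip in SENDERS.items()}


if __name__ == "__main__":
    for label, record in (("published", PUBLISHED),
                          ("with remote user", WITH_REMOTE_USER)):
        print(label, evaluate(record))
```

With the first record the remote user's legitimate mail gets the same `fail` as the forged sender; only the second record tells them apart.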

About the decoy pages - yes, those do "help" in that they can tie up a bot for awhile and feed it bad data - but it doesn't resolve the problem.

When you write code to search for e-mail addresses, you have it fork off N number of times (where N would depend on the amount of RAM, number of processors, and speed of the processors - N increasing as those values increases) for each page that you are going to.
So while those pages would tie up the particular forked thread that is doing that bit of work, it isn't entirely tying up that machine.
And yes, it would partially add junk content to the database - but so would randomly brute forcing through domain namespaces as well - which they do as well.

To some extent it may even help them since they don't always tell clients (at least not honestly) that they have X number of "working" addresses, but just X number of addresses.
Once they send out a batch to them all and they get failure messages, they are automatically cleared out of the database anyway.

Posted by: Eric at April 19, 2004 07:54 AM

That's not true really. They don't automatically clear dead addresses since the NDNs seldom get back to the spammer anyway. I know cause I've killed off several highly poisoned (by spam) email addresses and years later, am still seeing stuff in the logs indicating spammers continue to try to send mail to it. The volume of activity on the non-existent accounts is actually going up, not down.

If they cleaned based on NDNs, the volume should be going down.

Posted by: weave at April 19, 2004 08:50 AM

While you raise what is perhaps a good point, you are stating your own experiences which aren't necessarily that which are standard.
You also mention that the accounts at one time existed. If the account was at one time working, then it is on a live list as of some date. The spam that you are getting could very well just be from a well distributed CD/database that was verified at some date (when your e-mail existed) and is now being sent out by clueless small time spammers who have bought said CD/database.

Just to complicate the issue (but doesn't negate any usefulness of fake names that don't exist), is that many domains that are set up through ISPs (some of my own included) default to accepting all e-mail coming in.
So "spankmonkey@spamblogging.com" will likely get sent through to whatever the default account is for the domain unless the server is instructed to do otherwise.
As a result, the fake addresses are still getting through, therefore looking like a real address to the spammer, and then getting increased spam sent to it as it is propagated over "live address" lists. This increases the load on the servers that have this setup, but technically also increases the load on the spammer as well to some extent (I would argue fairly marginally) without any of the return.

It is important to keep in mind that there are the people that make money by spamming to feed the spam business (sending out crap to check valid lists, generating lists, etc), and then there are the spammers that buy those lists and barely know what they are doing.
They are not the only groups, and to an amusing extent they are not mutually exclusive either.

As for your e-mail on that post - no, I am not collecting addresses - too busy/lazy for such a thing, and I have no need for them. The only reason this site no longer allows anon posting is that it is to reduce the spam.
Sure - you would think that the post spamming bots would fill in the e-mail address fields - and many do. But apparently many more don't since I have fewer comment spams to delete now after making it non-anon (MT-Blacklist of course helps even more).

Posted by: Eric at April 19, 2004 10:19 AM

You are making this too hard. Pressure Congress to allow suing the companies that advertise with spam. That will dry up the funds for most of it. Even the porn has to be hosted somewhere and someone needs to collect the money. Sue them.

The rest is confidence games. Those are already illegal. They will be easier to track when the rest of the noise diminishes.

We could get really silly and make it a crime to do business with any company that advertises via email. That should do it.

Posted by: Alma at April 19, 2004 10:58 AM

I agree with going after the sponsors. But don't encourage people to sue spam sponsors; make advertising your product through spam a criminal offense (if it isn't already). Then, when a spam investigation begins, it starts with the sponsor company, which has to open its books to the investigators, disclosing all advertising expenses for the last five years. The investigators will proceed to grill the advertising companies, getting subpoenas for their books. If a link to a spammer is found, everyone up the chain gets fined an amount equal to twice the revenue the company has received through online purchases (or whatever purchase mechanism is given in the spam) from the date of the verified spam.

And why not make all mass-mail advertising illegal? Not only will it clear our inboxes, but it will substantially reduce the amount of wasted paper in landfills. (Even with recycling, a lot of paper is still buried.)

Posted by: geobeck at April 19, 2004 11:28 AM

Going after the sponsors is hard due to location. If a firm is legally located outside of the US, then it complicates going after them if the country that they are in doesn't care about their activities, or that doesn't feel that what they are doing is illegal.

For instance, say you had a company here in America that made books about fishing. That is entirely legal here in the US. Say some country in the world that doesn't even come up on our radar that often - say Belize - makes it illegal to produce books about fishing because it goes against their moral standards.
What if they then decided to prosecute anyone that makes such things - would they have any right to then prosecute you in the US for doing what you do there?
That example is easy because you would just stop shipping your product to their country - if you didn't, then they would stop it at their borders where it is coming in.
That translates to spam the same way it does now - we don't like spam, so we have to stop it as it is coming in.

Legally that option sounds great in text, but it is hard to implement on a global basis. While the spammer very well may live in Iowa, they can set up their company in other countries which complicates the matter.

Companies have the right to advertise in general, but if we argue that they should no longer have the right to advertise over mass e-mail, then it becomes a matter of enforcement. Again sounding good on paper, but extremely costly to enforce and implement.

I like that approach and I think it would work if all companies that used spam to advertise were big names like Johnson and Johnson, but they aren't. They are small mom and pop "companies" that are hard to track down and hold accountable for their actions (and they have no shareholder backing to use to threaten the company as a whole).
Smaller entities like that can move very quickly against the bureaucratic nightmare that the enforcement of that law would be.

I do like the idea of blocking all mass mail in general - when I lived in the States I hated getting physical junk mail as well. I would tear it up and send it back in the postage paid envelopes - careful not to put in any "real" information in there.

Unfortunately, just making something illegal doesn't solve the problems. Heroin manufacture and distribution is currently illegal and I haven't heard anything about that industry drying up.

Posted by: Eric at April 19, 2004 12:06 PM

Greylisting is the way to go... Here's a description of how it works. And, it does work. I built my own implementation and I haven't received a spam from anyone but Yahoo, AOL or Hotmail.

Also useful: Set up a filter to automatically can any email from india.com, *.ru, *.kr, *.de, *.cn etc.

Posted by: Ernie at April 19, 2004 12:40 PM

And here's the link to the description of Greylisting.... http://projects.puremagic.com/greylisting/

Sorry I left it out last post.

Posted by: Ernie at April 19, 2004 12:41 PM

The main issue with the greylisting method is listed on that site:

"Reception of mails from legitimate hosts that either do not pay attention to the temporary failure nature of the rejections, or never attempt any retries will be adversely affected by this system. Hopefully, any mailers that have these problems will be quickly fixed once Greylisting has been implemented at a significant number of sites."

It is similar to challenge/response in that respect.

That is one great thing about things like this - if you are an individual user, there are many things you can do to truly limit the amount of spam that you get. If you accidentally block a piece of your mail, no big deal since it is highly unlikely that it was so important that it would result in your death.

BUT - where spam and the resultant spam blocking is such an issue is in company use. Missing even one message in company e-mail can literally be enough to lose a deal (whether it be from missing contact, losing information, delay, or irritation of the client or potential client).
Companies get much more mail, and each piece is potentially far more important than pretty much any home user.

As a result, many of the absolute solutions available are great options for home users, but unfortunately harder for all businesses to use (fortunately there are many that can, and in those cases the more people that do start using them, the more it can help).

This is all getting to the crux of why spam is so hard to stop. We can attack it from the receiving end, but it is never 100% effective in a way that also is entirely transparent to the users/administrator.
We can attack it from the sending end (although if analysis, we run the risk of blocking legitimate mail as well), but then it becomes a legal issue at best and this runs into geographic issues.

So it seems that it largely falls into either removing the money that is available (which goes along with getting people to stop buying things from spam, as well as stop paying for spam to be sent), and/or changing the process by which spam is sent - a very complicated endeavor (but not impossible) as we have already discussed.

Posted by: Eric at April 19, 2004 01:11 PM

A no doubt impossible suggestion: how about the big email sites, hotmail, yahoo, etc., replying to identified spam with, say, a thousand replies per spammed in-box? Jam the spam, and continue to do so, and maybe, just maybe, they'd get the idea.

Posted by: Norm at April 19, 2004 01:11 PM

Norm - I love that!

There have been numerous attempts to flood the e-mail inboxes of spammers via the outraged public in the past (or the denial of service via pings and whatnot). Traditionally the spammers whine that they are being abused, failing to see the irony in what they are complaining about.

That said, in doing that, it would be sinking to the same level as the spammers. Now, perhaps that shouldn't matter - after all, in war the saying is that you don't come to play fair, you come to win.
But if there are legal implications in sending out unwanted mass mailings, then responding to those that break the law by spamming them back will then technically bring that law against you as well.
You could then make an amendment that says that you are allowed to respond in such a way, but that then opens up a loophole for spammers to use.

Posted by: Eric at April 19, 2004 01:43 PM

I think I finally figured out why people send those chain letters. The ones that say you have to send one copy back to the sender. They are collecting addresses for spamming, right?

Posted by: whyso youcanspamme at April 19, 2004 01:45 PM

"It is common to be able to get a range of home network connection speeds of 256kbps (DSL) to 1mbps (cable). (Using the same math as above, we can now look and see that 256/8 = 32KB and 1000/8 = 125KB. So we are looking at roughly 32-125 emails sent out per second from the user's machine. Again, non-exact numbers here, but close enough.)"

incorrect, that. you are talking about downstream caps. 1.5mbps or 3.0mbps upstream connections are incredibly expensive. most cable connections come with 128 or 256kbps upload. and downstream don't help at all, sending things out.

Posted by: zonk at April 19, 2004 01:56 PM

They very well may be used as methods of collecting e-mail addresses, but they have been around long before spam ever showed-up (spam was vaguely around 1995 and chain letters have been a concept all the way back into snail-mail days).

Obvious examples of e-mail harvesting are bots that scan web pages and newsgroups (discussion boards are also key places to scan). Other ones are web pages that will send out e-mails telling you that someone you know has a crush on you and then you have to go to the website and enter e-mails of the person that you think it might be. It will continue to tell you that you are wrong, and you will continue to enter e-mails - which it will then e-mail and continue the process.
There are many like this.

Point being that it is already so easy for them to get e-mail addresses (although it is fortunately getting harder), I'm not sure that they would bother with the chain mail which wouldn't harvest as many e-mails as you might think (then again, there are many idiots out there that respond to them and forward them on). Spyware is another way that they get e-mail addresses.
If anything, those chain letters are closer to the concept of a worm or virus than they are spam harvesting issues. They don't do anything specifically malicious to your machine so perhaps they are less a virus, but they take up network resources, replicate out to other people (via you), and are essentially useless - which is what the definition of a worm is.

(Incidentally, if you look at the source of MovableType pages - such as this one that you are on - the e-mail that you enter in is a non-standard type so it is harder for bots to grab e-mails from it. Not impossible, but not as easy as plaintext e-mails.)

Posted by: Eric at April 19, 2004 01:59 PM

zonk - good point.
Upstream is much more likely to be 128kbps-250kbps, which limits you to 15-30KB per second - which assuming a 1KB spam e-mail would be 15-30 e-mails per second per internet connection.

There have been many articles in the past written that interview spammers and if they have home accounts like that, they have multiple connections (upwards of 10).
That doesn't really matter too much since the ones that are doing quite well (just check out SpamHaus for a list of the top ones), they have T1s into their homes with a network of rackmounted machines available for sending out mail.

None of that even matters when you consider what is going on in Eastern Europe and China - they are modifying existing worms/viruses/trojans that are going around the net and using them to install open SMTP relays on home machines that get the payload.
It then broadcasts a "here is my IP address" - usually to an IRC channel, and then they can route spam through that.

That is essentially free bandwidth for the spammers - paid by the person that has the malware on their machine.

The press would have you believe that it is organized crime running the virus mods like that, but the very nature of the issue makes it hard to say who is really doing it and how prevalent it is (we know that the viruses are very prevalent - that is easy to determine - but it is harder to determine how many people actually have them and how many people are actually relaying SMTP traffic).

Posted by: Eric at April 19, 2004 02:12 PM

great, thanks for spelling it out as a reference to more would-be spammers. good thinking...

Posted by: greg at April 19, 2004 04:09 PM

PEKERPEKER

PECKER

PECKERWOOD!

Posted by: ECKER at April 19, 2004 04:20 PM

quote:
Posted by: Gromit at April 19, 2004 03:35 AM
couldnt we just fine the spammer's sponsor....
----------------------------------------------

If you can find 'em. They generally hide behind a front company, which is open for about two weeks. After the initial spamming has done its duty, they close up shop, take the money, close all the accounts (that were open under a fake name with stolen social security #s), and RUN.

Also, this would open companies up to "joe jobs" where they didn't really issue the spam, but they end up taking the heat for it. So, that's no good either....

Posted by: x at April 19, 2004 05:53 PM

I think we can all learn a very special lesson today from ECKER up there... well said.

Posted by: Eric at April 19, 2004 06:03 PM

If you were to die the world would be a better place.

Posted by: negro at April 19, 2004 07:22 PM

"If you were to die the world would be a better place."

I guess this is a sign that this thread is dying down when my mom posts.

Posted by: Eric at April 19, 2004 08:43 PM

Eric - great blog.

Ernie - about Greylisting - as an intellectual concept, I like it. For small scale implementation it might be okay. But it has significant problems that would prevent widespread adoption especially by large companies and ISPs: it increases the processing load on a genuine sending MTA; it would require additional storage space to cope with the queue; it would slow down delivery when some of the "important" people who rely on email the most for business reasons want it to be as close to real-time as possible. I've been an email admin in a large company, and I don't think it would fly. I can just imagine troubleshooting on fault calls where "I've never had any trouble getting email from joe@example.com but fred@example.com sent me one and it hasn't come through" - shudder. On the other hand, people who implement it are "only" inconveniencing other people, not themselves, so maybe it could happen.

Posted by: LRW at April 20, 2004 12:44 AM
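The greylisting trade-off raised in the comments above (Ernie's suggestion, the quoted caveat about hosts that never retry, and LRW's joe/fred scenario), as an added example that is not part of the original thread or of any greylisting project's code. The delay and expiry values, the class and function names, and the sample addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300          # assumed: seconds a new triplet must wait before a retry passes
RECORD_TTL = 4 * 3600    # assumed: an unconfirmed triplet is forgotten after this long


@dataclass
class Greylist:
    """Minimal greylist keyed on (sending IP, envelope sender, envelope recipient)."""
    first_seen: dict = field(default_factory=dict)   # triplet -> time of first attempt
    passed: set = field(default_factory=set)         # triplets that retried correctly

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply code to give at RCPT TO: 250 accept, 451 try later."""
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return 250                                # known sender: no delay at all
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > RECORD_TTL:
            self.first_seen[triplet] = now            # new (or expired) triplet: start clock
            return 451
        if now - seen < MIN_DELAY:
            return 451                                # retried too quickly: keep deferring
        self.passed.add(triplet)                      # proper retry: remember it
        del self.first_seen[triplet]                  # (simplification: entries never expire)
        return 250


def deliver(gl, client_ip, mail_from, rcpt_to, attempt_times):
    """Return the time the message was accepted, or None if it never got through."""
    for t in attempt_times:
        if gl.check(client_ip, mail_from, rcpt_to, t) == 250:
            return t
    return None


def demo():
    """Constructed senders showing who is delayed, who passes, and who is lost."""
    gl = Greylist()
    rcpt = "staff@example.org"
    mta = "192.0.2.10"                                # a queueing MTA for example.com
    return {
        # First mail from joe: deferred at t=0, accepted on the 15-minute retry.
        "joe_first": deliver(gl, mta, "joe@example.com", rcpt, [0, 900, 1800]),
        # Later mail from joe: triplet already passed, accepted immediately.
        "joe_again": deliver(gl, mta, "joe@example.com", rcpt, [5000]),
        # Same server, different sender: a new triplet, so fred is delayed.
        "fred_first": deliver(gl, mta, "fred@example.com", rcpt, [5000, 5900]),
        # Sender that never retries: the message is never accepted.
        "no_retry": deliver(gl, "198.51.100.7", "bulk@example.net", rcpt, [6000]),
        # Sender that retries only within seconds: still inside MIN_DELAY.
        "fast_retry": deliver(gl, "198.51.100.8", "bulk@example.net", rcpt,
                              [7000, 7010, 7020]),
    }


if __name__ == "__main__":
    for name, accepted_at in demo().items():
        print(f"{name:11s} accepted at: {accepted_at}")
```

The `no_retry` case is the legitimate-mail loss the quoted caveat describes, and `fred_first` is the fault call LRW expects: the delay falls on each new sender, not on each new server.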

Good thoughts, but upgrading SMTP isn't going to happen anytime soon. People still living in the dark ages wouldn't upgrade. Yes, this has been said before, but it's still true.

Posted by: TQ at April 20, 2004 01:19 AM

A small technical detail: With SMTP you don't send out a copy of each email for each recipient. You send out the email body and give the server a list of addresses to send that body to. Because of this you can send a lot more email through a dialup than you'd initially think, by a factor of anywhere from 50 to 200.

That's a significant piece of information because a lot of spammers (used to, at least) use throw-away AOL accounts and other free dial-up trials to spam through open relay servers, making them really hard to catch.

Posted by: Chris at April 20, 2004 07:28 PM

I thought spam was a meat.

Posted by: Luke at April 21, 2004 09:18 AM

Spam isn't a meat -- it's a pseudo-food product made from animal stuff...

But seriously folks, currently my GOOD/spam ratio is at 2100/3700 every 5 days.

I use an access.db of almost 5000 addresses/IP's which includes comcast, rr, genuity, and a ton of dsl and ppp addresses.

The point is the spammers recycle their addresses. I receive mail for users that closed accounts five years ago!

I think mandatory jail terms are the solution.

Posted by: Dave at April 22, 2004 10:29 PM

Nice site... very interesting.
Please feel free to visit my web site to download my new web email cloaking utility which allows web masters to cloak email address on their web sites. Go to the following URL for more info www.clariondeveloper.com/webemailcloak.htm
The utility is free.

Posted by: Ben E. Brady at April 24, 2004 02:05 AM

Free web email cloaking utility! Click here!

Posted by: Ben E. Brady at April 24, 2004 02:07 AM

I still don't get why they don't outlaw spam. Most heard argument is that it is difficult to outlaw spam in every part of the world... that is correct. However, a lot of spammers use techniques to let other accounts and open relays do lots of the sending for them. Imho, that IS theft of bandwidth. Are there really that many places in the world where theft is legal? Nail them for theft, I say... in the end they got Capone for avoiding taxes.

Posted by: Jaz at April 24, 2004 09:16 AM

As in any other issue, I think we need to follow the money here. If we agree that the spammer exists in cyberspace and can effectively mask themselves, then there are 2 places where they meet the real world:
1. the guy that is hosting them
2. the guy that is paying them

Why couldn't the mail provider (Hotmail, Yahoo) have a spider that automatically clicks the URL link on incoming spam? Would this not have the effect of:
1. pissing off the foreign ISP that the spammer uses, and make them deactivate the spammer's account? The ISP in Vanuatu would now know that the incremental revenue he gets from hosting a spammer is not worth the hassle of pissing off his legitimate customers (such as the porn guys). Of course I am making an assumption here that the revenue the ISP receives from hosting spammers is a small percentage of his total revenue. But what if it is not, and the ISP gets 100% of his revenue from spammers? The ISP in turn is accessing the Internet through a Tier 2 or Tier 1 provider, for whom again spamming makes a small percentage of total revenue; this higher-tier ISP will now have a strong incentive to disconnect the spam-accepting ISP.

2. if the spammer is getting paid on click throughs, then his client has to now fork over serious moolah for business that never came through.

Posted by: capncrunch at April 24, 2004 11:34 AM




