Fog Creek Software
Discussion Board




A solution to spam?

I've been wondering recently whether there really is a way that spam can be solved.  I've seen many systems proposed and although none ever seem perfect, the common theme that does seem to have promise is to make it more expensive for the spammers.  I saw an idea a while ago that there should be a 'stamp' fee for sending email - if it was made small then it wouldn't be a significant impediment to your average user, but it might deter companies from sending spam as the costs would soon multiply up.  Unfortunately, there are real downsides to this - what about all of those free email lists and newsletters that can be really useful - who would pay for them?  Also, it wouldn't cut out spam completely - we all get junk mail at home even though stamps have to be paid for, right?  So I'm wondering if some kind of deposit system could work.  What if we had a system so that when we sent an email we entered into a kind of contract with the addressee so that if the addressee decided that the email was unsolicited they could claim the deposit that the sender had left.  That way, it would cost a fortune to send unsolicited email, but normal email wouldn't be affected.  Obviously, the system would be open to abuse, but it's based on a contract so abusers would be punishable by courts.  Maybe the idea could be extended to include whitelists - email could be accepted without the need for a deposit from recognised (and authenticated?) senders.  Is this a stupid idea, or does anyone here think that it could work?  Maybe even if the system itself could work getting the infrastructure in place would make it unfeasible.

r1ch
Sunday, October 12, 2003

Taxing email won't work because you'd only be able to tax emai loriginating in the country wehre the legislation passes. THe result would be that people in other countries would be able to send all the email you want at no cost, all the spammers would move their servers offshore, or just switch to distributing mail through trojan'd servers. (In which case, you would be personally liable to pay your the spam originating from your compromised computer).

Result: no change in spam, but you'd stop getting email from people you want to hear from.

Dennis Atkins
Sunday, October 12, 2003

Yes, taxing e-mail will work.

Why? Because the recipient can filter:

if (the sender hasn't made a 10 cents deposit) AND (the sender isn't in the white list) then
      reject_email_without_even_showing_it_to_the_user

JX
Sunday, October 12, 2003

* With popular and highly useful lists, it's possible that advertisers pays for them.
A soft plug is all it takes.

* And also, stamps can be made slightly cheaper based on reputation. It could be a sliding scale. In a database you could have a 4 field table like this:


Verisign-Key-Hex64, Company-Name-English, Campaign-Name-English, Rating

And various campaigns from various companies can earn their rating. The better ones will always have a 7 out of 10 on average (the rating answers will have to come from direct subscribers).

The lower the rating the more closer the price matches the price of the consumers. The higher the rating the closer to paying say 1% of the price.

So if a vendor has two salesman.. one sells in a honorable way.. sending out emails that's basically 5% soft plugs and 95% useful helpful information .. then he'll probably earn a 7 or higher rating.

Another salesman will send out a campaign that 50% hard sell and 50% useful information.. and earns a lower rating of 3 out of 10..

The idea is the first salesman is associated with a campaign name.. so that the second salesman's crap doesn't affect the receptivity of the first salesman. That way if you have a few bad apples in a company, it won't ruin it for the entire company.

For example.. DoubleClick has many email marketers working with the DCLK dartmail system. Anyone of these could be banned from all servers even though they were sending out permission-based helpful emails, because they all share the same source IP in the dartmail email deployment system. But with proposed changes, dartmail will assign a unique source id to each email marketers--hoping to keep the good apples from the bad.

For this to work it will have to be possible to build a digest from the

Verisign-Key-Hex64,
Company-Name-English,
Campaign-Name-English

fields, and have users vote on them.

When users vote they send packets like

Verisign-Key-Hex64,
Company-Name-English,
Campaign-Name-English,
Encryted(UserID),
Rating

and a central voting poll will forward a list of UserIds
to each of the companys (by looking up a webservices://www.Company-Name-English/Campaign-Name-English/userverify.asp web services for example)

and get back a valid userid check..

when a UserID is determined to be valid.. their votes will affect the outcome of the salesman's rating and the pricing of future campaigns.

So the better your campaign is seem to the consumers, the cheaper it gets. The crappier it is the more expensive it gets.

If you target your consumers properly. Don't send crap to them if they don't ask for it. Send things they actually want to read. You do it cheap. Otherwise, sellers beware.

Li-fan Chen
Sunday, October 12, 2003

Cloudmark.

pb
Sunday, October 12, 2003

You might enjoy reading Paul Graham's website: http://www.paulgraham.com

I've been using a spam filter based on his algorithm for a while now. I've had thousands of e-mails since I installed it, about half of them spam, and only four of the spam messages slipped through. There were zero false positives during the first couple of weeks; after that I started to trust the filter so much that I don't bother to check anymore. :)

Adam Spitz
Sunday, October 12, 2003

I don't agree with Paul Graham's solution to retaliate -- all it'll do is nicely validate your email address -- a better form of retaliation is to report the spammers; a good service for this is SpamCop ( http://www.spamcop.net/ ) -- I have noticed that at least one commercial anti spam program actually makes the worst mistake when it comes to reporting spam -- it trusts the hostnames in headers (and doesn't check against the IP addresses) which results in false positives -- I know, because a couple of my domains were used a while back...

Ironically the whole issue revolves around that you'd mostly likely want to get email from people who won;t pay to send email (E.g. Joel on Software updates, friends, family, etc.)

And of course, anyone with enought advertising pounds/dollars/euros/rupees/[insert favorite currency here] can still swamp you (*cough* BESCO *cough*)

So, the solution.
There will be no magic bullet -- each magic bullet will have a magic bulletproof vest on the other side.
Most solutions revolve around bayesian filtering - my personal favorite is SpamAssassin ( http://www.spamassassin.org/ ) which is nice and free -- Between Fri, 10 Oct 2003 08:43:35 +0100 (BST) and Mon, 13 Oct 2003 09:09:08 +0100 (BST) it's correctly stopped all 272 spams aimed at my inbox -- and that figure doesn't include the 150ish a day I reject from open relays, etc.

This really goes to show that a well configured system stops spam, and there is no magic bullet.

Oh, one last hint -- ever wondered where people get your email address from? if you have an entire domain (or subdomain) to play with, you can play with it so companya only ever knows you as companya@example.com and companyb only knows you as companyb@exampl.com. Of course, trusted friends know you as [firstname]@example.com etc.

My limited research shows that most spam email addresses are picked off websites and usenet -- there are hacks to obfuscate them on websites (URI encoding is the most popular) - but it won't be long until even these are worked around by the spiders...

Rowland Shaw
Monday, October 13, 2003

http://www.google.co.uk/search?hl=en&ie=UTF-8&oe=UTF-8&q=stamplets+spam&meta=

sadly their website is no more

Not a new idea
Monday, October 13, 2003

Roland,
  I think that the difference with the scheme that I am suggesting is that it wouldn't cost the people that you'd want to receive email from anything - just the people who send spam.  I think that the deposit could probably be set high enough that bulk mailing of unsolicited email would become prohibitively expensive without affecting others.

I myself implement your unique email address scheme using www.spamgourmet.com (which is excellent).  I have already moved my car insurance (from elephant.co.uk) to another provider because I started receiving spam via the email address that I gave them.  I told them why I was leaving as well, and of course the added bonus is that I can now cancel that address as I should never receive any legitimate email from it.

I don't think that there is any magic bullet that will solve the problem completely, but I am an optimist, so I think that there must be a better way than the filtering that is employed at present.  Another thread on this forum mentioned that spammers are already inserting unrelated text into their messages to avoid bayesian filtering mechanisms - I think that a better approach would be to find a way of avoiding the mails being sent in the first place - think of all of the bandwidth that could be saved, especially if you beleive the spammers-writing-viruses-to-create-open-proxies rumours....

R1ch
Monday, October 13, 2003

We just started using a new service that is great:  http://www.spamstopshere.com

This service would only be helpful to people who run small companies or organizations, so have control over an entire domain. If so, the service works great and is easy to set up.

The only hard part is figuring out how to change the MX (dns) record so all mail going to us at mail.graphpad.com goes instead to spamstopshere servers. They do a fantastic job of filtering out the crap and forward the good stuff to our regular server. They can either eliminate the spam, or forward it to a mail address we provide (we still do the latter).

The primary criterion they use is brilliant. They figure that the spam is designed to make you click on a link or call a phone number, so they look at all the links and phone numbers within the message to identify spam. Why didn't I think of that? They have other criteria as well.

The only problem we've had is that not all our mail in fact goes through their service. Our MX record includes three pointers to their server and one to our own (what they recommend, so mail still gets to us if their servers are down). But it seems that some spammers use smart logic to figure out which mail server to use, so direct the mail right to us. We may just take our own server out of the list and have all mail, always, go through their server.

This is a new web service, but it comes from the company that created VEdit. So they have a long track record. Their web site is impressive in that it clearly explains what they do and how it all works -- in plain English with no jargon. The first month is free.

I have no connection to spamstopshere.com except as a very satisfied customer.

Harvey Motulsky
Monday, October 13, 2003

The idea of "taxing" e-mail has been around for a while now and is a bad idea for several reasons. 

In order for an e-mail tax to work, you have to be able to correctly and accurately identify the true identity of the sender of each and every piece of e-mail.  So I just forge the "from" header on all my spam so that it says it's from "Joel@Forgcreek.com" and route it through an open relay in Korea.

Maytag Repairman
Monday, October 13, 2003

Maytag Repairman: If email servers could refuse to accept email that wasn't on your whitelist if it didn't have a deposit, wouldn't that avoid the forged headers problem?

R1ch
Monday, October 13, 2003

No one's going to pay per email because there will be viable free or lower cost models that pople will migrate to.

pb
Monday, October 13, 2003

There's some work being done on combining tools such as CAPTCHAs, hashcash, encryption, and the like at:

http://www.lothar.com/tech/spam/index.html

Personally, I'm afraid that CAPTCHAs are going to be a never-ending escalation process of hacks and fixes, just like spam itself.

Phillip J. Eby
Monday, October 13, 2003

Yeah... the tax need not be monetary, capta itself can be a tax.

Li-fan Chen
Tuesday, October 14, 2003

*  Recent Topics

*  Fog Creek Home