halfbakery: Birth of a Notion.
One of the best ways to stop spam is to make it uneconomical. The economics of spam are based on a simple formula involving the ratio of sent messages to responded messages, adjusted by a number of factors such as filtering ratio, cost of bandwidth, profit per response, lawsuit risks, etc.
My half-baked idea is primarily concerned with attacking the top number in the spam economics equation: forcing the cost of sent messages to grow larger while keeping the number of respondents constant (assume the same idiots will continue forever to turn off their spam filtering and will continue to buy spamvertised products, and although we can't do much about it, their growth hopefully will not outpace population trends!).
What I'm proposing is going to require three significant elements:
1) Low-Cost Spam Acceptance And Disposal,
2) Higher Cost Per Spam Sent, and
3) Massive Poisoning of Spammers' Email Address Lists
I explain them in detail below:
1) The community at large needs to establish what I'll call "Hollow Email Address" technology. This is different from disposable email addresses (DEAs) and spam-traps, which are not optimized to reduce the cost of receiving and ignoring a spam message. Large numbers of people need to be given the ability to create non-bouncing email addresses that destroy spam quickly and cheaply. Domain admins can do this today using procmail, ASSP, or custom MTA configuration - but those are all geeks-only tools not accessible to the general public. Some DEA systems can be tweaked to fit the bill also, but most out-of-the-box still store the spam, which is expensive to do on a large scale. These email addresses capable of disposing of spam very cheaply (no heavy computation, no storage, no human intervention) are what I'll refer to as "hollow" addresses from here on.
2) The cost of sending one spam message needs to be higher than the cost of receiving it. In the future, when DKIM is in widespread use, this will be true for hollow addresses as defined above. Signing (which is a form of encryption) and sending a spam message is going to cost more than accepting and discarding that message without validating (decrypting) the signature, provided that you have some means to identify the spam from its envelope (such as, the recipient's address).
With the above two pieces of infrastructure well in place, then comes the "killer app", which is the core of my idea:
3) Once we have widespread use of "high cost to send" AND "low cost to discard" technologies, we (the community at large) can start relentlessly, systematically "poisoning" spammers' address lists with hollow email addresses on a MASSIVE scale.
That's it. Sounds simple huh? The three elements, even #3 above, already exist in some form today (who hasn't used a disposable address to signup for a spam-prone service, therefore causing an infinitesimal increase in the spammer's cost without a corresponding increase in return?). But what I'm proposing is to massively scale this up, to the point where spammers' lists are filled with BILLIONS or even TRILLIONS of hollow email addresses. This number of hollow addresses circulating on the Internet could be made so large, that no one spammer would even own the entire list.
Think about it:
- The cost of a spam run would go up dramatically. Today it may cost something like $100 to send enough spams to reach 1 million spam-reading humans (rough guess). Imagine increasing this cost to $100,000 or more!
- Certain types of spam runs would become computationally intractable. The DKIM signatures alone, when you have BILLIONS of email addresses, would require more computing capacity than even the largest spambot networks.
- Instead of getting 1 response for every 10 million emails sent (wild guess), spammers would have to send 1000 times more spam (10 billion messages for 1 response).
Best of all, poisoning the spammers' lists can be a distributed, community effort:
- Webmasters, especially those who care for parked domains, can post hollow addresses by the ton, for web harvesting spammers to pickup.
- Open Source enthusiasts could create generic website packages to help with the above.
- People who post to mailing lists can add hollow addresses to their signatures. Utility software could generate them on the fly. Mailing list admins could periodically post an ever-shifting list of hollow addresses as part of their FAQ or other announcements.
- Volunteers can obtain free lists of hollow addresses to submit into "opt-out" and "unsubscribe" requests in their spare time (for the uninitiated, opt-out and unsubscribe are sure-fire ways of getting ON to spammers' lists).
If every webmaster out there today would go out and post a list of 10,000 hollow email addresses somewhere on their site, email harvesting from websites would be dead in a few months! Imagine volunteer webmasters could do this on just one million of their sites. That would instantly generate TEN BILLION EMAIL ADDRESSES - larger than any spammer's list today and probably enough to break some poorly written spamware already!
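As an added illustration of element 1 (not code from the original post), here is one way a mail system could mint hollow addresses by the billion and still recognise them at SMTP envelope time without storing any of them: a keyed HMAC tag embedded in the local part. The "h." prefix, the 6-byte nonce and tag sizes, and the domain are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed scheme for this example: local part is "h.<nonce>.<tag>", with
# tag = HMAC-SHA256(key, nonce) truncated to TAG_BYTES. No per-address state is
# kept; one HMAC at RCPT TO time is enough to recognise a hollow address.
HOLLOW_PREFIX = "h"   # assumed marker; any fixed string would do
NONCE_BYTES = 6
TAG_BYTES = 6

def _b32(raw: bytes) -> str:
    return base64.b32encode(raw).decode().rstrip("=").lower()

def _unb32(text: str) -> bytes:
    return base64.b32decode(text.upper() + "=" * (-len(text) % 8))

def mint_hollow_address(key: bytes, domain: str, nonce=None) -> str:
    """Mint a hollow address; anyone holding `key` can mint them without limit."""
    nonce = nonce if nonce is not None else secrets.token_bytes(NONCE_BYTES)
    tag = hmac.new(key, nonce, hashlib.sha256).digest()[:TAG_BYTES]
    return f"{HOLLOW_PREFIX}.{_b32(nonce)}.{_b32(tag)}@{domain}"

def is_hollow(key: bytes, address: str, domain: str) -> bool:
    """Stateless check: domain, structure and HMAC tag must all match."""
    local, _, dom = address.rpartition("@")
    if dom.lower() != domain.lower():
        return False
    parts = local.split(".")
    if len(parts) != 3 or parts[0] != HOLLOW_PREFIX:
        return False
    try:
        nonce, tag = _unb32(parts[1]), _unb32(parts[2])
    except ValueError:  # not base32: an ordinary or malformed address
        return False
    expected = hmac.new(key, nonce, hashlib.sha256).digest()[:TAG_BYTES]
    return hmac.compare_digest(expected, tag)

def rcpt_to_decision(key: bytes, domain: str, rcpt: str, mailboxes: set) -> str:
    """Decide at RCPT TO, before DATA is read or any signature is verified:
    'discard' = answer 250 and drop the body unread (so it never bounces),
    'reject' = 550 unknown user, 'deliver' = a real mailbox."""
    if is_hollow(key, rcpt, domain):
        return "discard"
    local, _, dom = rcpt.rpartition("@")
    if dom.lower() == domain.lower() and local.lower() in mailboxes:
        return "deliver"
    return "reject"
```

The verification cost is one HMAC per recipient and no lookup, which is what makes accepting and dropping cheaper than the sender's DKIM signing.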
DomainKeys Identified Mail (DKIM)
http://www.dkim.org/ [jutta, Jun 08 2008]
Register: Some spam response rates
http://www.theregis...am_response_survey/ 1:20 for porn? Let's hope that's an old number and has declined since. Sheesh. [jutta, Jun 09 2008]
hashcash.org
http://www.hashcash.org/ Make an email sender do work. [jutta, Jun 09 2008]
I don't know enough, but this sounds like it would work to me.
// But what I'm proposing is to massively scale this up //
That's called a "let's all" in the help file. If we could have *anything* happen on a massive scale, spam would have gone away and died years ago, because we'd all be signing our messages, or using hashcash as postage, or any of a large number of schemes that would work great if everybody just cooperated.
Chaff email addresses depend on ruses that cooperating humans detect (so they don't waste time with the frauds), but spammers and their software are fooled by. That looks like an arms race to me - the good guys come up with new tricks, the bad guys learn to find them and rewrite their software to avoid them. The amount of time needed to avoid the traps does not depend on the number of email addresses you'd falsely harvest if you fell into them.
You never explained what a "hollow" e-mail address is, except that it involves a technology to filter spam (delete without storing).
Signing mail has been proposed countless times as a method of spam control. It doesn't work because people need to be able to receive e-mail from addresses they haven't whitelisted.
Number three: huh? You're going to give spammers real e-mail addresses because the proposed (undescribed) filtering method is so good? How would this be better than giving spammers e-mail addresses that aren't real, as is done by several e-mail address listing honeypots?
Voice, I think the author means the same by "hollow addresses" as is implemented by honeypots.
You seem to be forgetting that the real spammers today mostly use zombies. So, computation be damned, it's just a few hundred thousand grandmas' hijacked PCs that are used.
Make sure to have the hollow email system (before it discards it) look for 1x1 pixels & fetch them randomly & often in a separate thread. That way, the spammers get false-positives of open-tracking, so they don't clean their list easily of those hollow emails.
That said, neither DK/DKIM is widely adopted yet, by legit & illegit systems. And, if DKIM is done properly, it'd be hard for a spammer to use it anyway. (So, fighting back against DKIM users is likely going after the whiter-shade-of-gray in this ongoing battle.) How do you fight those who hijacked & created all those zombies? I don't see it here.
You're asking me, the email administrator, to create a few thousand extra email addresses, send them to spammers and then accept whatever traffic that generates and donate my bandwidth costs to the project? No.
And to go along with [sophocles], what it takes for a spammer to push an extra 10,000,000,000 messages isn't that huge because they're offloading it anyway.
This idea just seems to add too much overhead to everything, start to finish. Except for the spammers, they just hijack a few more machines and keep chugging.
Step 1. Gather spam programmers and their clients.
Step 2. Stuff into rusty cage suspended above bio-hazardous, viral infected pungi pit.
Step 3. Light the cage supporting rope on fire.
Step 4. Find the jerks that keep the botnets propagating by not doing good system maintenance and throw them on the fire as well.
It's only the rope that's on fire. I believe the best way to punish the slower admins would be to reply to every single email with a trojan using an exploit found about 6 months ago. This trojan would make random 1 bit alterations to the hard drive, carefully avoiding system files and executables, so when it was eventually discovered the admin would have no backups.
And line 'em up against the wall and shoot 'em.
Why waste time lining them up?
How about, for senders not already on the safe list, an auto-response with a CAPTCHA?
That was tried, Mr. Nerd, but no one wanted to do extra work just to get their e-mail read, and too many e-mails got lost because the sender wasn't reading the bounced "please read this captcha to prove you're not a spammer".
Maybe the CAPTCHA thing should be put into the protocol so Outlook can bring up a big "prove you're not a spammer" messagebox.
As for not wanting to do the extra work, remember they did type the email. What's so hard about 4-6 extra keystrokes?
Bad Jim, you're going to force everyone to use Outlook? Kinda makes the plan even worse.
// Volunteers can obtain free lists of hollow addresses to submit into "opt-out" and "unsubscribe" requests in their spare time //
What stops spammers from getting these lists and removing them from their database?
I almost never get spam to my gmail but get tons of it to my paid service (bezeq international). Wonder why.
E-mail harvesters now search for "strong" emails that are found in more than one location. They also use commercially purchased e-mail lists and aggregate "known live" addresses. Since a cold spam is almost as effective as a cold call, most criminals and "enterprises" focus on a few addresses that they have key information about: "your name, age, interests, location". Information is mined using soft scams that do not ask users for any private information but instead build a profile for future spamming. If you ever use an email address for anything remotely "you may have already won!", consider that address to be scam and spam positive.
[Pashute] Partly luck, perhaps. I had an email address with a very small local provider - so small that everyone's inbox resided on a single machine - that got exactly zero items of spam over its several year lifespan.
And yes, [Bad Jim]'s suggestion using Outlook is like having al-Qaeda open all postal parcels to check them for bombs before forwarding them to their destinations.