2006 October 17 Tuesday
Spam Filters Should Not Return Email To Supposed Sending Addresses

The title says it all. The practice of programming spam filters in POP servers to take email that is classified as junk spam and to "return" it back to the supposed sending email address is incredibly stupid.

Have you ever gotten junk emails "returned" to you that you never sent in the first place? I get them all the time. My web sites have email contact addresses that get used in spammer emailings. The spammers do not use my pop server. They use other pop servers and just put one of my email addresses as a return address. Actually, they usually do not even do that. They use the @futurepundit.com domain and put some string in front of that domain to create what looks like an email address. Then they send out spam with a fake return address that uses a known legal registered domain.

Oh the irony. The spam filter POP servers that bounce the spammer emails are themselves generating spam by bouncing the spam messages back to email addresses that do not exist. My pop server routes those spams to my default email address and I get dozens or even hundreds of bounced emails on some days.

POP server administrators and spam filtering software developers should not configure filtering software to bounce spam. They should just delete it and stop contributing to the problem.

By Randall Parker    2006 October 17 07:01 PM
2003 September 20 Saturday
Why New US Law Will Reduce Junk Phone Calls Only 25 Percent

The new "Do Not Call" list in America for registering to not receive commercial solicitations by phone has numerous loopholes and may decrease junk calls by only 25%.

NO OBLIGATION. Moreover, the cessation of calls offering a free Disney vacation or a timeshare in the Poconos could embolden survey-takers and nonprofits to pump up their volume. "Historically, survey firms have a refusal rate of 35% to 45%. If the past is anything to judge by, they'll pick up the pace to fill the hole that fewer commercial solicitations will create," says Bob Bulmash, president of Private Citizen, a consumer group that opposes unchecked direct marketing. Bulmash estimates that the Do Not Call List will slash unsolicited calls by just 25% -- a long way from the dinnertime quiet that Americans crave.

The primary reason: a loophole for companies that you have a "preexisting business relationship" with. According to the new regulations, any company you do business with may call you for up to 18 months after your last purchase or delivery from it, or your last payment. So the bank, the phone company, and the utility suppliers that you do business with on a regular basis are under no obligation to leave you alone.

Pollers, non-profits, charities, and even radio and TV service providers have loopholes in this new law. Plus, the junk callers can still call businesses and therefore may turn their attention to doing more calls into businesses. As the cost of international calling continues to fall, any type of junk calling that is still allowed seems set to grow in use. With the American Teleservices Association holding seminars on offshore call centers it is easy to see which way the wind is blowing.

It is still worth your time to go sign up on the Do Not Call Registry. Also, if you don't mind spending $20 per year the Private Citizen organization will send notifications to a couple of thousand entities not covered by the "Do Not Call" list to remove your name and phone number from a large number of other lists. Private Citizen's service may become more valuable in future years as the number of calls from types of organizations not covered by the "Do Not Call" list continues to increase.

By Randall Parker    2003 September 20 11:22 PM
2002 December 06 Friday
Techniques For Blocking Spam Email Reviewed

Karl A. Krueger has written an interesting article reviewing various spam fighting techniques entitled The Spam Battle 2002: A Tactical Update.

Vernon Schryver's DCC: Measuring Bulkiness

DCC, short for Distributed Checksum Clearinghouse, is a client/server system for the detection of bulk mail. (Schryver) A DCC client is usually an SMTP server, though it may also be a mail user agent (MUA -- a mail client). Whenever it receives a message, it calculates several checksums of that message, and transmits them to a server, which returns the number of times it has seen each of those checksums. If a message has been seen many times by DCC clients, these numbers will be high, indicating that the message is likely bulk mail. DCC servers can also exchange checksums with one another, forming a redundant server-network similar in structure to that of IRC.

As the above description should make clear, DCC does not attempt to judge whether a message is spam. Vernon Schryver, the system's creator, believes that it is not feasible for an unintelligent system to accurately discern whether a particular message is spam. What DCC judges is the "bulkiness" of the message -- how many copies of it have been transmitted. As a result, clients which reject mail on this basis must also maintain a whitelist of non-spam bulk mail senders, such as legitimate mailing lists. This imposes some overhead on DCC users, but presumably not as much as maintaining a local blacklist of every spam source.

The checksums that DCC uses are not the same kind of checksums used by cryptographic algorithms. A crypto checksum or message digest is designed to maximize the output change caused by a small input change. Since spammers usually add changing elements such as tracking numbers to spam messages, such a checksum would not work for spam. Instead, the DCC checksums are fuzzy checksums under which such small input changes do not change the output. These work by checksumming not the bits of the message, but the arrangement of meaningful elements such as letters and URLs.
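The contrast between an exact digest and a fuzzy checksum, and the bulk count with its whitelist of legitimate bulk senders, can be seen in a short added example (not code from the article or from DCC). The normalization in `fuzzy_checksum` is a simplified stand-in, not DCC's actual algorithm; the `Clearinghouse` class, the threshold, the addresses and the messages are all constructed for illustration.

```python
import hashlib
import re
import string
from collections import Counter

def exact_digest(body):
    # Cryptographic digest: any changed character gives a new value.
    return hashlib.sha256(body.encode()).hexdigest()

def fuzzy_checksum(body):
    # Reduce URLs to their host and drop digit-bearing tokens (tracking ids),
    # so copies that differ only in those elements collapse to one value.
    text = re.sub(r"https?://([^/\s?#]+)\S*", r" url:\1 ", body.lower())
    tokens = []
    for tok in text.split():
        if tok.startswith("url:"):
            tokens.append(tok)
        elif not any(c.isdigit() for c in tok):
            tok = tok.strip(string.punctuation)
            if tok:
                tokens.append(tok)
    return hashlib.sha256(" ".join(tokens).encode()).hexdigest()

class Clearinghouse:
    """Hypothetical server: counts how often each checksum was reported."""
    def __init__(self):
        self.seen = Counter()

    def report(self, checksum):
        self.seen[checksum] += 1
        return self.seen[checksum]

def is_unwanted_bulk(sender, body, server, bulk_whitelist, threshold=3):
    # Bulkiness is measured, not spamminess, so known bulk senders are exempt.
    count = server.report(fuzzy_checksum(body))
    return count >= threshold and sender not in bulk_whitelist

# Constructed sample: one spam run with per-recipient tracking values.
SPAM = ["Cheap pills today! Order at http://shop.example/buy?id=%d ref#%d"
        % (n, n * 7) for n in (1041, 2207, 3980)]

def demo():
    server = Clearinghouse()
    whitelist = {"announce@lists.example"}
    spam = [is_unwanted_bulk("u%d@forged.example" % i, body, server, whitelist)
            for i, body in enumerate(SPAM)]
    digest = "Weekly digest: notes from the project meeting."
    listmail = [is_unwanted_bulk("announce@lists.example", digest, server, whitelist)
                for _ in range(3)]
    return spam, listmail

if __name__ == "__main__":
    print(demo())
```
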

The New Scientist reports on a new technique for fighting spam developed by AT&T researcher John Ioannidis. It involves the use of special encrypted email addresses.

The Single Purpose addresses consist of a few dozen characters before the @ sign. The reply conditions are encoded using a secret cryptographic key, so that a spammer cannot create fake addresses. The addresses might look like nonsense but could easily be processed by computers, Ioannidis says. They could be posted to the web or used to subscribe to a mailing list without fear of receiving a barrage of spam in return. A much simpler "unlimited use" address would be kept for personal correspondence, he says.

This article really doesn't explain how this technique works. Does the sender make a public key available for reading the address so that receivers can know who it is from and that it really is a valid originating address? Does each receiver need to know the public decrypting key of each sender he gets email from? Or are the keys shared at the level of POP servers?

Is the purpose to allow only each receiver to be able to reply to a given sender with the customized response address? I don't think so. Or is the purpose to allow receivers to know that the original sender is really who he says he is?

By Randall Parker    2002 December 06 09:36 AM
2002 November 22 Friday
Whitelists To Be Solution For Spam Junk Email?

Within a year or two more than half of all email will be spam junk mail. What to do about it? One approach is to use whitelists to exclude all email from people you do not know:

But the filters are running out of gas. The spammers keep multiplying, and they keep finding clever ways to fool the systems designed to stop them. Promising newcomers such as CloudMark, which taps the collective power of e-mail recipients to identify spam, may improve things for a while. But there will always be a trade-off between catching all the spam and ensuring that every piece of legitimate e-mail gets through.

So, sophisticated Internet users are turning to a new approach. Instead of trying to block spam while allowing everything else, these users employ software that blocks everything except messages from already known, accepted senders. These systems, called "whitelists," change e-mail from an open system to a closed one.

There are practical problems with whitemail lists. Among the reasons why legitimate email could be filtered out:

  • People have more than one email address. So, for instance, you might have a home address for someone on your list but then they can try to send you email thru a work address.
  • People change their email addresses when they change internet service providers.
  • Someone could get your email address from, for instance, classmates.com in order to contact you for legitimate reasons. Well, that's a new email address for the recipient the first time the email comes in.
  • Automated tools could send email to notify about some problem (eg a list admin daemon could send a warning that some email being sent to your account is bouncing due to conventional junk mail filtering done by an ISP). The sending address would be a new address from your standpoint.
  • A public figure (commentator, politician, etc) might want to make an email address public in order to get comments from the larger public. A whitelist is not a realistic option for such email addresses.
  • A large variety of email addresses are used for reporting problems (eg web site main admin addresses and some tech support email addresses) from users who are often totally unknown to an organization before they first send in a message.

The basic problem is that there are a variety of legitimate reasons for why email gets sent from addresses which wouldn't already be in the receiver's address book. Another problem is that junk mail senders can fake the originating email address. So junk mail that pretends to be from an address on a whitelist could get thru.

There are a few methods proposed for dealing with this problem of legitimate email that isn't already on a whitelist. One could put it in a folder that the user would occasionally glance thru to look for what might be legitimate email. Many of us do that with existing email that our filters route to junk mail folders. Another option would be to have automated software that would respond to the suspect mail asking that the originator read some GIF to identify a keyword embedded in a thatched pattern. Then the user would either go to a web page that the response mail would provide a link to or would respond with an email that contained the keyword. Basically, the idea is to ensure that a human cares enough about getting the email thru to look at a response to it and do something to get one registered as a real human sender of individual email messages.

The sharing of whitelists has been proposed. That way, for instance, everyone in a company that deals with some other set of companies could use the whitelists for those other companies. One problem is that these shared whitelists would become valuable for junk mailers to acquire. After all, the bulk of their entries would tend to be real used email addresses that could be added to lists of email addresses to email to. Plus, by analysing whitelists the junk mailers can choose originating addresses to fake. It is easy for spammers to put a fake value in the From address field. This would up the odds that a junk mail message will get thru.

One response to the problem of spammers using whitelists as part of their toolbox would be to encrypt the email addresses in the whitelists. Dan Brickley has proposed using an RDF format file to allow sharing of whitelists. He calls this approach FOAF for Friend Of A Friend. He proposes the use of encryption to hide the addresses:

This is an experiment based on the idea of sharing lists of garbled email addresses, ie instead of sharing 'mailto:danbri@w3.org' we might share '357fdd378d61684762ed88277192cfdf001189af', which is what we get when we feed that address to the sha1 algorithm. Consumers of this data can do the same thing with addresses from incoming mail, and then check to see if the resulting value is on the (garbled) whitelist.

One problem with encrypted shared whitelists is that if someone was to give you one you'd have no way of knowing who you are opening yourself up to receiving email from. Another problem with it is that a junk emailer who has a huge database of email addresses could get a copy of a whitelist and then run all of their email addresses thru the encrypting algorithm and compare the output to the entries in the whitelist. The irony here is that the junk emailers, because they have such large numbers of email addresses in their databases, are in a better position to figure out what the encrypted values are in the whitelists.
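The weakness described above can be measured directly. This added example (not part of the FOAF proposal or the original post) builds a SHA-1 whitelist in the way the quoted text describes, then counts how many entries a holder of a large address list can match. The keyed HMAC variant beside it is an assumption introduced here as one mitigation, and it only works inside a closed group whose members all hold the key. Addresses, key and function names are constructed.

```python
import hashlib
import hmac

def _canon(address):
    # Assumption: addresses are lower-cased and prefixed with mailto:
    return ("mailto:" + address.strip().lower()).encode()

def sha1_entry(address):
    # Unkeyed hash, as in the quoted proposal: anyone can recompute it.
    return hashlib.sha1(_canon(address)).hexdigest()

def keyed_entry(address, key):
    # Keyed variant (added here): useless to recompute without the key.
    return hmac.new(key, _canon(address), hashlib.sha256).hexdigest()

def build_whitelist(addresses, entry=sha1_entry):
    return {entry(a) for a in addresses}

def is_whitelisted(sender, whitelist, entry=sha1_entry):
    return entry(sender) in whitelist

def exposed_addresses(whitelist, known_addresses, entry=sha1_entry):
    # Audit: which addresses from an existing list match whitelist entries?
    return sorted(a for a in known_addresses if entry(a) in whitelist)

# Constructed sample data.
FRIENDS = ["alice@example.org", "bob@example.net"]
LARGE_LIST = ["carol@example.com", "bob@example.net",
              "alice@example.org", "dave@example.org"]
GROUP_KEY = b"constructed-demo-key"

def demo():
    shared = build_whitelist(FRIENDS)
    group_entry = lambda a: keyed_entry(a, GROUP_KEY)
    keyed = build_whitelist(FRIENDS, group_entry)
    outsider = lambda a: keyed_entry(a, b"wrong-guess")  # no access to GROUP_KEY
    return {
        "plain_lookup": is_whitelisted("Alice@Example.org", shared),
        "plain_exposed": exposed_addresses(shared, LARGE_LIST),
        "keyed_lookup": is_whitelisted("alice@example.org", keyed, group_entry),
        "keyed_exposed": exposed_addresses(keyed, LARGE_LIST, outsider),
    }

if __name__ == "__main__":
    print(demo())
```
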

It might be possible to prevent spammers from faking at least some From addresses by creating a group of trusted POP servers, each of which knows which domains every other server in the group is allowed to put in the From field of email it originates. The sending POP servers would have to enforce on senders that they can only send email with the specific From addresses that have been assigned to them. The receiving POP servers would have to know which domains each sending POP server can legally use when sending to them. If an email is sent by an untrusted POP server and its From field contains a domain that is "owned" by a trusted POP server, the receiving POP server would know to reject the email.

By Randall Parker    2002 November 22 08:34 AM
2002 November 08 Friday
Spam E-Mail Increasing Rapidly

At this rate Spam is going to become more than half of all Email within a couple of years. Perhaps spammers should be put on US State Department terrorist organization lists.

The amount of junk e-mail in inboxes has risen by over 80% since the beginning of the year.

According to a monthly report from filtering firm MessageLabs, one in six e-mails is now spam, an alarming 64% increase on September and up a massive 81% since January.

By Randall Parker    2002 November 08 12:02 AM
2002 October 26 Saturday
The Evil Of Referral Log Spamming

Evil Spammers have found a new way to be The Spawn Of Satan. They are spamming blogger web site referral logs. You can find a blog discussion of it here at Blogroots.

Go read the rest of this article in Wired for more on what new kind of evil The Spawn Of Satan have thought up:

Referral logs, intended to collect information on who visited a website and how they happened to arrive there, are being stuffed with bogus links. Curious bloggers who click on a logged link to see who visited their site are instead led to pornography or advertising sites.

Some bloggers publish a list that automatically updates links to sites that have linked to them. So visitors to spammed blogs who explore the link lists also find those sites full of porn and sales pitches.

In most cases the link spam appears to have been added to logs by one of several companies that are selling a service they describe as "referral marketing."

This page is a list of domains that are the known sources (at least so far) of the sites known to generate referral log spam. They do it by going around and reading pages many times for each web log and passing in a referral URL that is for porn or some other advertisement. You can tell this guy Philip Pearson if you see other domains showing up as the sources of web log spam and he will add new domains to his list.

By Randall Parker    2002 October 26 11:33 PM