On Tue, 10 Feb 2004, David Berman wrote:

> Subject lines for emails should be required to have only words that
> can be found in the dictionary. This eliminates any spam like vi@gr@ or
> m0rtgage.

This is not a sane idea. It also eliminates a stupendous volume of legitimate mail. Can I no longer send email with a subject line such as "node b10 down"? How about "Joe's email address is jpg@xxxxxxxxxxxxxxxxxxxx"?

And then there are foreign languages. WHICH dictionary? How many dictionaries?

And what about spam that comes with no subject line? Spam that comes with an innocuous subject line that has nothing to do with the message content? Remember, the spammer will simply alter their message again to penetrate any defenses you raise against it until you've closed down an entire channel to legitimate traffic.

What about email between administrators and users ABOUT spam? "What do I do about vi@gr@ emails?" seems like a legitimate subject line.

What about bad spelers? Or tpyos?

This is not an acceptable protocol-level solution for stealth spam. Nor are variants such as passing the words found through a crack-like substitution tree looking for 1337 phrases, as people might use those substitutions for legitimate reasons, or arbitrary regular expression rulesets as to what is non-spam.

These are, however, perfectly fine anti-spam countermeasures in user-level tools such as spamassassin and procmail, where you can control it yourself and choose (at your own risk) just how much legitimate mail you are willing to risk blocking in order to reduce spam.

The information-theoretic observations already made about signal channels and filters are entirely apropos here. The more tightly you control the noise, the more the signal itself degrades.

> The real problem isn't from companies who send bulk email and allow
> you to opt out. The problem comes from people that are trying not to
> let you opt out. Not only don't they let you opt out, but they also try
> to get around your filters.

This statement is like saying "The real problem isn't the people who knock on your door to sell you something and go away when you open it to say no, it is the people who knock on your door to sell you something and when you open it come in and take your wallet, drink all your beer, and shoot your dog."

At a very crude guess, over 50% of all spam that has an opt out uses the opt out only to verify that they've found a live email address with a human at the other end who reads the messages. This is a valuable commodity and can be (and is) repeatedly resold. Opting out is therefore much like opening the door to strangers when over half of them are likely to take your beer and shoot your dog.

I opt out only when the opt out is the URL for a well-known company, the mail header is well-formed, and there is a decent chance that they are going to be semi-accountable to an internet acceptable use policy in the first place. Presuming that their SPAM made it through spamassassin and procmail, that is.

In bad neighborhoods where the streets are rough and folks are on the make, the only solution is lots of police and punishments that make evil behavior a poor risk for the bad guys. The internet makes every bad neighborhood in the world hyperdimensionally outside your front door.

To mutilate a metaphor...:-)

   rgb

-- 
Robert G. Brown                        http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb@xxxxxxxxxxxx
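
Added example, not part of the original message: a small Python harness that applies the proposed dictionary-only subject rule, and the de-leet blocklist variant mentioned in the reply, to the message's own counterexample subjects and reports which legitimate subjects are blocked and which spam subjects pass. The word list, blocklist, substitution table, spam labels and the jpg@example.org placeholder address are constructed assumptions.

```python
# Constructed stand-in for "the dictionary"; a real word list is an assumption.
DICTIONARY = {"node", "down", "email", "address", "is", "what", "do", "i",
              "about", "emails", "bad", "and", "cheap", "low", "rates",
              "meeting", "notes", "mortgage"}
# Hypothetical blocklist and substitution table for the de-leet variant.
BLOCKED = {"viagra", "mortgage"}
DELEET = str.maketrans("@01345$", "aoleass")

# Constructed sample of (subject, is_spam). The legitimate subjects are the
# counterexamples raised in the message; the address is a placeholder.
SAMPLE = [
    ("node b10 down", False),
    ("Joe's email address is jpg@example.org", False),
    ("What do I do about vi@gr@ emails?", False),
    ("bad spelers and tpyos", False),
    ("cheap vi@gr@", True),
    ("low m0rtgage rates", True),
    ("", True),               # spam with no subject line
    ("meeting notes", True),  # innocuous subject unrelated to the body
]

def tokens(subject):
    """Lower-case whitespace-separated tokens with edge punctuation removed."""
    stripped = (t.strip('?!.,:;"').lower() for t in subject.split())
    return [t for t in stripped if t]

def dictionary_only(subject):
    """Proposed rule: accept only if every token is a dictionary word."""
    return all(t in DICTIONARY for t in tokens(subject))

def deleet_blocklist(subject):
    """Variant: accept unless a token maps to a blocked word after substitution."""
    return not any(t.translate(DELEET) in BLOCKED for t in tokens(subject))

def evaluate(accepts):
    """Return (blocked legitimate subjects, accepted spam subjects)."""
    false_pos = [s for s, spam in SAMPLE if not spam and not accepts(s)]
    false_neg = [s for s, spam in SAMPLE if spam and accepts(s)]
    return false_pos, false_neg

if __name__ == "__main__":
    for rule in (dictionary_only, deleet_blocklist):
        fp, fn = evaluate(rule)
        print(f"{rule.__name__}: blocks {len(fp)} legitimate, passes {len(fn)} spam")
        for s in fp:
            print(f"  blocked legitimate subject: {s!r}")
        for s in fn:
            print(f"  accepted spam subject:      {s!r}")
```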