On Sat, 28 Feb 2004, Tom Petch wrote:

> <extract>
> *** Anonymous Bulk Email Software
>
> *** is a super fast bulk email software that sends out at speeds greater
> than 1,000,000 emails per hour* on a dedicated mailing server. *** has the
> capability to use Proxies and Relays and also to send directly.
>
> Some of the features include:
> Anonymous Mailing using Proxies
> Message Randomization to bypass Spam Filters
> Speeds over 850-950K emails per hour on Turbo Mode
> Up to 1000 Threads
> Unlimited Email List Size (up to 100 Million per file)
> HTML and Plain Text Emails
> Tag Macros to personalize and randomize emails
> Custom Headers ....... more on
> </extract>
>
> Something along the lines of 'Know your enemy' comes to mind; get hold of
> such a product, reverse engineer it, find its weaknesses and nullify it. I
> am thinking that spam is and will remain a long-term battleground and it
> needs serious effort to counter, perhaps a Cert-like organisation, and we
> are just not putting in enough serious effort yet; perhaps the cost to us
> is not yet high enough to stir us to action.

I keep swearing that I'm not going to respond yet again, but I keep getting drawn into it as people miss a key point... such as the real point of this "extract".

It has been pointed out several times that this sort of battle is one that you cannot "win" on the grounds of technology alone. At the same time you are reverse engineering their spam engine, they are reverse engineering your reverse-engineered anti-spam engine, and they have the distinct advantage that your anti-spam engine is quite likely to be open source while their spam engine is quite likely to be completely closed source. Every move you make to block them, they make a move to counter your block, and they can move faster.

Look at the "features" list above -- what is it if not "moves" against blacklists (using proxies), keyword and Bayesian spam filters (message randomization, tag macros), slow/blocking MTAs (lots of threads), browser and text based message review by the user (if they get in with a plausible tag-macro-generated subject line, the user HAS to see the actual message in order to do end stage rejection of material that makes it through their local filter, if any). Move-countermove.

This is not a technology problem, it is a war, an exercise in practical biology. There are attackers and defenders and it is pointless to erect some expensive Maginot Line and pretend it will solve the problem.

Adding encryption or signature simply causes spamware vendors to add an encryption and signature module to their code and mailing list database and address-grazing webbots. This in turn makes the people who sell spamware still more money selling their "new improved version", cheerfully paid by the spammer who continues to make all that lovely money and can easily afford the latest version.

Add solving a "puzzle" and you might cut down on the peak throughput -- until they add puzzle solvers in a backing cluster, and of course that adds tremendous MATCHING expense to every legitimate MTA on the planet. Add a delay, and they add more threads where the MTA can wait out your delay but maintain net throughput in parallel connections up to the limits of the bandwidth of their MTA POP bottleneck (likely to be much lower than the capacity of their spamware in any event). In all cases they continue saturating their connection with outgoing messages, which is all they can afford to do anyway.

SPAM is not a static problem, it is a dynamic problem, being developed and driven by Evil systems and software engineers every bit as talented and dedicated as their Good opponents. As long as spammers make money, they will find ways around and through any mere "algorithmic" defense, because the algorithmic defense has an unpassable boundary where false positives become an unacceptable barrier (whether or not they are rejected at the MTA or further downstream at the MUA), and plenty of email traffic related to legitimate commerce has a finite chance of being a false positive by an overaggressive filter.

There is one and only one way to "stop spam" (as opposed to learning to live with it so that it doesn't bother you -- much -- as Vernon and I and many others do already). Change the fundamental rules of the game.

When spamming is openly illegal and/or spammers stop making money (on average), spam will stop. Until then, history clearly shows that as long as there is a buck to be made, there will be those trying to make the buck, and they will route around every obstacle you are willing to put in their path because they can automate their attack and can scale expenses and find products that make them money even with a 0.001% response rate, while you have to defend one system and user at a time, some of whom BUY the products the spammers are selling.

We are NOT going to stop spam with protocol, software, technology, as long as it legitimately makes money. We won't even slow it down. Spam as a problem is still actively growing, in SPITE of ever-more sophisticated defenses, driven by all that MONEY spammers are making.

There are several ways that we as a society might try to stop them from making money.

One is for everybody on the planet to refuse to buy anything sold via SPAM. Hmmm, not too likely that THIS is gonna happen, right? Lots of folks complain like hell about SPAM 90% of the time, but when they see the RIGHT piece of SPAM, the one that is selling something they actually want, they buy it. One person's SPAM is another's golden opportunity to enlarge this or that with safe herbal products or special exercises. In a large enough universe of people, somebody buys some of almost anything sold, and spam-sellers make money because spam is so cheap to send.

One is to add a direct and unreasonably nonlinear "expense" to sending SPAM. Lots of schemes have been proposed here that are either totally ineffective if one actually does the arithmetic or punish the innocent as much or more than the spammers -- adding "computational costs" per message, inserting delays of any sort, deliberately making expensive mail servers LESS efficient so we have to buy MORE of them to achieve the same degree of service (hmm, great idea that, sure to be very popular). Adding an up front "fee" for sending mail is certain to be similarly infinitely popular with the millions of users who are tired of living with the ever escalating price of paper mail.

Also, look how effective real mail costs are at stopping PAPER spam. Direct mail advertising costs roughly $1 per piece (total cost) to send, yet the ratio of direct mail advertising to real mail in my mailbox remains 2 or 3 to 1, easily. A lousy 1% response rate makes the advertisers money, in most cases, for the kinds of products that are sold this way. As long as they make money, they will continue to fill my mailbox on the odd chance that I might eventually be part of that 1% and buy something they sell.

One scheme alone puts additional expenses "only" on spammers and not the innocent (or rather, pays the cost out of tax revenues distributed relatively painlessly across the entire population). Pass laws prohibiting spam and fine the hell out of spammers. Fine the hell out of ISPs that are a point of origin for egregious spam -- get them to police their own network. Enforce the acceptable use agreements upon which the internet backbone is already based, again with real economic consequences -- disconnection of the ISP's network and all its clients from the backbone, for example -- unless and until they maintain a spam-to-legitimate traffic ratio less than 10%, 5%, 1% averaged over any month.

It's not like spammers don't have an absolutely obvious network traffic signature -- who ELSE sends out "broadcasts" of thousands of nearly identical TCP port 25 messages per hour, up to order a million per day, from a generally unregistered address? It's just that the ISP makes a big chunk of MONEY from that high-bandwidth-purchasing client and isn't about to say oh YOU there, could you please stop spamming and paying us for all that bandwidth you are using while doing so?

Direct email advertising being a form of interstate commerce, get the federal government to regulate it (as is their constitutional privilege and duty) by requiring interstate or international spammers to be "certified" as compliant with new, strict rules (including the setting of the IETF "evil bit" on all spam traffic;-). Get states to match the law for in-state traffic. Pass a right to privacy law making it illegal to sell lists of email addresses or anonymously collect them for use or for sale. Pass a privacy law permitting only "opt-in" collection of email addresses by corporations or other entities for their own, strictly limited, use.

Or my favorite: TAX spam. If you want to put the fear of God into spammers (or anybody:-), sic the IRS on them. As far as I can tell, one can tax nearly anything, certainly any activity associated with commerce. Impose a 1 cent/message tax on SPAM (to be increased as necessary to keep spam unprofitable), and then do "lazy enforcement" starting with the biggest spammers and working your way down. Make the ISPs liable for delinquent taxes (they were sent on their lines, after all).

Where mere law might fail to daunt spammers armed with lawyers defending their right to free speech and a "lack of seizable assets", the IRS has a reputation of being unrelenting and impossible to shake once they are on your tail, and don't let a little thing like no assets bother them at all -- they'll cheerfully settle for a chunk of any of your FUTURE assets and garnishee your income until 2104 if that's what it takes for you to pay them off. They have a whole different standard of proof, too -- much closer to spammers having to prove their INNOCENCE than the IRS having to prove they are guilty. Armed with a court order issued by a real judge and based on consumer complaints, they can easily snoop that megamessage-per-day traffic stream while working out what the spammer owes. Then they can just seize the spammer's house, dog, computer, car, and give them the choice between jail and bankruptcy and a lifetime of indentured servitude.

On the other hand, perhaps this is too cruel even for spammers...;-)

Perhaps this wouldn't work. Who knows. Control by law has worked unbelievably well for phone-spam, though -- I get vanishingly close to ZERO phone-spam calls since I put my number on the national DNC list, and I will personally phone my government representatives every day (right around dinner) to let them know just how I feel if they do not defend it tooth and nail against the perfectly understandable desperate attempt of the now-dying phone-spam industry to have the law thrown out.

Seems worth it to give it a try.

   rgb

--
Robert G. Brown                        http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb@xxxxxxxxxxxx
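
The message above describes a bulk sender's traffic signature as many nearly identical TCP port 25 messages per hour from one source. As an added example (not part of the original message), here is one way an ISP-side monitor could test for that signature; the record layout, thresholds and sample data are constructed assumptions, and word shingles are used so that tag-macro personalisation does not hide the shared template.

```python
import re
from collections import defaultdict

def shingles(body, k=3):
    """Set of k-word shingles; digits and punctuation are ignored."""
    words = re.findall(r"[a-z]+", body.lower())
    return {tuple(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}

def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 1.0

def flag_bulk_senders(records, min_msgs=5, sim=0.5, min_ratio=0.8):
    """records: (hour, src_ip, dst_port, body) tuples (hypothetical layout).
    Flags (src_ip, hour) buckets where at least min_msgs port-25 messages
    were sent and min_ratio of them resemble the bucket's first message."""
    buckets = defaultdict(list)
    for hour, src, port, body in records:
        if port == 25:                      # only outbound SMTP counts
            buckets[(src, hour)].append(shingles(body))
    flagged = {}
    for key, sets in buckets.items():
        if len(sets) < min_msgs:            # low volume: not a broadcast
            continue
        similar = sum(1 for s in sets if jaccard(sets[0], s) >= sim)
        ratio = similar / len(sets)
        if ratio >= min_ratio:
            flagged[key] = (len(sets), round(ratio, 2))
    return flagged

# Constructed sample data; addresses are from documentation ranges.
NAMES = ["alice", "bob", "carol", "dave", "erin", "frank"]
LEGIT = ["Minutes of the working group meeting are attached",
         "Your invoice for February is ready to download",
         "Can we move the review to Thursday afternoon",
         "The build failed on the release branch last night",
         "Reminder that the library books are due next week",
         "Thanks for the patch, I will merge it tomorrow"]
SAMPLE = (
    # one template, personalised per recipient
    [(14, "203.0.113.7", 25, f"Dear {n}, enlarge your savings with safe "
      f"herbal products today, order ref {i}") for i, n in enumerate(NAMES)]
    # ordinary mail server: same volume, unrelated messages
    + [(14, "198.51.100.20", 25, text) for text in LEGIT]
    # identical payloads, but too few messages and not SMTP
    + [(14, "192.0.2.9", 25, "hello")] * 2
    + [(14, "192.0.2.50", 443, "same payload")] * 6
)

if __name__ == "__main__":
    print(flag_bulk_senders(SAMPLE))
```

The thresholds here are scaled down to fit the sample; the message itself speaks of thousands of messages per hour.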