June 30, 2003

Not buying. Trying to post a comment to the weblog Writing in Orange, I get the following email:

I’m using http://www.spamarrest.com to filter my incoming email.

Please read this message before going through the approval process:

1.) If your name is Hattie Yuan, I am not buying from you. You are not my friend. Remove my name from your mailing list.

2.) If this is an invitation to launder your money using my bank account, know that if you let the email through, I will send the message with its full headers to the Federal Communications Commission and to Interpol. You will not interest me in the least, but I am sure they will be interested. Stop while you are ahead.

3.) If you are trying to sell me something, I am not interested. I won’t read it. Don’t bother. Take my name off the mailing list.

4.) If you are sending me something in a foreign language that I cannot understand, I won’t read it because I can’t.

5.) If you’re asking me a question based on my web sites or sending me a compliment or you are a friend who is checking up to see how I am, by all means get yourself approved!

To those who fall under categories 1 through 3: you may get through ONCE. But I have the power to override your approval and I will. I will delete your message unread and report you to your ISP for violation of your terms of service. Take me off your mailing list.

To those under number 5: fear not. I do want to hear from you. Just follow the instructions.

Just this once, click the link below so I can receive your emails. You won’t have to do this again.

Uh huh. You solicit comments on your weblog, then when you get them, you auto-send a form letter explaining the extra, unadvertised hoops your users have to jump through.

I’m as opposed to spam as anyone else. But I find that SpamAssassin, running on Panix’s well-maintained shell service, takes care of 99% of it, without any need to demand that innocent emailers “prove” themselves.

Any way you slice it, this amounts to an attempt to externalize the spam problem onto others. I can see an argument for the practice, where private email is concerned. But to set up a weblog, solicit comments, and then demand that commenters jump through hoops just because you can’t manage a better spam filter, seems to me the height of rudeness. I certainly won’t be checking into “Writing in Orange” again any time soon.

[UPDATE: Perhaps I was being a jerk; see the comments.] [12:19 AM]

Stefan Jones ::: (view all by) ::: June 30, 2003, 01:51 AM:

It's rudeness born of frustration. She may simply not have the ability to run Spam Assassin. This clumsy vetting process may be her only recourse.

Spam Assassin certainly works well. My old io.com address, which comes with a shell account, was once virtually useless because of spam. Now it is efficiently swept into a spam directory.

Robert L ::: (view all by) ::: June 30, 2003, 01:58 AM:

Aw gee...it struck me more as an attempt at humor. (Perhaps I'm saying that because I just spent about 10 minutes deleting the usual attempts to sell me physiological enhancements, entertainment, and financial schemes from a "dump" account of mine. Jeez...what's with these people? Do they really think a message header entitled "godnjg9r4h9n945nga0" is going to interest me?) But seriously...I see your point, but it seems fairly innocuous to me.

Reimer Behrends ::: (view all by) ::: June 30, 2003, 02:27 AM:

Well, even though I find it understandable, too, it's not an effective way to communicate. Like Patrick, I'll simply drop any further attempt at communication if such a barrier is put in my way. Not to mention that one has to go through an elaborate rant to get to the information that one needs. At the most, the note should say something like: "Hi, to protect myself from spam, I am using a mail filter. Please click here so that I can see your mail. You won't have to do it again. Thank you." Everything else is wasted verbiage, because spammers simply won't read it, and it only scares normal people away.

It should also be noted that effective spam filtering these days is easy enough so that you don't have to burden your correspondents with such a measure (Mozilla Mail even has a filtering mechanism built in).

James D. Macdonald ::: (view all by) ::: June 30, 2003, 02:51 AM:

For people who don't have/can't get/can't run Spam Assassin, PopFile works very well. I like it a lot.


Barry ::: (view all by) ::: June 30, 2003, 07:15 AM:

As others have pointed out, perhaps there's a problem running Spam Assassin. Additionally, note the reference to a particular person. This blogger is probably being hassled by somebody, who's passing on their e-mail address to spammers. In that case, using the form is reasonable. IMHO, of course.

Patrick Nielsen Hayden ::: (view all by) ::: June 30, 2003, 07:58 AM:

And as still others have pointed out, there are more solutions to the spam problem than SpamAssassin.

I recognize the frustration, but I think this is the wrong way to go. And I think that right now, when we're all trying to figure out the etiquette of this stuff, is the time to say so.

Xopher ::: (view all by) ::: June 30, 2003, 08:26 AM:

I have a question for you, Patrick: if the message had been the one Reimer suggested, would you have reacted the same way? Would the difference have been enough that you would have gone ahead and commented?

I'm trying to figure out where the line is. Personally, I find Reimer's message dramatically less offensive, but probably wouldn't "click here."

Mike Kozlowski ::: (view all by) ::: June 30, 2003, 08:38 AM:

If you would like to read my comment, take the square root of 2783608612225, add dots in the appropriate places to convert it to an IP address, then guess the magic word I'm thinking of to get a full URL at which my comment can be seen.

Unless your name is Hattie Yuan, in which case, bugger off.

Ginger ::: (view all by) ::: June 30, 2003, 10:31 AM:

I got a challenge like that recently from an Earthlink user of my acquaintance. As it happened, she was looking for a dinner partner before a local blogger meet. I was surprised at how angry it made me to have my invitation to dinner greeted with the news that I'd been tossed in the spam hole!

The message I got was more polite, but it still bugged me enough that I blogged about it.

Kate Nepveu ::: (view all by) ::: June 30, 2003, 10:37 AM:

Re: spam filtering tools: I'm using Mailwasher (http://www.mailwasher.net/), which I really like: it's very easy to set up, and is wonderful if you're on dialup because it only downloads enough to categorize the e-mail. The free version works very well, in case you just want to try it out.

(Windows, POP3.)

Doc ::: (view all by) ::: June 30, 2003, 11:25 AM:

If Patrick Nielsen Hayden finds something to be the height of rudeness, Doc noted dryly, no living man dare contradict him.

Mr. Hayden is, of course, an expert, and in this court, his opinion is not considered speculation.

Personally, Doc continued, chewing on the earpiece to his eyeglasses thoughtfully, I found the person's anti-spam note humorous and charming, certainly understandable given that not every computer in the world is capable of running the latest and greatest anti-spamming software, and I most likely would have responded warmly. Thoughtful and funny people are just too rare to be snippy with, at least, right out of the gate, in my humble opinion. But then, that's most likely just more flailing, compounded with several historical errors and a few scientific sounding but ultimately meaningless generalizations. Pay no heed.

"Out of order!" shrieks the judge, vigorously beating her podium-top into ruins with her antique gavel. "You're being elliptical and broadcasting from the ozone! Shoot straight from the hip or we'll ban you from Dodge City, you cur!"

Heh. You can't handle the truth.

Jon Hansen ::: (view all by) ::: June 30, 2003, 11:55 AM:

Well, I do see that your comment posted, Patrick, so you either clicked the link or it posted anyhow. And I still don't see why Writing in Orange would run weblog comments through a spamfilter anyway. Seems like the two wouldn't have much to do with one another.

Joel ::: (view all by) ::: June 30, 2003, 11:56 AM:

First, I am not a she.

Second, I don't care. Spam is rude and I get people trying to run around it. The people who get offended by my spam filter are people I probably don't like knowing anyways. If you think you're so self-important that I should have seen you coming, then you're hardly important to me at all.

Funny thing is that he took minor offense about a comment indicating that this blog was something worth reading as a type -- "the pundit blog".

Patrick: I'm only here because you left a note on a blog that isn't even in the mainstream (a blog for Orange County, California writers). The only explanation that I can come up with for your finding it is that you went hunting for any mentions of you in Google. And that's laughable and pathetic.

Joel ::: (view all by) ::: June 30, 2003, 12:00 PM:

Oh and I don't use Spam Assassin, I use Spam Arrest. It's a different program and it's cut the spam effectively in my inbox to less than 1/2 of 1% of what it was. So before you go shooting off about what I do and don't know how to use (I've used both), do a little research.

Jon Hansen ::: (view all by) ::: June 30, 2003, 12:12 PM:

Joel, from glancing at your trackbacks, rather than vanity surfing, I'd say Patrick just followed Kathryn's link to your site. She is on his blogroll, after all.

Mary Kay ::: (view all by) ::: June 30, 2003, 12:12 PM:

Joel: Patrick is an editor; it is not at all odd for him to be looking at writers' blogs. Maybe you should do a little research yourself.

I'm with Patrick on this; I too will give it a miss if I have to jump through hoops to prove I'm not a spammer. My sister has something similar on her phone; if it doesn't recognize the number you're calling from, or if that number is blocked, you have to get 'authorized'. Which was a challenge, and an expensive one when I was calling from a phone booth in Ireland.


David Moles ::: (view all by) ::: June 30, 2003, 12:13 PM:

Okay, now we know that Mr. Sax isn’t only rude when he’s talking to people he’s categorized as potential spammers.

Patrick Nielsen Hayden ::: (view all by) ::: June 30, 2003, 12:18 PM:

David, in fairness, I was pretty rude to him.

Joel, actually, I found your weblog through Technorati, a web service that tells people who's linking to them. If being curious about who's linking to you is "laughable and pathetic," then most webloggers are laughable and pathetic. Understand, I would not immediately dismiss the idea that we are. On the other hand, maybe it's normal to be curious about who's reading you, and to want to extend the conversation.

I don't actually think I'm particularly important at all. And it may be that I'm just being an asshole. (Always a possibility.) Reflecting on it, I think I was probably snarkier than it merited. For what it's worth, though, I find that although I'm perfectly willing to satisfy "authentication" requirements that are spelled out up front, I tend to have a strong emotional reaction to having an authentication demand sprung on me after I've extended myself into a conversation. Specifically, I feel like Charlie Brown having the football yanked away.

Perhaps this is an overreaction rooted in the fact that, at heart, I'm a prickly shy person. And, of course, there's the "asshole" hypothesis.

Kathryn Cramer ::: (view all by) ::: June 30, 2003, 12:21 PM:

Oh, Patrick. Calm down.

James D. Macdonald ::: (view all by) ::: June 30, 2003, 12:56 PM:

In other notes on Spam Arrest, see the note at http://samspade.org/, "SpamArrest is Spamming":

"What SpamArrest is doing is similar to Microsoft spamming everyone who ever sent mail to your hotmail.com account, or AOL spamming everyone who emailed an aol.com account, and so on. But it's even worse because SpamArrest -- as a purported anti-spam service whose website warns users of the 'exponentially increasing problem of spam' -- should know better."

Ulrika O'Brien ::: (view all by) ::: June 30, 2003, 12:58 PM:

And, petty-minded creature that I am, I was struck by noticing that, for a guy running a web page for Orange County Writers, Joel doan write too good.

anders ::: (view all by) ::: June 30, 2003, 01:32 PM:

i used a CR-system until recently. i got rid of it because 1) the whole bayesian filtering idea came up and seems to work well enough that i can live with it and 2) i got tired of adding extra rules to my .procmailrc every time i subscribed to a mailing list.

i used it because i felt that typical anti-spam techniques like SpamAssassin and others that work by analysing the content of emails are inherently flawed. you're doomed to an endless cat and mouse game with the spammers. you make your filters more sophisticated and they make their spam sneakier. there was no end in sight. at best, you (or your mail admins) spend hours updating an increasingly large file of filter rules. a simple whitelist + CR system (mine essentially just verified that the email had a valid reply-to address) takes you out of that loop. there just isn't a way for the spammers to get around it. checkmate. the extra 5 seconds that it takes for a stranger wishing to contact me out of the blue to authenticate themself is unfortunate, but worth it if it means that i never have to think about spam again.

i'm a programmer and amateur cryptographer, so i appreciate elegant solutions to difficult problems. CR systems to me, are an elegant solution to the problem of spam. if i'd had a better interface for adding exceptions than editing my .procmailrc by hand, i'd probably have stuck with it. ideally, i'd like to see CR systems integrated with a PGP style web of trust. so if Bob authenticates themself to Alice, and i trust Alice, Bob has implicitly authenticated himself to me as well.

in the meantime though, bayesian filtering is elegant enough and requires even less work on my part as a user, so i use that.

Erik V. Olson ::: (view all by) ::: June 30, 2003, 02:24 PM:

1) Bayesian filtering seems like a miracle. Until you screw up and poison your whitelist or blacklists. Then, you start again. It's still a nice bit of "Genius from Mars" technique.

2) Spamassassin uses Bayesian filtering. This doesn't mean other filtering techniques are useless -- indeed, Bayesian requires much more CPU to implement. This doesn't seem like a problem? How many mailboxes would you like to filter? It may be easy for, say, neilsenhayden.com. It's a real problem for, say, tor.com, it is a nightmare for google.com, and the scale of the problem is unbelievable for ibm.com. Do the math. Multiply your total spamload, per month, times the number of email addresses you are trying to protect.

So, filtering on such things as forged Outlook headers is useful -- it's quick to do, and saves you from churning through the full "split, count, score, filter" that Bayesian filtering does. And, I consider this critical. I've been eriko@mvp.net/eriko@mo.net for over a decade. My personal spam load? (This is a monthly count)

Date: 06/29/03 11:55:01 pm
From: "Erik V. Olson"
To: eriko@mvp.net
Subject: Spam Count


That doesn't count ~ 700 messages in the spamfolder I just glanced at, then rm'd the folder, rather than running it through the reportspam script to deal with various problematicals (and keep the counts.)

Now. Multiply that load by 10 people. 100 people. IBM. This leads to...

3) Filtering is the wrong answer. It is also the only answer right now, but filtering is merely "Just Hit Delete", automated. I refuse to defend filtering as the proper answer for spam, even if it does work, because it doesn't fix the problem. 10,000 junk messages, including many fraudulent ones, have been sent to eriko@mvp.net. Those messages -- well over 100 megabytes worth -- have traveled across the net, have come into mvp's mail server, have been held there for me, have been sent to my mail server, and have been churned over by a complex and rather CPU intensive program only to be declared unwanted crap.

This costs time. I and the MVP sysadmins have to deal with all the bounces that can't, because the spam lies about where it came from. Several of these are known frauds, duty requires I report them. When my DSL is churning down a mailspool full of spam, those are bits I can't use. Mvp.net has, oh, 3000 accounts. Where I'm eating 5-10MB a day of crap, they get 5-10MB × 3000. 15-30 Gigabytes a day, for a little provider in the Midwest.

What does Panix get?

What does Earthlink cope with?

How is IBM even on the air?

Of course, when your wire is saturated with the crap, you have two choices. You can buy *more* wire, so that you can actually do the things you want to do on the net, or you can disconnect and not pay for a wire and a sysadmin to winnow the grain. How many companies do you think are going to sign a purchase order for another T-1/OC-3 to cope with the spam load?

4) Spam is increasing, exponentially. I started Spamassassin in Feb, 2002. I got online as eriko@mvp.net in March, 1992. I've been hopping around the net since then. My address is known around the net, and trivial to find, and has been for a decade.

I didn't hit 100 spam a month until June, 2002. I hit 500 per month in September, 2002. I hit 1000 in November. I hit 5000, per month, in Feb. I just hit 10000 per month, in June. I expect 20000 per month by September.

Meanwhile, my mailbox fights the load. I'm not about to, and really can't afford, to buy more CPU and wire to handle this load.

When it starts falling over, Erik will do one of two things. I will either go to a whitelist-only system, with a "are you real?" email, much as Hattie Yuan has. Or, I will drop off email entirely. You build on the beach, don't argue when the tide sweeps your castle away.

I'm now spending around an hour a day dealing with crap. It's really not worth the time, anymore. Now, we're seeing IM spam and SMS spam. Two more useful communications technologies about to be wiped out.

Patrick, in particular, I point out the SEMP as a real world analog as to why Mr/Ms Yuan has given up on assuming that mail is innocent until proven spam, and gone the other way, and why I may end up doing the same.

Claude Muncey ::: (view all by) ::: June 30, 2003, 03:06 PM:

Erik: excellent post. As a fellow (sometime) sysadmin in the Microsoft world, I can definitely testify that it is getting that bad. My former employer had somewhere above 500 boxes, and spam was just starting to push us underwater when I left a year ago.

Patrick: The Asshole Hypothesis - could be a wonderful title for a novel (or for my unauthorized autobiography, for that matter). Just meditating on cover art has improved my day . . .

Patrick Nielsen Hayden ::: (view all by) ::: June 30, 2003, 03:13 PM:

Cover art by Kurt Vonnegut, of course.

Kevin J. Maroney ::: (view all by) ::: June 30, 2003, 03:39 PM:


Yonmei ::: (view all by) ::: June 30, 2003, 03:54 PM:

Before I got to the words ...again any time soon I thought "Isn't Patrick being a bit of a jerk?" Then I read the final sentence after UPDATE and thought, yes, but everyone is a bit of a jerk some of the time, and not everyone has the grace to say so.

Jeremy Leader ::: (view all by) ::: June 30, 2003, 04:00 PM:

Minor correction: Hattie Yuan is a spammer, NOT the blogger (Joel something-or-other) who's using an opt-in mechanism to cut down on spam. A Google search for her name shows her spamming various mailing lists (over and over and over...) to sell electronic gadgets.

I'm not so sure that the filtering approach is so bad (in theory) as Erik suggests. Assuming the filtering keeps getting better, eventually it will get to the point that most of what it lets through is stuff that I'm actually interested in. So spammers will be forced to think about what I'd be interested in, and how to provide it to me. I have no objection to more people devoting themselves to meeting my needs.

Also, the reason spammers spam is because it's cheap enough that even a fairly low response rate pays off. But if filtering gets good enough and installed widely enough, eventually the response rate to their spam will drop to the point that they can't afford a dial-up line (or to feed themselves). So it's important to convince everyone you can to block or filter spam. In fact, it's most urgent to convince stupid people to do so, as that will have the greatest impact on the response rate.

Of course, these wonderful economic incentives have one flaw - how long it may take to reach the end state, and what happens to the net in the meanwhile. As some economist said, just because the market is efficient on average doesn't keep it from deviating from efficiency long enough to exhaust your bankroll.

Graydon ::: (view all by) ::: June 30, 2003, 04:11 PM:

My take on this sort of thing is that I won't accept having to confirm my reality if I sent properly formed email. That's equivalent to giving up on the utility of email, and if I'm going to do that, I'm going to do it outright.

Erik V. Olson ::: (view all by) ::: June 30, 2003, 04:22 PM:

Jeremy: In the last three years, the amount of resources spent on fighting spam, and the effectiveness of the tools to fight them, has increased dramatically.

If they were working, I'd expect spam to stop increasing exponentially.

And remember -- the only step in the spam theft chain filtering fixes is the user seeing spam. All the rest is still there. If filtering becomes universal, and only 1% of a spammer's emails make it through -- the spammer *still wins*. Theoretically, if we applied perfect filters (never killing wanted email, always killing spam) across the entire internet, spam would stop.

Good luck.

Graydon: Your "utility of email" is posited on the assumption that the power for anyone to communicate with anyone at any time is a universal good.

James D. Macdonald ::: (view all by) ::: June 30, 2003, 04:53 PM:

Problems with challenge-response anti-spam methods include increasing the amount of stuff being shot across those wires.

I see a minimum of three messages where one would do.

Reimer Behrends ::: (view all by) ::: June 30, 2003, 05:32 PM:

James D. Macdonald wrote:

Problems with challenge-response anti-spam methods include increasing the amount of stuff being shot across those wires.

I see a minimum of three messages where one would do.

Not really, because you only have to do it once, even if you send hundreds of messages.

The real problem with challenge-response mechanisms is that they suck from a usability standpoint. The average human being will experience frustration, for the same reasons for which many people dislike phone system menus.

Raven ::: (view all by) ::: June 30, 2003, 06:33 PM:

What I find interesting is that no one has seen this situation for what it really is (other than totally blown out of proportion).

It's not a system to filter comments on a blog, people. You're not forced to jump through hoops in order to have your voice heard on an open forum someone has provided on their website. Joel is using MovableType (according to the link on his page). Within the configuration, you can have it email you all recent comments when they are posted on the site. THAT is what that SpamArrest email was in response to, NOT the actual comment being posted.

I commented once and got that email. I was mildly annoyed until I read his personal touch, and then I laughed. The message was lightly humorous, and I could only relate to his pain. I'd try SpamArrest if it didn't cost. Now I just use SpamAssassin on my email accounts.

Jeremy Leader ::: (view all by) ::: June 30, 2003, 06:33 PM:

Erik, my point is that filtering doesn't have to be either universal or perfect to starve the spammers, because their costs, while very small (compared to something like sending junk mail via USPS) are not zero. Much discussion of spamming assumes that the spammer's costs are so small they're effectively zero, which would mean that filtering would have to be perfect to discourage them.

As I alluded to earlier, I'm not convinced that the efficiency*universality figure for filters will get high enough to drive the response rate to spam down low enough to make it uneconomical so fast that other approaches will be unnecessary, but all the other spam-fighting alternatives have drawbacks as well.

One problem with challenge-response mechanisms is that someone will eventually figure out how to automate the response, at which point the whole mess would start all over again.

I suspect having different people using different spam fighting techniques is important, as is combining them. For example, I could imagine a filtering system that sends a challenge to borderline cases (from previously unknown senders), while discarding obvious spam without interaction, and passing obvious non-spam through unobstructed.

I think any analysis that focuses on network load (bytes sent, number of round-trips, etc.) is probably missing the point. The one part of the system that isn't getting cheaper is human attention; in the long run, that's the dominant cost to society of spam. Thus usability (aka low attention cost) is very important.
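The combined approach suggested in the comment above (discard obvious spam, pass obvious non-spam, challenge only borderline mail from unknown senders), sketched as an added example that is not from any commenter or from the SpamAssassin or Spam Arrest projects. The `Triage` class, both thresholds and the sample messages are assumptions; the score is read from the `X-Spam-Status` header an upstream SpamAssassin-style filter adds, and mailing-list or auto-generated mail is held rather than challenged, which is the flooding case raised elsewhere in this thread.

```python
import re
import secrets
from email import message_from_string
from email.utils import parseaddr

# Assumed thresholds on the upstream content filter's score (not from the page).
DELIVER_BELOW = 2.0   # below this: obvious non-spam, deliver unobstructed
DISCARD_AT = 10.0     # at or above this: obvious spam, drop without replying

_SCORE = re.compile(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)")


def spam_score(msg):
    """Score from an X-Spam-Status header, or None when no filter has scored it."""
    match = _SCORE.search(msg.get("X-Spam-Status", ""))
    return float(match.group(1)) if match else None


def is_automated(msg):
    """True for list traffic and auto-generated mail, which is never challenged."""
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return True
    if msg.get("Precedence", "").strip().lower() in {"bulk", "list", "junk"}:
        return True
    return msg.get("Auto-Submitted", "no").strip().lower() != "no"


class Triage:
    """Hypothetical whitelist + score + challenge pipeline for one mailbox."""

    def __init__(self, whitelist=()):
        # Keyed on the From address, which is forgeable; a real deployment
        # would pair this with sender authentication.
        self.whitelist = {addr.lower() for addr in whitelist}
        self.pending = {}  # challenge token -> sender awaiting confirmation

    def classify(self, raw):
        """Return (action, token); action is deliver, discard, hold or challenge."""
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if sender in self.whitelist:
            return ("deliver", None)
        score = spam_score(msg)
        if score is not None and score >= DISCARD_AT:
            return ("discard", None)   # no reply goes to a likely forged address
        if score is not None and score < DELIVER_BELOW:
            return ("deliver", None)
        # Borderline or unscored mail from an unknown sender.
        if not sender or is_automated(msg):
            return ("hold", None)      # quarantine for review, never auto-reply
        if sender in self.pending.values():
            return ("hold", None)      # one outstanding challenge per sender
        token = secrets.token_urlsafe(16)
        self.pending[token] = sender
        return ("challenge", token)

    def confirm(self, token):
        """Sender followed the challenge link: whitelist them permanently."""
        sender = self.pending.pop(token, None)
        if sender is None:
            return False
        self.whitelist.add(sender)
        return True


def sample(sender, status=None, extra=()):
    """Build a constructed message; every address and header value is made up."""
    headers = [f"From: {sender}", "To: me@example.org", "Subject: hello"]
    if status:
        headers.append(f"X-Spam-Status: {status}")
    headers.extend(extra)
    return "\n".join(headers) + "\n\nbody\n"


def run_demo():
    """Classify a few constructed messages and return the actions taken."""
    triage = Triage(whitelist=["friend@example.org"])
    borderline = sample("Stranger <stranger@example.net>", "No, score=3.1 required=5.0")
    actions = [
        triage.classify(sample("friend@example.org"))[0],
        triage.classify(sample("x@example.com", "Yes, score=18.4 required=5.0"))[0],
        triage.classify(sample("poster@example.com", "No, score=3.5 required=5.0",
                               ["List-Id: <writers.example.org>"]))[0],
    ]
    action, token = triage.classify(borderline)
    actions.append(action)
    triage.confirm(token)
    actions.append(triage.classify(borderline)[0])
    return actions


if __name__ == "__main__":
    print(run_demo())
```
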

Charles Dodgson ::: (view all by) ::: June 30, 2003, 06:34 PM:

An acquaintance of mine once posted to a very large quasi-work-related mailing list, and got back a challenge from one of these challenge-response systems, which had been installed by a subscriber to the list. If a hundred subscribers had installed one of these things, he would have been flooded. The guy who had installed the challenge-response system had absolutely no idea why anyone would consider that to be a problem...

lightnng ::: (view all by) ::: June 30, 2003, 06:35 PM:

Patrick, it looks like you're not alone in being irritated by challenge-response software.

In general, spam is starting to look less like underground advertising and more like a denial of service attack. Solutions are going to have to be a combination of political and technical; I don't see either Congress or ICANN having the nerve to do anything effective. Too many advertisers have visions of "legitimizing" spam and too many computer programs depend on the "brokenness" of current e-mail software.

So for now, it's filters or nothing. Personally, I use a combination of SpamAssassin (courtesy of my ISP) and the built-in filters in Mozilla. On average, I get one "sneak-thru" a day, plus about two "look at 'em anyway" (ie, a subject or author that might not be spam).

David Moles ::: (view all by) ::: June 30, 2003, 08:23 PM:

I like the idea — can’t remember where I first saw it proposed — of a mail system that requires an offer to make some very small micropayment, that the recipient might or might not choose to collect. High enough that a spammer couldn’t afford it over hundreds of thousands of messages, low enough that an individual could afford to send mail to strangers and not worry about it.

Unfortunately, SMTP is pretty entrenched.

SK Bubba ::: (view all by) ::: June 30, 2003, 08:37 PM:

Spam is a big problem. Challenge/response systems are not the answer. For example, in real life I have a business. My business has a website. I invite inquiries from prospective customers. If every one had to authenticate themselves, how many e-mail inquiries do you think I would miss? And these are large ticket, long cycle, very infrequent inquiries, so I can't afford to miss any.

My answer is a tax/levy/surcharge or whatever you want to call it on every outgoing e-mail, something like three cents.

Erik V. Olson ::: (view all by) ::: June 30, 2003, 09:09 PM:

Erik, my point is that filtering doesn't have to be either universal or perfect to starve the spammers, because their costs, while very small (compared to something like sending junk mail via USPS) are not zero.

And my point is while the costs are not, in fact, zero, they are so close to zero that treating them as zero is closer to correct than treating them as having a given fixed cost.

If you multiply the cost of sending one spam campaign to 30 million people by a factor of, say, ten thousand, you'll find you make little to no difference in the number of responses needed to break even. Considering the largest costs are 1) the software and initial mailing list, both of which are one-time costs that can be amortized over multiple mailings and 2) the spammer's time, you need to multiply these costs by a factor of at least ten million before you can get those costs matching those of junk mail -- and look at how much junk mail you still get, despite those costs!

That's the problem. Spam is not cheap. Cheap implies that you are really paying a cost. Per piece, spam is effectively free. Adding another hundred thousand pieces to junk mail is a serious investment in time and money. Adding another million emails is not, once you acquire the addresses. A 1% response rate on a direct mail campaign is a loss. A .001% response rate on a spam campaign is a huge, huge win. Even .00001% response rate on a 50 million email list breaks even in the vast number of cases.

Reducing a 50 million list by 95% by filtering means the spammer gets 2.5 million messages through. If he has a response rate of .0001%, he still gets 2-3 replies. He does that 100 times. He gets around 250 responses. If the money he makes off those responses pays for the costs of his software and list (about $500 for the "quality" ones), anything after that is profit. The only questions are how long does it take him to send those messages, and how much does he make. To break even, he needs to make $2 off of every response -- and that means now he's paying no fixed costs. Spammers hardly ever pay for bandwidth, except the huge spam factories who got tired of stealing bandwidth, and have bought huge pipes to spam with. They pay more in fixed costs. They send out vastly more than 100 million emails. They make money.

And that is with 95% effective filtering. The reason we're flooded with spam is simple. Spam Works. Why are there massive spammers -- who put out this kind of volume a week? Because they are making money. Evidence is that some spams get around a .001% response rate -- which means the math works for them, assuming that the spammer only "sends" 250,000 messages -- the rest die or are killed by filters. That's 99.5% effective filtering or blocking. Get .001% through and it doesn't matter -- the spammer spams.

Mary Kay ::: (view all by) ::: June 30, 2003, 09:42 PM:

Patrick: Well, since I agreed with you wholeheartedly I guess that I could also be a snarkier than required asshole. I have definitely been In a Mood today, but I still think that asking for comments and then subjecting you to an authorization process sucks.


Raven ::: (view all by) ::: June 30, 2003, 11:26 PM:

Mary Kay,

You may be in a mood, but that mood doesn't include reading the entire thread of comments here, apparently.

Just because comments are enabled does not mean the site in question is ASKING for them. And, no one is subjecting anyone to an authorization process in order to have the comment posted.

Kevin J. Maroney ::: (view all by) ::: July 01, 2003, 12:30 AM:

SK: "My answer is a tax/levy/surcharge or whatever you want to call it on every outgoing e-mail, something like three cents."

Any legitimate ISP that could be in a position to enforce something like that probably already prohibits spamming. And there is no government agency which could enforce that if the spammer is sending his mail from a country which has shown no interest in stopping spam, or, worse, bouncing his mail off a poorly configured mail server installed by default on a machine that no one ever intended to use for e-mail.

There are ways to genuinely reduce spam at the source now. Many of them involve very nasty tools like DOS attacks against all open mail relays, or shooting spammers in the head. I'm not sure I want to live in a world where either of these approaches are common.

Robert L ::: (view all by) ::: July 01, 2003, 04:53 AM:

Erik-Very interesting posts. I'm struck by how similar you make the economics of spam sound to the reproductive strategies of say, fungi, that send out thousands and thousands of tiny spores, and win evolutionarily if only a few actually become new plants. And try wiping out fungi...

dsquared ::: (view all by) ::: July 01, 2003, 07:47 AM:

>>The only explanation that I can come up with for your finding it is that you went hunting for any mentions of you in Google. And that's laughable and pathetic.

What other uses does google have?

Erik V. Olson ::: (view all by) ::: July 01, 2003, 09:33 AM:

Robert L. -- apt comparison.

There are solutions to spam. All involve increasing the cost per piece (cpp) to rational levels. Or, to boil them down.

1) Technical -- making it impossible for spam to come through, while not affecting email you want. If this is universal, the cpp becomes effectively infinite -- since no amount of money gets the spam through.

2) Legal -- outlaw spam, and punish those who do so, raising the cpp to a $500 fine and 30 days.

3) Economic -- simply making email cost money to send would knock most spammers out of the loop. Even a cost of $.001 per email would multiply the spammer's cpp by anywhere from 1 to 100 million. I'd think $.01 per email would be better -- even prolific email writers would be hard pressed to drop more than $50 a month, since that would be 5,000 messages.

It's "fun," however, to debate which is less likely to happen. All are fraught with danger, all have large technical hurdles, and most have a worse chance of actually happening in a way that works than we have of seeing Game 7 of the Chicago Cubs/Boston Red Sox World Series.

Technical won't happen until we have enough competent sysadmins and a massively popular operating system that isn't trivial to crack and abuse. Legal won't happen universally enough to matter. Economics won't happen, because people are used to it being free.

Bob Webber ::: (view all by) ::: July 01, 2003, 01:51 PM:

A further problem with the economic approach is that (as noted) cracked and abused third party systems are currently the spammer's best friend. Sure, the hapless individuals whose desktop systems are being used to pump spam into the network would have an incentive to change operating systems, but they'd have even more incentive to protest and roll back the per-piece e-mail charges.

An economic approach to spam is sort of like an economic approach to SUV fuel consumption: both the producers and consumers whose behaviour we need to change will fight like hell to the benefit of third parties (i.e. gasoline suppliers and spam senders) who are untouched by primary effects of the approach.

Jeremy Leader ::: (view all by) ::: July 01, 2003, 02:22 PM:

Erik, I suspect that filtering might get as good as 99.9% effective, in which case your example of a spammer sending out 50 million messages 100 times will result in 5 million messages getting thru. With your response rate of 0.0001%, that's 5 responses; at your profit figure of $2/response, he's just tied up his computer and net connection for several days to make $10.

Now obviously, if the response rate or the profit per response is higher, he'll make more money, but there's some level of filtering at which most spammers will give up and go back to mugging little old ladies (or running for president).

As you say, the other two approaches (legal and economic) aren't all that appealing either. That's why I suggest that we're going to need some combination of approaches. Upping the filtering reduces the pool of profit-making spammers; outlawing spamming eliminates most spammers in "civilized" countries; using challenge-and-response in some situations also cuts down on the response rate.

Raven, I think the situation on "Writing in Orange" was that the comment form was configured (by Joel) to automatically email comments to Joel, in such a way that they seemed to come from the commenter. Joel then set up a challenge-response system in front of his mailbox. He should have either configured the CR system to let through comments from his comment system, or configured the comment system not to email him (or to send them to a different, non-CR'd mailbox), or at least said something like "I apologize, but I haven't been able to figure out how to let Writing in Orange comments through without also letting spam through."

I think a big part of what irritated Patrick is that Joel's CR form starts out by listing 4 forms of email he doesn't want, and only then saying "oh, yeah, you might be innocent of the above offences, in which case none of my ire applies to you." If you address all comers as the enemy, and only at the end mention that they might not be, some people are going to be offended.

Bill Woods ::: (view all by) ::: July 01, 2003, 02:38 PM:

"The reason we're flooded with spam is simple. Spam Works"

But why does it work? Even if I wanted generic Viagra or organ enhancement, I wouldn't want more every day. And once you've seen a dozen Nigerian embezzlement schemes you've seen 'em all. Are there really enough people newly online to keep these things going? Unlike porn, for which there obviously is a market for repeat business.

Erik V. Olson ::: (view all by) ::: July 01, 2003, 04:21 PM:

"The reason we're flooded with spam is simple. Spam Works"

But why does it work?

I do not know. I know it does -- for somebody, and it works often enough that others want to jump in. I used to wonder the same thing about telemarketing. Everyone I know hates them with a passion, yet telemarketers spend millions calling you. They aren't doing so unless they make money.

Michelle ::: (view all by) ::: July 01, 2003, 04:45 PM:

I think that to combat spam, we need to modify Orrin Hatch's program to remotely destroy the computer of anyone who buys an item from spam e-mail or from a pop-under window.

Kip W ::: (view all by) ::: July 01, 2003, 05:25 PM:

Yeah. Find that one sucker, and the system will fall from inside like a deck of rotten dominoes.

Lois Fundis ::: (view all by) ::: July 02, 2003, 12:57 AM:

Erik, I suspect that filtering might get as good as 99.9% effective

My ISP recently (mid-May) installed a spam filter called Postini. It blocks spam and virus-infected mail, but allows me to look at the list of items blocked and unblock/whitelist ones I might actually want. Mailing-list mail often gets misinterpreted as "spam" by the filter, for example.

Today I got 38 spam messages and 2 virus-infected ones. But, for the first time in six weeks, *none* of the messages caught by the filter were ones I actually wanted!

It's still a hassle to check once a day to make sure there's nothing good lurking there, and having to look at the sometimes very rude language in the spam headers in the meantime, but it's a start. And it's a little better than being caught by surprise by something really gross.

(Meanwhile I signed up for the FTC list but have not received any e-mails from them. Maybe I should try again.)

Barry ::: (view all by) ::: July 02, 2003, 07:39 AM:

In terms of what's 'polite', many long-term e-mail users have to make what I'll call a 'small town to big city' change of mind. They started off in a situation where few people had e-mail, and fewer abused it. Sort of like being in a small town with a phone, if long distance was expensive. If the phone rang, either it was somebody local (whom you knew) calling, or a long distance call (and therefore important, and from somebody whom you knew, as well). If answering machines existed back then, people would consider it rude to use them to screen callers ('whatdya mean you were standing there while I was stammering into your machine?').

Move things up to the present, with lots of callers, the majority of whom are trying to sell you something, and what's practical changes. Our ideas of what is polite have to change.

A friend of mine told me a story of he and his parents visiting his sister, in the 1980's, when she lived in NYC. At one point, as they were walking through Times Square, he was jumping up and down, trying to get her attention. He was irritated, until she explained that she had learned to ignore people 'trying to get her attention' in Times Square. Apparently, many of them were quite rude individuals, who were very willing to bother a stranger, frequently trying to say/show her things that she Was Not Interested In, and Really Didn't Need to See :)

dsquared ::: (view all by) ::: July 02, 2003, 09:10 AM:

>>If answering machines existed back then, people would consider it rude to use them to screen callers

errr ... that is rude.

Kevin J. Maroney ::: (view all by) ::: July 02, 2003, 12:14 PM:

It most emphatically is not rude to screen callers. No less an authority than Judith ("Miss Manners") Martin agrees on that. Paraphrasing her words: "You wouldn't leave your front door open, she says, so why is it wise to accept every call that comes in?"

Jeremy Leader ::: (view all by) ::: July 02, 2003, 01:03 PM:

dsquared, I disagree, unless you feel that _any_ use of an answering machine is rude.

If you're not home, is it OK to leave the answering machine on to take messages?

If you're busy doing something you don't want to (or can't) interrupt, is it OK to leave the answering machine on to take messages? What if you're asleep, or in your workshop using a table saw so loud you can't hear the ringer?

Suppose you return home, or wake up, or finish whatever was keeping you from answering the phone, as a caller is leaving a message. Is it rude to listen to the message as they're leaving it?

If they're leaving an informative message that doesn't require a response, is it better to just listen to the message, or to pick up the phone so they have to repeat whatever details they've already told the machine about?

In my opinion, using the machine to screen your calls is not any worse than refusing to pick up the phone if you're too busy; in fact, it's better, because at least the caller has a chance to convince you to take their call.

On the other hand, if you _always_ answer the phone whenever it rings, no matter what else you might be doing, then I'd feel rude if I called you for anything but the most urgent matter, since I have no way of knowing what I might be interrupting.

Bill Woods ::: (view all by) ::: July 02, 2003, 02:00 PM:

" Anybody who works and lives in the same place should take control of all means of ingress, deciding whom to let in and when. The answering machine and the door peephole are the poor person's receptionist."

" Miss Manners can assure you that the strictest rules of Victorian mourning etiquette had nothing whatsoever to say about answering machines. "

Doc ::: (view all by) ::: July 02, 2003, 04:20 PM:

Hey. I run Google ego-searches on myself all the time.

But then, wait... I am laughable and pathetic.

But... I kinda like it. Beats being a bully.

Oh, yeah, I won't be posting here any more. I'm sure no one cares, but I just thought I'd note that. Too many people noting far too frequently how laughable and pathetic I am. I can get that everywhere I go in real life; when I read and comment on a liberal blog, I generally hope for tolerance and compassion.

Laughable, pathetic, and stupid! Three great tastes in one candy bar!

by the way, I have SEVEN UNPUBLISHED SF/FANTASY NOVELS at the URL I keep listing when I post here. In case PNH gets really really bored with California writers' blogs and wants to read something else. I'm an ass, but the NOVELS are... well... if not good... then at least, commercial and marketable. I can't judge whether I really write well or not, but I'm sure as hell at least as potentially salable as Dennis McKiernan.

Xopher ::: (view all by) ::: July 02, 2003, 04:37 PM:

Doc: physician, heal thyself. Or get thee to a doctory.

Jon Hansen ::: (view all by) ::: July 02, 2003, 04:53 PM:

Considering the title for this post (subject? thread?), Doc's message is quite ironic. Now if you'll excuse me, I'm off to pack my bags for Hell.

J Greely ::: (view all by) ::: July 02, 2003, 08:02 PM:

The first time I got hit with a challenge-response system (specifically, TMDA), it was because someone sent email to me that anticipated a reply. Unfortunately, the address I responded from wasn't identical to the address he'd sent to, so I was treated as a "new caller" and given the form-letter. There are ways to configure TMDA to work around this, but they require some small effort.

Filtering simply treats the symptom while ignoring the disease. If a spammer has to send ten times as many messages as last month to get the same number of responses, that's precisely what he'll do. Meanwhile, your ISP has to deal with ten times as much incoming email without raising your monthly fees to pay for the resources required.

We have over 700,000 paying customers, and I can guarantee you that an email address ending in "@webtv.net" will shine out like a beacon of hope to countless spammers. We have the best filtering we can buy, running on an ever-increasing pool of dedicated servers, and it just keeps getting worse. Filtering just dulls the pain while someone works on an actual cure.

Legislative solutions won't work unless they include the equivalent of the old Usenet Death Penalty: if the ISPs in your country export large quantities of spam, we'll block all traffic from your networks. Ditto on the state and local level. What I think we'd actually end up with instead is something like the current US Postal bulk-mail system, which rewards companies who fill my mailbox with crap.

All of the technical solutions I've seen so far would fix email the way you fix a cat. "So, with respect, sir, what's in it for the cat?"

And of course there's the AOL/Yahoo/Hotmail/etc connection on the source side. The "find the words in this picture" challenge-response schemes for creating accounts seemed like a great idea for discriminating between people and spam-scripts, but they just created a new industry: "will solve CAPTCHAs to view free porn". Sigh.
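
The two challenge-response failures described in this thread (a reply that arrives from a different address than the one written to, and weblog comment notifications being challenged) can both be handled at the gate. This is an added example, not part of any comment here and not TMDA's own logic; the addresses, Message-IDs, comment alias and sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Everything below (addresses, Message-IDs, alias) is constructed for illustration.
WHITELIST = {"friend@example.org"}
SENT_MESSAGE_IDS = {"<20030701.1234@mail.example.net>"}  # IDs of mail the owner sent
COMMENT_ALIAS = "comments-7f3a@weblog.example.net"  # unpublished, used only by the comment form

REPLY_FROM_OTHER_ADDRESS = """\
From: Jay Example <jay@home.example.com>
To: owner@example.net
In-Reply-To: <20030701.1234@mail.example.net>
Subject: Re: question

Here is the answer you asked for.
"""
COMMENT_NOTIFICATION = """\
From: Reader <reader@example.org>
To: comments-7f3a@weblog.example.net
Subject: New comment

Nice post.
"""
STRANGER = """\
From: Offers <offers@bulk.example>
To: owner@example.net
Subject: Hello

Unsolicited text.
"""


def referenced_ids(msg):
    """Message-IDs named in the In-Reply-To and References headers."""
    raw = " ".join(filter(None, [msg.get("In-Reply-To"), msg.get("References")]))
    return set(raw.split())


def decide(raw_message):
    """Return (action, reason) for one inbound message; action is 'accept' or 'challenge'."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipients = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    if sender in WHITELIST:
        return ("accept", "whitelisted sender")
    # A reply is recognised by the Message-ID it answers, not by its From address.
    if referenced_ids(msg) & SENT_MESSAGE_IDS:
        return ("accept", "reply to mail the owner sent")
    # Comment notifications go to their own alias, so the commenter never sees a challenge.
    if COMMENT_ALIAS in recipients:
        return ("accept", "weblog comment notification")
    return ("challenge", "unknown sender")


if __name__ == "__main__":
    for name in ("REPLY_FROM_OTHER_ADDRESS", "COMMENT_NOTIFICATION", "STRANGER"):
        print(name, decide(globals()[name]))
```

The alias only helps while it stays unpublished, and the reply check relies on Message-IDs of sent mail being hard to guess.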


Vicki ::: (view all by) ::: July 02, 2003, 11:23 PM:

Using an answering machine to screen callers is no more rude than having a relative or secretary say "May I ask who's calling, please?" after which s/he may say "She's not available right now, may I take a message" or "Just a moment" or "Please hang on, he'll be with you in a moment."

Answering machines let people who don't have secretaries or compliant relatives decide who they want to talk to, and when.

There have been days when I've been willing to talk to exactly one specific person, if she called; the machine spares me numerous conversations in which I explain "sorry, this isn't a good time", that being more polite than "I'm only at home to Specific Person, call back later."

Patrick Nielsen Hayden ::: (view all by) ::: July 02, 2003, 11:39 PM:

I want to say that, despite the esteem in which I hold the estimable dsquared, he's comprehensively full of crap about answering machines.

As Vicki said: "Answering machines let people who don't have secretaries or compliant relatives decide who they want to talk to, and when." They're an equalizer.

A certain portion of the human race will always and forever find it incomprehensible that some of us need a measure of control over "who we want to talk to, and when." These are the people who are convinced that any measure of social shyness is just some kind of put-up job, and that if the rest of us really wanted to, we could be hail-fellow-well-met backslappers just like them. Hey, people who think that. Guess what. Bite me.

Laura ::: (view all by) ::: July 22, 2003, 07:49 AM:

The essential problem with challenge response is that 1. you might not know if you want the email in the first place and 2. if it is a corporation then you personally don't get to choose. Spam unfortunately has personal distinctions.

May I suggest the InBoxer approach, a Bayesian filter that learns what you want to keep or what you don't want to see. InBoxer, at http://www.inboxer.com is based on Bayesian statistics and other language technologies to provide a custom experience. The open source work that the commercial product is based on can be found at spambayes.org.