November 16, 2004

Die, spammers, die
Posted by Teresa at 07:58 AM *

Sore Eyes has shut down its comment threads in the face of an increasingly uncontrollable problem with comment spam:

Observant readers will note that entries at this weblog no longer accept comments. Since moving to Movable Type 3.11 I’ve found that MT-Blacklist no longer works on my system. [Technical discussion deleted.] …[F]or the last month or so I’ve found that when I check my site after any significant interval—such as in the morning or when I get in after work—I’ve spent anywhere from five to fifteen minutes deleting comment spam and (where appropriate) banning the IP addresses associated with particularly bad attacks.

An hour or so ago I got back home from a 36-hour work trip during which I didn’t have internet access. I logged in to MT and found that there were some 1,600 comment spams. Better yet, after I’d filtered the list on what looked to be the most frequently used IP address in the first screenful of entries and told MT to delete the comment spams, it responded with an error because the URL it built passing the numbers of the comments to be deleted was too long for MT to process.

At that point, I decided that, sad to say, the fuckwit spamming bastards have won.

It might technically be possible to block those spams; but as the blocking process becomes more demanding, or more frequently needs reconfiguration, some webloggers are going to decide that it’s simply not worth the trouble. I’m in no position to point the finger at them. Patrick has a zest for this kind of problem, much as I have for moderating discussions; so he keeps the software in trim for both of us.

Any politician who wants to curry favor with me should feel encouraged to address the issue of spam.

Comments on Die, spammers, die:
#1 ::: Jimcat Kasprzak ::: (view all by) ::: November 16, 2004, 09:33 AM:

In the pre-blog era, when spam was a problem infecting Usenet newsgroups and e-mail, I expressed an opinion in a fit of ire. It was that the best way to deal with spammers would be to track down their locations and do actual physical harm to their persons and property, and make it clear that this was being done as a consequence of their spamming actions.

It's illegal. It's immoral. It would get one arrested and quite possibly jailed if caught. And it's a completely non-constructive way to solve the problem at hand. But all of those statements are also true of spamming.

While I no longer seriously advocate this kind of solution, I still think it's the only language the bastards will understand.

#2 ::: Kel Brown ::: (view all by) ::: November 16, 2004, 09:33 AM:

I agree with the sentiment... all spammers should be smothered at birth.

Unfortunately politicians are the least well equipped to stop spam. Legislating large penalties for spammers will only net the top feeders, and not many of those.

It will be a while but soon enough our bandwidth will be metered and spammers will acquire overhead. To any normal user, the fee should be insignificant but spammers will suffer a death by volume.

Until then we'll have to deal with black and white lists and other barbaric forms of defense to deal with crapflooders and spammers.

#3 ::: Steve Eley ::: (view all by) ::: November 16, 2004, 09:58 AM:

Teresa wrote:
Any politician who wants to curry favor with me should feel encouraged to address the issue of spam.

Been tried. Never works. Can't.

#4 ::: Greg London ::: (view all by) ::: November 16, 2004, 10:10 AM:

ya know, ever since I signed up for the national "Do Not Call" list, my telemarketing calls have dropped to near zero.

The one problem with computer spam is the anonymity intrinsic to the channel. You could penalize whoever is getting advertised, the only thing you'd have to figure out is whether the spam was sent by them or whether it was sent by their competition to levy a big fat fine on them.

But, I think it is possible.

#5 ::: Andrew Willett ::: (view all by) ::: November 16, 2004, 10:13 AM:

Urrgh. I'd been thinking about finally making the jump to MT 3.x from 2.x—in large part because it would give me the new, improved MT-Blacklist. Should I read this as saying that I'd be better off where I am?

Anyone?

#6 ::: James Angove ::: (view all by) ::: November 16, 2004, 10:16 AM:

Teresa: As has been observed by others, spam isn't really amenable to a political solution. I'm an advocate of preposterously harsh penalties, but that's a product of the fact that it pisses me off and I want revenge, not a serious attempt to address the issue.

Kel: I suppose metered bandwidth is possible, but a) it's radically at odds with the trend over the last decade. Additionally, while metered email might have worked, maybe (it is at least not wildly unsound in principle) to stop spam without destroying the utility of email, I don't think the same is true of metering bandwidth at the consumer level. Unless the cost is trivial, it's going to have a chilling effect on private uses of the internet, and if it is trivial, it won't do anything at all.

(I also strongly suspect that it would be hard to implement with current tools; I don't think current netflow standards are quite up to the task).

#7 ::: Greg London ::: (view all by) ::: November 16, 2004, 10:20 AM:

Speaking of advertising, yesterday was the last day of my 4 week ad on nielsenhayden.com blog for my military SF book "Hunger Pangs". In that time, the ad got 150,000 views and all of 200 click-throughs. Out of the 200 click throughs, I got zero sales. I can only guess that people simply resist buying books online. If anyone here was one of those click throughs, I'd be interested to know what your thoughts were as you clicked through, looked around, and decided not to buy. Either I'm missing something, or people simply don't buy books online.

email@greglondon.com

Hopefully, Teresa doesn't consider this spam, but just in case and given the title of this thread, I just want to say in my defense...

Please don't kill me.

;)

#8 ::: Kel Brown ::: (view all by) ::: November 16, 2004, 10:35 AM:

James: Yes. I was thinking of exactly that; An almost unnoticed cost for bandwidth but I do see the problems with it.

My other solution is to have them pay you. Whenever my phone rings and someone other than a gov't employee is on the line wanting me to participate in a survey I ask them how much; How much are they going to pay me for my time and data? They always say zero and I always say "No Thankyou" and hang up. Forums like this could work on the same model. It would require an anonymous transaction (anonymous in that I would never be able to know your true identity). You would send a portion of a penny to me and I would let you post a message. After a given probationary period (x number of non-spam-like messages) you would graduate to a free account. Spammers would have to do the same thing but at least then:

1. They're paying for the privilege
2. Blackballing is easier but still anonymous (something that I still believe is essential to the success of the net).
3. You could increase their fee as the volume steps up.

#9 ::: David Weman ::: (view all by) ::: November 16, 2004, 10:48 AM:

There are hacks that

make people go to preview before posting,
type words or codes in an extra box before posting,
forces delays between posting two comments
(the method we use, has worked splendidly so far)
closes old comments after x days

renaming mt-comments.cgi is supposed to work too.

#10 ::: Alex Cohen ::: (view all by) ::: November 16, 2004, 10:50 AM:

There's a proposal floating around that encodes the pay-per-mail in a clever way. When a mail program attempts to deliver a mail message to a server, the server will pose a small, harmless, computational puzzle, possibly even providing the code to solve it.

So the local mail program solves the puzzle, gives the answer, and the server accepts delivery. Unnoticeable if you are delivering a small number of mails, of course, but makes the million per day computationally challenging.
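
The puzzle exchange described in the comment above, sketched as an added example (it is not part of the comment, nor any deployed mail protocol). The SHA-256 leading-zero-bits puzzle, the function names, the difficulty and the lifetime are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this sketch; none of them come from the thread.
SERVER_KEY = os.urandom(32)   # secret known only to the receiving server
DIFFICULTY_BITS = 16          # about 65,000 hash attempts per message on average
CHALLENGE_TTL = 300           # seconds a challenge stays valid


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def _mac(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def issue_challenge(recipient, now=None, bits=DIFFICULTY_BITS, key=SERVER_KEY):
    """Server side: pose a puzzle bound to one recipient and one moment."""
    now = int(time.time() if now is None else now)
    body = f"{bits}:{now}:{recipient}:{os.urandom(8).hex()}"
    # The MAC lets the server check the challenge later without storing it,
    # and stops the sender from lowering the difficulty field.
    return f"{body}:{_mac(body, key)}"


def solve(challenge: str) -> int:
    """Sender side: brute-force a counter. This loop is the 'postage'."""
    bits = int(challenge.split(":", 1)[0])
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return counter
        counter += 1


def verify(challenge, counter, recipient, seen, now=None, key=SERVER_KEY):
    """Server side: one MAC and one hash, however hard the puzzle was."""
    now = int(time.time() if now is None else now)
    parts = challenge.split(":")
    if len(parts) != 5:
        return False
    bits, issued, rcpt, _nonce, tag = parts
    expected = _mac(":".join(parts[:4]), key)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False                      # forged or altered challenge
    if rcpt != recipient:
        return False                      # solved for a different mailbox
    if not 0 <= now - int(issued) <= CHALLENGE_TTL:
        return False                      # stale: no stockpiling of answers
    if challenge in seen:
        return False                      # replay: one answer, one delivery
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < int(bits):
        return False                      # the work was not actually done
    seen.add(challenge)                   # a real server would expire entries after the TTL
    return True


if __name__ == "__main__":
    spent = set()
    ch = issue_challenge("bob@example.org")          # constructed sample address
    start = time.perf_counter()
    answer = solve(ch)
    print(f"solved in {time.perf_counter() - start:.3f}s, counter={answer}")
    print("accepted:", verify(ch, answer, "bob@example.org", spent))
    print("replayed:", verify(ch, answer, "bob@example.org", spent))
```

Each extra difficulty bit doubles the sender's expected work while the server's check stays at one MAC and one hash.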

#11 ::: Lisa Spangenberg ::: (view all by) ::: November 16, 2004, 11:02 AM:

We have the technology right now to do metered use; it's used on many campuses in the U.S. and metered use is not uncommon outside of North America.

MT Blacklist works quite well, but if you upgrade MT you must, of necessity, upgrade the Blacklist plug in and make sure that it's configured properly.

Changing the name of a .cgi is not to be undertaken lightly--you must make sure you change the name everywhere it is used, and that you do not use a variable that is used elsewhere in the script(s).

#12 ::: James Angove ::: (view all by) ::: November 16, 2004, 11:17 AM:

Lisa: I'm actually setting up a Flowscan server right now, so I'm well aware it's possible. And I know metered bandwidth is common between carriers. I had been under the impression that what was common in Europe was metered connectivity, rather than genuine metered bandwidth. What I think is hard isn't collecting usage data (although I can see some challenges -- are there any metered DSL connections that you're aware of?) as that it would be hard to collect the kind of usage data that you'd need to defeat spammers, which as far as I can tell would either require that you meter on the backbone or that you close the internet to all unmetered connections.

#13 ::: Kevin J. Maroney ::: (view all by) ::: November 16, 2004, 11:24 AM:

Greg: I'm not in any way resistant to buying books online. However, I am resistant to clicking through on ads. Sorry about that.

#14 ::: Steve Eley ::: (view all by) ::: November 16, 2004, 11:33 AM:

Alex Cohen wrote:
So the local mail program solves the puzzle, gives the answer, and the server accepts delivery. Unnoticeable if you are delivering a small number of mails, of course, but makes the million per day computationally challenging.

This would probably have been a good solution for last year's spam. Today, more and more spam comes from zombie networks -- ordinary people's home PCs corrupted by viruses and put under the spammer's control. The only result of the "hashcash" proposal would be to make spamming a slightly more interesting distributed computing problem, and spur the creation of bigger and bigger zombie farms.

Can this be fixed? Sure. People can be educated to keep their PCs secure, or (more likely) will eventually move to operating systems and network protocols that don't wave big "KICK ME" signs over the entire globe. But by the time that happens, SPF to positively verify e-mail senders ought to be global as well, which will put a big bite out of spam and phishing, and odds are good that we won't need hashcash anyway.

#15 ::: Richard Cobbett ::: (view all by) ::: November 16, 2004, 11:34 AM:

Even the attention my own small site gets makes me demand spammers. I can't even check my referral stats at the moment because it's drowned in patently fake links to non-existent Texas Hold-Em sites.

(Even so, I really dodged a bullet - I upgraded my site to the latest version of my CMS (Drupal, host-watchers) on Saturday, realised I should probably add spam filtering to the comment system on Sunday, and woke up on Monday to find some autofellating coprophage had flooded a couple of hundred referral-spam posts in random places. First time this particular site has ever been hit, and about four hours after finally taking precautions. Still annoyed, but grateful for serendipity...)

Sadly, political solutions are worthless. Excluding the basic fact that spammers aren't going to obey the law anyway, the pathetic CAN-SPAM situation shows how little they get it.

The old fashioned 2x4 Wooden Slab of Justice approach sounds mighty tempting though.

#16 ::: James D. Macdonald ::: (view all by) ::: November 16, 2004, 11:37 AM:

Large number of views, smaller number of click throughs, laughable number of sales, is what I've been observing for years now on my various Amazon links that I have scattered all over my web pages and sig lines.

#17 ::: Richard Cobbett ::: (view all by) ::: November 16, 2004, 11:39 AM:

"Even the attention my own small site gets makes me demand spammers"

Ahem.

"Even the attention my own small site gets makes me demand spammers' heads on poles"

#18 ::: Richard Cobbett ::: (view all by) ::: November 16, 2004, 11:44 AM:

"While I no longer seriously advocate this kind of solution, I still think it's the only language the bastards will understand."

Randomly, it's been tried. Alan Ralsky's address was 'accidentally' printed, and anti-spammers went about giving him a taste of his own medicine. With gusto.

http://www.freep.com/money/tech/mwend6_20021206.htm

Oddly, he wasn't amused.

#19 ::: Kel Brown ::: (view all by) ::: November 16, 2004, 11:44 AM:

James: Who can say how much your varied advertisements in sig lines, and on your pages has translated to online sales from people who just refuse to use a click through? I would like to think it all indirectly contributes to sales and it doesn't cost you a thing.

#20 ::: Kevin Marks ::: (view all by) ::: November 16, 2004, 11:49 AM:

I wrote on this over at Corante last week - Tragedy of the Comments.

The answer is finding ways to turn a Prisoners' Dilemma into an iterated one.

#21 ::: Graydon ::: (view all by) ::: November 16, 2004, 11:50 AM:

Political solutions to spam are quite simple; you hammer the backbone carriers for spam traffic through their network.

(This has side effects, but it's not a hard problem; there are machine-comprehensible definitions of spam that are relatively easy to calculate if you're on the backbone.)

The technical solution I like best is requiring stamps; there are stamping solutions that don't require absolutely everybody to be using them, which is something no other technical solution (of which I am aware) can say, and which is absolutely required.

#22 ::: James Angove ::: (view all by) ::: November 16, 2004, 11:54 AM:

For what it's worth, I actually have a real aversion to purchasing stuff online; I certainly wouldn't purchase something from an unknown author if I haven't been in a position to thumb through it in a book store. (And online samples don't help this. I'm not interested in you picking the sample(s), I'm interested in me picking the sample(s)).

Mostly I just like going and looking at the stuff in person vastly better.

#23 ::: Greg London ::: (view all by) ::: November 16, 2004, 11:57 AM:

Large number of views, smaller number of click throughs, laughable number of sales,

Hm, yeah. well, this was my first, and possibly last, attempt at paid online advertising. Live and learn, I suppose. I just started this two months ago, so I'm figuring it out as I go along.

Some blog ads were charging 12,000 dollars for a month. I can't even fathom it.

#24 ::: Kel Brown ::: (view all by) ::: November 16, 2004, 12:00 PM:

Oh, absolutely. I am a loyal and dedicated patron of my local specialty store (Bakka Books in Toronto) and there's nothing I like better than an hour browsing the shelves and getting my greasy fingers on the pages but when it comes to items (especially non-fiction) that are hard to get locally then I reach quickly and thankfully for my web browser and amazon.

And for known quantities it's hard to beat their price and service. I can't imagine what life would be like without amazon (and others) if I was living in a rural area in Newfoundland.

#25 ::: Richard Cobbett ::: (view all by) ::: November 16, 2004, 12:17 PM:

"Some blog ads were charging 12,000 dollars for a month. I can't even fathom it."

Bah! I'll do you an ad for half-that. Er..I can offer, maybe two readers? Except on Tuesday, when one of them goes to the cinema ;-)

I buy plenty of books online, but only ones I know I want. I'll quite often see something that makes me interested in a book online, but usually I make a mental note to take a look into it later on rather than instantly reaching for my credit card.

#26 ::: James Angove ::: (view all by) ::: November 16, 2004, 12:18 PM:

Graydon: Can you expand on the backbone portion of your statement? I can't see a way to do something like that that doesn't involve taking a much closer look at packets than I would like to do, but the world is full of things I don't know enough about. Optimally you don't even want to do much routing in the network core if you can possibly avoid it, much less detailed stateful examinations.

#27 ::: James D. Macdonald ::: (view all by) ::: November 16, 2004, 12:49 PM:

Randomly, it's been tried. Alan Ralsky's address was 'accidentally' printed, and anti-spammers went about giving him a taste of his own medicine. With gusto.

Well, so far as I'm aware, the Violence Solution hasn't been tried. Signing someone up for a whole bunch of junk-mail lists isn't anywhere near the same thing as actual violence.

Not that I would ever do any such thing myself, or suggest that anyone else try it either.


#28 ::: Kate Nepveu ::: (view all by) ::: November 16, 2004, 12:56 PM:

Greg: I didn't even see it. I usually surf with images off (I use Opera, so it's single-key-toggle between images off, cached images only, and images on); I also don't actually "see" the ad space, even the text bits that are left without the image.

I don't resist buying books online, if I already know that I want the book. Advertisements rarely make me want a book.

#29 ::: Lydy Nickerson ::: (view all by) ::: November 16, 2004, 01:02 PM:

Greg London:

I'm not the least bit resistant to buying books on-line. I do sometimes click-through ads, as well. But I never buy on a click-through. I look at the info, poke around, and in a day or two, I might buy the book, but I wouldn't buy it immediately. I'd want to compare it to the other things that I was going to spend my leisure money on. I might buy it at Uncle Hugo's, or Amazon, or some other place that seemed convenient at the time. So at least my patterns of click-through really don't tell you anything.

#30 ::: Ben Lehman ::: (view all by) ::: November 16, 2004, 01:08 PM:

Greg -- I clicked through and read your samples. Actually, I quite liked them, and did what I often do when I see advertising for a book I might like "Hmm... I'll have to pick up something by this fellow next time I am at a bookstore."

Do you have books in bookstores? Any recommendations?

yrs--
--Ben

#31 ::: Julia ::: (view all by) ::: November 16, 2004, 01:21 PM:

I've still gotten comment spam with upgrading to MT 3.12, but definitely make sure you're using the MT-Plugin Pack Blacklist, not the one on Jay Allen's site. Took me a while to find it on MT's site, too. It should be on the front page, in LARGE TYPE.

I am wondering something, though. The reason we get spam in email is because it works. No, really...do you think someone would send out all those emails if it wasn't, in the end, profitable to them? SOMEONE is responding to them, and buying their stuff.

So my question is - is comment spam actually generating any profit for the spammers? Is it actually generating sales? And how does one go about finding out those facts?

#32 ::: Michelle ::: (view all by) ::: November 16, 2004, 01:44 PM:

Julia said:
The reason we get spam in email is because it works.

I think that we should find the people who buy things from spam, and take away their computers. Permanently. And ban them from computers at libraries and internet cafes etc.

#33 ::: Paula Lieberman ::: (view all by) ::: November 16, 2004, 01:48 PM:

Cost-benefit analysis: the effort and cost involved on the part of the spammer is minimal. They are not being inconvenienced by it, they're opportunistic parasites.

The protocols underlying the Internet were never designed for -commercial- use, never designed to deal with liars and spammers and sociopath virus/Trojan horse distributors, and the networking similarly doesn't have real "robustness" and anti-spoofing, anti-jamming, etc., support -designed- from the start in them. Those are the real problems--that the Internet wasn't designed... and wasn't designed to be resistant to intentional or accidental interference, mislabeled contents, false identification, etc.

====

I came up with the term "malicemail" as a general category of email that includes spam and viruses and such--material emailed to unappreciative recipients who don't want computer viruses, Trojan horses, zombie mailing sites, unsolicited porn site advertising, misleading offers, etc., blasted down to their inboxes and onto their computer systems. The email is malicious--fraudulently attributed, deliberately misleading, operating parasitically, writing code to the victims' computers, overwriting files, destroying data... "spam" doesn't denote perfidious attachments or code in the email, while trojans and such can be in email someone wants if it's from a correspondent's infected system.... but it's all got malice involved.

#34 ::: Greg London ::: (view all by) ::: November 16, 2004, 01:48 PM:

well, it's interesting what a random sampling can turn up. I didn't even know you could turn off images. I've always had a high-speed connection and a wide display though, so there was never a need.

I clicked through and read your samples. Actually, I quite liked them ... Do you have books in bookstores?

Ah, no. nothing on a shelf, which seems to be the make-or-break point. What I am learning is that people will buy a book with almost no resistance if it's in their hands, but will tell me they'll order it online as soon as they get home and then never get around to it. It's very odd.

I had two copies in hand and went to meet two friends at a bar. One bought a copy, the other didn't show up. At the end of the night, I had a quick conversation with the bartender,

"Do you like sci-fi?"
"Uh, yea"
I hold up the book
"Wanna buy a book?"
"well, what's it about?"
"It's Star Wars, Blade Runner, and Apocalypse Now thrown into a blender"
Pause.
"How much is it?"
"fifteen bucks"
"Ok, I'll take it."

if only it were that easy with online sales.

anyway, thanks for all the replies everyone.


#35 ::: Jeremy Leader ::: (view all by) ::: November 16, 2004, 01:57 PM:

Julia, I think with comment spam the idea isn't to get people to click from the spammed site to the spammer's site. Instead, the idea is to have lots of links from reputable sites pointing to the spammer's site.

Search engines such as Google use links to evaluate the quality of web pages. The idea is that a good site is likely to link to other good sites. So the more good sites Google finds linking to your site, the higher Google will rank your pages.

One proposed solution is for bloggers to have some way of tagging links (or whole regions of pages) to be ignored by search engine spiders. Sort of a disclaimer tag: "I didn't make this link, there's no correlation between the quality of my page and the quality of the page pointed to by the following link". Then comment templates could be modified to apply the disclaimer tag to comment links.

The other thought that occurs to me is that things like spam don't actually have to work in order to continue, the perpetrators just have to think they work. Thus even if spam stops working, there will probably be some idiots who don't notice and just keep spamming because they once heard that it worked.
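
The "disclaimer tag" idea from the comment above, sketched as a filter a comment template could run over submitted HTML. This is an added example, not part of the comment or of Movable Type; it assumes the HTML `rel="nofollow"` link attribute as the tag, which search engines treat as a "do not count this link" hint, and the names `tag_comment_links` and `ALLOWED_SCHEMES` are hypothetical.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumption: only ordinary web links survive


class CommentLinkTagger(HTMLParser):
    """Rebuild a comment so every link carries the site's own rel value."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_links = 0

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return                       # all other markup is dropped, text is kept
        href = (dict(attrs).get("href") or "").strip()
        try:
            scheme = urlsplit(href).scheme.lower()
        except ValueError:
            return                       # malformed URL: keep the text, drop the link
        if scheme not in ALLOWED_SCHEMES:
            return
        # Only href is copied from the commenter. Their own rel, onclick,
        # style and so on never reach the page, so they cannot undo the tag.
        self.out.append(f'<a href="{escape(href, quote=True)}" rel="nofollow">')
        self.open_links += 1

    def handle_endtag(self, tag):
        if tag == "a" and self.open_links:
            self.out.append("</a>")
            self.open_links -= 1

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def tag_comment_links(comment_html: str) -> str:
    parser = CommentLinkTagger()
    parser.feed(comment_html)
    parser.close()                       # flush any buffered trailing text
    # Close anchors the commenter left open so they cannot swallow the
    # rest of the page into one link.
    parser.out.append("</a>" * parser.open_links)
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample comment, not taken from any real spam run.
    sample = ('Great post! <a href="http://pills.example/?a=1&amp;b=2" '
              'rel="follow" onclick="x()">cheap</a>')
    print(tag_comment_links(sample))
```

Because the output is rebuilt from an allowlist instead of patched in place, a commenter cannot defeat the tag by supplying a competing `rel` value.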

#36 ::: Dru ::: (view all by) ::: November 16, 2004, 02:18 PM:

On a spam related note, is there a permissible way to obfuscate the required email address for Making Light? I know some blog software does email Javascript obfuscation, so that the spammers cannot harvest your address as easily.

From the day I delurked I've had a huge surge of emails to the address I used in the forms... All from honorable gentlemen who are the direct beneficiaries of some prince/famous figure. (I expect an Arafat beneficiary soon). Those and other less savory sales. The only place this address has been used is here, so I thought I would inquire...

#37 ::: Teresa Nielsen Hayden ::: (view all by) ::: November 16, 2004, 02:35 PM:

A quick word on spam, because it's a very hairy day today at work:

These guys aren't spamming us for the sheer spiritual joy of doing it. They make money off it. Where there's money, there's connection. The law ought to be able to get its hands on that, somewhere along the line.

#38 ::: Alex Cohen ::: (view all by) ::: November 16, 2004, 02:38 PM:

Just to gloss on Teresa's note: we don't need to outlaw spam, or make it impossible. We just need to make it unprofitable. That's why very small changes in system architectures might be largely effective.

#39 ::: Aiglet ::: (view all by) ::: November 16, 2004, 02:41 PM:

They did a study that shows that the spammer AOL just put away in VA was making $400K to $750K a MONTH from his spamming. (Of course, that was over 10M e-mail messages.)

The Spam Blog is a great resource for what's new in the sick, sad world of spam. (1 pt. reference)

#40 ::: Kel Brown ::: (view all by) ::: November 16, 2004, 02:42 PM:

The law has yet to successfully prosecute the Post for accepting money for delivering junk mail. It's a hard precedent to set.

Personally I would love to see it. Far more damage is done to the ecology because of snail mail spam than the electronic versions.

#41 ::: sean bosker ::: (view all by) ::: November 16, 2004, 03:07 PM:

Greg,
I used to be an interactive ad copywriter. One of the big problems we had with clients was explaining the concept of conversion and return on investment. Because of the technology, a consumer can actually click on an ad and then buy online, and naturally marketers consider this a conversion. As you discovered, that is rarely the case in practice.

Branding, i.e. "impressions" each time a viewer sees your ad can also lead to a conversion. They see your ad, then they go to a bookstore, then they see your book, they get tired of browsing and buy yours because it's slightly more familiar. Advertisers think this is what happens, but nobody really knows. It makes sense to me, but it's also a good way to cover your ass as an adman when nobody bought what you got paid big bucks to advertise.

The fairest compromise that I saw was to define the term conversion somewhere in between. Rather than try to get someone to buy a book straight from an ad online, try to get them to do something else. Most of us aren't shopping for books when we're reading this blog, and so even though we're a good audience for your book, we might be at work, or not in the mood. (I can browse the web at work, but if I pull out my credit card, then I'm obviously not working and will be assigned something really lame to do.)

You might want to drive people to a small site, where they can enter their email for a chance to win a copy of your book. Have an opt-in chance for them to receive updates on your readings, or reviews of your book. Obviously, it must be opt-in and not shared or spammed etc.

The key is to spark their interest, then offer something they really want, then build a community. Think of an ad online as the envelope of the junkmail. It's not even the letter. You've got to offer something and then something and then something if you want them to give you money.

That said, I quit being a copywriter and took a HUGE pay cut because I felt I was using my powers for evil. Now I want to take a shower. I wish you the best of luck, and asking for advice was a good marketing move, if I may be so cynical.

#42 ::: Steve Eley ::: (view all by) ::: November 16, 2004, 03:34 PM:

Teresa wrote:
These guys aren't spamming us for the sheer spiritual joy of doing it. They make money off it. Where there's money, there's connection. The law ought to be able to get its hands on that, somewhere along the line.

But it's mostly going straight out of the country. So whose law?

#43 ::: Greg London ::: (view all by) ::: November 16, 2004, 03:52 PM:

if I may be so cynical.

I had no evil intent in asking. I did request that people email me directly rather than posting on Teresa's blog. If online advertising doesn't work, then blogging about online advertising probably won't do much either.

Rather than spend another 50$ for a blog ad, I'll probably put it towards an in-store book reading/signing or something that lets people hold the book in their hands.

I'm not much for contests and stuff like that. They don't give me a warm-fuzzy when I see them. I'm more for the simple approach of giving people some sort of value for their time/money. And I get that it's hard to convey that to a potential customer online. So, I think any future book related stuff will be in the physical world.

Thanks everyone. Please make any replies directly to me via email to take this off-topic discussion off of Teresa's blog.

email@greglondon.com


#44 ::: Paula Lieberman ::: (view all by) ::: November 16, 2004, 04:01 PM:

There are differences between junk mail and spam--junk mailers rarely direct identity fraud, they don't use bogus spellings to defeat "filtering," they -pay- a fee per item that pays their resource consumption distribution system resources, and it's a -passive- product. Opening junk mail does not give you Twonk's Disease, fry your computer, destroy your library, or put you on the Concerned Women of America or Eagle Forum or Freeper spam lists or infect your home with noxious biological or software diseases. It doesn't put electronic peepholes into your home.

Spam does that sort of stuff.

Junk mail only comes inside someone's house if they have a mail slot in the door that dumps mail into the house.

Screening junk mail is a lot easier and faster to manually toss than spam is to identify and attempt to get rid of.

And spammers are parasites and freeloaders, clogging up the Internet without paying a fraction of the costs of the bandwidth and switching capacity that spam consumes, and cutting productivity of the recipients substantially.

Spam can be enormously profitable because the costs for spamming and risks of being punished for it are so very low, and the opportunity for review on investment so high. If a spammer splatters 10,000,000 email addresses and one out of a hundred thousand recipients respond, that can be as many as 100 sales from a single broadside of spam.

Junk mailers in the USA purchase bulk mailing permits from the Postal Service and have to pay for the permit and a fee for each bulk mailing that's per item mailed. If they violate the permit rules they face loss of permit, fines, and possible legal action.

There is no such regulation and enforcement on spammers.

#45 ::: James Angove ::: (view all by) ::: November 16, 2004, 04:10 PM:

Greg: you never know. I picked up Matt Hughes latest (Black Brillion) because I know of him as an entertaining and valuable participant in another communications space that I follow. It wasn't just that --I wanted something to read and needed it right then, the jacket copy seemed okay and not especially cliche, and I rather liked the cover painting. But the knowing it was his book helped a lot.

(Although, to be fair, there are a few authors who've managed to be such complete asshats in online forums that I am unlikely to ever purchase a book of theirs again. But more authors have gotten my money by being interesting participants than have lost it by being irritating.)

#46 ::: Larry Brennan ::: (view all by) ::: November 16, 2004, 04:44 PM:

The only way to effectively address the issue of real spam is to get law enforcement involved. Unfortunately, most agencies are too busy waging the war on drugs, which has the added benefit of allowing them to seize (and keep) the property of the accused.

Pretty much the only source of hope comes from folks like Eliot Spitzer, the NYS Attorney General, and his payoff comes from increased popularity which is likely to propel him into the Governor's Mansion.

The only sort of anti-spam law that will work would be one that created an incentive for law enforcement agencies to do the legwork and get convictions. It's an unfortunate state of affairs, but it's where we are.

Also note that I used the phrase "real spam" to distinguish it from good faith, clearly identified, opt-in advertising. I get a fair amount of this, and I really do want to see most of it.

Paula, you mention postal regulation of mass mailings, which is the case but only part of the picture. The industry also self-regulates through the Direct Marketing Association. The DMA, which also functions as a lobbying group, provides one of the better examples of an industry responding constructively to a hostile public perception.

Upthread, someone mentioned using a micropayment technique for email, which I dislike. I'd rather see a system where I could set a refundable tariff for inbound email of say $0.37, which I could waive for known entities and easily rebate to advertisers whose messages I decide I want. This way they have to take a financial risk that's at least comparable to a paper mail piece if they want to contact me.

And bandwidth metering is evil. That would be throwing out the baby with the bathwater.

#47 ::: Steve Eley ::: (view all by) ::: November 16, 2004, 05:10 PM:

Larry Brennan wrote:
The only way to effectively address the issue of real spam is to get law enforcement involved.

To do what? Even assuming it's possible to always know where spam is coming from (and while Teresa's right that the money trail's probably easier to follow with certainty than the IP trail, that doesn't make it easy), what are our cops going to do when it turns out the spammer's based on some dinky little island or former Soviet bloc country? Short of creating spam extradition treaties with every country on earth, what's the plan of action?

...Then again, given the current administration, I suppose we could invade every country that harbors spammers. From the sound of it, that might be the one action that could raise Bush's approval among the crowd here.

#48 ::: Larry Brennan ::: (view all by) ::: November 16, 2004, 05:23 PM:

Steve, even if the spam sender is offshore, it's still possible to track down the commercial entity that's paying for it. Sure, it'll do nothing about all the various wire fraud scams that rely on individual bank transfers, but the ones that lead to businesses that take credit cards can be attacked at the charge authorization point.

Or, we can just wring our hands and pout that it's all overseas and therefore untouchable. Just like we do in the so-called drug war. Oops, we do meddle in other countries and create incentives for local cooperation. But I guess spam is different.

#49 ::: Kathryn Cramer ::: (view all by) ::: November 16, 2004, 05:45 PM:

Changing the name of the comment cgi script does ultimately work, though you may have to do it as often as once a week. (Today's comment spammers don't actually look at your site at all. They only have relations with your comment cgi script. )

Also, back up everything (even templates) before you do it. You can really screw up your MT install messing with that sort of thing. (I won't bore you with the technical details, but I've done it.)

#50 ::: Marilee ::: (view all by) ::: November 16, 2004, 06:20 PM:

Greg, Quicken tells me I spend about $70/month on books, and I buy almost all of them online. I don't look at the ads, though, and if it says anything about military SF, I probably wouldn't click on it. (There are some authors whose milSF I like, but they're mostly women, and like James Angove, I boycott some authors because of what they do and how they act online.)

#51 ::: Steve Eley ::: (view all by) ::: November 16, 2004, 06:40 PM:

Larry Brennan wrote:
Steve, even if the spam sender is offshore, it's still possible to track down the commercial entity that's paying for it. Sure, it'll do nothing about all the various wire fraud scams that rely on individual bank transfers, but the ones that lead to businesses that take credit cards can be attacked at the charge authorization point.

Just to be clear: you're talking about the entity paying for the Internet connection that originated the spam, right? If so, I just see too many points at which it'd be easy to do business under a fraudulent name or address. And that's assuming that the ISP isn't complicit and cooking its customer logs. And that the foreign government cares and is also not complicit. (Consider the itty bitty countries making significant revenue now off of Internet gambling and phone hijacking scams.)

If you're talking about the charge point at which people are buying stuff that was solicited via spam, then you've just broadened the crime very dangerously. I'll assume that's not what you meant.


Or, we can just wring our hands and pout that it's all overseas and therefore untouchable. Just like we do in the so-called drug war. Oops, we do meddle in other countries and create incentives for local cooperation. But I guess spam is different.

Not to state the obvious, but spam is different. It doesn't kill or injure anybody. It's not a public health problem, and ruining one's blog is not the same as ruining one's life. The worst you can say about it is that it's annoying as hell and drains significant technical resources. For this, we're going to send out the special forces?

(And no, I don't support the way the War on Drugs is prosecuted either. But I don't see how you can be against it, yet in favor of similar tactics just because you're getting too many body enlargement offers in your inbox. The Internet's being crippled by spam, but I can see many good reasons for it not becoming an international diplomatic battleground.)

There are technical solutions that work. Many are being implemented now. They just don't always work quickly, and they don't work 100%. The major risk is that by the time they've reduced spam to manageable levels, the Internet will have been rendered largely useless for a lot of people. But we're not quite there yet. And if you think the technical solutions are too slow, inconvenient, or ineffective, it's amazing that you could have faith in the speed, ease, and efficiency of political solutions.

#52 ::: Mitch Wagner ::: (view all by) ::: November 16, 2004, 06:40 PM:

Kel Brown:

It will be a while but soon enough our bandwidth will be metered and spammers will acquire overhead. To any normal user, the fee should be insignificant but spammers will suffer a death by volume.

The problem with that solution is that it's also a great way to make dissent more difficult. Only people with money will be able to send bulk e-mail.

And the only way that metering bandwidth could be enforced is by law—in which case, why not come up with some more sensible anti-spam laws?

Andrew Willett:

Urrgh. I'd been thinking about finally making the jump to MT 3.x from 2.x—in large part because it would give me the new, improved MT-Blacklist. Should I read this as saying that I'd be better off where I am?

Anyone?

I made the jump a few weeks ago, and I highly recommend it.

Sore Eyes's problem, I think, is that MT 3.x is not compatible with any but the latest version of MT-Blacklist. That's not entirely clear in the documentation. Friends of Sore Eyes might want to point this out to him.

My workplace blog uses MT 2.6something, and we're not likely to upgrade soon, due to licensing issues. My attempts to block comment spam on that have, so far, resulted in spammers being the only people who can post comments. Legitimate comments are blocked, but the spam is still getting through. Sigh.

But at least the spam on that blog is not visible. Sigh.

Steve Eley:

Today, more and more spam comes from zombie networks -- ordinary people's home PCs corrupted by viruses and put under the spammer's control.

See, this is a kind of spam where metering is a solution, and I don't know why ISPs aren't doing it. Inertia, I guess.

Graydon:

The technical solution I like best is requiring stamps; there are stamping solutions that don't require absolutely everybody to be using them, which is something no other technical solution (of which I am aware) can say, and which is absolutely required.

The problem with stamping solutions I've seen is that they require a financial transaction network larger and more sophisticated than anything existing today.

Aiglet:

They did a study that shows that the spammer AOL just put away in VA was making $400K to $750K a MONTH from his spamming. (Of course, that was over 10M e-mail messages.)

That's only half the mind-boggling part. The other half is that he was only getting a response rate of 1 in 30,000.

By comparison, conventional direct marketing by snailmail gets a response rate measured in low-single-digit percentage points, and it's a thin-profit-margin business.

Larry Brennan:

Upthread, someone mentioned using a micropayment technique for email, which I dislike. I'd rather see a system where I could set a refundable tariff for inbound email of say $0.37, which I could waive for known entities and easily rebate to advertisers whose messages I decide I want. This way they have to take a financial risk that's at least comparable to a paper mail piece if they want to contact me.

Like I said, the infrastructure to set up such a payment scheme would be staggeringly huge, dwarfing the existing multinational financial network.

#53 ::: Steve Eley ::: (view all by) ::: November 16, 2004, 06:41 PM:

Larry Brennan wrote:
Steve, even if the spam sender is offshore, it's still possible to track down the commercial entity that's paying for it. Sure, it'll do nothing about all the various wire fraud scams that rely on individual bank transfers, but the ones that lead to businesses that take credit cards can be attacked at the charge authorization point.

Just to be clear: you're talking about the entity paying for the Internet connection that originated the spam, right? If so, I just see too many points at which it'd be easy to do business under a fraudulent name or address. And that's assuming that the ISP isn't complicit and cooking its customer logs. And that the foreign government cares and is also not complicit. (Consider the itty bitty countries making significant revenue now off of Internet gambling and phone hijacking scams.)

If you're talking about the charge point at which people are buying stuff that was solicited via spam, then you've just broadened the crime very dangerously. I'll assume that's not what you meant.


Or, we can just wring our hands and pout that it's all overseas and therefore untouchable. Just like we do in the so-called drug war. Oops, we do meddle in other countries and create incentives for local cooperation. But I guess spam is different.

Not to state the obvious, but spam is different. It doesn't kill or injure anybody. It's not a public health problem, and ruining one's blog is not the same as ruining one's life. The worst you can say about it is that it's annoying as hell and drains significant technical resources. For this, we're going to send out the special forces?

(And no, I don't support the way the War on Drugs is prosecuted either. But I don't see how you can be against it, yet in favor of similar tactics just because you're getting too many body enlargement offers in your inbox. The Internet's being crippled by spam, but I can see many good reasons for it not becoming an international diplomatic battleground.)

There are technical solutions that work. Many are being implemented now. They just don't always work quickly, and they don't work 100%. The major risk is that by the time they've reduced spam to manageable levels, the Internet will have been rendered largely useless for a lot of people. But we're not quite there yet. And if you think the technical solutions are too slow, inconvenient, or ineffective, I find it somewhat amazing that you could have faith in the speed, ease, and efficiency of political solutions.

#54 ::: Graydon ::: (view all by) ::: November 16, 2004, 07:27 PM:

Mitch --

The one I like requires work stamps, rather than money stamps. (I know precisely how horrible the problem of building a micropayment aggregator is.)

The project is called "camram"; their list of frequent objections is here

#55 ::: Sean Bosker ::: (view all by) ::: November 16, 2004, 07:37 PM:

Sorry, Greg. I was really just trying to be helpful.

As for the topic, there is good news and bad news. The good news is a spammer is getting serious jail time. The bad news is that one out of every 30,000 people is a complete moron.

Here's an interesting news item about it.

#56 ::: xeger ::: (view all by) ::: November 16, 2004, 07:51 PM:

I know that I'm identifying myself as an Internet olde farte here...

... but most of these "solutions" have been beaten from dead horses into atomic particles already by profoundly smart (and clearly not at all smart) people in places like:

Spam-L -- spam-l list for spam prevention and discussion

Spam Tools -- spam tools list for software tools that detect spam

... and the unfortunate Usenet groups net.admin.net-abuse.email and net.admin.net-abuse.usenet

You can also find all sorts of FAQs at the net.admin.net-abuse.email home.

In the end, I think that this is a pithy but accurate overall summary.

#57 ::: Larry Brennan ::: (view all by) ::: November 16, 2004, 08:24 PM:

Steve - My thesis is not that we should invade anybody over spam, and I'm rather amazed that you would make such an assertion. All I'm trying to say is that we need to make spamming unprofitable, either by creating a direct cost for mass emailing or by attaching harsh penalties for violators at any point in the spam value chain.

If it takes invoking the justice system to do it, that's fine by me. There are times when it's appropriate to involve government, and this may very well be one.

My point about the so-called war on drugs is that it has warped our justice system by creating perverse financial incentives for all levels of government - which is off topic for this discussion except to say that law enforcement responds to financial stimuli as surely as businesses do, and that with sufficient incentive international cooperation can be created.

Do I think government is the answer to everything? Of course not. In fact, I think that it's a poor solution most of the time. But it's a great way to create disincentives for antisocial behavior, to reduce the problem of transaction costs and free-riding in buying public goods, and to create a social safety net that’s sufficient to encourage productive economic risk-taking. There aren't too many full-on Socialists with MBAs wandering around, after all.

#58 ::: novalis ::: (view all by) ::: November 16, 2004, 10:04 PM:

Auto-disenvoweler (doesn't handle sometimes y except at the end of a word).

I bet someone here already wrote one, but it was quicker to write my own than to check (Henry at Crooked Timber wanted it). So, maybe it does someone here some good.

#59 ::: Mitch Wagner ::: (view all by) ::: November 16, 2004, 10:17 PM:

Graydon: I took a look at camram. Thanks for bringing it to my attention.

If I read it correctly, the plan forces both the sender and the recipient to do work. The sender has to create the stamp, but the recipient has to validate it. Seems to me that might make it impractical, although maybe I haven't thought it through or read the FAQ carefully enough.

#60 ::: mark shier ::: (view all by) ::: November 16, 2004, 10:28 PM:

You might wish to try this method:
http://www.elfonlyinn.net/beating.html
mark

#61 ::: Patrick Nielsen Hayden ::: (view all by) ::: November 16, 2004, 10:49 PM:

IJWTS that, so far, Steve Eley is entirely right on this issue, insofar as I understand it.

As to the original post, I would note that Jay Allen, author of the acclaimed "MT-Blacklist" anti-spam plugin for Movable Type, has been in the middle of moving his household from Europe to California for some weeks, so some bugs have gone uncorrected. I really wouldn't conclude from this that It's All Hopeless The Spammers Have Won Wah Wah Wah. Personally, I upgraded us to MT 3.121 earlier this month, and installed the latest MT-Blacklist beta, and aside from spitting out a bunch of alarming but ignorable error messages, it seems to work darn well. Come on, people, don't be so easily discouraged. Over the top! You wanna live forever?

#62 ::: Dave Luckett ::: (view all by) ::: November 16, 2004, 11:03 PM:

"you wanna live forever?"

Well, for a certain value of "live", actually, yes.

#63 ::: TJVM ::: (view all by) ::: November 16, 2004, 11:08 PM:

Like some others above, I think that law enforcement could make a serious dent in spam, if we had the political will to get serious about it. This means not only passing laws (and laws much better than CAN-SPAM) but also devoting substantial resources to enforcement.

I think that most people overestimate the anonymity of spam. Sure, the email itself may be untraceable, but if you're only looking at the email, you're missing the big picture. The ultimate purpose of spam is to do business, and doing business anonymously is a lot harder than sending emails anonymously. (and I don't just mean anonymous from Joe Consumer; I mean anonymous from federal law-enforcement agents with subpoena power).

As for the “offshore” factor: First, I've read repeatedly that most spam originates from within the US, in the sense that it's instigated and paid for here. I don't have a cite handy, but I feel pretty confident in saying that.

Second, even if you're outside the US, it's hard to stay “untouchable” if you're regularly doing business with people here. For instance, I think that if we got banks and credit card companies to cooperate (by asking nicely, or not-so-nicely) we could make it very hard for spammers to collect money through major credit cards. That could be a big monkey wrench in the works right there: it's going to be hard to sell many penis-enlargement pills if you have to tell all your potential customers to mail a personal check to a PO box in Lithuania.

“If you're talking about the charge point at which people are buying stuff that was solicited via spam, then you've just broadened the crime very dangerously. I'll assume that's not what you meant.”

I think that's exactly what you have to do: outlaw paying for spam. And not just fly-by-night businesses that intentionally pay for spam, but respectable businesses who try to avoid responsibility through a wink-and-a-nod, no-questions-asked arrangement. I think the law ought to provide that if you pay someone to promote your business – whether at a fixed rate, or on a commission, or based on hits to your web site, or whatever – then you're responsible for spam they send on your behalf. There probably ought to be an affirmative defense (i.e., the accused spammer has the burden of proof) that you took reasonable steps to avoid inadvertently paying for spam. Such steps might include doing business only with reputable people, and promptly investigating spam complaints. Anyway, that's how it would be if I was Law King For A Day.

Of course, all of this would take a lot more elbow grease than we're applying now, and I don't expect an effective law-enforcement effort in the near future. And, I don't think that law enforcement is the best long-term solution. But until we can figure out a way to make spam technically impossible or economically unattractive, I think there's a lot more we could be doing legally.

#64 ::: Paula Lieberman ::: (view all by) ::: November 16, 2004, 11:56 PM:

Not to state the obvious, but spam is different. It doesn't kill or injure anybody. It's not a public health problem, and ruining one's blog is not the same as ruining one's life. The worst you can say about it is that it's annoying as hell and drains significant technical resources. For this, we're going to send out the special forces?

It DOES "injure people" in wasting their time and energy, it can be viewed as harassment and graffiti--graffiti isn't legal, is it, written on private and public property without permission? Graffiti doesn't tend to "kill or injure anybody. It isn't a health problem..." but it is considered aesthetically objectionable and annoying and a crime, and cleaning up after it is expensive of people's time and energy and cuts their PRODUCTIVE time--it cuts into their income and increases their expenses, because instead of doing work which earns them money producing, they're having to spend time and effort and attention deleting spam and saying that they didn't send email which fraudulently claimed to be from them...

For people who earn their livings who depend on email, spam IS injurious to their business and earning ability, because the filtering can delete legitimate business from customers, clients, and other business associates, and lock up their computer systems. That IS financially injurious. And again, the time and effort involved with spam handling--identifying it, deleting it, filtering it--is wasted time for the vast majority of people.

#65 ::: Steve ::: (view all by) ::: November 17, 2004, 12:51 AM:

For people who earn their livings who depend on email, spam IS injurious to their business and earning ability, because the filtering can delete legitimate business from customers, clients, and other business associates, and lock up their computer systems. That IS financially injurious. And again, the time and effort involved with spam handling--identifying it, deleting it, filtering it--is wasted time for the vast majority of people.

I have wasted hours of my life cleaning out comment spam, so I have sympathy with your desire to see the problem solved. And I'm generally sympathetic to the idea that the government is helpful with lots of stuff. But there's a weird and kind of creepy elision going on -- spam is irritating and costly to deal with, but it's not a violent crime, nor even one that tends to cost a single individual a great deal of harm from any one participant. I'm not capable of fleshing out my disquiet -- it has to do with Giuliani and the broken windows urban crimefighting methodology, I think -- but it's there nonetheless.

Steve Eley is entirely right about email spam; I'm not at all sure that comment spam is the same model of problem (nor am I at all sure that it's nearly as profitable for the spammers, but I've never seen any studies done).

And finally, sf-ish people: did any writers actually predict spam? It's such a universal complaint now, but I can't think of any near-future-type writers who seemed to think of the concept before it actually arrived with the Green Card Lawyers. Seems like the sort of thing that would have been right up Bruce Sterling's alley, but I think it might have just blindsided everyone (not least of which are the people who coded sendmail).

#66 ::: Jonathan Vos Post ::: (view all by) ::: November 17, 2004, 01:11 AM:

Steve:

"And finally, sf-ish people: did any writers actually predict spam?"

Yes. Myself, for one. Since I remember the early 1970s when the ARPANET was scientists and students swapping data, email, recipes, wine lists, jokes, and the like, with NO spam yet (spam was invented by lawyers) I had video-streaming-spam trying to get people to tune to ad-heavy "Channel Z" in my story:

"Skiing the Methane Snows of Pluto" [Focus, Magazine of the British Science Fiction Association, London, England, Vol.1, No.1, Autumn 1979]; also correctly predicted methane snow on Pluto, fortuitously correct prediction of volcano terrain on Jupiter's moon Io.

I also had email spam in my unpublished novel manuscript "T4: The Ten Teeth of Terra: The Decadents" which I wrote in High School and the summer of my frosh year in college, and for which I was offered a contract by Ace when I was 18, but Pat LoBruto retracted said offer. I've thanked him since. It was a terrible novel, and would have started my SF career too soon and on the wrong foot.

The problem was: could writers explain spam so compellingly that editors believed them? Editors didn't believe me either in the 1960s that what we now call Virtual Reality would lead to confusion as to whether or not one was in a simulation; an idea so much a part of pop culture that kids don't realize that someone must have dreamed it up. Nobody, especially my thesis committee, believed that what we now call nanotechnology was possible, before Greg Bear wrote Blood Music and the Drexler-come-lately convinced myself and others not to publish on nanotechnology until we debated Gray Goo, but then he published first. Not to knock poor K. Eric Drexler, divorced, forced to the sidelines, and I'm glad that I introduced him to Stan Schmidt and helped his early visibility through Analog and Omni.

And nobody believed Ted Nelson either, when he predicted the Web in the 1960s.

There's nothing on Earth so powerful as an idea whose time has come; there's nothing so impotent as an idea whose time has not yet come. Science Fiction is NOT prophecy. Bill Gibson points out that Neuromancer makes a lot less sense when you consider that nobody in it ever used a cell phone.

#67 ::: Bruce Baugh ::: (view all by) ::: November 17, 2004, 02:38 AM:

Steve, the volume of spam is difficult to overstate (more than half of all e-mail), and is routinely cited as a factor in the collapse of small ISPs and in decisions by folks who had been hosting their own domains to stop doing so. It is a genuinely serious burden on the network as a whole. It increases the rate of failure for legitimate communication, disrupting legitimate personal and commercial exchanges. That would be a problem even if there were no fraud or abuse in the nature of what spammers push for sale, and of course they do. Early on it was possible for some of them to say "I didn't realize..." and genuinely be clueless rather than malicious. It's not possible to do that any more. This is reckless disregard for consequences, that is a category of behavior the law rightly frowns on.

#68 ::: Lenny Bailes ::: (view all by) ::: November 17, 2004, 02:41 AM:

I think the s-f writer who should get the credit for predicting spam is PK Dick, who came up with the "Nitz Commercial" -- a walking, talking cybernetic ad that follows people on the street until they shoot it into inactivity:


“In the presence of strangers do you feel you don’t quite exist? Do they seem not to notice you, as if you were invisible? On a bus or spaceship do you sometimes look around you and discover that no one, absolutely no one, recognizes you or cares about you and quite possibly may even—”

With his carbon dioxide-powered pellet rifle, Maury Frauenzimmer carefully shot the Nitz commercial as it hung pressed against the far wall of his cluttered office. It had squeezed in during the night, had greeted him in the morning with its tinny harangue.

Broken, the commercial dropped to the floor. Maury crushed it with his solid, compacted weight and then returned the pellet rifle to its rack.
-- The Simulacra, 1964

#69 ::: Graydon ::: (view all by) ::: November 17, 2004, 05:36 AM:

Mitch --

Yes, work on both ends but not if the mail is from someone you know on the receiving end and the work is asymmetric.

Strikes me as the best thought out logistical attack on spam I've yet seen.

#70 ::: adamsj ::: (view all by) ::: November 17, 2004, 07:36 AM:

I think Heinlein may have anticipated Dick on this, though Dick carried out the concept more fully. In Podkayne of Mars, the taxis (and I believe other places) on Venus (that libertarian paradise, aka company town) are subject to intrusive holographic ads. The driver is then convinced with a little folding cash to turn down the ads to the point of near-nothingness.

Does this not sum up the differences between these two writers?

#71 ::: Paul ::: (view all by) ::: November 17, 2004, 07:42 AM:

Wow.. where to start.

First, Xeger is right. Almost all of the ideas suggested here have already been thrashed through many times elsewhere. The links he supplied should be a good start, although only a start.

'Work' payment - from what I understand, this wouldn't involve equal work on the behalf of the client and server. You'd use something hard to calculate but easy to verify. However, this wouldn't stop spam anyway, for the reasons Steve Eley gives, so...

(Steve, I think you may have misunderstood SPF - it's not designed to do anything much about spam, it's mainly so you can be sure the sender comes from the domain they say they do. That should kill phishing, at least.)

Attacking the points of injection is a waste of time - most of the spam these days comes via zombie networks. (This is also why bandwidth metering probably wouldn't help much.)

The only point you can attack is indeed the payment. However, I can see several problems with TJVM's proposals, not least of which is how does one become a reputable marketer when starting out? It also reverses the burden of proof, and makes it a crime to pay for something which has no real definition in the first place. Bad precedent IMO.

Finally (since this is getting long), I'd tend to agree with Steve Eley - comparing spam and drugs is somewhat out of proportion.
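The "hard to calculate but easy to verify" work stamp discussed in this thread, as an added Python example that is not part of any comment here and is not camram's code: a simplified hashcash-style stamp, including the waiver for known senders. The stamp layout, the use of SHA-256, the function names and the example.org addresses are assumptions made for illustration.

```python
import hashlib
import itertools

# Assumed stamp layout for this sketch: "bits:date:recipient:counter".
# It is not camram's or hashcash's actual wire format.


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def work_in(stamp: str) -> int:
    """Amount of work a stamp proves: leading zero bits of its SHA-256."""
    return leading_zero_bits(hashlib.sha256(stamp.encode("utf-8")).digest())


def mint(recipient: str, date: str, bits: int):
    """Sender side: brute-force a counter, about 2**bits hashes on average."""
    for counter in itertools.count():
        stamp = f"{bits}:{date}:{recipient}:{counter}"
        if work_in(stamp) >= bits:
            return stamp, counter + 1  # the stamp and the hashes it cost


def verify(stamp: str, recipient: str, today: str, min_bits: int, spent: set) -> str:
    """Recipient side: one hash plus bookkeeping. Returns "ok" or a reason."""
    fields = stamp.split(":")
    if len(fields) != 4:
        return "malformed"
    try:
        claimed_bits = int(fields[0])
    except ValueError:
        return "malformed"
    if fields[2] != recipient:
        return "wrong recipient"    # minted for someone else, cannot be reused
    if fields[1] != today:
        return "stale"              # old stamps cannot be stockpiled
    if claimed_bits < min_bits:
        return "insufficient work"  # sender chose a cheaper stamp than required
    if work_in(stamp) < claimed_bits:
        return "insufficient work"  # claims more work than the hash shows
    if stamp in spent:
        return "replayed"           # one stamp pays for one message
    spent.add(stamp)
    return "ok"


def accept(sender, stamp, recipient, today, min_bits, spent, known_senders) -> str:
    """Mail from a known sender skips the stamp check entirely."""
    if sender in known_senders:
        return "ok (known sender)"
    if stamp is None:
        return "no stamp"
    return verify(stamp, recipient, today, min_bits, spent)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real mail.
    me, today, bits = "reader@example.org", "20041117", 16
    spent, known = set(), {"friend@example.org"}

    stamp, hashes = mint(me, today, bits)
    print(f"sender computed {hashes} hashes to mint {stamp}")
    print("stranger, stamped:  ", accept("stranger@example.org", stamp, me, today, bits, spent, known))
    print("same stamp again:   ", accept("stranger@example.org", stamp, me, today, bits, spent, known))
    print("stranger, no stamp: ", accept("stranger@example.org", None, me, today, bits, spent, known))
    print("known sender:       ", accept("friend@example.org", None, me, today, bits, spent, known))
```

Each extra bit doubles the sender's expected cost, while the recipient still computes a single hash per stamped message and none for known senders.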

#72 ::: Graydon ::: (view all by) ::: November 17, 2004, 07:55 AM:

Paul --

The idea that there are reputable marketers is one that could do with challenging.

Drugs is a self-inflicted injury; a society that preferred results to moral assertions would not (and did not; check Victorian era drug usage stats sometime) have these problems.

Spam is an inevitable consequence of building a dumb network with smart edges, and while it's a different class of problem, it's actually more important than drugs, since having the dumb network with smart edges is absolutely essential to maintaining a means of rapid and reliable communication not centrally controlled by interests indifferent to individual welfare.

#73 ::: Jimcat Kasprzak ::: (view all by) ::: November 17, 2004, 08:42 AM:

Steve Eley wrote:

...Then again, given the current administration, I suppose we could invade every country that harbors spammers. From the sound of it, that might be the one action that could raise Bush's approval among the crowd here.

and then Larry Brennan wrote:

Oops, we do meddle in other countries and create incentives for local cooperation. But I guess spam is different.

I'd be much more willing to support a War on Spam than a War on Drugs. People want to abuse drugs, they're only messing up their own lives. People who spam are intruding into my well-being.


#74 ::: Paul ::: (view all by) ::: November 17, 2004, 08:43 AM:

Graydon - except that it *is* fundamentally controlled by interests etc. They just haven't realised they control it yet, or haven't worked out what to do with it.

(There are a few major backbone providers through which most internet traffic in to and out of the US goes. If you don't believe me, traceroute out through various different access points. I'd lay odds your packet will at some point pass through (say) Above.net. Can't remember the others.)

The drugs bit I'm going to leave alone as a whole other discussion, I think, although I can't work out what you're talking about WRT results.

However, I do want to be clear here - I wasn't suggesting that spam can just be left to its own devices. This is why I used to spend a fair amount of time reporting spammers.

Incidentally - by smart edges, do you mean the humans who interact via the network?

#75 ::: Paul ::: (view all by) ::: November 17, 2004, 08:45 AM:

Oh yes:

The idea that there are reputable marketers is one that could do with challenging.

That we can agree on. :-)

#76 ::: Shane ::: (view all by) ::: November 17, 2004, 08:45 AM:

Here is a (technical, financial) solution I saw on Slashdot a while back. I've never seen it discredited (or even commented on) but I haven't seen it picked up either. I hope some of the very informed people here might see fit to comment.

A summary:
Spamming works because senders don't pay for the costs of sending all their email (usually, the recipient does).

Commercial spam needs to give interested buyers a way to follow up and actually make a purchase. Typically this is done with a link to a website, and typically the page owner _does_ pay each time that page is served.

So: for any email that has a web link, have your email program collect and cache that page plus subpages. This is expected for people who are interested in your product, and should be no problem for vendors who *target* the people they send to. But for folk who send to huge undifferentiated email lists relying on others to foot the bill, it will get pricy.

Upthread people mentioned the tight margins. It doesn't need to cost much per email to make spamming a losing concern, and concerned folks could start small by adding this type of script to their email program and spreading the word.

One malicious use I can see is to put an enemy's web address in a spam you send (free DDOS) (Maybe only do this to weblinks in emails that I mark as spam). I don't see a way round it yet but the number of malicious attackers is perhaps less than the number of folks out for a quick unprincipled buck.

explanations? responses? flames?

#77 ::: Paul ::: (view all by) ::: November 17, 2004, 08:47 AM:

Jimcat - email spam, Usenet spam, SMS spam, comment spam, or all the other kinds of spam which haven't yet been thought up by some deranged and twisted mind?

(Yesyesyes, I'll stop posting comments for a while now. Three in a row is a bit much.)

#78 ::: Greg London ::: (view all by) ::: November 17, 2004, 09:03 AM:

Could we PLEASE stick to a strict definition of the word "injure" to mean "causing physical harm"?

If someone is about to cause you physical harm, then self-defense is justified, i.e. preemptive physical harm.

George W. Bush would be the kind of person who would define "injure" to include "inconvenience" and "cause extra expense" and "withhold campaign donations" all of which he would then use to justify a preemptive strike.

If there is anything to learn from the last four years, it is that Humpty-Dumpty is in office and will use a word to mean whatever he wants it to mean, and the only way to put an end to such loose vocabulary is to start by not doing it ourselves.

#79 ::: Paul ::: (view all by) ::: November 17, 2004, 09:17 AM:

Shane - from what I remember, the zombie programs also include HTTP servers these days, as well as the SMTP server/client. The spammers managed to find some halfway competent programmers with no morals.

#80 ::: Mari ::: (view all by) ::: November 17, 2004, 10:06 AM:

As far as browsing without seeing ads, Mozilla goes one better -- the plug-in called "adblock" can specifically avoid certain strings (e.g., *.ads.*) and a right click can get rid of any specific problems the search strings miss. I really appreciate not seeing any ads, especially the animated/noisy ones but what do any website owners who read this think? Am I killing free Internet content?

#81 ::: Graydon ::: (view all by) ::: November 17, 2004, 10:40 AM:

Greg London --

"extra expense" can wind up at "starving under a bridge", if it's a large enough expense. Material harm counts. (By a number of conservative estimates, the annual global cost of spam is well up in the gigabucks.)

I don't think it's improper to define 'cause to wind up starving under a bridge' (or even 'cause to go out of business') as 'injure'.

Paul -

By smart edges I mean that all the applications that do stuff are independent of the traffic routing and transmission part of the network. (This is exactly backwards from a traditional circuit-switched telephone network, and one of the reasons large Telcos do not do well with the IP space.)

The demonstration of the 'pigeon protocol' for transmitting IP packets worked; if you were sufficiently stubborn about it, you could run a mail server -- a smart edge -- and put it on the network by using carrier pigeons.

This is a good indication that the network transmission layer and the apps that make the network useful are independent entities.

#82 ::: Mark Gritter ::: (view all by) ::: November 17, 2004, 11:05 AM:

Shane: one of the negatives with your idea is that any response whatsoever can be used to validate that the email reached a valid destination. (In the simplest case, imagine that one of the links in the email is a 'subscribe me'.)

I would be very worried about the potential as a platform for attacks, too, as you mention.

#83 ::: Mark Gritter ::: (view all by) ::: November 17, 2004, 11:27 AM:

Many "Internet people" (users, designers, academics) have an almost religious belief that the Internet should provide unlimited, anonymous, any-to-any communication. I think we are living through example after example of why this model is broken. Even the simplest Internet application needs to be able to identify its clients and expected client behavior (and enforce them!) or else become vulnerable to denial-of-service attacks and other misuse, including spam.

So, I don't hold much hope for the efficacy of additional laws unless there is a change in the services provided by the network architecture. A stronger notion of identity, greater network monitoring of client and server behavior, and "middleboxes" which mediate wide-area transactions are all helpful, but all three ideas are anathema to the currently popular conception of what the Internet is and should be.

The Internet's great success is the ability to deploy new applications. Unfortunately, experience has proved that some of the most popular applications are denial-of-service attacks and spam.

#84 ::: Greg London ::: (view all by) ::: November 17, 2004, 11:31 AM:

I don't think it's improper to define 'cause to wind up starving under a bridge' (or even 'cause to go out of business') as 'injure'.

Calling "added expense" an "injury" commits a number of logical fallacies:

Argument ad populum: This form of fallacy is often characterized by emotive language

http://www.infidels.org/news/atheism/logic.html#populum

Equivocation: a key word is used with two or more different meanings

http://www.infidels.org/news/atheism/logic.html#equivocation

There is no need to call the "added expense" of spam an "injury" unless you wish to make spam sound worse than it really is. Once "added expense" has been redefined as an "injury", then one can argue that we should be able to respond to spam the same way we would respond to someone causing physical injury.

Oh, and you did it again when you changed "spam" to the charged emotive phrase of "starving under a bridge".

No one ever starved under a bridge because of spam.

I don't care how much you hate it, I will not allow language to be twisted and misused and given arbitrary definitions to invoke someone's emotional triggers.


#85 ::: Guy Matthews ::: (view all by) ::: November 17, 2004, 12:44 PM:

Actually spammers can be tracked down and are on occasions fined and prosecuted under existing legislations, some people in this comment thread are seriously overdramatizing: http://www.theregister.co.uk/2004/11/17/icstis_fine/

"Another New York-based company - BW Telecom - was also fined £100,000 for continuing to run its online adult entertainment service even though it was barred last year. The US company had been fined £75,000 ($139,000) for spamming punters with porn emails that led to users racking up whopping phone bills. The spam sent by BW Telecom contained peak-rate dialler software which disconnected users from their ISP before reconnecting them to a service that charged them £1.50 a minute for Net access."

Yes ICSTIS took interest in these companies this time over dialers, not spam, but spam represents a significant portion of their dialer distribution methodology to begin with.

As regards solutions, there isn't one single solution to spam, the answer has to come from a combination of several new technologies as well as significant improvements to existing tech. As regards e-mail, one particularly potent factor in the propagation of spam is the ease with which spammers can completely falsify their e-mail address and other headers. The means to resolve this issue reside in the global implementation of a better mail protocol, our most common current protocols do not make any outstanding attempts to verify the validity of outgoing e-mail addresses simply because no one at the time thought that sort of verification would be necessary, many modern mailer services are now trying to compensate for this flaw, for example the version of exim our server runs will refuse to send mail if the outgoing address specified doesn't correspond to an address already existing on said server, this is a restrictive measure but it serves as an excellent stopgap measure to prevent intruders or unscrupulous customers from sending spam directly off our servers. More advanced projects are looking into ways of implementing two way address authentication methods throughout all e-mail servers out there, in time one of these solutions will be implemented, it's just a matter of being patient.

#86 ::: John Hawkes-Reed ::: (view all by) ::: November 17, 2004, 12:59 PM:

As a medium-suffering mail admin, I fully endorse the use of the Cricket Bat of Righteous Justice applied firmly and lovingly across the backs of their spamming little paws. Or slamming their heads in the fridge door - whatever works best for you.

Technically, refusing connections from dial-up/DSL/cable IP ranges (where zombie botnets live) works for mail, but that's going to be suboptimal for comment spam.

What might work is piping comments through SpamAssassin and holding back the high-scorers for moderatorial action. Certainly, one of the bolt-ons for S-A 3.x will cross-check any embedded URLs against a list of 'spamvertised' websites and bump the score accordingly. That alone made a large difference to the accuracy of our anti-spam efforts at work.
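
The hold-for-moderation flow described in comment #86, as an added example that is not part of the original thread and is not SpamAssassin's code or rule set: it extracts links from a comment body and the author URL field, checks each host and its parent domains against a "spamvertised" list, and holds high scorers. The domain list, weights, threshold and function names are all constructed for illustration.

```python
"""Score blog comments by their links and hold high scorers for a moderator."""
import re
from urllib.parse import urlsplit

# Constructed stand-in for a "spamvertised" domain list (reserved .example names).
SPAMVERTISED = frozenset({"cheap-pills.example", "casino-bonus.example"})

# Illustrative weights, not taken from any real filter.
LISTED_HOST_SCORE = 5.0   # added once per distinct listed host
EXTRA_LINK_SCORE = 1.5    # added per body link beyond FREE_LINKS
FREE_LINKS = 2
HOLD_THRESHOLD = 5.0

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_of(url):
    """Return the lower-cased hostname of a URL, or None if it cannot be parsed."""
    url = url.strip().rstrip(".,;:!?)")      # drop trailing sentence punctuation
    if "://" not in url:                     # author URL fields often omit the scheme
        url = "http://" + url
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None


def is_listed(host, blocklist=SPAMVERTISED):
    """True if the host or any parent domain (except the bare TLD) is listed."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def score_comment(body, author_url="", blocklist=SPAMVERTISED):
    """Return (score, reasons) so a moderator can see why a comment was held."""
    urls = URL_RE.findall(body)
    candidates = urls + ([author_url] if author_url else [])
    hosts = {h for h in map(host_of, candidates) if h}
    score, reasons = 0.0, []
    for host in sorted(hosts):
        if is_listed(host, blocklist):
            score += LISTED_HOST_SCORE
            reasons.append(f"listed host: {host}")
    extra = len(urls) - FREE_LINKS
    if extra > 0:
        score += extra * EXTRA_LINK_SCORE
        reasons.append(f"{extra} links over the free allowance")
    return score, reasons


def triage(body, author_url=""):
    """Decide whether a comment is published at once or held for moderation."""
    score, reasons = score_comment(body, author_url)
    decision = "hold" if score >= HOLD_THRESHOLD else "publish"
    return decision, score, reasons


if __name__ == "__main__":
    # Constructed sample comments.
    samples = [
        ("The listing is at http://www.spamhaus.org/rokso/index.lasso", ""),
        ("Great site, thanks!", "casino-bonus.example"),
        ("Buy now http://WWW.Cheap-Pills.example/buy, today", ""),
    ]
    for body, author_url in samples:
        print(triage(body, author_url))
```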

#87 ::: Paul ::: (view all by) ::: November 17, 2004, 01:00 PM:

Guy - the way around your Exim hack is simply to spam with a username that exists on your systems. The effect of this is that the user who's spoofed gets deluged in bounces...

Two way authentication is a somewhat non-trivial problem, so it might be some time before that's implemented properly. :-)

In the article you sent, I must admit I found myself thinking - if you've only had 21 complaints, from people who say the dialler was installed "without their knowledge", I'd be looking at other members of the household rather than spam...

#88 ::: Stefan Jones ::: (view all by) ::: November 17, 2004, 01:26 PM:

I just got some charmingly polite spam from some furniture export business in Malaysia:

* * *

"Dear Sir

We got your company's e-mail id from the section 'Worldwide Business Database' of a CD purchased from a local vendor. However, we do understand that not all the time - these e-mail ids are tested and verified by the vendors hence if you receive this e-mail by an error - we apologize for the inconvenience in advance."

* * *

Sure, their products are probably made from timber poached from dying rain forests, and three million other people probably got this mail, but they were polite about it. Kind of warms the heart. As does the name of the outfit, "Homerica," which sounds like a name that the head of the Simpson clan would give his home business.

#89 ::: Aiglet ::: (view all by) ::: November 17, 2004, 01:47 PM:

The problem is that a lot of the spammers are sending through compromised home machines on high-speed connections.

We could probably eliminate a lot of spam (or at least make it easier to trace and to block) if we could take up a massive educational campaign on two fronts.

First, we need to convince home users that they really ought to download all the patches available for their OSes right when they come out (and to download them only from reputable sources, like their manufacturer's website). We also need to convince them that you *can't* just download random things that come in e-mail from people you've never heard of, no matter what they're promising, and that anti-virus software and something like AdAware aren't optional but necessary. That should help prevent their machines from getting compromised.

The other educational campaign that needs to be done is on the ISP side. There is no reason why any ISP that gives out dynamic IP addresses and has a clause about "no servers" in its TOS needs to allow any machine on its network to make a port 25 connection anywhere but to their mail servers. While I generally don't advocate ISPs getting involved in what kind of packets go out from anyone's machines, there's no reason for people who aren't allowed to run servers anyway to be sending SMTP packets anywhere but to their ISP's mail server. (On top of which, running a mail server on a dynamic IP address is just a bad idea, security- and privacy-wise.)

It won't stop the spam, but it might make a start towards getting all the spammers onto their own IPs and their own machines, which can be tracked, subpoenaed, and taken down.

#90 ::: Dave Weingart ::: (view all by) ::: November 17, 2004, 01:51 PM:

Not that I would ever do any such thing myself, or suggest that anyone else try it either.

Will no-one rid me of these turbulent spammers?

#91 ::: PZ Myers ::: (view all by) ::: November 17, 2004, 02:05 PM:

As one of those relatively rare non-MT bloggers, another issue is the growing blogware monoculture. One of the things that makes life easier for spammers is that they only have to target MovableType to slam the majority of sites. Not that MT is in any other way inferior, but I'm running one site that gets a fair amount of traffic on Expression Engine, and another with lesser traffic on MT...guess which one is a daily chore to prune out the crap? MT-Blacklist is a big help, but having a site with no familiar hooks for the spammers is even better.

#92 ::: Graydon ::: (view all by) ::: November 17, 2004, 02:18 PM:

Aiglet --

Even better would be legislation making the OS vendor liable for damages.

Greg London --

Spam costs money. If you are willing to accept an actuarial value of harm (and anybody in an industrial society should be), that's real physical harm to real people.

It's not the same thing as walking up to someone and breaking their kneecaps, but that's only because it's distributed.

This is rather like the issue of lead emissions -- those very rarely actually kill people, or even incapacitate them; they just make life less pleasant and more difficult.

Lead emissions (or DDT, or arsenic, or mercury ) nonetheless do real physical harm.

#93 ::: Paula Lieberman ::: (view all by) ::: November 17, 2004, 02:18 PM:

But there's a weird and kind of creepy elision going on -- spam is irritating and costly to deal with, but it's not a violent crime

Neither is graffiti on buildings and subway cars and walls, neither is embezzling, neither is what Enron did, neither is what the failed suicide did, neither is money laundering, neither is insider trading.... they are still criminal acts.


nor even one that tends to cost a single individual a great deal of harm from any one participant.

And you regard insider trading, skimming accounts, phishing, false advertising, etc., as mere nuisances and not crimes, too?!

#94 ::: Larry Brennan ::: (view all by) ::: November 17, 2004, 02:22 PM:

Greg London:
Could we PLEASE stick to a strict definition of the word "injure" to mean "causing physical harm"?

Umm, no. If you harm me financially through illegal means, I'd have a tort against you. Would I have been injured? Yes, but not physically.

[soapbox]
Graydon and Paul - There certainly are reputable marketers out there, and I like to think that I'm one of them. I would never recommend a spam campaign, and only ever do snail-mailings to lists rented from reputable sources. Good marketing is one of the things that enables our economy to grow and our standard of living to improve. Every day you use things that make your life better whose availability you owe as much to marketing as you do to the people who invented them. That better mousetrap is only available to you if you know about it and know where to get it. Sure, nobody needs a Turnip Twaddler 3000, but I bet you like your Oxo vegetable peeler, or enjoy playing Doom or Myst, and might even be proud of your home theater, all of which you wouldn't have without marketing.
[/soapbox]

[rant]
And back to the topic of spam and its spyware handmaidens. I am so totally sick of having to have a hardware firewall, a software firewall, anti-virus programs and anti-spyware programs to prevent my property from being damaged by malicious actors. Again, the best way to stop this is to starve it to death by pulling the profit out of the system.

The other thing that makes me crazy is that I'm always helping friends disinfect and sometimes even rebuild their machines which have become totally infested with malware. I do it out of goodwill, but I'm pretty damned tired of it and would like to see some of those responsible locked up for a good long time. (And yes, this is an emotional response to crimes that have happened to my loved ones, as surely as if I had to fix their vandalized cars. Grrrr.)
[/rant]

#95 ::: James Angove ::: (view all by) ::: November 17, 2004, 02:39 PM:

Graydon: Bit hard on the open source folks, I'd imagine. (I can think of several different ways in which it might be hard, and I wouldn't like to guess which one(s) it would be, but I'm sure it would be hard).

Aiglet: I'm not at all sure I want to require people to get their email from only their ISP. I don't run a mail server, but I have a friend who does, and I send port 25 traffic to it all day long. In general I'm really nervous about requiring ISPs to inspect the contents of traffic across their networks. I don't want a small number of very large companies deciding what kind of traffic is acceptable and denying all else. It's not what would have to happen, but I'm fairly confident it's what would happen if we create a situation in which they will be punished for allowing the wrong kind of traffic.

Aside, I note that the post that started us off dealt specifically with comment spam. None of the technical solutions I've seen proposed address that kind of spam. Spam is in the end a social (or anti-social) problem, and it's not going to be solvable either through purely technical or purely political means.

#96 ::: Mitch Wagner ::: (view all by) ::: November 17, 2004, 02:42 PM:

Paul:

Attacking the points of injection is a waste of time - most of the spam these days comes via zombie networks. (This is also why bandwidth metering probably wouldn't help much.)

On the contrary, I would think that bandwidth metering wouldn't help at all with spam coming from fixed, dedicated, e-mail servers, but could easily kill zombie-driven spam.

Consider:

All you honest people running Internet service providers start charging on a per-message basis for e-mail. Senders can send up to, say, 200 messages per day for free, after that the charge is 0.01 cents per message.

Huzzah! The spam problem is solved!

For about a week. Then I come on the scene. I'm an unscrupulous sleazebag (ask anyone). I'm going to let anyone send unlimited e-mail messages for $1,000 a month. Want to send 10 million e-mail messages a day? No problemo!

And the spammers are back in business.

However, if the spam is sent by zombies, that's a different matter. Zombies are mostly home computers, with broadband connection. The ISP has no financial incentive to allow zombies to exist--indeed, the zombie costs the ISP money, by abusing bandwidth--so the ISP can simply put a 250 msg./day limit on every PC on his system, and be done with it.

Graydon:

The idea that there are reputable marketers is one that could do with challenging.

Hey! Part of my responsibilities on my site are to market my site. Heck, part of our Blog Hosts' responsibilities are to market their books. There's nothing wrong with us.

Well, aside from my being an unscrupulous sleazebag. But we already covered that.

Drugs is a self-inflicted injury; a society that prefered results to moral assertions would not (and did not; check Victorian era drug usage stats sometime) have these problems.

Y'know, you remind me of John Barnes in that you drop these intriguing little conversational hooks, and then walk away. You're like the guy in Bladerunner who made the intricate little origami sculptures and then just left them behind wherever he was. What about the Victorian drug usage stats? What do they teach us?

Jimcat Kasprzak:

I'd be much more willing to support a War on Spam than a War on Drugs. People want to abuse drugs, they're only messing up their own lives. People who spam are intruding into my well-being.

On the contrary, sir, people who abuse drugs are funding a criminal cartel, creating a public health hazard, and creating suffering for the lives of the people who love them.

Look, I'm as opposed to the War On Some Drugs as the next liberal; it's been a colossal boondoggle. If you want to describe it as an atrocity, I wouldn't argue with you.

But I won't get sucked into the friction-free libertarian fantasy world where each of us is free to engage in our own behavior without ever affecting the people around us.

Shane:

So: for any email that has a web link, have your email program collect and cache that page plus subpages. This is expected for people who are interested in your product, and should be no problem for vendors who *target* the people they send to. But for folk who send to huge undifferentiated email lists relying on others to foot the bill, it will get pricy.

Shane, on my day job I edit an opt-in, 100% legitimate newsletter. It's a blurb-and-link newsletter that links back to articles on Security Pipeline. Every newsletter has a couple of dozen links in it. My company runs several dozen newsletters of that type—all perfectly legitimate, all for people who actively subscribed to the newsletter.

If mail clients start routinely collecting and caching every page we link to, plus subpages, it's going to create a prohibitive workload on our servers.

And it's going to throw a hand-grenade in the advertising business model—advertisers routinely pay on clickthroughs, and how are we going to tell the actual human-driven clickthroughs from the robot-driven ones?

Greg London:

No one ever starved under a bridge because of spam.

Give a person a can of spam, and he eats for a day. Teach him to M!A!K!E M!O!N!E!Y F!A!S!T and he will be able to shoot porn-star quantities of ejaculate for a lifetime.

#97 ::: Greg London ::: (view all by) ::: November 17, 2004, 02:44 PM:

This is rather like the issue of lead emissions

No, it isn't, which is exactly my point.
Lead causes physical harm.
Spam doesn't.

#98 ::: Larry Brennan ::: (view all by) ::: November 17, 2004, 02:58 PM:

Greg, the definition of "injure" via dictionary.com. Please take note of definitions two through four.

in·jure
tr.v. in·jured, in·jur·ing, in·jures

1. To cause physical harm to; hurt.
2. To cause damage to; impair.
3. To cause distress to; wound: injured their feelings.
4. To commit an injustice or offense against; wrong.

#99 ::: Paul ::: (view all by) ::: November 17, 2004, 03:00 PM:

Graydon - which OS vendor? I'm using an OS without a vendor, so how does that work then?

Mitch - it would help, but only if providers started educating people about how to protect their computers. Otherwise, it's reducing the problem somewhat, not solving it.

I'm getting the feeling we've beaten this horse to the point of quadriplegia, so unless someone's actually foolish enough to ask, I'll leave it there. I'm pretty sure you can all figure it out anyway. ;)

Larry - no offence was intended. Obviously I can't speak for Graydon, but I was joking. :) However, it's probably worth pointing out that if I want something, I start looking around for it; I can't actually think of something I've gone out and bought because of an advert. (I'm willing to accept there might be some cumulative effect, although given the amount of jingles I can remember without the company who made them I'm unsure...)

#100 ::: Steve Eley ::: (view all by) ::: November 17, 2004, 03:11 PM:

Guy Matthews wrote:
As regards e-mail, one particularly potent factor in the propagation of spam is the ease with which spammers can completely falsify their e-mail address and other headers. The means to resolve this issue reside in the global implementation of a better mail protocol...

A simple, effective solution to this exists and has already been implemented by Yahoo!, Hotmail, AOL and GMail. In a very brief nutshell, SPF puts an extra field in the domain's DNS record to specify which servers are allowed to send e-mail from that domain. It doesn't say a damn thing about the message's content, but if a message fails the check on an SPF-compliant domain then you can be pretty damn sure they're lying about where they came from.

I know SPF is already working, because GMail displays nice big warnings whenever it thinks an e-mail is spoofing. It's not a comprehensive solution -- it doesn't stop people from spamming or phishing, and relies on the ISP's security to stop spoofing inside the domain -- it just enforces a particular form of honesty. And like Graydon's cam ram solution, which has similar goals, it doesn't require 100% adoption before it's at all effective. Just having the top providers sign on helps a lot.
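
The SPF check described in comment #100, as an added example that is not part of the original thread or any mail provider's code: a receiver looks up the sending domain's published record and tests the connecting IP against it, left to right. The domains, addresses and records are constructed, DNS is replaced by an in-memory dictionary, and only the `ip4`, `ip6`, `include` and `all` mechanisms are handled (anything else raises `NotImplementedError`).

```python
"""Simplified SPF evaluation against constructed TXT records (no network access)."""
import ipaddress

# Constructed TXT records standing in for DNS; all names and addresses are
# reserved documentation values.
SAMPLE_ZONE = {
    "shop.example": "v=spf1 ip4:192.0.2.0/28 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.25 ip6:2001:db8:25::/48 ~all",
    "open.example": "v=spf1 +all",
    "blog.example": "some unrelated TXT record",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limits DNS-querying mechanisms to 10 per check


def check_spf(sender_ip, domain, zone=SAMPLE_ZONE, _lookups=None):
    """Return the SPF result for a connecting IP claiming to send for `domain`."""
    lookups = _lookups if _lookups is not None else [0]
    ip = ipaddress.ip_address(sender_ip)
    record = zone.get(domain.lower().rstrip("."))
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # domain publishes no SPF policy

    for term in terms[1:]:
        qualifier = "+"                    # a bare mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"         # malformed address in the record
            if net.version != int(name[2]):
                return "permerror"         # e.g. an IPv6 range under ip4:
            matched = ip in net            # always False across IP versions
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"         # also stops include loops
            inner = check_spf(sender_ip, value, zone, lookups)
            if inner in ("none", "permerror"):
                return "permerror"
            # Only an inner "pass" matches; an inner fail or softfail just
            # means this mechanism did not match, and evaluation continues.
            matched = inner == "pass"
        else:
            raise NotImplementedError(f"term not handled in this example: {term}")

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no "all" term


if __name__ == "__main__":
    for ip, dom in [("192.0.2.5", "shop.example"),
                    ("198.51.100.25", "shop.example"),
                    ("203.0.113.9", "shop.example"),
                    ("203.0.113.9", "blog.example")]:
        print(ip, dom, check_spf(ip, dom))
```

A `pass` only means the connecting server is one the domain authorised: the `open.example` record passes every sender, and no result says anything about the message's content.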

#101 ::: Larry Brennan ::: (view all by) ::: November 17, 2004, 03:33 PM:

Paul - absolutely no offense taken. By the way, there's a lot more to marketing than advertising. A lot of the experience of a product goes way beyond its physical attributes. Good products work well and make you feel good about having or consuming them. (For example, the iPod not only works really well as a music player, its owners get to enjoy good design and an air of superiority over the owners of lesser devices.) Marketing also extends to making sure that the product can be found where the prospective purchaser is when they’re ready to buy.

There's lots of abusive marketing out there too, especially for "vice" products like cigarettes, alcohol and fast food, and even for non-vice products like jewelry. (Those DeBeers ads throw me into a rage - how dare they tell me to buy diamonds in specific configurations to mark artificially created milestones! And the emotional payoff is that you don't feel inadequate. I'd like to think that love is less transactional than that.)

#102 ::: Steve Eley ::: (view all by) ::: November 17, 2004, 03:38 PM:

Mitch Wagner wrote:
Give a person a can of spam, and he eats for a day. Teach him to M!A!K!E M!O!N!E!Y F!A!S!T and he will be able to shoot porn-star quantities of ejaculate for a lifetime.

I have nothing to say about this. I just found it so amusing that I thought it ought to be posted here twice. >8->


Paul wrote:
Mitch - it would help, but only if providers started educating people about how to protect their computers. Otherwise, it's reducing the problem somewhat, not solving it.

Reducing the problem is solving the problem. If spammers can live on a 1/30,000 hit rate because they send 5 million messages a day, but you clamp down on their zombie nets so they can only send, say, 5,000 messages a day, then they can't make a living and they go away.

Or, from a sysadmin's perspective, if your key problem with spam is that the bandwidth is bringing down your network, choking off every zombie machine shortly after it starts to go wild solves the outgoing bandwidth problem. (Solving the incoming bandwidth problem is another matter, but other tactics can be applied to that.)

Or, from an OAS (Ordinary Annoyed Schmoe) perspective, if the amount of spam you got was reduced from dozens of messages a day to just a couple, it's probably not going to raise your blood pressure much. I use GMail in part because its spam filtering is very, very good. Maybe 2-3 messages a week slip past the filter and into my inbox. This is one reason I don't get so worked up about spam. I just don't see most of it.

As for comment spam in blogs, that's beyond my knowledge domain. I do observe that there are solutions for it, and that some blogs make you jump some hoops to authenticate before you can post comments. That makes a certain amount of sense to me. But again, I don't know much about it. (I don't even know why everybody uses Movable Type as opposed to the many other applications out there. I'm sure there's something wonderful about it, I just don't know what.)

#103 ::: Aiglet ::: (view all by) ::: November 17, 2004, 03:39 PM:

James A:

Point. I always forget that there are people who use secondary mail servers, and I'm not exactly the most trusting person about ISPs either (I worked for one, and I use my boyfriend as my ISP now).

A lot of ISPs require you to download their software to use their connectivity, perhaps something where you can request certain ports to be unblocked would work, if they guaranteed that they would unblock any port upon request? The average user doesn't need their port 25 open to everyone and anyone.

#104 ::: Greg London ::: (view all by) ::: November 17, 2004, 03:57 PM:

Larry,

You are killing* me.

If you use a word based on its last and weakest meaning when its first and primary definition doesn't apply to the situation, and if you don't see that as loading the vocabulary, then we will simply have to agree to disagree.

Greg

*And by "killing" I mean the definition of "causing a great rolling of eyes and heavy sighing"

#105 ::: Greg London ::: (view all by) ::: November 17, 2004, 04:03 PM:

Two things need to happen to outlaw spam.

First, the definition of Spam has to somehow not include Microsoft from sending unrequested email to potential customers hawking their wares. The last time a big spam debate came up, Microsoft killed it because they want to be able to send unsolicited email. Either that or somehow Microsoft has to be stripped of its political influence (political campaign donations).

Second, spammers currently filter out any email address with a .gov extension. Once politicians have to deal with spam in their home accounts, and don't have interns to deal with the problem, then you'll see something happen.

#106 ::: Paul ::: (view all by) ::: November 17, 2004, 04:09 PM:

Larry - I'd argue that ease of use etc. is more good design, but it's a minor issue. ;-)

Steve - assume the average ISP has about 10,000 users. (Some more, some less, either way.) 250 messages/day/user == 2,500,000 messages per ISP, if you get 100% infection. Assume 50% infection. Four ISPs, he's back at 5 million/day.

If you get a worm which is more infectious, but tries not to hit the user's mail cap, then odds are you're back at the current situation, where most people wouldn't even be too aware they've got something wrong.

(Obviously these numbers are all guesswork, and I'm aware of the 'assume' rule, but I'm using it to illustrate a point... :)

#107 ::: Steve Eley ::: (view all by) ::: November 17, 2004, 05:01 PM:

Greg London wrote:
Two things need to happen to outlaw spam.

You're way out of date. The majority of current spam is already outlawed in the U.S. under the CAN-SPAM Act of 2003. This act, which took effect on January 1 this year, places certain requirements on unsolicited e-mail. These requirements are ignored by most spam today; hence, most spam today is illegal.

The effect it's had on actual spammers is on a spectrum between 0 and hysterical laughter. It doesn't help that the specifics of the law are moronic, and explicitly nullified tougher state laws, but even if it was brilliant it wouldn't have made any difference. A few high-profile prosecutions against a few well-known assholes selling V1AGr4 to buy expensive houses in Virginia just means you're knocking out the easy targets.

The real problem spammers are outside the country, and are already doing so many other very illegal things (hijacking people's computers, hijacking phones, mail fraud, phishing for bank account numbers, kidnapping travelers to Nigeria) that a law against sending e-mail simply isn't going to intimidate them. The most you can do is drive them further underground and make them meaner.

#108 ::: Paul ::: (view all by) ::: November 17, 2004, 05:27 PM:

No, most of the problem spammers are still inside the US:

http://www.spamhaus.org/rokso/index.lasso

But as you say, they take no notice of the laws anyway, so one more makes no real difference.

#109 ::: Greg London ::: (view all by) ::: November 17, 2004, 06:04 PM:

You're way out of date

Wouldn't be the first time.

;/

Thanks for the quick update.

#110 ::: Michelle ::: (view all by) ::: November 17, 2004, 06:57 PM:

Paula,
neither is what the failed suicide did... they are still criminal acts.

If you're in the United States, committing suicide and attempting suicide are NOT criminal acts. Pennsylvania was the first state (well, colony) to decriminalize suicide in 1701. No states in the US consider suicide a criminal act. (See Supreme Court case Washington v. Glucksberg)

I'm writing a term paper on physician assisted suicide, so I just happen to have copies of court opinions and articles on the subject lying around.

#111 ::: jennie ::: (view all by) ::: November 17, 2004, 09:05 PM:

Among other things, Paul wrote if I want something, I start looking around for it; I can't actually think of something I've gone out and bought because of an advert.

Which, according to Greg London's stated preferred definition of the verb, just plain killed me.

It does so bother me when people conflate advertising and marketing. To advertise is to make public the qualities of something usually in order to increase sales. Advertising usually involves creating advertisements---specially created messages about a product. To market is simply to find a means of selling product. It involves far too many activities for me to list here (and I don't know what a lot of them are, anyway.)

If you've noticed a book that was face-out in a bookstore, picked it up and read the blurb, liked that enough to open the book, and bought the book based on what you read inside, then you've responded to marketing.

If you've bought a new type of coffee because your local cafe was offering free tastes in little paper cups, the contents of one of which you swallowed and found yummy, then you've responded to the cafe's or the coffeemaker's marketing strategy.

If you've googled "life insurance" because you wanted a life insurance policy, and found an insurance company's website, and it was well laid out, and clear, and gave you all the information you needed, and let you generate a quote online, then gone to your broker and bought your policy from that company, then you've responded to the life insurance company's marketing.

Now you won't catch me trying to argue that marketing is good. Firstly, that's not a useful term. Marketing is effective or ineffective, invasive or non-invasive, inexpensive or expensive. Good and bad are moral-type judgements, and I'm not going to get into that argument. But I will argue that it's not the same thing as advertising. Advertising is a subset of marketing---the one most people notice, and think of, to be sure. Spam, is, alas, another subset of marketing (and I won't hesitate to call it parasitic, evil, icky, and other morally loaded names), so are direct mail and telemarketing (I won't say anything even remotely nice about them, either.) And yes, a lot of marketing is invasive, obnoxious, and plain yucky, and a lot of marketing people spend a lot of their time lying and pestering people for a living.

But the core of marketing---the practice of informing the potential buyer of a product and making that product available and attractive to the buyer is something from which I don't think any of us can claim to be utterly immune.

OK...sorry for the tangent. I feel better having said all that.

#112 ::: Mitch Wagner ::: (view all by) ::: November 18, 2004, 12:44 AM:

Larry Brennan:

By the way, there's a lot more to marketing than advertising ... For example, the iPod not only works really well as a music player, its owners get to enjoy good design and an air of superiority over the owners of lesser devices.

Actually, that's where I think advertising starts becoming evil, by encouraging people to believe that their identities are somehow tied in with what they buy, as opposed to what they create, or do, or their beliefs.

It gets ridiculous whenever I see an ad urging someone to demonstrate their individuality, or rebel nature, by buying some kind of mass-produced product.

(signed) Satisfied iPod Owner

jennie:

direct mail and telemarketing (I won't say anything even remotely nice about them, either.)

I used to rail against direct mail in my days as an angry young man, but now I'm getting kind of fond of it. I keep a stack of catalogs in the smallest room of the house, and leaf through them while I'm taking care of business.

#113 ::: Tina ::: (view all by) ::: November 18, 2004, 02:48 AM:

Honestly, if owning specific brands of products gave me an air of superiority, I would have to hope my friends would stick a pin in my over-inflated head.

But that's just me.

I could do without ever seeing another ad, in any format, ever again. Ads mislead people on a regular basis. Many of them are intended to make people believe that life would be perfect if you just Owned This Product. It feeds zombie consumerism and irritates me, and I can't believe I actually chose to major in advertising in the one semester of college I made it through.

Having said that, I find spam several multitudes of evil worse than just plain old generic 'ads', not because they're commercial, but because they do, in fact, take up time, bandwidth, and disk space I would prefer to be devoting to other things. During the commercial break on TV, I can go to the bathroom, make a cup of coffee, read a dozen pages of a book, knit, or write a couple paragraphs, i.e., I can multi-task with TV ads. I cannot simultaneously delete spam and do something else online, however. (I have not tried combining knitting with spam-deletion.)

While blogspam has not yet (for most people) become as dense as email spam, it's certainly doing a fine job of trying to catch up.

A friend of mine was discussing email spam a while back and noted that there are a number of people who believe that email is going to become virtually unusable in the next few years because of the signal:noise (or perhaps I mean the noise:signal) ratio.

I wish there were a magic button that would make it all go away, but neither technical solutions nor legislative ones are having any real effect.

Even on my most heavily spam-filtered email account, I receive approximately 25-30 times as much spam as I do regular email on a typical day. Luckily, it comes in small doses, but I shudder to think what that inbox would look like if I were away for a couple weeks.

#114 ::: Paul ::: (view all by) ::: November 18, 2004, 04:45 AM:

Jennie - yes, fair point. Can I plead guilty to loose use of language? :)

Tina - the spam filtering built into Mozilla Thunderbird (and Mozilla main) is very effective these days. If you can't/don't want to use those, SpamBayes is also very good, I find. http://spambayes.sourceforge.net/

Regarding the superiority/mass-produced stuff, there are a number of times I find myself reminded of "The Life of Brian".

The spam wars are about rendering email useless for unsolicited advertising before unsolicited advertising renders email useless for communication. -- Walter Dnes/Jeff Wynn

#115 ::: Jules ::: (view all by) ::: November 18, 2004, 06:53 AM:

A few comments on suggestions above:

Steve Eley suggests that the best way to eliminate spam is by prosecuting the companies that it advertises. This has 2 serious drawbacks:

1. It enables anonymous attacks on a company -- if I wanted to cause serious harm to a company, I would just have to send a few million spams in their name advertising their products. Who would believe that they hadn't done it themselves? And if anyone would, then what's to stop them actually doing it themselves then claiming they didn't?

2. A lot of spam is sent by scam mongers on behalf of well-meaning companies that don't understand what service they're getting. An example: my company works in IT consultancy and web site design. Last year we started receiving complaints about spam from one of our clients. We investigated, and they sent the material they had received from the company who sent it for them. The company had claimed that they would send the advert to "500,000 UK opt-in addresses". Actually, it turned out they'd sent it to about 5 million harvested addresses throughout the world, mainly in China. They'd provided a different service to what my client had paid for, but this fact wouldn't really help my client in the environment you recommend. They were hopelessly naive about the entire thing. Who has a 500,000 strong opt-in UK-only mail list? I seriously doubt such a thing exists.

Shane suggests the 'page caching' idea I'd also seen suggested on Slashdot. This suffers from the 'zombie relay' problem already described, and also the first of the objections to Steve's solution.

Somebody above linked to the spam solution objection checklist. This contains options for all of these potential problems. I know it's supposed to be a joke, but it really does work for 99% of the suggestions made, and most of its objections are realistic, too.

Somebody else cites a case of ICSTIS fining a spammer. This is actually not related to the spam part of the business method used by these people; ICSTIS has no powers to deal with spam in and of itself, they are a regulator who have authority only over operators of UK premium-rate phone lines, and enforce the regulations that state that all advertisements for such lines must contain complete and accurate rate information and non-premium-rate contact information for the company that operates them. While this does lead to potentially unfair situations for the operator (e.g., them being held liable for mistakes made by their ad agency), it is one of the conditions you must agree to in order to be allowed to operate a premium rate line in the UK.

#116 ::: Steve Eley ::: (view all by) ::: November 18, 2004, 10:16 AM:

Jules wrote:
Steve Eley suggests that the best way to eliminate spam is by prosecuting the companies that it advertises.

No. I don't. I've never said anything even vaguely like that. I don't know who you're confusing me with, but since Comment 3 in this thread I've been trying to hammer home that legal solutions are not the answer.

Been tried. Never works. Can't.

#117 ::: Greg London ::: (view all by) ::: November 18, 2004, 11:33 AM:

Hey, speaking of spam, Bill Gates gets 4 million emails a day, most of it spam. He has an entire department at Microsoft whose sole job is to wade through his email.

http://news.yahoo.com/news?tmpl=story&u=/ap/20041118/ap_on_fe_st/bill_gates_spam_2

#118 ::: Guy Matthews ::: (view all by) ::: November 18, 2004, 11:58 AM:

"Guy - the way around your Exim hack is simply to spam with a username that exists on your systems. The effect of this is that the user who's spoofed gets deluged in bounces..."

Paul, that's gonna be a pretty good trick seeing the server also won't relay without a valid username and password on the system ;).

#119 ::: Dave Weingart ::: (view all by) ::: November 18, 2004, 12:00 PM:

Even better would be legislation making the OS vendor liable for damages.

Graydon: I think this is tricky. Among other things, it doesn't cover the people who use Linux or FreeBSD. And, second, I don't see how it can be a good thing to sue the makers of a tool for misuse of that tool.

Do we sue egg farmers because kids throw them at cars on Hallowe'en?


#120 ::: Guy Matthews ::: (view all by) ::: November 18, 2004, 12:06 PM:

Steve, I did read about SPF before but the implementation was quite primitive at the time, I'll have another looksee through to the site later on and see if there's a practical implementation path for it that can be applied to our servers, thanks.

#121 ::: Graydon ::: (view all by) ::: November 18, 2004, 12:33 PM:

Dave --

No, we don't, but we sure do if the eggs have salmonella.

Similarly, car manufacturers aren't on the hook for reckless driving, but they sure are if the thing explodes or catches fire or tips with unjustifiable ease.

Malicious email isn't a manufacturer liability; the ease of creating botnets certainly is. (One for the broadband providers, too; there's nothing that keeps them from providing hardware firewalls in the 'modems', frex, but many do not.)

#122 ::: Steve Eley ::: (view all by) ::: November 18, 2004, 12:50 PM:

Guy Matthews wrote:
Steve, I did read about SPF before but the implementation was quite primitive at the time, I'll have another looksee through to the site later on and see if there's a practical implementation path for it that can be applied to our servers, thanks.

There are patches or plugins available for Sendmail, Postfix, Qmail, Exim, Courier, and Exchange, and client code available in Perl, C, Java and Python. There's a wizard, too, that gives you the IN field text to add to your DNS record.

The implementation is still "primitive" in the sense that it's simple. It's a very basic check, with no encryption or digital signing involved, and can produce false failures in certain forwarding cases. But as one component of an anti-spam filtering solution, it's very useful. Various other mechanisms have been proposed that would add further authentication, but the one with the biggest noise behind it (Microsoft's PRA, or Sender ID) recently went down in flames because of all the patent and license encumbrances Microsoft wanted to add.

#123 ::: Greg London ::: (view all by) ::: November 18, 2004, 01:22 PM:

Do we sue egg farmers because kids throw them at cars on Hallowe'en?

Unless I'm out of date on my information again, I'm pretty sure that almost all software is sold on an "as is" basis, meaning if it doesn't work, tough cookies. I know this is how Open Source stuff works, which I can understand because the code is being given away for free (at least that's how I license my open source software). It's a lot harder to justify for Microsoft, given that their CEO is the richest man on planet earth.

But, as long as Microsoft is donating millions of dollars every year to campaign contributions and spending tons of money on lobbying efforts, you probably won't see the "as is" thing go away.

Personally, I can see suing the manufacturer for defects, which would probably cover Microsoft if it weren't "as-is" software. I don't like the idea of suing gun manufacturers for what amounts to illegal use of their product versus product defects. But that's a whole other can of worms.


#124 ::: Clark E Myers ::: (view all by) ::: November 18, 2004, 04:48 PM:

Similarly, car manufacturers aren't on the hook for reckless driving, but they sure are if the thing explodes or catches fire or tips with unjustifiable ease.
In this country (U.S. of A.) GM has paid for induced or invited reckless (!wreckless) driving when done by a youth in a Pontiac Firebird - said behavior allegedly caused by the influence of Smokey and the Bandit - this may have been a misapplication of the general principle that an intervening illegal act breaks causality because legal behavior is or by rights ought to be a safe harbor assumption.

Then again consider also the attractive nuisance notion so often spoken of in connection with Microsoft products.

Similarly Ford paid for selling a car which would quite handily maintain sustained speeds well beyond the safe limits on the furnished tires. The tires proved to be good for only 150% of the speed limit. Reckless driving or unjustifiable ease of failure?

I sort of thought raw eggs to be an assumed risk kind of thing myself.

Notice the now died away tremendous fuss (which I think of as recent, you may think of as ancient history) about efforts to redo Article 2 of the Uniform Commercial Code - again in the U.S. of A.

I have no general solutions, my filters mostly work with news letters whitelisted. Seems to me in the common law jurisdictions some combination of a political solution embodied in new legislation and interpreted by the courts in light of history will work better than choosing the best analogy and applying the same rules.

In the non-common law jurisdictions the rules and safe harbors will I think have to change so drastically and so quickly (Internet time) as to mean no lasting safe harbor - a bad thing but hard cases make bad law.

What we see of course is severity of punishment inversely proportional to the odds of getting caught - or pickpockets always worked the crowds watching pickpockets get hanged.

#125 ::: Greg London ::: (view all by) ::: November 18, 2004, 05:22 PM:

phishing is alive and well too

http://story.news.yahoo.com/news?tmpl=story&cid=1804&e=18&u=/washpost/20041118/tc_washpost/a59347_2004nov18

Here's one I was surprised to hear was a common approach: con artists set up fake website storefronts, selling nonexistent stuff solely to get credit card information.

#126 ::: Paula Lieberman ::: (view all by) ::: November 19, 2004, 03:33 AM:

At least one of the local supermarkets had a sign up before Halloween that it was not selling eggs or some other stuff to minors due to Halloween, in the days before Halloween and on Halloween.

#127 ::: Tina ::: (view all by) ::: November 19, 2004, 05:09 AM:

Paul, my primary non-public email account is on a Unix box with SpamAssassin rules written by long-term net veterans, and it still doesn't keep me from getting dozens of pieces of spam daily. Bayesian spam solutions do help, but even they're getting overwhelmed lately. I know you can 'teach' the filter to ignore more and more but unfortunately, the spamming software gets more and more sophisticated to counter as well.

(I don't actually get any of my mail via IMAP or POP, so I don't have direct experience with the products you recommend, but what I do know suggests they work similarly.)

#128 ::: Dave Luckett ::: (view all by) ::: November 19, 2004, 06:01 AM:

Reading the comments here about anti-spamming devices vs the cleverness of the spammers makes me think that I am witnessing a classic arms race. All the arms races I can think of were eventually ended when the entry of new, radically different technologies made the old ones obsolete. (Another way of ending an arms race was the virtual elimination of one of the competitors, but I'm not sure how that's relevant here.)

Come to think of it, I don't know how the first is relevant either. Forget I spoke.

#129 ::: Graydon ::: (view all by) ::: November 19, 2004, 07:25 AM:

Tina --

It matters very much how current the SpamAssassin is; 3.0.0 is a big improvement over the most recent 2.foo

But yes, classic arms race; the most amusing suggestion I've seen is that this is how true AI is going to evolve, since the real problem is one of natural language recognition.

#130 ::: Steve Eley ::: (view all by) ::: November 19, 2004, 09:40 AM:

Graydon wrote:
But yes, classic arms race; the most amusing suggestion I've seen is that this is how true AI is going to evolve, since the real problem is one of natural language recognition.

Which in turn leads to troubling (but story-laden) speculations about which side it'll evolve on first...

#131 ::: Jonathan Vos Post ::: (view all by) ::: November 19, 2004, 11:15 AM:

Greg London:

"surprised ... was a common... : con artists set up fake website storefronts, selling nonexistent stuff solely to get credit card information."

Equivalent, called "false front" in Intelligence operations, setting up a complete false embassy, producing false documents, to get information from a specific target person or persons.

Equivalent in the corporate espionage world: setting up false negotiations, never intended to be consummated, to extract data from a competitor. Favorite tactic of Micro$oft. Similarly, negotiating a large purchase of products or services from a vendor, in order to get data on pricing. Equivalent: a false job interview. This cuts both ways. The company may want to pick the individual's mind, and the individual may want to know things about the company that can't be found on their website or in their annual report.

All the above are analyzed in the "Disinformation Theory" developed and published by Professor Philip Fellman, Southern New Hampshire University, sometimes in coauthorship with myself.

What is an ambush, in these terms? A pawn sacrifice? A faked throw to first base?

There are things -- dark things -- going on all around you. Philip K. Dick was a genius at conveying this impression. The only question is: are you paranoid enough?

#132 ::: Andrew case ::: (view all by) ::: November 19, 2004, 02:13 PM:

Seems to me that the answer is technical: If every mt installation shared its blacklist with a master mt blacklist that was automatically updated we'd only see the spams that hadn't yet been seen and flagged by somebody else. In practice you'd probably want to have some sort of voting scheme so that multiple blacklistings were needed before the url was permanently added, just to avoid malicious abuse of the system. A similar approach ought to work for email spam - share the blacklist. The objective isn't to eliminate every single spam - there's always going to be some false positives and false negatives, and IMO it's better to let a few spams through than to falsely flag a site or person as a spammer, so I prefer to err on the side of more false negatives, but that's just me. The false positive problem could easily be handled with a setting in the cgi script which allows the user to set the degree of defensiveness.

#133 ::: Dave Weingart ::: (view all by) ::: November 19, 2004, 02:52 PM:

Paula, stores have been doing that here for ages.

Which doesn't stop the kids who go to the fridge. It's still a trivial misuse of a tool, and I don't think that going after the manufacturer is going to help much.

#134 ::: Greg London ::: (view all by) ::: November 19, 2004, 03:09 PM:

There are things -- dark things -- going on all around you

Well, I wasn't surprised that they existed. Ever since I saw the movie The Sting, I was aware of the false-front gambit. I was surprised they were so common. But the web has the advantage that you don't need to rent a physical store, dress it up with fake goods, hire actors to come in and pretend to shop, etc, etc.

The only question is

No, I am not paranoid enough....


#135 ::: xeger ::: (view all by) ::: November 19, 2004, 03:19 PM:

Andrew case mused:

Seems to me that the answer is technical:

I can assure you that spam is a social problem, and technical solutions to social problems are rarely successful.

If every mt installation shared its blacklist with a master mt blacklist that was automatically updated we'd only see the spams that hadn't yet been seen and flagged by somebody else. In practice you'd probably want to have some sort of voting scheme so that multiple blacklistings were needed before the url was permanently added, just to avoid malicious abuse of the system. A similar approach ought to work for email spam - share the blacklist.

There's actually been a fair amount of research done on this type of trust network, and (barring certain specific criteria), they're quite easy to game. Using your example, what's stopping me from having multiple apparently different identities that all vote to agree that something is/not spam that is/not?
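The shared blacklist with a vote threshold proposed in #132, and the multiple-identity objection raised in the comment above, as an added example that is not part of the thread and not MT-Blacklist code. The `SharedBlacklist` class, the installation ids, the URLs and the reporter addresses are all constructed for the illustration; counting votes per reporter network instead of per identity is an assumption added here as one partial hardening, and it does nothing against reports spread across many networks.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit


def site_key(url):
    """Key reports on the lowercased host name so URL variants share votes."""
    return urlsplit(url).hostname or url.lower()


def network_key(ip):
    """Collapse a reporter address to its /24 (IPv4) or /48 (IPv6) network."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


class SharedBlacklist:
    """Hypothetical master list fed by many weblog installations."""

    def __init__(self, threshold=3):
        # The "degree of defensiveness": votes needed before a site is listed.
        self.threshold = threshold
        self._reports = defaultdict(dict)  # site -> {installation_id: ip}

    def report(self, url, installation_id, reporter_ip):
        # A repeat report from the same installation overwrites, not adds.
        self._reports[site_key(url)][installation_id] = reporter_ip

    def votes_by_identity(self, url):
        return len(self._reports[site_key(url)])

    def votes_by_network(self, url):
        ips = self._reports[site_key(url)].values()
        return len({network_key(ip) for ip in ips})

    def is_listed(self, url, count="identity"):
        votes = (self.votes_by_identity(url) if count == "identity"
                 else self.votes_by_network(url))
        return votes >= self.threshold


def build_sample():
    """Constructed reports: one spam site, one site targeted maliciously."""
    bl = SharedBlacklist(threshold=3)
    # Three unrelated installations flag the same spam link.
    bl.report("http://pills.example/buy", "blog-a", "192.0.2.10")
    bl.report("http://PILLS.example/cheap", "blog-b", "198.51.100.7")
    bl.report("http://pills.example/buy", "blog-c", "203.0.113.44")
    bl.report("http://pills.example/buy", "blog-a", "192.0.2.10")  # repeat
    # One operator files reports under five identities from one network.
    for n in range(5):
        bl.report("http://innocent-blog.example/", f"sock-{n}",
                  f"192.0.2.{200 + n}")
    return bl


if __name__ == "__main__":
    bl = build_sample()
    for url in ("http://pills.example/buy", "http://innocent-blog.example/"):
        print(url, bl.votes_by_identity(url), bl.votes_by_network(url),
              bl.is_listed(url, "identity"), bl.is_listed(url, "network"))
```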

#136 ::: Paula Lieberman ::: (view all by) ::: November 19, 2004, 10:00 PM:

Dave, most homes don't have dozens of eggs in them. And eggs disappearing from the family refrigerator is likely to cause unpleasant questions later.

#137 ::: Jonathan Vos Post ::: (view all by) ::: November 20, 2004, 12:57 AM:

Paula Lieberman and Clark Meyers:

I'm an oldest son. The second boy, Andy, invented a game based on his throwing raw eggs from the refrigerator onto the linoleum floor, putting a piece of cardboard on the gloop, running, leaping onto the cardboard, and skidding on egg-lubricant.

"I sort of thought raw eggs to be an assumed risk kind of thing myself."

My mother didn't like that much, but it was worse when Andy and I threw blackberries at each other and stained the white walls.

So, if he'd skidded into the wall and broken a limb, would we have sued the egg distributors for failing to warn against this particular mis-use? Just wondering.

Not that this has much to do with Bill Gates, who we all appreciate is The Most Spammed Man in America. Har har.

#138 ::: Paul ::: (view all by) ::: November 20, 2004, 08:44 AM:

Andrew - what you've proposed sounds basically like Vipul's Razor.

I used that for a while, and never saw it catch a single spam.

#139 ::: ChrisM ::: (view all by) ::: November 20, 2004, 12:30 PM:

Over the last couple of weeks there's been a new development on Blogger. I call them spamblogs.

They had names like "Fred Nerk's Blog" and addresses like http://frednerk1234.com. Their contents were pretty much just a set of short ads with links to whatever the site(s) was/were. I've seen ones for drugs & web services, mostly in English, one in Spanish.

It's possible there were some in different languages or a different format that I didn't pick up. I sent a list & warning - probably one of many - on to Blogger Tech Support when I first found them.

An hour or more ago I originally wrote this post, then disaster struck & it's taken me that long to get everything working again. Now I can't find the two examples I had then, so they may be gone, meaning the blogwarriors may be doing well, though I guess there'll be the usual evolutionary arms race.

Anyway, I hope this might add to your sum of useful information. Back to the quiet calm of the outer darkness now.

#140 ::: Mitch Wagner ::: (view all by) ::: November 20, 2004, 08:30 PM:

Heh. I just clicked through on not one, but two of the ads on this blog. One of them was for a media analysis blog. The ad contained a still photo of the controversial Nicolette Sheridan football ad. I finally got to see the whole, so-called controversial promo. I was underwhelmed.

The other one was for this. I not only clicked, I bought. Two.

#141 ::: Paula Lieberman ::: (view all by) ::: November 21, 2004, 12:51 AM:

It was a store that had the no sales to minors for Halloween policy, not the egg distributors. The way things are today, someone under 18 might not be even allowed in the door at a distributor--a lot of trade shows prohibit minors/anyone under 18 from attending--let alone be allowed to buy eggs from one [wholesalers restricting sales to retailers only sorts of things].

As for Children from Hell.... my friend who with her sibling went building tunnels, and Sir Richard Burton and his siblings, and Red Chief, probably come under the "acts of God" exemption!

#142 ::: MD² ::: (view all by) ::: December 02, 2004, 08:35 AM:

Just a quick jump here to give you this link, which I think you people might find interesting.
Too bad I don't have enough time on my hands to read the whole of the 32nd iteration of Open Thread (from the quick scan I made, I'm yet again missing quite some pleasurable moments).

#143 ::: John Houghton finds ironic comment spam ::: (view all by) ::: October 07, 2006, 12:49 PM:

And apparently comments are no longer blocked on old threads.

#144 ::: cd sees even more comment spam ::: (view all by) ::: October 08, 2006, 05:23 AM:

Yet again...

#145 ::: Bernard Yeh sees three more comment spam ::: (view all by) ::: October 09, 2006, 07:01 AM:

#147, 148, 149

#146 ::: Bryan ::: (view all by) ::: October 10, 2006, 07:03 AM:

I think this is the place to start selling what I got.

#147 ::: Xopher finds comment spam ::: (view all by) ::: October 10, 2006, 02:44 PM:

#151. I'm not sure about #152, because View All By doesn't work.

#148 ::: abi ::: (view all by) ::: October 10, 2006, 03:52 PM:

No, Xopher, Bryan is real (previous comment on the blackwhite newspeak thread - I did a "find" on the last 400 comments and compared email addresses.)

Bryan, what have you got, and what's the price? And remember, this is for posterity, so be interesting...

#149 ::: bryan ::: (view all by) ::: October 10, 2006, 05:27 PM:

What have I got for you here ladies and gents
and split toed herbivores?
Well nothing but the cure of everlasting glory, life eternal, and good days full of sweet sunshine!

All in Dr. Booboo's thickumish extract for 99 cents and no regrets ever but maybe feeling a bit smarter for having gotten in on a good deal. you can't beat that like you can't beat your stepchild no matter how much you'd like it. And you can't beat Dr. Booboo!

I see you there is nodding in the back row. You sir, you have the look of a man with the hand of the good deal and the poker face of a swindling jackass. Dr. Booboo was made for you. you were made for him. It is a marriage made in the best medicinal distillery of this fair nation. Thirsty heathens with bedsores and abnormal appetites from underdeveloped nations of Europe and Great Britain have long hungered for a shot of thickumish extract to ease their suffering. But I am not offering it to them. I am offering it to you, for the measly price of 99 cents a single heaven granting bottle.

You madam, peel that freckle faced brat from your red splotchety bosom and listen up. For I can make him unfreckled with one wonderous cureall that cures everything with a potion of utmost potency as though made from the gods, of the gods, by the gods and for the gods of ancient Olympum. And what is the cost to you sister? 99 cents. how can you afford not to have some thickumish extract in you?
Why, Doctor Booboo couldn't be better prescribed for putting inside you then if he made house calls and I do indeed, I do indeed.


and the cost, why 99 cents o yes indeed yes indeed....

#150 ::: Lis Riba ::: (view all by) ::: October 10, 2006, 07:18 PM:

The subject of this entry, whenever I see it in the sidebar, always reminds me of the Simpsons episode exchange:

Lawyer: But what about that tattoo on your chest? Doesn't it say, "Die, Bart, Die?"
Sideshow Bob: No, that's German for "The, Bart, The."

#151 ::: cd spots even more comments spam ::: (view all by) ::: October 11, 2006, 08:13 AM:

Time, methinks, to close this one.

#152 ::: abi ::: (view all by) ::: October 11, 2006, 04:57 PM:

bryan,

Booboo's thickumish extract
sells for ninety-nine cent
With such mangled text? Wracked
with earache, I am content.

(In other words, I did ask for it.)

#153 ::: Rob Rusick ::: (view all by) ::: October 11, 2006, 08:35 PM:

I like the numbered comments, but the problem is, when the “infernal machinery” is cranked up and the comment spam goes away, the comments about the spam no longer point to the spam.

Maybe the rule should be, that when the spam goes away, the comments about the spam are also removed.

#154 ::: joann ::: (view all by) ::: October 11, 2006, 10:04 PM:

Rob #153:

I think you mean that the comment numbers are no longer the right numbers? I too am somewhat bemused by the sight of Xopher, in what is now #147, talking about the spamminess (or not) of #152. Maybe we could sell this as time travel.

#155 ::: Xopher ::: (view all by) ::: October 11, 2006, 10:07 PM:

Spam forward, fall back?

#156 ::: Dave Luckett sees more spam ::: (view all by) ::: October 12, 2006, 10:15 AM:

Can this site be blacklisted, or are they using zombienet?

#157 ::: Carrie S. sees yet MORE spam ::: (view all by) ::: October 12, 2006, 10:47 AM:

In the comment currently numbered 158.

#158 ::: Raven ::: (view all by) ::: October 12, 2006, 11:49 AM:

Actually, from the Spamhaus ruling, it looks more like the US legal system is working in favor of the spammers.

Interesting jurisdictional question: when did US courts get authority to order UK companies to do anything like go out of business, give up their URL or IP address, etc.?

#159 ::: Howard Peirce ::: (view all by) ::: October 12, 2006, 12:58 PM:

I'm really tempted to start posting here pseudonymously as various 19th-century patent medicines.

#160 ::: Burdock Blood Bitters ::: (view all by) ::: October 12, 2006, 01:04 PM:

There are thousands of females in America who suffer untold miseries from chronic diseases common to their sex...To all such whose hollow cheeks, pale faces, sunken eyes and feeble footsteps indicate nervous and general debility bordering on consumption, we would earnestly recommend that grand system-renovating tonic, Burdock Blood Bitters. It makes pure, healthy blood, and regulates all the organs to a proper action, cures constipation, liver and kidney complaint, female weakness, nervous and general debility, and all the distressing miseries from which two-thirds of the women of America are suffering. All invalid ladies should send for our special circular addressed to ladies only, which treats on a subject of vital importance.

#161 ::: Fragano Ledgister ::: (view all by) ::: October 12, 2006, 01:07 PM:

Burdock Blood Bitters #162: What in the name of Lydia Pinkham's is 'female weakness'?

#162 ::: P J Evans ::: (view all by) ::: October 12, 2006, 01:09 PM:

Burdock Blood Bitters

Anything like 'Aunt Granny's Bitter Brittle Root'?

#163 ::: Dr. Hunter's Family Medicines ::: (view all by) ::: October 12, 2006, 01:16 PM:

Dr. Hunter's Expectorant will cure a Cough or Cold quicker and better than anything else. If taken in time it will nip Consumption in the bud...

Dr. Hunter's Worm Chocolates will save the lives of the little ones from violent convulsions, and probably death, by removing all kinds of worms that congregate in the intestinal canal...

Dr. Hunter's Compund Fluid Extract of Sarsaprilla, the old reliable Blood Purifier, has been used for years with the utmost success in all Affections of the Blood and Eruptions of the Skin. Its virtues as a Blood Tonic, Alterative and Life Renewer cannot be too highly extolled...

Dr. Hunter's Liver Pills are used expressly for the cure of Biliousness, Constipation, Torpidity of the Liver, and all derangements of the system at large, arising either from functional disorders of the internal organs or a sluggish condition of the body...

Dolorine, the greatest medical discovery of the age. It is truly called the magic Headache and Neuralgia Cure. It will instantly remove any pain, no matter how severe or where located. Toothache, Earache, Sciatica, Pleurisy, Cramps, Backache, Dog Bites, Stings of the Insects, Bruises, Scalds, Burns, Sunburn, immediately disappear before its magic touch...

#164 ::: Howard Peirce ::: (view all by) ::: October 12, 2006, 01:42 PM:

Gentlemen~~

Does your Steampunk Literary Pastiche lack a certain credulity? Is your period prose betrayed by Anachronisms and innapropriate Directness? Do you suffer from a rigorous consistency of Spelling and Capitalisation? Try UCLA Library's Digital Collection of Patent Medicine Trade Cards. Guaranteed to purge your prose of Moderniste Vigour, and capture the Wonder of Possibilities characteristic of the Age of Miracles.

UCLA Library's Digital Collection of Patent Medicine Trade Cards is the scourge of Workplace Productivity, and restores and promotes a sense of Refinement, Elucidation, and Astonishment.

#165 ::: Mary Aileen spots very persistant comment spam ::: (view all by) ::: October 12, 2006, 01:59 PM:

Those 8th Street Latinas want to make sure we don't miss them, don't they?

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 by Patrick & Teresa Nielsen Hayden. All rights reserved.