revjim.net

October 29th, 2003:

Hurry up and look

In an event that has stumped the scientific world, my desk is clean!

SPAM: a solution?

Here’s an overly complicated idea. Every time I sign up for a service, I give a randomly generated ID as my email address. I also register that randomly generated ID with my system and mark who is identified with it. The first time a message comes in to that address, the system takes note of the sender’s domain. Any mail to that address from that domain is authorized. Anything else is marked as SPAM. If this tends to be a problem, this SPAM classification can be removed and instead, the address can be removed as valid when SPAM is received. I have another address that I actually use for personal mail. This address is outfitted with your standard challenge response system and has a huge whitelist. This address is never used to sign up for services. I can proudly display it anywhere I’d like, as the challenge-response system will keep the SPAM out.

That’s it.

Any user that is allowed to send mail to prefixed or suffixed addresses can use it. And, unless spammers somehow get smart enough to respond to the Challenge Response, I don’t get any SPAM. If for some reason, one of the addresses that I’ve registered to use for getting mail from a service is used by a spammer, it must be because the address was GIVEN to them by the place I signed up at. Therefore, not only do I know WHO sold my address, but I can easily remove that ID and, therefore, stop the SPAM.
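A minimal sketch of the per-service address scheme described above, added here as an illustration and not code from the original post. The class name `AliasRegistry`, the `revoke_on_spam` switch and the `example.*` domains are assumptions made for the example.

```python
import secrets
from email.utils import parseaddr

class AliasRegistry:
    """Per-service aliases pinned to the first sender domain seen."""

    def __init__(self, mail_domain, revoke_on_spam=False):
        self.mail_domain = mail_domain
        self.revoke_on_spam = revoke_on_spam  # drop the alias instead of just flagging
        self.aliases = {}  # local part -> {"service": str, "domain": str or None}

    def create(self, service):
        """Generate a random address for `service` and record who received it."""
        local = secrets.token_hex(6)
        self.aliases[local] = {"service": service, "domain": None}
        return f"{local}@{self.mail_domain}"

    def classify(self, rcpt, from_header):
        """Return (verdict, service) for a message addressed to `rcpt`."""
        local = rcpt.partition("@")[0].lower()
        entry = self.aliases.get(local)
        if entry is None:
            return ("reject", None)  # never issued, or already revoked
        # Simplification: the From header is forgeable. It is used here only
        # because the post keys on "the sender's domain".
        addr = parseaddr(from_header)[1]
        sender_domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
        if not sender_domain:
            return ("spam", entry["service"])
        if entry["domain"] is None:
            entry["domain"] = sender_domain  # first message pins the domain
            return ("ham", entry["service"])
        if sender_domain == entry["domain"]:
            return ("ham", entry["service"])
        # Mail from any other domain: the alias leaked, and the registry
        # records which service it was handed to.
        if self.revoke_on_spam:
            del self.aliases[local]
        return ("spam", entry["service"])

if __name__ == "__main__":
    reg = AliasRegistry("example.org", revoke_on_spam=True)
    alias = reg.create("shop.example")  # constructed sample data below
    for sender in ("Shop <news@shop.example>", "deals@bulk.example", "news@shop.example"):
        print(sender, "->", reg.classify(alias, sender))
```

With `revoke_on_spam=True` the third message is rejected even though it comes from the pinned domain, which is the trade-off of the "remove the address when SPAM is received" variant.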

The only problem is that challenge response systems don’t work very well when the other end is a mobile device. It also doesn’t work very well for misconfigured email clients. Additionally, it could be perceived as unprofessional to send a challenge response to potential customers and/or existing clients. Also, it’s possible that the challenge response could be misunderstood or seen as spam by the recipient, and therefore ignored. And finally, if a spammer got a hold of my whitelist and my REAL email address, they could get SPAM through.

What do you think?

SPAM

Since yesterday afternoon, I’ve received 127 pieces of SPAM. 115 of them were caught by SpamAssassin. 4 messages were labeled as SPAM, when they actually weren’t. This is getting a bit annoying.

I’ve tried to lessen the blow of dealing with SPAM by dividing my SPAM into two sections. SpamAssassin marks it as SPAM if it scores above 2.8. Then my mail filters sort mail three ways. A) Not SPAM, score lower than 2.8. B) Maybe SPAM, score higher than 2.8 but lower than 5.0. C) SPAM, score higher than 5.0. The supposed benefit of this was that I would have less mail to go through looking for false SPAM identification because, chances are, if it were misclassified HAM, it would make it into the "Maybe SPAM" bucket, and not the "SPAM" bucket. In theory, this is only true about 80% of the time.

The problem is twofold. First, if I’m getting 127 pieces of SPAM in less than one day, that’s pretty excessive. Secondly, the only HAM that is misclassified are automated email messages from various sites (techies.com, slashdot.org, etc). I would consider instigating a "I think you sent me SPAM. If you didn’t, click here and the message will get through" type system for anything that scores over 5.0, but, in those cases, I’d lose the misclassified mail since it comes from automated systems.

I don’t currently use the RBL and other network based features of SpamAssassin, as it takes about 30 seconds per message to run its course, and that’s a bit long, I think. But, perhaps that is the answer to getting less SPAM classified as HAM. Or maybe I just need to lower my SPAM threshold from 2.8 to 2.0.

There has got to be a better way to deal with this. Every morning I spend about 30 minutes getting the SPAM out of my INBOX, getting the HAM out of my SPAM box, sorting through the Maybe SPAM box, training SpamAssassin, and deleting the messages. That’s 30 minutes a day I have to spend because some asshole wants me to buy his dick pills, some Viagra, or some new tool to make her cum juices flow.

The reason this problem exists is simple: PEOPLE CLICK ON, READ, AND ACTUALLY BUY PRODUCTS BASED ON SPAM!!! If we can’t stop the spammers from spamming, maybe we can stop the users from reading it. Did you know that just visiting a spammer’s site can generate revenue through advertising for its owner? Did you know that, even if all you do is look at the email, there are images in that email message that could possibly trigger a small payment to the spammer? Don’t read SPAM. Don’t click on SPAM, even if it’s funny. Don’t visit the sites of spammers. Don’t reply to spammers. Ignore them. Completely. Pretend you don’t exist. These same rules apply to the ever increasing blog comment SPAM and referrer SPAM. Visiting these sites or even acknowledging their existence generates revenue for them. And, with more revenue, they send more SPAM.

I’m not worried about the impact of receiving SPAM on my servers. I used to care. But, at this point, I’d be happy if I just didn’t have to see it.

Perhaps I need to take a different approach to SPAM. If, through technology, I make it simple enough to do so, I can create a whitelist entry for every new email address I see that isn’t sending me SPAM. This will drastically lessen the amount of misclassified HAM I get. It will also allow me to lower SpamAssassin’s SPAM threshold to almost 0. Hopefully, with this technique, I’ll get less SPAM in my INBOX and less HAM in my SPAM box. It’s a start, anyway.

Another option is to send so much traffic to the sites of spammers, that other people can’t get in. And, if other people can’t get in, the spammer’s site can’t generate revenue. And, if they don’t generate revenue, they’ll stop spamming me. Unfortunately, I don’t have the bandwidth nor the manpower to launch such an attack 127 times a day.

There are several new protocols coming forward for helping to reduce SPAM. One of them, recently announced, requires that all SPAM be PGP/SMIME signed. Another calls for a small fee to be paid per email sent. Another tries to classify which IP addresses are valid for sending mail from which domains. All of them fail in one way or another because they try to classify HAM, and invent ways of keeping spammers from classifying their mail as such. This would be great except it adds complication to the email system for users and administrators. And, in the end, some witty spammer will surely find a way around it.

There’s got to be a better way.