The Best Way To Stop Spam: Kill The Margins

from the But-You'll-Still-Get-Useless-Emails dept

The battle against spammers rages on, both in the tech and legal worlds, but sadly, with little success. Despite advances in anti-spam technology, and despite spammers being sued, shut down and cut off by their service providers, the torrent of spam hitting email inboxes continues unabated. While there are several anti-spam tools that may be good enough for most users, it’s clear that a purely technological solution to spam remains far off. But perhaps the biggest hope is to take aim at spammers’ profitability, as their margins look a little vulnerable. A BBC story cites earlier research finding that a spammer sending out 350 million messages a month can earn roughly $100 per day, while the entire massive Storm botnet could generate around $2 million per year. Neither is a figure to sniff at, but nor are they really huge sums of money — suggesting that frustrating spammers by disrupting their services and raising their costs, while driving response rates down even further, could diminish the profitability of spam to the point where it’s no longer attractive. Ironically, the rise in spam plays a part, too, since spammers are in essence competing with each other for users’ attention and clicks, so the more spam that gets sent, the worse the response rate for any individual message or campaign (the researchers measured a response rate of less than 0.00001%). But the underlying issue remains the fact that people click on spam and buy stuff through it. Changing that might be even harder than developing the perfect spam filter.


Comments on “The Best Way To Stop Spam: Kill The Margins”

PixelPusher220 says:

the real spam money trail

I tend to view spam as similar to the California gold rush.

Sure some people made money digging for gold, but most didn’t. The real money was made in being a seller of shovels, picks, and mining equipment.

If spammers just set up shop and started blasting emails, that’s one thing. But methinks pretty much all of them *buy* a package of emails from someone along with the software to send emails; or perhaps they buy the ability to send emails through a spam relay. Either way, the money maker is the seller of said service, not the spammer themselves.

So the ‘click through’ percentage matters even less as long as there are suckers who will keep buying thinking they will get rich. And as P.T. Barnum said…

Kevin says:

Re: Re: $.05 surcharge per email

You’re an idiot if you believe that. If that is true then why do I get a lot of junk mail via snail mail where they have to pay to have it delivered? Cost does not matter to them, they will just steal to pay for it.

Cost DOES matter to them. If it costs too much money or eats too far into the profits then it isn’t worth the effort. Your comparison of snail mail is appropriate, but completely misunderstood by you. I get about 2-3 pieces of junk snail-mail every day, even after “opting out.” Most of that is from companies that I already do business with, or things that are addressed to “Resident”. I get about 300 pieces of spam email every day, and I’m very careful about handing out my email address. Fortunately I have good filtering so I only get 1 or 2 of them in my inbox.

The reason that I get so few junk snail-mails is precisely because the cost is so high. At 37 cents a letter (or whatever the bulk rate is) junk mail is an expensive prospect. It usually only makes sense in the context of a targeted campaign. For example, after the remnants of Hurricane Ike went through central Ohio, we got mailers from roofing companies advertising specials for roof and siding repairs. While that was a fairly expensive mailing, it made sense in the context of being targeted to a specific time, place, and need.

Spam email, on the other hand, is mostly free. You need a program to send emails and a few mailing lists, but if you can steal bandwidth to send the emails (via a botnet) the cost per message is far, far, far less than a penny.

Jeff Rife says:

Re: Solution:

No, everybody loses.

The correct thing to do is find something that hurts spammers financially but only affects a very small percentage of legitimate users. Since spammers need domain names (to host websites and receive return e-mail), and they need a lot of them, raising the price charged for domains using some sort of exponential system would do the job nicely.

Basically, something like having the first 10 domains be the normal price, with the next 10 double, etc., should do the job.

Other possibilities include greatly reducing the time that you have to return a newly purchased domain for a full refund, or forcing all domain purchases to include a $100 bond that is refundable at the end of a period of time (one year, say), if there are less than N complaints about your domain.

Chuck (user link) says:

Re: Re: Solution:

The first is a good idea. Your second idea, the bond, won’t work for one simple reason. Porn sites would receive constant complaints from right-wing religious groups and it would cost them dearly. For that matter, Exxon could convince 100 employees to file a complaint against a treehugger site or the NRA could request members to file complaints against the ACLU. Non-profit organizations, especially smaller ones, cannot afford to shell out an extra $90 willy-nilly because someone opposed to their views wants to screw them over.

That said, perhaps there is a way to do this – a bounty system. If someone can forward enough SPAM messages to the domain registrar of a spammer, then that registrar would give the person who reported the domain a free domain. This would mean that every time someone wanted to start a new, legitimate site, they could simply look through their SPAM folder and get the domain for free. Since there is no monetary reward, the spammers themselves won’t try to game the system.

Rich Kulawiec says:

Re: the e-postage idea...

…is dead-on-arrival. It cannot be made to work, no matter how it’s structured, because it’s impossible to layer a viable economic system on a massively-compromised base. If this isn’t clear, then I strongly suggest reading the recent archives of the irtf-asrg mailing list (IRTF Anti-Spam Research Group) where you will find copious discussion of it, including input from a number of people who wrote the RFCs that describe mail system behavior.

PRMan (profile) says:


I would be thrilled if all the ISPs got together and required a payment of 1 cent to deliver an e-mail, the cost of which would be passed on to the sender.

Since ISPs are already billing the users and since they can easily count how many messages you are sending, they could then turn around and bill each other for the amount of the messages.

Meanwhile, I would pay about $2-$3 per year for a spam-free inbox.

Or, make it a crime to buy a product from a spam message. Even the threat and publicity of it would make the margins dry up.

Josh says:

Blue Frog

I think you forget one tool that spammers truly feared. Blue Frog. Until it was shut down by mistaken claims by people who didn’t understand what it really did. It did nothing the average person couldn’t do by themselves, it just made it much easier and automated. It was not a DDoS tool despite what uninformed people said.

Blue Frog went directly after the economic side of the spam business, instead of simply the tech or legal sides. It sent complaints to the companies whose products were being sold by spammers in addition to complaints of various trade/government bodies overseeing those companies, and also went after the spammers websites where they were selling the products by filling in complaints on their order forms.

Blue Frog has so far been the only tool I know about that spammers actually made a concerted public effort to kill off. Too bad they did.

Rich Kulawiec says:

Re: Blue Frog

This is utter nonsense, of course. The ignorant newbies that supported Blue Frog were, and apparently are, too stupid to grasp that what Blue Frog did was in-and-of-itself abusive — which is bad enough, but given that they knowingly targeted innocent third parties, it’s inexcusable.

There really was no difference between Blue Frog and spammers or DoS attackers or any of the other scum out there, other than Blue Frog did a better job than most of convincing the naive and gullible that they were somehow on the side of “good”.

Anonymous Coward says:

The forgotten product

I always hear about the click through rates needed to profit, but no one ever mentions the value of data collected. They can make continued profits off of customer data gathered long after a low margin sale. They already abuse data that was ill gotten to spam you, they have no problem selling everything they can gather about you to every bidder.

Anonymous Coward says:

Snail mail

“You’re an idiot if you believe that. If that is true then why do I get a lot of junk mail via snail mail where they have to pay to have it delivered? Cost does not matter to them, they will just steal to pay for it.”

You get snail mail from multi-billion dollar companies that sell stuff you need every day.

Local ISPs send out snail mail because if they lock you in on $100/month for 2 years, that $1 was well spent.

Cell phone companies send snail mail for the same reason as ISPs

Local grocery stores send out snail mail because if they don’t sell their stock, it will go to waste and it costs A LOT of money to store food

Credit card companies get 3% of whatever you spend with their card. You spend $1000 on a new T.V. at Best Buy and they get $3 instantly. If you don’t pay that $1000 off right away, they now get more money every month

Email spam is virtually free to send, and they only get click-through profit. It is not a reliable income on a per-person basis like everyone that sends snail mail.

Spam works entirely on the law of averages. Send 350mil emails at $0.01 a piece, and those emails are costing $3.5mil/month vs $20/month of a decent broadband connection to their bot-net.

Anonymous Coward says:

Who Sends the bill?

Email is sent via the mail server set up in your email client. A bot will either send directly, or via any number of mail servers they have either compromised or set up as relays. There is no central system; if the ISP bills per email message, the botnet will avoid the ISP mail server. No outbound port 25, no problem, there are ways around that too, they already use them. The receiving side can’t bill the sender, they have been forging that for over a decade.

Snail mail is billable, because you cannot get your post into the system without paying first. And it is a felony to just put stuff in mailboxes.

Freedom says:

Re: Who Sends the bill?

The solution is that you set up an “encrypted token” along with your e-mail account. You then enter the token info in your e-mail program and when any message is sent, your token is sent along with it. The receiving mail server gets the e-mail along with your token and a checksum and notifies a centralized entity that keeps track of billing, security tokens, and usage stats.

In essence, just like you buy a SSL Certificate, you’d buy an e-mail address token.

The best part of this is that you can just charge $10 a year for an account that sends fewer than 1,000 e-mails per year and so on. You can create plans that make sense. You also get pretty reliable ID checking via e-mail.

Since every e-mail would be required to have a token, black lists would be meaningful. Abuses would quickly be identified by the token holders who would be forced to not ignore the condition that their machines are infected like they currently do.

Another possible solution is to require ISPs to track stats on each user and actively deal with any users that have a high amount of SMTP or similar outbound traffic. For me, I love the idea of requiring every e-mail account to have an SSL Certificate or similar and for $10 a year it is enough to upset the balance of spam but not be on the radar as a cost.

Rich Kulawiec says:

Re: Re: Who Sends the bill?

There are a number of things wrong with this proposal, but perhaps the most significant is that it’s already been defeated by spammers. The same spammers who either have or can readily acquire control of any of the 10e8 fully-compromised systems out there have or will have (at will) access to EVERYTHING on those systems, which includes any encryption keys, certificates, etc. They can therefore use these to render the proposed system moot.
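As an added example (not code from the thread or from either commenter), the token proposal above modelled end to end, together with the failure mode Rich describes. It assumes that each account holds a secret key shared with a central registry (the proposal's "encrypted token"; an HMAC key is one concrete reading), that the token rides in a mail header, that the receiving server asks the registry to verify it, and that the registry counts usage against a yearly quota and revokes on complaints. Every name, header format and threshold here is invented for the example.

```python
"""Added example, not from the thread: a minimal model of the per-account
e-mail token scheme proposed above and the failure mode Rich's reply points
at. Assumptions: each account holds a secret key shared with a central
registry (an HMAC key stands in for the "encrypted token"), the token rides
in a mail header, the receiving server asks the registry to verify it, and
the registry counts usage against a yearly quota and revokes on complaints.
All names, formats and thresholds are invented."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

YEARLY_QUOTA = 1000   # the proposal's "fewer than 1,000 e-mails per year" plan
COMPLAINT_LIMIT = 3   # complaints before the registry revokes a token (assumed)


@dataclass
class Account:
    key: bytes
    sent: int = 0
    last_counter: int = 0
    complaints: int = 0
    revoked: bool = False


def sign(key: bytes, account_id: str, counter: int, body_hash: str) -> str:
    msg = f"{account_id}|{counter}|{body_hash}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Registry:
    """The central entity: issues keys, verifies tokens, counts usage."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def issue(self, account_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.accounts[account_id] = Account(key=key)
        return key

    def verify(self, account_id: str, counter: int, body_hash: str, sig: str) -> str:
        acct = self.accounts.get(account_id)
        if acct is None:
            return "unknown-account"
        if acct.revoked:
            return "revoked"
        if not hmac.compare_digest(sign(acct.key, account_id, counter, body_hash), sig):
            return "bad-signature"
        if counter <= acct.last_counter:      # a captured header cannot be replayed
            return "replay"
        if acct.sent >= YEARLY_QUOTA:
            return "quota-exceeded"
        acct.last_counter, acct.sent = counter, acct.sent + 1
        return "ok"

    def complain(self, account_id: str) -> None:
        acct = self.accounts[account_id]
        acct.complaints += 1
        if acct.complaints >= COMPLAINT_LIMIT:
            acct.revoked = True


def stamp(key: bytes, account_id: str, counter: int, body: bytes) -> str:
    """Sender side: the header value attached to one outgoing message."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{account_id};{counter};{body_hash};{sign(key, account_id, counter, body_hash)}"


def receive(registry: Registry, header: str, body: bytes) -> str:
    """Receiving MTA: parse the header, check the body hash, ask the registry."""
    try:
        account_id, counter, body_hash, sig = header.split(";")
        counter = int(counter)
    except ValueError:
        return "malformed-token"
    if hashlib.sha256(body).hexdigest() != body_hash:
        return "body-mismatch"
    return registry.verify(account_id, counter, body_hash, sig)


def demo() -> dict[str, str]:
    reg = Registry()
    alice = "alice@example.com"
    key = reg.issue(alice)
    r = {}
    r["legit"] = receive(reg, stamp(key, alice, 1, b"hello"), b"hello")
    r["replayed"] = receive(reg, stamp(key, alice, 1, b"hello"), b"hello")
    r["forged"] = receive(reg, stamp(b"guess", alice, 2, b"hello"), b"hello")
    r["tampered"] = receive(reg, stamp(key, alice, 2, b"hello"), b"buy now")
    # The failure mode: a bot on Alice's compromised PC reads her key from disk,
    # so its spam verifies exactly like her own mail...
    stolen = key
    r["from_bot"] = receive(reg, stamp(stolen, alice, 3, b"spam"), b"spam")
    # ...until enough recipients complain and the registry revokes the token,
    # which also cuts off Alice. At that point the scheme is blacklisting by token.
    for _ in range(COMPLAINT_LIMIT):
        reg.complain(alice)
    r["after_revocation"] = receive(reg, stamp(stolen, alice, 4, b"spam"), b"spam")
    return r
```

The forged, tampered and replayed cases are the ones the token scheme genuinely stops. The `from_bot` case is the one it does not: the bot presents a perfectly valid token, and the only lever left is volume and complaint monitoring followed by revocation, which is the per-sender form of the blacklisting the scheme was meant to replace.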

Rich Kulawiec says:

One premise is incorrect

We *have* in fact had a quite viable solution to the problem for decades — the difficulty is that we don’t use it. Blacklisting spam sources (more broadly, blacklisting abuse sources) works beautifully on the tactical and strategic levels, by squelching the immediate problem and providing motivation to the keepers of its source network(s) to address the situation.

Our present difficulties stem, in large part, from the steadfast refusal of many to deploy this solution and to instead waste time with thoroughly-discredited nonsense (e.g. SPF, SAV, C/R) that either does nothing to solve the problem or makes it worse. I have some hope that recent incidents (e.g. the McColo case) will make it plain to holdouts that the proper response to inbound abuse is revocation of access for the abuser — because as we saw in that case, it spurred quick action, in marked contrast to other cases where spam/spyware/abuse operations have remained in place for years at a time.

No doubt next year yet another purported “solution” for spam will be touted by someone eager to make a quick buck from gullible VCs, and no doubt it will fail completely. Meanwhile, we have an immediately-deployable mitigation tactic available that’s been conclusively proven to work.
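The mitigation argued for above, shown as an added example (not code from the thread or from the commenter): rejecting inbound SMTP connections by source address. Two checks are combined: an operator-maintained local blocklist of netblocks (the "revoke access for the abuser" response), and the DNS-based blocklist lookup convention from RFC 5782, where the IPv4 octets are reversed and queried under the list's zone and any answer in 127.0.0.0/8 means listed. The zone name, the resolver's answers, the netblocks and the log lines are all constructed for the example; a real deployment resolves the query name through DNS instead of the dictionary used here.

```python
"""Added example, not from the thread: blocklist-based rejection of inbound
SMTP connections. The local blocklist, the DNSBL zone, the canned resolver
answers and the Postfix-style log lines are all constructed for illustration."""
import ipaddress
import re

DNSBL_ZONE = "dnsbl.example.net"   # placeholder zone, not a real list

# Operator-maintained list: netblocks whose abuse desk never acts (constructed).
LOCAL_BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.64/27")]

# Stand-in for DNS resolution: query name -> A record, None means NXDOMAIN.
FAKE_DNS = {
    "8.2.0.192.dnsbl.example.net": "127.0.0.2",   # 192.0.2.8 is listed
}

LOG_RE = re.compile(r"connect from \S+\[(?P<ip>[\d.]+)\]")


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """RFC 5782: reverse the octets and append the zone, e.g. 8.2.0.192.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip: str, resolve=FAKE_DNS.get) -> bool:
    answer = resolve(dnsbl_query_name(ip))
    if answer is None:                       # NXDOMAIN: not listed
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def locally_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_BLOCKLIST)


def decide(ip: str) -> str:
    """Local list first (no network round trip), then the DNSBL."""
    if locally_blocked(ip):
        return "reject (local blocklist)"
    if dnsbl_listed(ip):
        return "reject (dnsbl)"
    return "accept"


def triage(log_lines) -> dict[str, str]:
    """Map each connecting IP seen in the log to the decision it would get."""
    decisions = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            decisions[m["ip"]] = decide(m["ip"])
    return decisions


SAMPLE_LOG = [   # constructed Postfix-style smtpd lines
    "Nov 12 10:01:02 mx postfix/smtpd[123]: connect from unknown[203.0.113.77]",
    "Nov 12 10:01:05 mx postfix/smtpd[124]: connect from mail.example.org[192.0.2.8]",
    "Nov 12 10:01:09 mx postfix/smtpd[125]: connect from unknown[198.51.100.70]",
    "Nov 12 10:01:12 mx postfix/smtpd[126]: connect from mx1.example.com[192.0.2.44]",
]

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG).items():
        print(f"{ip:16} {verdict}")
```

Two practitioner caveats: treat a resolver failure (SERVFAIL, timeout) as "unknown" rather than "listed", since otherwise a DNSBL outage turns into a mail outage; and RFC 5782 reserves 127.0.0.2 as a test address that every conforming list answers for, which is the easy way to check that the lookup path is wired correctly before trusting it with production traffic.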

Chuck (user link) says:

Easy Solutions

I am a paralegal by day but I do system maintenance and repair work at night and in my free time, and would be a server sysadmin if the job presented itself, so I have the unique position of seeing both the legal and technical solutions to this problem. Let me start by saying that ALL the legal solutions are much harder than ANY of the technical ones to implement.

Some easy technical solutions…

1) Open source the GMail SPAM filtering system and make it available as both a proxy and a module for popular mail server systems (QMAIL, IIS, Dovecot, etc.) Given a choice, I don’t see why any mail server admin would turn this down.

2) Add a very, very simple email filter rule to all popular clients that checks URLs for a “referer=” or “rid=” and removes it. This would easily remove a large enough chunk of profit to stop many spammers, and could just as easily be done server-side.

3) Require every person to watch a short, 2 to 5 minute video when signing up for a webmail account. A shockingly large number of people open SPAM and click the links because they’re just uninformed about SPAM. Of course, some method to bypass the video would be a good idea too, for tech-savvy people who already understand SPAM.

Any of these solutions would cut profit margins enough to put most spammers out of business. All of them combined would wipe most SPAM out overnight. All can be implemented by the big 3 email providers – Hotmail, Yahoo Mail, and GMail – in a matter of minutes and at very little cost.

Rich Kulawiec says:

Re: Easy Solutions

First, the term is “spam”. “SPAM” is a product of the Hormel company, and never refers to unsolicited bulk email.

Now on to the proposed solutions:

1) can be discarded, as gmail’s anti-spam filters are of low quality, certainly not good enough for general use.

2) is trivially defeated by spammers via obfuscation.

3) will not happen, nor would it make any difference in the behavior of users if it did. “Trying to educate users” about spam has been a lost cause for 15 years.
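Chuck's second suggestion and Rich's one-line rebuttal of it, as an added example that is not part of either comment: the "strip `referer=`/`rid=` from URLs" rule implemented with the standard library, followed by a few of the obfuscations that survive it. The campaign identifier, the URLs and the parameter names are constructed for the example.

```python
"""Added example, not from the thread: the "remove referer=/rid= from URLs"
client rule proposed above, and obfuscations that defeat it. The campaign
identifier, URLs and parameter names are constructed for illustration."""
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TRACKING_KEYS = {"referer", "rid"}


def strip_tracking(url: str, keys=TRACKING_KEYS) -> str:
    """The proposed filter: drop the named query parameters, keep everything else."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in keys]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def carries_campaign_id(url: str, campaign_id: str) -> bool:
    """Would the spammer's web server still learn which campaign produced the click?
    Checks for the raw identifier and its base64 form anywhere in the URL."""
    text = url.lower()
    b64 = base64.urlsafe_b64encode(campaign_id.encode()).decode().rstrip("=").lower()
    return campaign_id.lower() in text or b64 in text


CAMPAIGN = "rid7741"   # constructed affiliate/campaign identifier
SAMPLES = {
    # The only form the rule was written for.
    "plain": f"http://shop.example/buy?rid={CAMPAIGN}&item=12",
    # Obfuscations: none of these needs anything beyond a different URL layout.
    "renamed key": f"http://shop.example/buy?item=12&s={CAMPAIGN}",
    "in path": f"http://shop.example/{CAMPAIGN}/buy?item=12",
    "in hostname": f"http://{CAMPAIGN}.shop.example/buy?item=12",
    "base64": "http://shop.example/buy?ref="
              + base64.urlsafe_b64encode(CAMPAIGN.encode()).decode(),
}


def evaluate(samples=SAMPLES) -> dict[str, bool]:
    """For each sample URL: after stripping, does the campaign id still get through?"""
    return {name: carries_campaign_id(strip_tracking(u), CAMPAIGN)
            for name, u in samples.items()}


if __name__ == "__main__":
    for name, leaked in evaluate().items():
        print(f"{name:12} {'id survives' if leaked else 'id removed'}")
```

Only the first sample loses its identifier. Widening the rule to drop every query parameter would catch the renamed and base64 variants but not the path or hostname ones, and a spammer who controls the destination server can put the identifier anywhere in the URL, which is why a client-side parameter filter cannot cut into the click-attribution margin on its own.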