The Best Way To Stop Spam: Kill The Margins
from the But-You'll-Still-Get-Useless-Emails dept
The battle against spammers rages on, both in the tech and legal worlds, but sadly, with little success. Despite the advances in anti-spam technology and spammers getting sued, shutting down and having their service providers cut off their operations, the torrent of spam hitting email inboxes continues unabated. While there are several anti-spam tools that may be good enough for most users, it’s clear that a technological solution alone to stopping spam remains far off. But perhaps the biggest hope is to take aim at spammers’ profitability, as their margins look a little vulnerable. A BBC story cites some earlier research that says spammers sending out 350 million messages a month can earn roughly $100 per day, while the entire massive Storm botnet could generate around $2 million per year. Neither is a figure to sniff at, but nor are they really huge sums of money — suggesting that frustrating spammers by disrupting their services and raising costs, as well as trying to hold down responses even more, could diminish the profitability of spam to the point where it’s no longer attractive. Ironically, the rise in spam plays a part, too, since spammers are in essence competing with each other for users’ attention and clicks, so the more spam that gets sent, the worse the response rate for the individual message or campaign (for instance, the researchers’ response rate was less than 0.00001%). But the underlying issue remains the fact that people click on spam and buy stuff through it. Changing that might be even harder than developing the perfect spam filter.
Comments on “The Best Way To Stop Spam: Kill The Margins”
the real spam money trail
I tend to view spam as similar to the California gold rush.
Sure some people made money digging for gold, but most didn’t. The real money was made in being a seller of shovels, picks, and mining equipment.
If Spammers just set up shop and started blasting emails, that’s one thing. But me thinks pretty much all of them *buy* a package of emails from someone along with the software to send emails; or perhaps they buy the ability to send emails through a spam relay. Either way, the money maker is the seller of said service, not the spammer themselves.
So the ‘click through’ percentage matters even less as long as there are suckers who will keep buying thinking they will get rich. And as P.T. Barnum said…
Re: the real spam money trail
You have hit the nail on the head. People still buy into the whole medical transcriptionist scam.
They’re getting more inventive on click-throughs. I had one the other day that looked like some legit corporate marketing email with an ‘if you think you’ve received this mail in error, please click this link to un-subscribe’ at the bottom.
Of course, the link re-directed you to a store that sold manhood enhancing pills. ¬¬
Solution:
Charge everyone $0.05 per email. No more spam problem. Everybody wins…….. right?
Re: Solution:
Well, certainly whomever collects the $0.05 USD per e-mail does.
Re: Solution:
Yea, taxes and fees are the answer to every problem. You must be a Democrat.
Re: Re: Solution:
And you must be a retard.
Gas tax, sales tax, cable fees, FCC regulatory fees, Universal Lifeline fees, etc are not Democratic taxes and fees.
You sound like the ass hat that wants his taxes to be used on military proliferation and politicians’ salaries.
Re: $.05 surcharge per email
Your an idiot if you believe that. If that is true then why do I get alot of junk mail via snail mail where they have to pay to have it delivered. Cost does not matter to them, they will just steal to pay for it.
Re: Re: $.05 surcharge per email
Your an idiot if you believe that. If that is true then why do I get alot of junk mail via snail mail where they have to pay to have it delivered. Cost does not matter to them, they will just steal to pay for it.
Cost DOES matter to them. If it costs too much money or eats too far into the profits then it isn’t worth the effort. Your comparison of snail mail is appropriate, but completely misunderstood by you. I get about 2-3 pieces of junk snail-mail every day, even after “opting out.” Most of that is from companies that I already do business with, or things are are addressed to “Resident”. I get about 300 pieces of spam email every day, and I’m very careful about handing out my email address. Fortunately I have good filtering so I only get 1 or 2 of them in my inbox.
The reason that I get so few junk snail-mails is precisely because the cost is so high. At 37 cents a letter (or whatever the bulk rate is) junk mail is an expensive prospect. It usually only makes sense in the context of a targeted campaign. For example, after the remnants of Hurricane Ike went through central Ohio, we got mailers from roofing companies advertising specials for roof and siding repairs. While that was a fairly expensive mailing, it made sense in the context of being targeted to a specific time, place, and need.
Spam email, on the other hand, is mostly free. You need a program to send emails and a few mailing lists, but if you can steal bandwidth to send the emails (via a botnet) the cost per message is far, far, far less than a penny.
Re: Solution:
No, everybody loses.
The correct thing to do is find something that hurts spammers financially but only affects a very small percentage of legitimate users. Since spammers need domain names (to host websites and receive return e-mail), and they need a lot of them, raising the price charged for domains using some sort of exponential system would do the job nicely.
Basically, something like having the first 10 domains be the normal price, with the next 10 double, etc., should do the job.
Other possibilities include greatly reducing the time that you have to return a newly purchased domain for a full refund, or forcing all domain purchases to include a $100 bond that is refundable at the end of a period of time (one year, say), if there are less than N complaints about your domain.
Re: Re: Solution:
The first is a good idea. Your second idea, the bond, won’t work for one simple reason. Porn sites would recieve constant complaints from right-wing religious groups and it would cost them dearly. For that matter, Exxon could convince 100 employees to file a complaint against a treehugger site or the NRA could request members to file complaints against the ACLU. Non-profit organizations, especially smaller ones, cannot afford to shell out an extra $90 willy-nilly because someone opposed to their views wants to screw them over.
That said, perhaps there is a way to do this – a bounty system. If someone can forward enough SPAM messages to the domain registrar of a spammer, then that registrar would give the person who reported the domain a free domain. This would mean that every time someone wanted to start a new, legitimate site, they could simply look through their SPAM folder and get the domain for free. Since there is no monetary reward, the spammers themselves won’t try to game the system.
I agree. Spam will continue to exist as long as a profit margin exists. If email cost even a penny, spam would evaporate. Of course, there are numerous problems with this idea … micropayments haven’t gone over to that degree yet, etc.
Re: the e-postage idea...
…is dead-on-arrival. It cannot be made to work, no matter how it’s structured, because it’s impossible to layer a viable economic system on a massively-compromised base. If this isn’t clear, then I strongly suggest reading the recent archives of the irtf-asrg mailing list (IRTF Anti-Spam Research Group) where you will find copious discussion of it, including input from a number of people who wrote the RFCs that describe mail system behavior.
Re: Re: the e-postage idea...
You’re saying e-postage over SMTP is DOA, right? It would be nice to get off of SMTP, but that will probably take a while. Like decades.
The Best Way To Stop Spam: Kill The “spammers” … Yeah, and the margins.
stupid people
As long as there are stupid people buying into the spam emails, there will be spam.
So… there will always be spam.
Just get a good spam filter, create a thorough white list and deal with it. Gmail is awesome at keeping spam out of my inbox.
“Neither is a figure to sniff at”
Now how many of you actually sniffed while reading that? lol
Spam
I would be thrilled if all the ISPs got together and required a payment of 1 cent to deliver an e-mail, the cost of which would be passed on to the sender.
Since ISPs are already billing the users and since they can easily count how many messages you are sending, they could then turn around and bill each other for the amount of the messages.
Meanwhile, I would pay about $2-$3 per year for a spam-free inbox.
Or, make it a crime to buy a product from a spam message. Even the threat and publicity of it would make the margins dry up.
Re: With the added benefit
And when the bill for $80,000 usage fees from last month’s email arrived, you would be made aware that your computer was hijacked, thus reducing zombie and botnet contributions to the problem.
how bout a system that blocks all emails sent to a another email account unless it passes a human check eg random number box. and have the user getting the mail the opt to see if the email sent is from an active/human verified account.
Blue Frog
I think you forget one tool that spammers truly feared. Blue Frog. Until it was shut down by mistaken claims by people who didn’t understand what it really did. It did nothing the average person couldn’t do by themselves, it just made it much easier and automated. It was not a DDoS tool despite what uninformed people said.
Blue Frog went directly after the economic side of the spam business, instead of simply the tech or legal sides. It sent complaints to the companies whose products were being sold by spammers in addition to complaints of various trade/government bodies overseeing those companies, and also went after the spammers websites where they were selling the products by filling in complaints on their order forms.
Blue Frog has so far been the only tool I know about that spammers actually made a concerted public effort to kill off. Too bad they did.
Re: Blue Frog
They got rocked by their own idea. The spammers started to put a link to blue frog in their spams, causing Blue Frong’s system to turn on itself. I don’t think you can fight fire with fire when it comes to spam, you have to kill the money trail plain and simple.
Re: Blue Frog
This is utter nonsense, of course. The ignorant newbies that supported Blue Frog were, and apparently are, too stupid to grasp that what Blue Frog did was in-and-of-itself abusive — which is bad enough, but given that they knowingly targeted innocent third parties, it’s inexcusable.
There really was no difference between Blue Frog and spammers or DoS attackers or any of the other scum out there, other than Blue Frog did a better job than most of convincing the naive and gullible that they were somehow on the side of “good”.
Charge for email. What about the poor schmuck who has is email hijacked and 5 million emails get sent out? The best way to prevent spam is for spam firewalls at the major internet junctions. That and make it mandatory that somebody who wants to send bulk email to other than their own registered domains have to request a token.
The forgotten product
I always hear about the click through rates needed to profit, but no one ever mentions the value of data collected. They can make continued profits off of customer data gathered long after a low margin sale. They already abuse data that was ill gotten to spam you, they have no problem selling everything they can gather about you to every bidder.
Snail mail
“Your an idiot if you believe that. If that is true then why do I get alot of junk mail via snail mail where they have to pay to have it delivered. Cost does not matter to them, they will just steal to pay for it.”
you get snail mail from multi-billion dollar companies that that sell stuff you need every day.
Local ISPs send out snail mail because if they lock you in on $100 month for 2 years, that $1 was well spent.
Cell phone companies send snail mail for the same reason as ISPs
Local grocery stores send out snail mail because if they don’t sell their stock, it will go to waste and it costs A LOT of money to store food
Credit card companies get 3% of whatever you spend with their card. You spend $1000 on a new T.V. at Best Buy and they get $3 instantly. If you don’t pay that $1000 off right away, they now get more money every month
email spam is virtually free to send. and they only get click-through profit. it is not a reliable income on a per-person basis like everyone that sends snail mail.
spam works entirely on the law of averages. send 350mil emails at $0.01 a piece, and those emails are costing $3.5mil/month vs $20/month of a decent broadband connection to their bot-net.
Re: Snail mail
$30, using your example.
Who Sends the bill?
Email is sent via the mail server set up in your email client. A bot will either send directly, or via a any number of mail servers they have either compromised or set up as relays. There is no central system, if the ISP bills per email message, the botnet will avoid the ISP mail server. No outbound port 25, no problem, there are ways around that too, they already use them. The recieving side can’t bill the sender, they have been forging that for over a decade.
Snail mail is billable, because you cannot get your post into the system without paying first. And it is a felony to just put stuff in mailboxes.
Re: Who Sends the bill?
The solution is that you setup an “encrypted token” along with your e-mail account. You then enter the token info in your e-mail program and when any message is sent, your token is sent along with it. The receiving mail server gets the e-mail along with your token and a check sum and notifies a centralized entity that keeps tracks of billing, security tokens, and usage stats.
In essence, just like you buy a SSL Certificate, you’d buy an e-mail address token.
The best part of this is that you can just charge $10 a year for an account that sends less then 1,000 e-mails per year and so on. You can create plans that make sense. You also get pretty reliable ID checking via e-mail.
Since every e-mail would be required to have a token, black lists would be meaningful. Abuses would quickly be identified by the token holders who would be forced to not ignore the condition that their machines are infected like they currently do.
Another possible solution is to require ISPs to track stats on each users and actively deal with any users that have a high amount of SMTP or similar outbound traffic. For me, I love the idea of requiring every e-mail account to have an SSL Certificate or similar and for $10 a year it is enough to upset the balance of spam but not be on the radar as a cost.
Freedom
Re: Re: Who Sends the bill?
There are a number of things wrong with this proposal, but perhaps the most significant is that it’s already been defeated by spammers. The same spammers who either have or can readily acquire control of any of the 10e8 fully-compromised systems out there have or will have (at will) access to EVERYTHING on those systems, which includes any encryption keys, certificates, etc. They can therefore use these to render the proposed system moot.
Gmail is the way to go. I get like one spam message in my inbox per two months. Brilliant.
One premise is incorrect
We *have* in fact had a quite viable solution to the problem for decades — the difficulty is that we don’t use it. Blacklisting spam sources (more broadly, blacklisting abuse sources) works beautifully on the tactical and strategic levels, by squelching the immediate problem and providing motivation to the keepers of its source network(s) to address the situation.
Our present difficulties stem, in large part, from the steadfast refusal of many to deploy this solution and to instead waste time with thoroughly-discredited nonsense (e.g. SPF, SAV, C/R) that either does nothing to solve the problem or makes it worse. I have some hope that recent incidents (e.g. the McColo case) will make it plain to holdouts that the proper response to inbound abuse is revocation of access for the abuser — because as we saw in that case, it spurred quick action, in marked contrast to other cases where spam/spyware/abuse operations have remained in place for years at a time.
No doubt next year yet another purported “solution” for spam will be touted by someone eager to make a quick buck from gullible VCs, and no doubt it will fail completely. Meanwhile, we have an immediately-deployable mitigation tactic available that’s been conclusively proven to work.
Easy Solutions
I am a paralegal by day but I do system maintenance and repair work at night and in my free time, and would be a server sysadmin if the job presented itself, so I have the unique position of seeing both the legal and technical solutions to this problem. Let me start by saying that ALL the legal solutions are much harder than ANY of the technical ones to implement.
Some easy technical solutions…
1) Open source the GMail SPAM filtering system and make it available as both a proxy and a module for popular mail server systems (QMAIL, IIS, Dovecot, etc.) Given a choice, I don’t see why any mail server admin would turn this down.
2) Add a very, very simple email filter rule to all popular clients that checks URLs for a “referer=” or “rid=” and removes it. This would easily remove a large enough chunk of profit to stop many spammers, and could just as easily be done server-side.
3) Require every person to watch a short, 2 to 5 minute video when signing up for a webmail account. A shockingly large number of people open SPAM and click the links because they’re just uninformed about SPAM. Of course, some method to bypass the video would be a good idea too, for tech-savy people who already understand SPAM.
Any of these solutions would cut profit margins enough to put most spammers out of business. All of them combined would wipe most SPAM out overnight. All can be implemented by the big 3 email providers – Hotmail, Yahoo Mail, and GMail – in a matter of minutes and at very little cost.
Re: Easy Solutions
First, the term is “spam”. “SPAM” is a product of the Hormel company, and never refers to unsolicited bulk email.
Now on to the proposed solutions:
1) can be discarded, as gmail’s anti-spam filters are of low quality, certainly not good enough for general use.
2) is trivially defeated by spammers via obfuscation.
3) will not happen, nor would it make any difference in the behavior of users if it did. “Trying to educate users” about spam has been a lost cause for 15 years.