Monday, October 15, 2007

A more intelligent SPAM discussion

I wish to start a more intelligent discussion of spam than my last post led to (my fault). And YES, the story I pointed to was a hoax.

Is Spam a big problem? I contend that it is and that it is going to get worse. Some random thoughts, some of which are what to do about it.
  1. Make it illegal or make the penalties tougher. I don't know what the current legal status is, but even with tough laws this is hard to enforce because (1) What is spam? and (2) it would require international cooperation.
  2. We could try just making spam that is trying to rip you off illegal. I'm sure it is. But sometimes it's hard to tell what is a rip off and what is not. The "Nigerian Billionaire" scam is clearly a ripoff (does anyone still fall for that?) but the "you can get viagra at a cheap price" might not be. The "we can get you out of debt" is much harder to judge since (from what I understand) they pay your debts, charge you an enormous interest, but let you pay it off over a much longer period of time. It may well be legal but unethical. It may even be legal and ethical.
  3. Keep designing better software to block spam. This is the current solution, and it works pretty well, but it's getting harder, and too much real email is being blocked. Also, this is more of why I think it's a big problem: we (as a society) spend an awful lot of time and effort on this.
  4. As more people know that these are scams and fewer people fall for them, will the scam-spams stop? Can we educate people so they know better?
  5. Fighting back- there was an article in the Atlantic Monthly about people who scam the scammers- with success. But there are not enough of them, and they are not that effective, to be a real deterrent.
So there are essentially legal, technical, and educational solutions. Are there others? (NOT including assassination.) Can they work? Who is winning this war? How can we tell?

13 comments:

  1. Meh, no matter what the system there will always be someone there to scam it. If you ask someone to regulate it then you give some governmental body a mandate to infringe on liberty. I suggest you take Don Knuth's approach and stop using email.

  2. With respect to the previous comment:

    Just because someone will always try to circumvent something doesn't mean we can't work to curtail the behavior. We don't simply throw up our hands when it comes to murder, burglary, or insider trading.

    And sometimes when a government body does not intervene our liberty is curtailed. If the government didn't enforce the 25 mph speed limit on the street in front of my house, the liberty of those of us who live in this neighborhood would be curtailed. Of course you could claim that the liberty of the drivers who'd just as soon go 45 mph is curtailed, but I think for most people the scales of liberty lean toward the people who live here, use the sidewalks, and bike down the street.

    So imagine that -- government regulation can enhance personal liberty!

  3. Keep designing better software to block spam. This is the current solution, and it works pretty well, but it's getting harder, and too much real email is being blocked. Also, this is more of why I think it's a big problem: we (as a society) spend an awful lot of time and effort on this.

    Gmail's spam filter works quite well for me. It filters out quite a lot of spam while keeping false positives very low.

  4. This is actually something I've been following for a while. Part of the problem, structurally, is the decline of a production economy in favor of a (lower-wage) service economy, leading to more legal high-pressure selling (e.g., telemarketers) and more borderline and illegal activities (e.g., internet scams, but also over the radio, etc.)

    One concrete radio example:
    http://en.wikipedia.org/wiki/Blue_hippo

    One consequence is a rise in societal rage against telemarketers. No matter how PC you are, unless you don't have a phone, there's probably some part of you that thinks the following is funny, despite the poor guy who's the victim of the prank.

    http://www.youtube.com/watch?v=un_PjRXV5l8

    Logistically, it's hard to implement an international email/internet version of the Don't-Call List, especially when countries don't have/choose not to allocate resources toward enforcement of such things. The biggest bust of a foreign internet scammer I'm aware of is the following, a group that according to Russian police scammed $1.5 million in 3 years of operation:

    http://www.womenrussia.com/scammers_caught.htm

    That was a special situation, in which Vladimir Putin himself got involved. It is likely most cases are not investigated as energetically.

    With the potential rewards so high, I think this issue is very similar to the question, "How can we get drug dealing out of poor neighborhoods?" Any long-term answer must include ensuring there are more legal, societally beneficial, living-wage jobs available.

  5. Lance, we want you back!

  6. Or, at least, please give us a post on theory!

  7. Do you think it is easier for our lawmakers to define spam than for our technical leaders?

    I get a lot of spam in my snail mail. I guess this has been the situation for decades and is not yet solved.

    On the other hand I receive negligible email spam on all my email accounts except one.

  8. For a local solution, there's always the option of a white list. Explicitly allow emails from friends and family, probably all .edu addresses, and require anyone else sending you an email to put some particular string in the subject line. Advertise on your homepage to put "Real Person" before sending you an email.
    Pros: Eliminates all (traditional) spam.
    Cons: You need to update the white list before buying from a new online store, etc. Also, this still doesn't stop annoying email forwards from your aunt.

    I think if spam became a serious issue for me, that would be my solution.

  9. Typical template response below ... fill in as needed :-)

    ======================================

    Your post advocates a

    ( ) technical ( ) legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    ( ) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    ( ) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it, anywhere other than Russia
    ( ) Requires too much cooperation from spammers
    ( ) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    ( ) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    ( ) Asshats
    ( ) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( ) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    ( ) Dishonesty on the part of spammers themselves
    ( ) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    ( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    ( ) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    ( ) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, asshole! I'm going to find out where you live and burn your house down!
    ( ) THANK YOU! ONE DOWN. MANY MORE TO GO.

  10. Wow. That was impressive, chato...
    Unlike snail-spam, the problem with e-mail spamming is that it costs the sender nothing (OK, log something) to add a recipient to the mailing list. If we could have each e-mail recipient require a small but non-negligible amount of computation (at least until you're on a whitelist, for legitimate mailing lists), spam could be defeated. To do this you'd have to have some kind of protocol that works in an SMTP world.
    Gi

  11. Gi,

    What you're talking about is a "proof of work" system. It's a popular myth that these systems can solve the spam problem.

    One problem with this idea is that spammers are not using their own computers to send spam, so the extra computation has only a very small cost to them.

    Another reason has to do with the optimization problem of where to set the computational cost of sending a message so that legitimate senders don't mind paying, but spammers do. For an economic analysis of this problem, see Ben Laurie and Richard Clayton's excellently titled paper "Proof of Work Proves Not to Work", linked in my name.

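The per-recipient computation discussed in comments 10 and 11, as an added sketch that is not part of the original thread or any commenter's code: the sender searches for a counter that gives the stamp's hash a required number of leading zero bits, and the recipient checks it with a single hash. The stamp layout, the use of SHA-256, the address and the date string are assumptions made for this example.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Count zero bits before the first 1 bit of the digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

def mint(recipient: str, date: str, difficulty: int) -> tuple[str, int]:
    """Sender side: brute-force a counter. Returns (stamp, hashes tried)."""
    for n in count():
        stamp = f"{difficulty}:{date}:{recipient}:{n}"
        digest = hashlib.sha256(stamp.encode()).digest()
        if leading_zero_bits(digest) >= difficulty:
            return stamp, n + 1

def verify(stamp: str, recipient: str, date: str,
           min_difficulty: int, seen: set) -> bool:
    """Recipient side: one hash, plus checks that stop stamp reuse."""
    try:
        _claimed, s_date, rest = stamp.split(":", 2)
        s_rcpt, _counter = rest.rsplit(":", 1)
    except ValueError:
        return False                      # malformed stamp
    if s_rcpt != recipient or s_date != date:
        return False                      # minted for someone else or another day
    if stamp in seen:
        return False                      # replay: one stamp, one message
    digest = hashlib.sha256(stamp.encode()).digest()
    if leading_zero_bits(digest) < min_difficulty:
        return False                      # not enough work done
    seen.add(stamp)
    return True

if __name__ == "__main__":
    # Constructed sample values.
    stamp, tried = mint("bob@example.edu", "071015", 16)
    print(stamp, "cost the sender", tried, "hashes; the recipient needs 1")
    print(verify(stamp, "bob@example.edu", "071015", 16, set()))
```

Each extra bit of difficulty doubles the sender's expected work while verification stays at one hash. Comment 11's objection is about who pays that cost: a spammer sending from other people's compromised machines does not.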
  12. The absolute spam-blocker would be software that can pass the Turing test.

  13. http://googleblog.blogspot.com/2007/10/its-not-about-spam.html
