April 06, 2004

Another idea against spam

Pretty much all the spam I receive contains a link to a Web site where you are supposed to go for more information. I noticed that very often, these Web sites have been registered recently (say, in the past two months to be conservative, but it's more like a couple of weeks). The reason for this fast turnover is that spam domain names typically get taken down in the weeks that follow the spam itself.

I was wondering if this couldn't be used by filters (either Bayesian or simple rule filters such as SpamAssassin) to increase the spam probability of a suspicious email.

Whenever a domain name included in an email has been registered in the past two months, mark the email as spam.

Could it be so simple?

Posted by cedric at April 6, 2004 02:29 PM
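
The rule above as a filter check, written here as an added example and not code from the post or from SpamAssassin. The 60-day cutoff, the function names, and the `registered_on` mapping that stands in for a WHOIS lookup are assumptions; the sample message and dates are constructed.

```python
import re
from datetime import date

# Assumption: "two months" from the post is taken as 60 days.
MAX_AGE_DAYS = 60

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def linked_domains(body):
    """Return the set of registrable domains linked from the message body.

    Simplification: the registrable domain is taken as the last two labels,
    which is wrong for suffixes such as .co.uk; a real filter would use the
    Public Suffix List.
    """
    domains = set()
    for host in URL_HOST.findall(body):
        labels = host.lower().strip(".").split(".")
        if len(labels) >= 2:
            domains.add(".".join(labels[-2:]))
    return domains

def young_domains(body, registered_on, received):
    """Map each linked domain younger than MAX_AGE_DAYS to its age in days.

    registered_on: dict of domain -> registration date (WHOIS stand-in).
    Domains with no known date are skipped rather than penalised.
    """
    hits = {}
    for domain in sorted(linked_domains(body)):
        created = registered_on.get(domain)
        if created is None:
            continue
        age = (received - created).days
        if 0 <= age < MAX_AGE_DAYS:
            hits[domain] = age
    return hits

# Constructed sample data (reserved example domains, made-up dates).
SAMPLE_BODY = """Limited offer! Visit http://www.cheap-pills.example/buy now.
Unsubscribe: http://lists.example.org/unsub?id=1"""
SAMPLE_WHOIS = {
    "cheap-pills.example": date(2004, 3, 25),
    "example.org": date(1995, 8, 31),
}

if __name__ == "__main__":
    print(young_domains(SAMPLE_BODY, SAMPLE_WHOIS, date(2004, 4, 6)))
```

Returning the age instead of a yes/no verdict lets a scoring filter weight the signal rather than treat it as a hard rule.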
Comments

Before anyone does it, lemme fill in the Slashdot Spam Solution Form (SSSF):

Your post advocates a

(*) technical ( ) legislative (*) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(*) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(*) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(*) Dishonesty on the part of spammers themselves
(*) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(*) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(*) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Posted by: Carlos Villela at April 6, 2004 06:34 PM

Unfortunately spammers have an easy workaround; wait 2 months + 1 day before using the domain for the mailout. A serious spam shop will simply buy and hold domains on a regular basis, they can easily register enough new domains each month to handle the number of campaigns they expect to deliver 2 months down the road.

Posted by: Kief at April 7, 2004 02:51 AM

Interesting idea -- at the very least it could be incorporated into the learning ruleset and weighted against appropriately. It'd be interesting to see how strongly correlated it is.

One interesting wrinkle is that existing spam corpuses will all feature spam from old domains (by virtue of the contents of the corpus itself being old) -- training will have to be using fresh spam.

Posted by: Nimrod at April 7, 2004 11:37 AM

Hello,

What I am going to do is:

- If you are not in my address book, you are considered as spam,
- If you want to get in touch with me, fill in a form on my web site, filling in an alphanumeric value from a non-OCR-recognisable image randomly generated: then I may add you to my address book.

Thierry

Posted by: Thierry at April 7, 2004 01:50 PM

Thierry, this is just a bad idea. First, it ruins usability, and second, how do you manage mailing lists?

Posted by: Carlos Villela at April 8, 2004 08:09 PM

* Usability: maybe, but I do prefer that instead of the 100 spams I receive per day.

* Mailing list: you register the mailing list 'agent' in your address book and usually forward emails to a specific folder (I am using this to manage 6 mailing lists - works nicely).

Ideally, there is only one thing that is going to work: cryptography and signed-messages. But this will not happen soon.

Thierry

Posted by: Thierry at April 13, 2004 12:48 PM

can't recognize a difference..

Posted by: Gina Sofie at October 8, 2004 02:04 AM

Hi - I was looking for some political sites with articles on the recent US election and found your nice site. The comments from others on here are pretty good so I just thought I'd add my thoughts also!

Elaine Cooper

Posted by: zone diet at November 4, 2004 12:27 PM

I like Thierry's form/OCR idea. In fact some ISPs like Earthlink already have that but they do not provide an Email only account.

Anyway, spam may be about to become extinct. The spammers themselves are committing such fraudulent activities that soon no one will trust anything that comes via Email unless it is from a "known" address.

The reason I say this is that scammers have left the well known bank / cre dit c ard / ebay Phishing scams and now use regular websites to Phish account numbers. Example is a crook from Brazil that set up several Phishing sites: jfdsioe.info, abscissae.com, wqeryty.info, nrknvt.info, colinread.com, etc. and because he is in Brazil he cannot be prosecuted!

Once word gets out who will check out any offer made over email ?


See: http://groups.yahoo.com/group/Lawmen/message/261

Posted by: John at November 27, 2004 06:55 AM

This con artist has expanded his domain name registration. As of today these are the SCAM sites I know of:

abscissae.com, informacoesonline.com, maioresinformacoes.com, bixkla4.info, radewq54sd.info, lmnc84s.info, b u s i n e s s - b r . c o m, jfdsioe.info, wqeryty.info, nrknvt.info, vendasvip.com, colinread.com, festinhasbrasil.com, s e x o f i l m e s . c o m, webgatas.com, vipfilmes.com, glsfilmes.com, and videosgls.com

This type of scam is very easy to setup. Copy pictures from legitimate sites and offer "bait" products at a great price. Who could resist ?

BOTTOM LINE: when it is too good to be true then it must be a scammer phishing for your credit or bank number!

PS: why is mt-cedricqwerty.cgi so picky?
It complains about words like: c a r d, s e x, b u s i n e s s, etc.
This makes it very hard for people to comment on your blog. I will not bother next time.

Posted by: John at December 30, 2004 09:41 AM

Yet more domain name registrations under [200.211.4.189] owned by SPAM FRIENDLY ISP
embratel.net.br WHICH IGNORES ANY EMAILS TO: abuse@embratel.net.br mail-abuse@nic.br !!!
(cannot be listed here because they are "questionable content")

Posted by: jOHN at April 24, 2005 04:23 PM

2112121

Posted by: 22312 at September 8, 2005 04:14 PM