CSC 379:Week 1, Group 1

Techniques against spam

• Block domains or possibly top-level domans "known" to be large senders of spam.

• • Slashdot discussion of top-level domain Although the link is a public forum, the readers and participants of slashdot tend to be those more familiar with computer systems. As such, many interesting perspectives are voiced, from email server administrators to the "power user." The discussion in this particular slashdot article does not resolve the issue at hand, it does however provide a better understanding of the current situation regarding spam.

• • The Selective SMTP Rejection (S25R) System This study provides an overview of spam countermeasures currently used and their success rates. The author then presents his methodology of countermeasure using a system of filters based on regular expression and Postfix to a claimed "99% Block Rate" of spam. Under the S25R System, he claims one could filter something as specific as a single reverse lookup or IP address to something as broad as a top-level domain. It could be argued that this is not so much a "system" as it is more of a "HowTo" implementing regular expression (like Perl) with Postfix to filter out spam.

• • HowTo: Block Incoming Mail Using MS Exchange 2000 This HowTo shows how to use the built-in filters of Microsoft Exchange 2000 to block unwanted senders. Senders can be blocked on a single basis or with the use of wild cards, block domains.

• Require users to request permission to send you e-mail (i.e. Earthlink spam blocker)
  • The Challenge of Permission Email By obtaining permission in some form before emailing offers, it is thought that the overall feel of email marketing would be improved. Response rates for senders would increase, due to the fact that they have been given explicit permission to contact their recipients. While it may be costly on some levels to implement this type of system, the end result would produce a more focused system that will not instill anger amongst anyone in the system. Overall, this author feels that it would be worth the time and money investment to implement this type of system, due to the fact that senders can expect a higher rate of return on their correspondence, and the overall trust level of the situation would be improved.

Ed's note: At least insofar as the Earthlink spam blocker is concerned, I strongly disagree. The user you are trying to contact will never even know that you are trying to contact him unless you successfully navigate the challenge page (which often tells you it is expired). Sending to a large mailing list for the first time inevitably gets you several challenges. It can be maddening to try to contact someone. On the other side, deploying such a spam blocker will inevitably cause you to miss out on important contacts.

• Charge for e-mail sent
  • It is believed that charging people for every e-mail sent would virtually eliminate spam all together. E-mail would become much like the postal service in which a fee is charge for every message sent, like a stamp. The idea being that bulk e-mails would be no more economical than direct mail and would eliminate e-mail as a free form of advertising. Charging to send messages makes the costs far too high for spammers to make any profit. Many people feel however that this goes against the libertarian ideas and freedom the internet was based on. Ultimately it could be a burden to ordinary citizens and companies who rely on e-mail in every day life.
    • Is it Time to Charge for E-mail?

• Opt-in commercial e-mail

• • FTC's CAN-SPAM Act The Federal Trade Commission's page providing information on the CAN-SPAM Act for businesses. Provides an overview of the existing laws and penalties regarding spam and commercial emailers. Although the site is a federal site, the specifics are lacking. Specifically, under the "What the Law Requires," the statements are very open-ended that leaves many interpretations. For instance, "It prohibits deceptive subject lines," is very open-ended. How does one go about determining what is deceptive? What sort of metric is used? Additionally, the law specifies the use of Opt-out, but the specifics are again very open-ended. Under the "Penalties" section, it is again very vague. For example, "Relay emails through a computer or network without permission..," is somewhat too broad. How would one go about proving that someone intended to relay emails when he/she could easily say a multitude of excuses (such as "A virus used my computer as a relay," which has been known to happen before).

• • Wikipedia on E-mail Marketing Provides an overview of E-mail marketing. What the advantages and disadvantages of email marketing. The CAN-SPAM Act of 2003 that authorizes a $11,000 penalty for each spam violation to each spam recipient. To help with compliance, several third-party companies are available to help with email marketing compliance. Wiki also provides an overview of Opt-in advertising. For those interested in knowing some of the spam jargon, the Wiki does provide a glossary of terms.

• • The European Coalition Against Unsolicited Commercial Email The EuroCAUCE is a group of users (ranging from end-users to corporations) trying to find a solution to the spam problem. Their solution is for an Opt-in list. They provide the risks/benefit discussion of Opt-In vs Opt-Out. Additionally, their is link to resources that may be helpful to those who are tired of spam.

• Domain authentication
  • New Authentication System to Block Spam Yahoo! has been privately developing a new authentication system to protect email users from spam. By verifying the validity of the sender, the end email recipient can be reassured that the sender is who they say they are. The Yahoo! system uses public/private key encryption, in which an email message would be encoded with a private key that could be checked against the publuc key registered from the domain name of the server that the email claims to be from. If it matches, then all is well, if it fails, then the email is bounced and reported.
  • Domain Authentication Method Comes Up Short Sender Policy Framework, or SPF was implemented as a way to ensure that the return addresses in your email inbox are in fact who they say they are. The principle behind SPF is that DNS records are used to say which machines can transmit email, theoretically eliminating 'spoof' emails(emails that purport to come from one source, but are actually from another). However, it has now been discovered that with a few lines of malicious code and a hacked machine, SPF can be exploited.

• Bounties
  • The Federal Trade Commission has recently proposed offering a cash bounty to any citizen who helps to arrest spammers. Under the proposal the first citizen to come forward with information leading to the arrest of a spammer will receive no less than 20% of the civil penalty the FTC would eventually collect from spammers arrested due to that information. The idea is that it would be more effective if the average citizen spent the same amount of time searching for and reporting spammers as they did preventing and deleting the spam messages themselves. This would stop the problem at the root.
  • The main problem with this idea is if the FTC, FBI, and ISPs can’t find and prosecute spammers how are ordinary citizens supposed to do any better. Ordinary citizens are very unlikely to catch spammers. Rather than prosecuting spammers who abuse the internet it is believed so called “bounty hunters” are more likely to attack legitimate companies guilty of some minor, unintentional breach of the complicated CAN-SPAM Act. Putting justice in the hands of the people like this could lead to an error of internet vigilantism.
    • Spam Bounties
    • FTC Mulls Bounty System to Combat Spammers

• The "Goodmail" approach
  • With the “Goodmail” approach ISPs would sell an electronic postage stamp to companies wishing to send out bulk e-mails to their customers. This stamp guarantees companies that their e-mail will bypass all of an e-mail’s spam filters and go straight to the main mailbox as a certified message that is legitimate and safe for the reader to open. This would help people distinguish between legitimate and fraudulent e-mail by guaranteeing who the e-mail is from and that it is not a scam or virus. Also it would reduce spam by forcing companies to only contact customers likely to respond to a message in order to keep the cost of mass e-mailing down. “Goodmail” makes it unprofitable for spammers to send out bulk e-mail to which few people respond.
  • While “Goodmail” is intended to reduce bulk e-mail and provide security from phishing and scams many people feel it is just a new revenue source for ISPs and not a valid way of fighting spam. It is possible that too many marketers will be willing to pay to have their e-mails certified, resulting in large numbers of advertisements guaranteed to bypass your spam filters and go straight to your inbox. “Goodmail” is unfair to small business and non-profit organizations who can’t afford to pay for their bulk e-mails. Also “Goodmail” could cause users to view all e-mail that is not certified as unsafe. This could cause users to skip over requested e-mails because they are not certified.
    • Spam Slayer
    • Postage is Due for Companies Sending E-mail

• Bonds with escrow agencies
  • Wiki article about bonds and escrow spam techniques By adopting this approach, an 'Attention Economy' would be created, which is to say that through a user's own reports, the validity of an email or sender can be determined. The sender would be required to place a bond with an escrow agency, which the recipient could 'cash in' if the email was a waste of time. This would alert any authority to the potential spam, and appropriate action could be taken. Also, it would add more obstacles to the senders of spam.