ietf-asrg

[Asrg] "Super Opt-Out"

2003-07-01 21:46:52
I realize this is a rather unusual and perhaps impractical idea, but I would
like to suggest something.  While the FTC has a new "do not call" list set
up at http://www.donotcall.gov/ , why can't we set up something similar?
Set up a "don't spam me" web site.  

And you think that spammers, who BLATANTLY defraud people by the millions,
steal resources, SPECIFICALLY put in all kinds of devious stratagems that are
there FOR ONE AND *ONLY* ONE PURPOSE... to get past filters SPECIFICALLY
designed to keep OUT messages just like theirs... are going to respect
opt-out requests?

The person puts in their email address,
and the site uses some sort of scripting (PHP, java, CGI, etc.) to then hit
all the major spammers' OptOut mechanisms.

The *fact* is that most "opt out" mechanisms are a fraud, and those addresses 
requesting "opt out" are sold AT A PREMIUM to other spammers... they're proof 
not only that those are good E-mail addresses, but that they're also addresses 
of people who opened the spam the opt-out instructions came in and read enough 
of it to figure out what hoops they had to jump through to request the opt-out.

Most of the spam I get has some sort of "Opt Out" link or instructions on it
somewhere.  

Right, and the great majority of that is either totally bogus (going for
example to a nonexistent E-mail account or a bogus domain) or headed to (say)
a Hotmail account or something where such use is a violation of the ToS and
will therefore be closed instantly.

If nothing else, such "opt out" mailboxes (for a mailing of more than a
million pieces) are going to flood with at least tens of thousands of opt-out
requests, and virtually no normal-user ISP accounts are prepared to deal with
such volumes of replies, into a single mailbox... meaning that most such
requests are bounced or lost.

Indeed, I think that some spammers probably send these "unsubscribe/opt-out"
messages to E-mail addresses of folks they dislike, sort of as a "joe-job" or
DoS.

They do seem to honor it, for the most part.  

I don't know who you're getting spam from, but that's VERY MUCH not my 
experience, nor that of my consulting clients and friends.

Case in point, I
was getting in excess of 60 spam emails a day last week on my yahoo account.
I started clicking on all the opt-out links and sending remove/unsubscribe
emails, according to their instructions.  Now, almost a week later, I've
gotten less than 10 a day, and that number keeps shrinking.

I think that your spam reduction is probably due more to an improvement in 
Yahoo's spam filtering than it is due to the 'unsubscribe' links you've 
responded to.

By setting up a super "opt-out" site, you could possibly reduce the
transmissions of spam, simply by having your users opt out at one site.
Alternately, a network admin could opt their user out as they set up the
user's email account.

Opt-out is a BAD design, right from the beginning.  There are probably 20-30
million businesses in the USA which might like to sell me something.  If each
one of those sent me JUST ONE E-mail A YEAR (!) that's 68,000 e-mails PER DAY
in my Inbox, and it wouldn't be until a WHOLE YEAR LATER that the flood would
stop.  And that's if EVERY 'opt-out' request was in fact honored (in fact,
almost none are).

How many "opt out" hoops are YOU willing to jump through?  Especially when no 
two spammers have quite the same procedure for "opting out"?

Is it a "magic bullet"?  Obviously not.  The site would have to be
constantly maintained to keep opt-outs updated.  Users would likely have to
visit the site periodically to opt out on spam, once their inbox started
filling up again.  Distinctions would have to be made between spam and
newsletters.  Perhaps spam would need to be separated into categories
(pornographic, get rich quick, mortgage/credit, medical, etc.) with an
option to opt out only from certain categories.  There are certainly other
aspects to consider as well.

The bottom line however is that A RECIPIENT'S MAILBOX IS *THEIR* PROPERTY and 
they shouldn't have a dumptruck backing up to it every day to shovel tons of 
unwanted crap into it.

The government needs to make it clear that sending spam is ILLEGAL, and they
ought to pursue it vigorously.  Until they do, we need to implement technical
means (like my permission list, coupled probably with some kind of a content
filter) which will reduce the number and bulk of messages that DO get
through... dispatching most of them (and most of the bulk) automatically, and
reducing as much as possible the time and effort it takes for a human to deal
with the residual ones that do still slip through.

I guess what I'm looking at is that users can filter spam, but it doesn't
stop the spam from coming in the first place.  

I personally believe that the first really practical place for spam to be
taken out of the delivery chain (in general!) is at the destination domain
(based on the E-mail address).  This might be at the intended recipient's
ISP, or at their personal domain's domain service provider.

Now, IF a sending ISP is able to detect a flood of spam coming out... then it 
would be nice to catch that, too.  That's really a separate problem.

Perhaps though, again, some sort of "abnormal behavior" detector is appropriate.

For instance, a typical home user probably wouldn't send more than (say) 10K
outgoing e-mails per month (and maybe more like 300-1K).  It might be
reasonable to apply a cap of (say) 10x their typical usage, and require they
call their ISP or something if they find (legitimately) that they've hit
their limit.  This way, a sudden big surge in outgoing sends could raise red
flags both for the user, AND for their ISP.  The same kind of approach could
work for corporate and business users, too... a sudden unexplained surge in
outgoing mail could "blow the circuit breaker" and require some kind of
investigation and manual reset.

This kind of "circuit breaker" could be provided either at the customer end 
(their E-mail client, their Exchange server, their local SMTP server, whatever) 
or could be implemented at their ISP's MTA.

Most hijacked systems are simply not habitually going to send out the kind of 
large volumes that spammers call upon them to suddenly send.  If to send out a 
(relatively small, by spam standards) five million piece mailing, a spammer had 
to hijack 10,000 victim machines (instead of five or ten) where each victim 
popped their virtual circuit breaker at (say) 500 pieces mailed per day... then 
(1) it's going to be a much bigger pain for the spammer to deal with that many 
surrogates, (2) they're going to run through their database of open relays and 
hijacked systems much, much quicker, and (3) the companies (or individuals!) 
with the irresponsibly managed systems are going to find out and (hopefully) 
correct the problem before very much (more!) damage can be done.

Using a super opt-out site would allow the users to not have the mail sent to 
them in the first place. 

The problem with these approaches is that it is SIMPLY WRONG to expect
unwilling recipients to have to jump through hoops specified arbitrarily by
those who they don't have any desire to even hear from, let alone do business
with.

Granted, there will always be spammers that won't play well with this, 

Yup.  Like ALL of them.

If spammers "played well" and really didn't want to "inconvenience" the
recipient, then they wouldn't use counterfeit forged return addresses,
deceptive subject lines, and (especially) various evasions in their messages
(much of it based on HTML or text-as-image) to try to avoid filters put in
place by the users to keep EXACTLY such messages out of their Inboxes.  But
they DO all those things, and they do it FOR ONLY ONE REASON... because they
do NOT want to respect the clearly expressed will of the recipient.

And THAT is why your "super opt out, based on the good will of the spammers" is 
simply DOA.

...but the bulk of spammers do seem to provide and abide by their opt-out
procedures.  

I have NO idea what planet YOU'VE been living on.

A super opt-out web site might provide temporary relief, until
something better can be implemented.

It would result in giving spammers a HUGE list of E-mail addresses that they 
might not have gotten around to harvesting on their own for a few more 
hours/days/weeks/months.  Sorry, I think that is a REALLY BUM idea.

Again, perhaps it is impractical, but it still might be worth considering...

For a few milliseconds, maybe.  Sorry, I TRULY do not agree.


Gordon Peterson                  http://personal.terabites.com/
1977-2002  Twenty-fifth anniversary year of Local Area Networking!
Support the Anti-SPAM Amendment!  Join at http://www.cauce.org/
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
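
The outgoing-mail "circuit breaker" described in the message above, sketched as an added example that is not part of the original post or of any MTA's code. The class and function names, the daily accounting window and the 50-per-day baseline are assumptions; the 10x multiplier, the 500-per-day trip point and the five-million-piece mailing are the figures from the message.

```python
import math
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class OutboundBreaker:
    """Per-account send cap that latches open until someone resets it by hand."""
    typical_per_day: int                 # assumed baseline from the account's history
    multiplier: int = 10                 # "10x their typical usage" (from the message)
    sent: dict = field(default_factory=dict)   # day -> messages relayed that day
    tripped_on: Optional[str] = None     # day the breaker blew, None while closed

    @property
    def cap(self) -> int:
        return self.typical_per_day * self.multiplier

    def allow(self, day: str, recipients: int = 1) -> bool:
        """Return True if a message to this many recipients may be relayed."""
        if self.tripped_on is not None:
            return False                 # no automatic recovery on the next day
        used = self.sent.get(day, 0)
        if used + recipients > self.cap:
            self.tripped_on = day        # red flag for both the user and the ISP
            return False
        self.sent[day] = used + recipients
        return True

    def manual_reset(self) -> None:
        """Called by the ISP or administrator after investigating the surge."""
        self.tripped_on = None


def machines_needed(mailing_size: int, cap_per_day: int) -> int:
    """Hosts required to deliver a mailing in one day when every host is capped."""
    return math.ceil(mailing_size / cap_per_day)


def simulate(attempts_by_day: dict, typical_per_day: int) -> dict:
    """Replay per-day send attempts through one breaker; report what got relayed."""
    breaker = OutboundBreaker(typical_per_day)
    relayed = {}
    for day, attempts in attempts_by_day.items():
        relayed[day] = sum(breaker.allow(day) for _ in range(attempts))
    return {"relayed": relayed, "tripped_on": breaker.tripped_on}


# Constructed sample: two ordinary days, a hijack-sized surge, then normal use again.
SAMPLE = {"2003-07-01": 40, "2003-07-02": 35, "2003-07-03": 5000, "2003-07-04": 30}
```

With the sample, the surge day is cut off at the cap and the following day's ordinary mail is also held, which is the signal that makes the account owner contact the ISP.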


