
Re: proposal for built-in spam burden & email privacy protection

2004-02-11 17:30:12
On Tue, 10 Feb 2004, David Berman wrote:

> Subject lines for emails should be required to have only words that
> can be found in the dictionary.  This eliminates any spam like vi@gr@ or
> m0rtgage.

This is not a sane idea.  It also eliminates a stupendous volume of
legitimate mail.  Can I no longer send email with a subject line such as
"node b10 down"?  How about "Joe's email address is
jpg@imaginary.domain.edu"?

And then there are foreign languages.  WHICH dictionary?  How many
dictionaries?

And what about spam that comes with no subject line?  Spam that comes
with an innocuous subject line that has nothing to do with the message
content?  Remember, the spammer will simply alter their message again to
penetrate any defenses you raise against it until you've closed down an
entire channel to legitimate traffic.

What about email between administrators and users ABOUT spam?  "What do
I do about vi@gr@ emails?" seems like a legitimate subject line.

What about bad spelers?  Or tpyos?

This is not an acceptable protocol-level solution for stealth spam.  Nor
are variants such as passing the words found through a crack-like
substitution tree looking for 1337 phrases, as people might use those
substitutions for legitimate reasons, or arbitrary regular expression
rulesets as to what is non-spam.  These are, however, perfectly fine
anti-spam countermeasures in user-level tools such as spamassassin and
procmail, where you can control it yourself and choose (at your own
risk) just how much legitimate mail you are willing to risk blocking in
order to reduce spam.

The information-theoretic observations already made about signal
channels and filters are entirely apropos here.  The more tightly you
control the noise, the more the signal itself degrades.

> The real problem isn't from companies who send bulk email and allow
> you to opt out.  The problem comes from people that are trying not to
> let you opt out.  Not only don't they let you opt out, but they also try
> to get around your filters.

This statement is like saying "The real problem isn't the people who
knock on your door to sell you something and go away when you open it to
say no, it is the people who knock on your door to sell you something
and when you open it come in and take your wallet, drink all your beer,
and shoot your dog."

At a very crude guess, over 50% of all spam that has an opt out uses the
opt out only to verify that they've found a live email address with a
human at the other end who reads the messages.  This is a valuable
commodity and can be (and is) repeatedly resold.  Opting out is
therefore much like opening the door to strangers when over half of them
are likely to take your beer and shoot your dog.  I opt out only when
the opt out is the URL for a well-known company, the mail header is
well-formed, and there is a decent chance that they are going to be
semi-accountable to an internet acceptable use policy in the first
place.  Presuming that their SPAM made it through spamassassin and
procmail, that is.

In bad neighborhoods where the streets are rough and folks are on the make,
the only solution is lots of police and punishments that make evil
behavior a poor risk for the bad guys.  The internet makes every bad
neighborhood in the world hyperdimensionally outside your front door.
To mutilate a metaphor...:-)

   rgb

-- 
Robert G. Brown                        http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     
email:rgb(_at_)phy(_dot_)duke(_dot_)edu
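
Added example (not part of the original message, and not code from either poster): the proposed dictionary-only subject rule and the de-leet variant, run over the subject lines discussed above, to show which legitimate mail gets rejected and which spam still passes. The word list, substitution table, watch list and the "about your account" subject are constructed for illustration.

```python
# Constructed stand-in for "the dictionary"; a real word list is far larger.
WORDS = set("""a about account address do down email emails i is joe's node
what your mortgage viagra""".split())
# Constructed substitution table and watch list for the de-leet variant.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s"})
WATCHED = {"viagra", "mortgage"}
PUNCT = ".,?!\"'"

def tokens(subject):
    # Split on whitespace; strip surrounding punctuation, keep inner symbols.
    return [t.strip(PUNCT).lower() for t in subject.split() if t.strip(PUNCT)]

def dictionary_rule(subject):
    """Proposed hard rule: accept only if every word is in the dictionary."""
    return all(t in WORDS for t in tokens(subject))

def deleet_hits(subject):
    """Variant: words that hit the watch list only after undoing substitutions."""
    return [t for t in tokens(subject)
            if t not in WORDS and t.translate(LEET) in WATCHED]

# (subject, is_spam) pairs; subjects taken from the thread except where noted.
SAMPLES = [
    ("node b10 down", False),
    ("Joe's email address is jpg@imaginary.domain.edu", False),
    ("What do I do about vi@gr@ emails?", False),
    ("vi@gr@", True),
    ("m0rtgage", True),
    ("", True),                    # spam with no subject line
    ("about your account", True),  # constructed innocuous subject
]

def evaluate(samples):
    """Return (legitimate subjects rejected, spam subjects accepted)."""
    rejected_ham = [s for s, spam in samples
                    if not spam and not dictionary_rule(s)]
    accepted_spam = [s for s, spam in samples if spam and dictionary_rule(s)]
    return rejected_ham, accepted_spam

if __name__ == "__main__":
    ham, spam = evaluate(SAMPLES)
    print("legitimate mail rejected:", ham)
    print("spam accepted:", spam)
    for s, _ in SAMPLES:
        print(repr(s), "de-leet hits:", deleet_hits(s))
```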
