However, the point is that spammers do send e-mails that are
entirely random text content, so they could learn to send randomized madlibs
instead.
This is a special case of a more general phenomenon. Spammers have been
forced, by the more effective antispam methods, to adopt practices that
severely limit their business success.
Everbody agrees that the most ideal way to stop spam would be to educate all
the world's users to never ever buy something from a spammer. Many of the
effective antispam schemes have the effect of forcing the spammers to do this
education themselves. Disorganized, semirandom email messages do not resemble
real advertising or inspire much confidence in a potential customer. When a
spammer has to spell his product v*1(_at_)g R0 , he is pretty severely
limited, and his potential customers are given a big clue that the seller may
not be legit.
No legitimate business today will advertise with a spammer. This is itself a
victory for antispam efforts. It was not at all clear, in the earlier days of
spam, that legitimate business might not adopt similar spam practices. Now
they realize that, as an advertising medium, spam is hoplessly polluted and
limited. Companies that run legitimate email advertising today are
scrupulously careful to do things right. (At least the ones I have allowed to
continue sending me advertising.)
In short, I don't think anti spam measures need to be 100% effective on their
own to have long term effectiveness. Every time we raise the bar for spammers,
we reduce their ability to make money from their efforts. Forcing them to buy
throwaway domains means they either have to spend some of their own money, or
steal someone elses. The former cuts into profits, the latter exposes them to
conventional law enforcement. Forcing them to buy throwaway domains also
forces them into at least a psuedo legitimate business relationship with the
domain registrar. That opens another avenue of attack against them.
Remember, spammers adopted domain spoofing in response to outside pressure. It
was not a "natural" choice for them. They could have chosen throwaway domains
instead, and in fact did for a while. They chose domain spoofing because it
was easier and/or less expensive for them and exposed them less. If we take it
away, we are forcing them to give up a choice they made for their own
advantage. We are driving them backwards. That hurts them.
The all or nothing argument is being used against SPF and other authentication
schemes in the press right now. The argument goes: SPF doesn't stop all spam,
for all time, everywhere and therefore it is useless and should be abandoned.
When my son took a logic course a couple of years ago, he learned the latin
name for this type of fallacy. (I don't recall it now.) It is such an old kind
of false reasoning that it has a name in an antique language.
Mark Holm