To: WSFAlist at keithlynch.net
Date: Thu, 20 Jun 2002 21:09:33 -0400
Subject: [WSFA] Re: spam, spam, and more spam
From: ronkean at juno.com
Reply-To: WSFA members <WSFAlist at keithlynch.net>

On Thu, 20 Jun 2002 02:12:34 -0400 (EDT) "Keith F. Lynch"
<kfl at keithlynch.net> writes:

> The cluelessness consists of thinking anyone will fall for it,
> thinking they can get away with it, and thinking anyone will be
> intimidated by their threats of lawsuits and claims that the FBI
> is investigating people who report their spams to their ISP.
>

I would think that just about any ISP would want to close the account of
anyone who spams via their service, because of the large number of
bounced messages coming in as a consequence of the spam.  This would seem
to be true even if the ISP had no ethical qualms about spamming itself,
and did not care about complaints coming in.

A CD can hold up to about 700 MB of data, so a CD of email addresses
could hold some 20 million addresses.  Perhaps that's why we see '14
million email addresses' advertised so frequently - 14 million is a
convenient number of addresses to fit on one CD.  Obviously, a large
percentage of the addresses on one of those CDs offered to spammers are
not valid addresses.  An estimate of what percentage are bad addresses
could be made by sending out a test message to, say, 100 addresses
randomly chosen from the CD, and then counting the bounces which come
back.  But let's say 50 percent of the addresses are bad.  If a spammer
sent out a 1 KB spam message to one million addresses, he would get back
500,000 bounces, a total of 500 MB of data (actually more, because of the
added boilerplate in a bounced message).  500 MB is way larger than what
ISPs usually provide for an inbox, so it seems that the spammer's inbox
would quickly overflow, and the extra data would create an annoyance for
the ISP, requiring the ISP to take some action to clear the data.  Also,
much spam these days is html, with graphics, so the average spam message
is really far larger than 1 KB.

Am I right that an ISP would be inconvenienced by hundreds of thousands
of bounces per day due to the activity of one account, or is there some
way that an ISP can just ignore bounces?  If I am right that almost all
ISPs, acting in their own interest, shut down spamming accounts as soon
as large scale spamming is detected, then the question arises: how do
spammers access the internet?  Do they open a new account for each
spamming session, even if the account will work for only a few hours?

Juno offers free email accounts, but Juno is not suitable for spamming
because their software blocks attempts to send even just one message to
more than 50 addresses, and a warning is issued when a message is sent to
more than 20 addresses.  Also, sending more than about 20 messages in a
session, even to just one address per message, triggers a warning, and I
think that sending more than 50 messages per session would be
automatically blocked, and would trigger an alarm.  By finessing the
limits, I suppose a spammer could send a few dozen spams per day using a
Juno account, but it hardly seems worth the trouble, since Juno will
close accounts which are the subject of abuse complaints.  It takes a
good 10 or 15 minutes of manual tedium to set up a new Juno account,
involving a toll-free call to download an access number list, and
answering questions about how much money one makes, how many cats one
owns, etc.

There are free web-based email accounts, such as those offered by yahoo
and hotmail, which are easier to set up than a Juno account, but I think
that those accounts are similarly blocked from sending out large volumes
of email.

Yahoogroups is sometimes used by spammers, as evidenced by the fact that
a couple of yahoogroups I subscribe to have been hit recently.  The
method used is that a spammer simply subscribes to a yahoogroup, then
begins spamming the group.  But that is not a very effective way to spam,
since a typical yahoogroup has only a few dozen subscribers, and the list
owner will act quickly to ban the address from which the spam comes.
Also, a yahoogroups list owner can manage the list settings to require
approval of new members, or to put new members on 'moderate' status,
which prevents their postings from reaching the list without the list
owner's approval.

So, how do spammers access the internet in a way which allows hundreds of
thousands of messages per day to be broadcast?

> I suppose there are a few legitimate businessmen caught up in it.

A few of the responses you quoted in a recent message seemed genuinely
contrite, but I suppose one never knows for sure.  I can believe that a
legitimate but naive businessperson could fall for a 'let us advertise
your business' offer from a spammer, not thinking carefully enough to
realize that the spammer will send out hundreds of thousands of unwanted
messages, to yield only a handful of serious responses to the business
which buys the advertising, and that the complaints will likely outnumber
the positive responses, and generate ill-will toward the business.  Then,
when complaints flood in to the advertiser, the light dawns, and they
have learned the lesson.

But there is something I find puzzling.  Based on the responses you
quoted, it sounds like some of the complaining you have done has been to
the spammers themselves, as distinct from the business being advertised
(if different from the spammer), or the originating ISP.  I would think
that complaining to spammers would be a waste of effort 99% of the time,
based on the hostile or ignorant attitudes evidenced by the spammers'
responses, as well as the common sense observation that spammers are not
ashamed of what they do.  Also, complaining to spammers might result in
them taking some malevolent retaliatory action against you, e.g. making
false complaints to your ISP that you are spamming or harassing, hitting
you with an overload of email, or simply adding your address to as many
spamming lists as they can.

I would think that it would be much more effective to complain directly
to the originating ISP, and possibly to the business being advertised (if
it seems to be a legitimate business), and just ignore the spammer.  I
would think that even sending a 'remove' request to the spammer would
most of the time result in your address being added to a 'live' list,
rather than being removed.  Your address might be removed from list A,
but then added to lists B, C, D, etc.

Probably some high percentage of long-time spammers are dishonest to the
extent they will not honor 'remove' requests, though they may pretend to
do so.  Some spammers may consider themselves to be honest, precisely
because they do honor remove requests, but they are still spammers.  Some
few novice spammers might genuinely believe that they are sending to an
'opt-in' list, but that fantasy would quickly be destroyed when
complaints begin to pour in to their ISP.

Here's an idea for stopping spam.  The FBI already has numerous
'Carnivore' devices in service which monitor and parse the email stream,
and perhaps also monitor web usage.  It would seem to be well within the
capability of the technology to put email traversing the internet
backbones through a parser which could be programmed to check for
messages sent to more than, say, 100 addresses, or messages of identical
content from the same origin which number more than, say, 100 within a
day.  Those messages would then be simply deleted from the data stream.
So, a hundred identical messages from the same sender, each to a hundred
different addresses, could be sent within one day without being blocked,
which would result in 10,000 messages being received.  10,000 is far less
than 1,000,000, so perhaps that protocol would reduce spam to a great
extent.  But since spammers might slightly vary the content of their
messages to defeat that protocol, a more sophisticated protocol might be
needed.  A more sophisticated protocol might keep running track of the
cumulative number of 'To:' addresses within any messages sent by a given
sender that day, and simply delete from the stream any further messages
from that sender that day, once the cumulative 'To:' address count
reaches some number, say 500.

Since there is a legitimate need for some businesses to send out
newsletters to their customers, those businesses could be issued a
permissive code which would be appended to the headers of their outgoing
messages.  The parser would be programmed to allow mass mailings which
have the correct permissive code, which would be unique to that sending
address, and possibly checksummed surreptitiously within the message, as
an additional safeguard.  The permissive code would be automatically
stripped off those headers when the message finally leaves the backbone,
to keep spammers from harvesting the code and using it to forge headers
for spam.  The permissive codes would probably have to be changed from
time to time, and those which become compromised would have to be
changed.

That technique would not work to eliminate spam throughout the world,
unless the parsers were placed on all backbones throughout the world.
But within any area or country served by backbones which have the spam
parsers, it should be very effective at eliminating spam, regardless of
where in the world it originates.  A determined spammer might be able to
somehow defeat the safeguards, and the system would not stop spamming
done on a very small scale, but the system would not have to be perfect
to be useful.

One way to implement such a system would be for the U.S. government to
provide leadership and funding for it within the U.S., but government
involvement would not be a necessity.  The system could be implemented on
a voluntary basis ISP by ISP, or by groups of ISPs who share the same
connection to the backbone, though the spam parsers would be more
effective if located on the backbones.  One would think that the market
would richly reward ISPs who are among the first to implement such a spam
elimination system, and that the internet would be a more profitable
industry with a brighter future, after spam had been largely eliminated.

Ron Kean
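
The per-sender limits and the permissive code proposed in the message above, sketched as an added Python example (not part of the original message). The thresholds are the ones the message suggests; the HMAC-based code, the key, the class and function names, and the example.test addresses are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

FILTER_KEY = b"constructed-demo-key"  # assumption: secret known only to the filter


def permissive_code(sender):
    # Assumed scheme (not from the message): HMAC-SHA256 of the sending address,
    # which makes each code unique to one sender and unguessable without the key.
    return hmac.new(FILTER_KEY, sender.lower().encode(), hashlib.sha256).hexdigest()


class BulkMailFilter:
    def __init__(self, per_msg=100, identical=100, daily_cap=None):
        self.per_msg, self.identical_max, self.daily_cap = per_msg, identical, daily_cap
        self.copies = defaultdict(int)  # (day, sender, body hash) -> copies seen
        self.rcpts = defaultdict(int)   # (day, sender) -> cumulative 'To:' count

    def allow(self, day, sender, recipients, body, code=None):
        sender = sender.lower()
        if code and hmac.compare_digest(code, permissive_code(sender)):
            return True  # licensed bulk sender (header stripping is not modelled)
        if len(recipients) > self.per_msg:
            return False  # one message addressed to too many recipients
        if self.daily_cap is not None and self.rcpts[(day, sender)] >= self.daily_cap:
            return False  # cumulative cap already reached today
        key = (day, sender, hashlib.sha256(body).digest())
        self.copies[key] += 1
        if self.copies[key] > self.identical_max:
            return False  # too many identical bodies from this origin today
        self.rcpts[(day, sender)] += len(recipients)
        return True


def delivered(filt, sender, messages, rcpts_each, vary=False, code=None):
    """Send constructed traffic for one day; return how many recipients got mail."""
    total = 0
    for i in range(messages):
        body = b"BUY NOW" + (str(i).encode() if vary else b"")
        to = [f"user{i}-{j}@example.test" for j in range(rcpts_each)]
        if filt.allow("2002-06-20", sender, to, body, code):
            total += rcpts_each
    return total
```

With only the first two limits, 150 identical messages to 100 addresses each deliver 10,000 copies and slightly varied bodies pass entirely; setting daily_cap=500 holds the same sender to 500 recipients unless the code presented matches that sender's address.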
