Re: Hey, a sunshine-y morning with no spam

From: Robert J. Bradbury (bradbury@aeiveos.com)
Date: Wed Apr 10 2002 - 17:42:38 MDT


On Wed, 10 Apr 2002, Dave Sill wrote:

> Recognizing spam is practically impossible. Any heuristic that's
> easily implemented is also easily worked-around by spammers once
> people start using it.

I suspect however that one could develop an adaptive algorithm.
I've got 1.5 million lines of SPAM and 0.7 million lines of personal
email stored here (from the last couple of years). I find it
difficult to believe that there is not an algorithm that could not
come up with 2-3-4 word phrases indicative of "SPAM" vs. real
email. Ok, so "young girls" mutates into "immature women" mutates
into "nubile youngthangs". Pretty soon the database becomes
robust enough to block anything remotely related to the concept
you are trying to express. The faster the spammers invent new
ideas, the faster they are blocked (because people sending "normal"
email have no incentive to invent such creative expressions).
You could run the filters against "validated" conversation lists,
e.g. sci.nanotech, the extropian archives, etc. to discover unusual
phrases that are not "common" but again not "spam" to vet them.

I mean really, how many ways are there to say "lower interest rates"
or "pre-approved credit cards"???

> Tracing spam back to the originating ISP is tricky. Most spammers use
> an open relay, so DoS'ing them could get you trouble.

That is why I placed an emphasis on limited DoS'ing. You create
an annoyance/degradation problem for the admins hosting such insecure
systems. It will cause them to become aware of the problem while
realizing that attempting to make a claim against thousands or
millions of people may be futile (esp. since they are the source
of the problem in the first place). One could adopt a ratio
that each SPAM message should generate 10-100x the amount of
reverse traffic. That should be sufficient incentive to get
the ISPs to deal with it responsibly and aggressively.

One could even make it a configuration option -- how much
junk you dump on them in response to how much junk they
dump on you. That way when you go to court you could claim
very precise damage ratios. Only theirs was unsolicited
and yours was in direct response to theirs. [Alternatively,
instead of DoS attacks, multiple emails to their postmaster,
abuse manager, reply-to addresses might be justified. A
rejection of any of these emails is reason to reject the
incoming message. I've noticed that SPAM reply mailboxes
fill up very quickly.] A combination of logging reply-to
addresses, domains or IP addresses to central SPAM
detection servers should be able to provide almost
instantaneous alerts as to when a message has been
sent to 70 million names.

> > In the world I envision you have to say "May I?"!
>
> That's IM2000. In the meantime, try TMDA.

Thanks Dave, I'll investigate these. But as I've suggested the
solutions for this problem have to start as far upstream as possible
and produce negative consequences on the originating systems or their
ISPs for this to stop. The users have to create a culture among the
ISPs that SPAM is simply not an "acceptable" use. And the mail
servers/routers have to detect this the instant it occurs and respond
forcefully to it.

Since I doubt that spammers will anytime soon be sending messages
in personal key encrypted format, I do not think this is a
really difficult problem to solve.

Robert
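
[Added example, not part of the original post: a sketch of the adaptive 2-4 word phrase matching proposed above, with traffic from "validated" lists learned as non-spam so that unusual but legitimate phrases are vetted. The class and function names, the log-odds weighting, the 2.0 threshold and the sample messages are all assumptions made for illustration.]

```python
import math
import re
from collections import Counter

def phrases(text, sizes=(2, 3, 4)):
    """Set of 2-, 3- and 4-word phrases in a message, lowercased."""
    words = re.findall(r"[a-z0-9'-]+", text.lower())
    return {" ".join(words[i:i + n])
            for n in sizes for i in range(len(words) - n + 1)}

class PhraseFilter:
    def __init__(self, threshold=2.0):
        self.counts = {True: Counter(), False: Counter()}  # phrase -> messages
        self.total = {True: 0, False: 0}                   # messages per class
        self.threshold = threshold                         # assumed cut-off

    def learn(self, text, is_spam):
        """Adaptive step: every labelled message updates the phrase database."""
        self.counts[is_spam].update(phrases(text))
        self.total[is_spam] += 1

    def weight(self, phrase):
        """Smoothed log-odds that a phrase indicates spam; 0.0 if never seen."""
        s, h = self.counts[True][phrase], self.counts[False][phrase]
        if s == 0 and h == 0:
            return 0.0
        p_spam = (s + 1) / (self.total[True] + 2)
        p_ham = (h + 1) / (self.total[False] + 2)
        return math.log(p_spam / p_ham)

    def score(self, text):
        return sum(self.weight(p) for p in phrases(text))

    def is_spam(self, text):
        return self.score(text) > self.threshold

# Constructed sample messages; VALIDATED stands in for vetted list traffic.
SPAM = ["Get lower interest rates today",
        "pre-approved credit cards for you",
        "lower interest rates and pre-approved credit cards"]
VALIDATED = ["the nanotech assembler paper discusses error rates",
             "interest in the extropian list archives is growing",
             "replication error rates limit assembler designs"]

def build_filter():
    f = PhraseFilter()
    for msg in SPAM:
        f.learn(msg, True)
    for msg in VALIDATED:
        f.learn(msg, False)
    return f
```

[A reworded message scores 0.0 until one copy is reported with learn(text, True); after that its phrases carry positive weight, which is the adaptation the post describes.]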


