×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

5 Things the Boss Should Know About Spam Fighting

Zonk posted more than 7 years ago | from the never-give-up-never-surrender dept.

Networking 168

Esther Schindler writes "Sysadmins and email administrators were asked to identify the one thing they wish the CIO understood about their efforts to fight spam. The CIO website is now running their five most important tips, in an effort to educate the corporate brass. Recommendations are mostly along the lines of informing corporate management; letting bosses know that there is no 'silver bullet', and that the battle will never really end. There's also a suggestion to educate on technical matters, bringing executives into the loop on terms like SMTP and POP. Their first recommendation, though, is to make sure no mail is lost. 'This is a risk management practice, and you need to decide where you want to put your risk. Would you rather risk getting spam with lower risk of losing/delaying messages you actually wanted to get, or would you rather risk losing/delaying legitimate messages with lower risk of spam? You can't have both, no matter how loudly you scream.'"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

168 comments

sup (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18054504)

hay doods wtf is going on with natalie portman?

Re:sup (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18054766)

hay doods wtf is going on with natalie portman?
I dunno, but for some strange reason I have a craving for hot grits now!

Nothing lost? (4, Informative)

Anonymous Coward | more than 7 years ago | (#18054534)

Their first recommendation, though, is to make sure no mail is lost.

Nice goal, but you are going to lose mail. It is either going to get buried in the pile of spam or misclassified as spam by your software and pitched. What you need to do is pick an acceptable level -- it is all about trade-offs.

I like to REJECT (not bounce!) spam, so when you accidentally mark good stuff as spam, the sender has a chance to get the message to you later.

Re:Nothing lost? (1)

Skater (41976) | more than 7 years ago | (#18054706)

I like to REJECT (not bounce!) spam, so when you accidentally mark good stuff as spam, the sender has a chance to get the message to you later.

Yeah, thanks. Then when someone fakes my email address as the return address, I get thousands of bounce messages.

Re:Nothing lost? (5, Insightful)

Anonymous Coward | more than 7 years ago | (#18054830)

Yeah, thanks. Then when someone fakes my email address as the return address, I get thousands of bounce messages.

Did you miss the part about:

I like to REJECT (not bounce!) spam

If I reject the mail, then you'll only get a message back if your SMTP server was the one that was sending it. If I bounce the mail, then you'll a message even if it was forged elsewhere.

People who bounce spam are almost as bad as the spammers. Rejecting spam is much better than just deleting it because it gives the sender a chance to fix your mistake.

Re:Nothing lost? (1)

Skater (41976) | more than 7 years ago | (#18054850)

Ah, okay. I didn't catch that distinction. Sorry - I'm just bitter from the thousands of messages I've had to clean up, including a mailbomb or two.

Re:Nothing lost? (1)

jeremyp (130771) | more than 7 years ago | (#18056382)

If I reject the mail, then you'll only get a message back if your SMTP server was the one that was sending it. If I bounce the mail, then you'll a message even if it was forged elsewhere.
Err, no. If you reject a mail, the SMTP server that tried to connect to your SMTP server (and got a 5xx response) will send a bounce message back to what it perceives as the sender - who is almost certainly forged in a spam e-mail.

People who bounce spam are almost as bad as the spammers. Rejecting spam is much better than just deleting it because it gives the sender a chance to fix your mistake.
You want the sender to fix your mistake? Somehow, I don't think you meant that.

Re:Nothing lost? (0)

Anonymous Coward | more than 7 years ago | (#18056622)

Err, no. If you reject a mail, the SMTP server that tried to connect to your SMTP server (and got a 5xx response) will send a bounce message back to what it perceives as the sender - who is almost certainly forged in a spam e-mail.

Only if you have a badly mis-configured SMTP server. I supposed spammers *could* use a badly mis-configured SMTP server, but in my experience all the bounces I get for forged spam are from the recipient's MTA. The botnets are interested in pumping out as much spam as possible, not handling rejects. (And what would be the point? The spammers know perfectly well that 99.9% of the addresses they are forging are bogus.)

You want the sender to fix your mistake? Somehow, I don't think you meant that.

Sure I do. If I bounce Aunt Sally's recipe for double-chocolate mango pie, I want her MTA to let her know the message wasn't delivered. Otherwise, there isn't any opportunity to fix the mistake. Of course, I'd prefer not to make a mistake in classifying a message as spam, but no system is perfect. Just how do you handle false positives?

Re:Nothing lost? (4, Insightful)

mabu (178417) | more than 7 years ago | (#18054824)

A good RBL-based system never loses mail. Any legitimate mail that is blocked causes the original sender to be notified. Content-based filtering systems don't work like that scheme, so people that use mail filtering do lost more legitimate mail, and the worse part is, the senders never know their mail was lost. This is why content-based filtering doesn't work and RBLs do.

Re:Nothing lost? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18054976)

You can use rejects with either RBL or content-based filtering. You just have to have the SMTP server in the loop when you are doing the filtering. With your RBL you can reject after the envelope, but with spamassassin (or whatever) you reject after the data. Most systems aren't set up that way for various reasons, but if you have control over your MTA you can do it right.

Re:Nothing lost? (2, Informative)

secolactico (519805) | more than 7 years ago | (#18056088)

Indeed. Problem is, examining the data is a problem when you get a huge influx of email regularly. You can always host spamassassin on a separate server and call it from the smtp server, I guess.

I know several people has said it on this thread and on almost all mail/spam threads, but it can't be stressed enough: Reject the message on the SMTP phase! DO NOT accept the message and then bounce it. I guess viruses you can discard if you want, but DO NOT bounce them!

Exchange admins, please configure your server to properly reject unknown users. Thanks.

Re:Nothing lost? (3, Insightful)

digitig (1056110) | more than 7 years ago | (#18055158)

RBL-based systems do lose mail. A potential customer emails me and a competitor with a request for a quotation. From me they get a blacklist notification, from my competitor they get a quotation. The potential customer, upset at being accused of being a spammer, never bothers trying to email me again. I've not only lost their original email but I've lost all future email from them too.

Re:Nothing lost? (0)

Anonymous Coward | more than 7 years ago | (#18055520)

It depends on the sort of business your in - we would never reject email either for the same reason as you, but I'm glad one of our suppliers did. Badly configured server (open relay), got on Spamcop's blacklist, suppliers server rejected it - which was the only warning we had.

Result: we fixed our server, and gained respect for their IT guys.

WTF? (4, Interesting)

Watson Ladd (955755) | more than 7 years ago | (#18054544)

How does the CIO not understand what the IT deparment is doing and still become CIO? Can someone clue me in on the way a manager can know nothing of what they manage and still be a manager?

Re:WTF? (3, Insightful)

cyber-vandal (148830) | more than 7 years ago | (#18054562)

Because the people who appoint them don't understand IT either and believe it to be so simple that anyone can manage it.

Re:WTF? (4, Insightful)

winkydink (650484) | more than 7 years ago | (#18054686)

The majority of the CIO's I know come from the Apps side of the house, not the Ops side. Please note, I said the majority, not all.

Do you really believe that a CIO understands all of the underlying technology in the IT department, even at a basic level? Trust me, most don't. It's near impossible, especially when most CIO's haven't been individual contributors for many years.

Re:WTF? (2, Funny)

Nimloth (704789) | more than 7 years ago | (#18056160)

Do you really believe that a CIO understands all of the underlying technology in the IT department, even at a basic level? Trust me, most don't.
QFT... I'm in the process of customizing SugarCRM Open Source for our company's needs, and after I'd pitched a demo to my CIO to show him what we'd be able to do with it once finished, he was really impressed. A week later I hear him in a meeting with management: "Yeah, it's open source, which means it's the same guys that did this that wrote Linux.".
*shrug* At least I got management approval :P

Re:WTF? (1)

IL-CSIXTY4 (801087) | more than 7 years ago | (#18054710)

Many CIOs today cut their teeth on the systems of yesterday, and have spent many years in middle and upper management since their days "in the trenches". They've gotten good at management, but they've lost touch with the day to day realities of what they're managing.

For example, a CIO I worked under advised us that we could increase the efficiency of our database-driven app by reading the records in a random-access manner, rather than processing the whole "file" of orders sequentially each time we wanted to retrieve a record.

Re:WTF? (1)

JimDaGeek (983925) | more than 7 years ago | (#18054972)

For example, a CIO I worked under advised us that we could increase the efficiency of our database-driven app by reading the records in a random-access manner, rather than processing the whole "file" of orders sequentially each time we wanted to retrieve a record.
Oh man... I just spit something out of my nose! Did anyone correct your CIO? To me this sounds like the last time this dude had _any_ knowledge of IT, it was with COBOL/CICS type stuff.

May you be blessed my son :-)

Re:WTF? (1)

thogard (43403) | more than 7 years ago | (#18055878)

That old guy was so wrong. Doesn't he know with modern virtual memory based disk access we can write have programs that opens a huge text file and reads through the entire thing faster than we can set up the connection to the sql server to ask it to look in an index?

Re:WTF? (3, Insightful)

StarvingSE (875139) | more than 7 years ago | (#18055592)

Managers may have lost touch with the latest techno-babble, but they should not be berated because of it. They are obviously smart individuals who were neck deep in the technology of their time. When you are a manager, you have a reasonable level of expectation that your employees will be knowledgeable of the most current technology.

Many high level concepts such as requirements, design, group management, etc can be managed by people and they don't have to have intimate knowledge of the latest technology. I am not saying that management should not learn it, but they should expect their employees to be the experts.

Why is it that there are a lot of people in IT who are so snobbish "omg!!!@!!!.... you don't know about xyz technology, you made a mistake hahahhadjhaflkdjfs luser." Are other technical/engineering fields like this? (not a knock on the parent post, just askin' in general).

Re:WTF? (1)

IL-CSIXTY4 (801087) | more than 7 years ago | (#18055834)

There's a difference between not knowing how to write code for Hibernate and not understanding what a relational database is.

C-level managers are making decisions that effect the entire department under them, and set the direction of the company. It's fine if a CIO doesn't know the nuts & bolts of the technology in use, but they should at least understand the basic concepts. That's why things like CIO Magazine and CompTIA's i-Net+ certification exist. They boil down technologies to the essential things someone in that position needs to know.

They've honed their management & decision-making skills over the years. But they should have some clue about what it is they're managing, or else they're just a highly-paid suit in a fancy office.

Re:WTF? (1)

AeroIllini (726211) | more than 7 years ago | (#18056472)

Why is it that there are a lot of people in IT who are so snobbish "omg!!!@!!!.... you don't know about xyz technology, you made a mistake hahahhadjhaflkdjfs luser." Are other technical/engineering fields like this? (not a knock on the parent post, just askin' in general).

Yeah, they are.

When you talk about the snobby people in IT, you're usually referring to those at the bottom of the heap, organizationally. These are the guys in the server room who don't really have the authority to make any decisions, and who are simply working on the day-to-day operations of the IT department.

Compare this with trench engineers at any engineering/manufacturing firm. I work as an engineer at a very large engineering/manufacturing firm, and let me tell you, engineers are terrible when it comes to lording minutiae over people's heads. Being able to quote stress calculation numbers for some part we designed a decade ago is a badge of pride. Additionally, those in our organization who are not engineers, but who are also at the bottom, pride themselves in their detailed knowledge of the bureaucracy. These are the people who are always quoting process specs and operations manuals to get their way, and they come off as very snotty and arrogant.

The ones who are not that way inevitably get promoted out of the bottom level of the organization, and I'm sure the same is true in IT departments. People who continue with that attitude will always stay at the bottom, allowing them to become bitter and feed their own need to justify their existence by lording minutiae over people's heads.

Re:WTF? (0)

Anonymous Coward | more than 7 years ago | (#18054738)

How does the CIO not understand what the IT department is doing and still become CIO? Can someone clue me in on the way a manager can know nothing of what they manage and still be a manager?

That answer is easy, they kiss up and ??it down. No kidding, do you think big organizations want rational disciplined people at the top? Technical people rarely make it into management ranks and when they do it is with a "few" tech companies only. When they do, they tend to either not last long or become quite a success for their organizations.

North American I/T hasn't promoted from with in its organizations for decades. It is also why CIOs don't know much.

If nothing else, a CEOs perspective of a good CIO isn't the same as who you would want to teach your daughter. For your daughter would not know the word NO and would always be bent over.

Re:WTF? (1)

beakerMeep (716990) | more than 7 years ago | (#18054764)

The article seems to be a tool for CIOs to educate CEOs . But I like your "I-didn't-read-the-article-but- im-going-to-feign-indignance-anyways" thing you got going there.

Re:WTF? (1)

thogard (43403) | more than 7 years ago | (#18055838)

That is why I'm disappointed that it didn't focus on the "go talk to your local elected official about making this illegal"

Spamers have stolen the usefulness of email away and if its not fixed real soon, it will be completely worthless to more and more people. I'm hearing from more and more people "oh, I don't check email much anymore, its all junk"

"Congress shall make no law..." (1)

digitig (1056110) | more than 7 years ago | (#18056128)

It's amazing how quickly Slashdotters switch from quoting the Bill of Rights in order to defend freedom of speech that they want to ignoring the Bill of Rights in order to to condemn freedom of speech that they don't want. It's no wonder American lawyers earn so much!

Re:"Congress shall make no law..." (1)

thogard (43403) | more than 7 years ago | (#18056186)

Freedom of speech doesn't mean I have to put up with someone in my face 24x7.

It is illegal to push prescription drugs on children yet not a single DA has bused a spamer for drug pushing.

Re:"Congress shall make no law..." (1)

digitig (1056110) | more than 7 years ago | (#18056464)

You don't have to. You can turn off your computer just as easily as you can turn off your TV and radio.

Please note that I don't think that the freedom of speech argument is any justification for allowing spam to continue. I just don't happen to think it's an argument for most of the other things it's brought out in defence of, either (and I write as a member of Liberty [liberty-hu...hts.org.uk], an approximate UK parallel to the ACLU, so don't read me as being pro-censorship, either!)

Re:WTF? (4, Insightful)

rucs_hack (784150) | more than 7 years ago | (#18054802)

managers manage well by having people below them who know their jobs. That way they manage the people themselves, not micromanage everything they have to do.

A good manager should appear to have very little to do, because everything is so well organised.

A bad manager is very easy to spot. People under them feel unsupported, become over relient on rules and regulations, and everything takes so long to do that nothing gets done.

I've experienced both types of management, the bad type is painful. When I've managed (in medicine) I worked very hard to train my people to trust in their own abilities and take on and enjoy responsibility.

Nothing to do with spam in this post I realise, but then I hate spam, nasty fatty stuff.

Re:WTF? (5, Insightful)

Jonny do good (1002498) | more than 7 years ago | (#18054826)

How does the CIO not understand what the IT deparment is doing and still become CIO? Can someone clue me in on the way a manager can know nothing of what they manage and still be a manager?

Because managers are there to manage, not to be technicians. The most effective managers should know something about what they manage, but they do not need to know the details. They are supposed to be "big-picture" people and leave the details to the experts they hire. When a manager knows too much about what they manage they tend to micro-manage and I am sure we all dislike that more than ignorant managers.

Personally I would rather have a manager that gives me the responsibility and flexibility to make the decisions that are within the scope of my job function who knows nothing about what I do and how I do it than one that is more knowledgable but ties my hands when it comes to getting things done. The CIO should dictate the overarching business strategy to the IS department and help ensure that their work helps accomplish the goals of that strategy. The details are for the rest of the department to figure out. Remember, the IS department is a supporting function, no different from accounting, marketing, or HR... it is not the business.

I'm sure I will be flamed for this response, but it is typical of technical people (not just IT, but in all functions) to have disdain for those in charge because they don't know what we know. But it isn't their job to, or else they would have no reason to hire us. A CIO position is NOT a technical position. Expecting a CIO to know everthing going on in the IS department is the same as expecting the CEO to know it as well.

Re:WTF? (0)

Anonymous Coward | more than 7 years ago | (#18055362)

The CIO should dictate the overarching business strategy to the IS department and help ensure that their work helps accomplish the goals of that strategy.

Management should be a two way street. A CIO that just goes to meetings and nods his heads and agrees isn't worth anything when he comes back to the IS department and dictates to them that the CEO just changed vendors on a major software component over golf yesterday, and the windows application has to be rewritten to run on netware 3.11 in time for the product launch next week.

A CIO who actually knew what his employees were working with and how the proposed changes affect them would (hopefully) at least offer a weak protest or a demand for a schedule change thanks to the last minute specification change. Anything to make the xOs understand that it's not the IS department's fault that they can't keep up with a whimsical captain.

Re:WTF? (1)

Jonny do good (1002498) | more than 7 years ago | (#18056338)

A CIO that just goes to meetings and nods his heads and agrees isn't worth anything when he comes back to the IS department and dictates to them that the CEO just changed vendors on a major software component over golf yesterday, and the windows application has to be rewritten to run on netware 3.11 in time for the product launch next week.

I would completely agree with you. My point is that the CEO and CIO don't always need to be involved in operational decisions at the technical level. In smaller companies they may have to deal with the issues you speak of. In a larger organization the CEO shouldn't care at all about vendors or tactical decisions made in the IT department. The job of a CIO isn't to dictate what products are used to accomplish a particular goal, it should be to dictacte the goal and let the people that have to implement the steps needed to accomplish that goal make the decisions they need to in order to get there. The CIO should understand things at a higher level, for example: they should understand what a spam filter is, if it seems to work, how much it costs to implement (software, hardware, and other resources), and is it in line with an organizational goal; but how it works shouldn't matter, only that it does or doesn't help reduce wasted resources.

In your example both the CIO and CEO are incompetent. They shouldn't be dictating a vendor change, the person or team that is implementing the end goal should be making those decisions. If the CIO is part of the team implementing the changes then it would stand to reason that they know what is going on, but in most cases they are there to keep the IT department from running wild and just implementing things that they think are cool but make little or no contribution to the business. The CIO position was corporate America's response to IT departments buying cool toys with little or no value to the organization. An MIS manager with some technical knowledge (or his/her team) should be making the decisions you were writing about.

Re:WTF? (1)

Ykant (318168) | more than 7 years ago | (#18055924)

I'm constantly reminded how lucky I am. About ten years ago, my current CIO was the person who did all the coding, back when the company was much smaller. We've grown a lot, there's an actual IT department of 20 now (as opposed to the three "computer people" we started with) but everything is still built on the stuff she coded way back when. She spent many late nights coding, coding, coding, up until about 3 or 4 years ago. She's happy enough with the current team that she's taken a step back, and just worries about the big picture. She is our biggest advocate and in our corner, but can be extremely demanding. But of all the people at the top, she's the one who knows what's within the realm of possibility. She makes some tough demands, but at least they're informed ones.

Re:WTF? (1)

JimDaGeek (983925) | more than 7 years ago | (#18054918)

Oh...Boy!!!

I have worked for 3 fortune xxx companies. None of the CIO/CTO have know _anything_ about IT. Nothing. All have been business people that were transfered from some other department. A lot of the bigger companies like to play "musical manager" where the "upper" level management gets moved around so they know more roles of the company. This gets them promoted faster... go figure.

I just recently went through a corporate re-org. The new CIO is actually a "financial" chick (though her knowledge there is _very_ limited) and has as much knowledge about computers as my 84 year old grandmother-in-law, seriously! Maybe she slept with the right people? Oh, and I don't mean that to be some anti-feminist. Our previous CIO was a real retard, I was surprised if he could even log in properly with a username and password.

P.S. I am saying all of this as a senior programmer, not a system admin. I felt sooooo bad for my good friends that were admins. Damn, those dude had to deal with a lot of crap. :-)

God, it makes me sick.

Re:WTF? (1)

t14m4t (205907) | more than 7 years ago | (#18055176)

I work at the Naval Submarine School in Groton, CT. Actually, I'm the CIO there (until the 26th when I transfer to Norfolk), how apropos.

Anyway, I took over the job when the fileserver crashed, and the CIO at the time didn't understand the difference between a workstation and a server, and couldn't figure out what "no backup" meant. Bless her soul, she's a great leader over a good many things. But she was assigned to the job because the commanding officer at the time was not IT-savvy, and said "it's just management of people, the techs know what they're doing."

After she was fired, they looked for someone IT-smart. I e-mailed my boss and said "I've been doing IT support for 3 or 4 years, one on a submarine, two in college, and several months in the Computer Science department after graduation while waiting for follow-on schooling. And I have a BS in CS." They took about 2 minutes to give me the job. That's how long it took for them to receive the e-mail.

Anyway, enough rambling, my point is that I can understand how it happens. You don't have to be IT-smart to become CIO. You just have to demonstrate to whomever is hiring that you can get the job done.

weylin

Re:WTF? (1)

nighty5 (615965) | more than 7 years ago | (#18055410)

Because the higher you go, the more you manage just people, resources and money.

What they actually do has little to do with it, this is especially the case in larger govt organisations where the CIO's are people with almost no understanding of computers.

Something for nothing and spam for free (3, Insightful)

canuck57 (662392) | more than 7 years ago | (#18054596)

You can't have both, no matter how loudly you scream.

Trouble is how many CIO understand the technology they supervise enough to make a good business judgement?

The one thing I will tell them follows like this:

Trust your own I/T staff for maters of technical choice and direction, they have the most to gain, the most to lose and have to live with the consequences. Vendors know how to sell problems then the solutions, users know how to blame their lack of patience and personal issues on computers. I/T personnel often are the ones to eat the heat on organizational issues beyond their control. This includes the flawed systems we use today. Let I/T participate in business descisions, not to rule but nor to be a door mat for the next irrational business type having a conniption fit.

Uh, how about... (0)

Anonymous Coward | more than 7 years ago | (#18054616)

Just routing what you suspect as spam into a separate folder. That way, if anything looks legit in there, I can double check before deleting it. You know, leave the power with the people. Why do you guys feel the need to protect us from ourselves? Oh, nanny IT. Rather than train your people properly, just protect them from themselves... it works so well for government after all.

The Silver Bullet (0)

Anonymous Coward | more than 7 years ago | (#18054656)

How to eliminate spam:

0) Use a whitelist. Validate incoming messages against trusted keys using strong public-key encryption. This has been around for, oh, 30 years.

1) Don't bother with any blacklists.

2) Incoming messages not on the whitelist are automatically returned with a challenge. The user does not see the message until the challenge is solved, at which point the sender could be added to the whitelist.

One good challenge involves finding a partial collision for a strong hash. For example, find a 12 byte string which when appended to [some 4 random bytes] hashes to [some 4 random bytes plus the remainder padded with don't care bytes]. Using a partial collision allows the difficulty to be tweaked. For example, a challenge requiring one minute of average computation could only be solved 1440 times per day. Most email would be whitelisted and spammers would not be able to solve challenges economically.

3) No more spam!

Re:The Silver Bullet (1)

maynard (3337) | more than 7 years ago | (#18054860)

Now try to implement your suggestions on a mail server that supports 500 users or more. Good luck.

Silver Ricochet.. (1)

tempest69 (572798) | more than 7 years ago | (#18055040)

You have a nice start, but it has some weird consequences.

1. Sending email gets infuriating as your machine slows to a crawl anytime someone hasnt whitelisted you.

2. Maintaining a Taint Free Whitelist gets to be a bit tricky.

3. How is this going to work for services like Gmail and Yahoo? A minute of chug time on a machine is expensive if your offering it for free. If you whitelist them it doesnt do much good because then spammers just use those accounts

4. How does this work for people in poor areas of the world using some antique machine (like a Pentium 200 mmx) where email would take 30 minutes a peice to send. Counter Proposal--- 0) No white list, however a digital signature (spam score/service type) from trusted trackers (like spamhouse, etc). 1) A proposed challenge is sent for (CLASS1 Trusted) 2) The client will either accept or decline the challenge to drop to the next level (CLASS2 Trusted) which would be a lighter challenge, but sorted accordingly. 3) After negotiating the terms of transmittal then the problem would be solved, and tagged appropriatly. With standard sendmail at the very bottom.. _________ some of the kickers... The spam score is a monster again.. as you need to have both a "start date" and a "most recent date" to classify the longevity of the account, and that it hasnt been used for spam lately. As well as having a "Diversity" score that keeps spammers from farming accounts for later use. The spam score keeps people from having to endure the longer wait. It also allows for the free-email systems to track individual accounts without so much work.

As far as the challenge goes I would go with an AES key that needs the last X digits solved.. But hash collision seems fine to me.

It is still a pretty weak solution for the people with low computer power..

Storm

Re:Silver Ricochet.. (1)

IkeTo (27776) | more than 7 years ago | (#18056516)

> you have a nice start, but it has some weird consequences.

> 1. Sending email gets infuriating as your machine slows to a crawl anytime
> someone hasnt whitelisted you.

This really does not need to be slow. There are many "trapdoor functions" for you to build your challenge response. Given the answer (that you pick randomly) you can easily generate the question (and therefore can easily check whether it really answer the question), but given the question it takes an arbitrarily long time to compute the answer. The server only need to run the "fast" routes, but the client need to run the "slow" route.

> 2. Maintaining a Taint Free Whitelist gets to be a bit tricky.

Most people only have so many people contacting him, so building a white-list is not as horrible as it sounds. Not to say that this is particularly interesting for support staff of companies, though, who constantly need to respond to emails from complete strangers. And you can build software that if a challenge-response is answered correctly, and, after reading the mail, you do not click on the delete button before you do other actions (e.g., to archive it or to place it into some folder), the sender is added to the white-list automatically.

> 3. How is this going to work for services like Gmail and Yahoo? A minute of
> chug time on a machine is expensive if your offering it for free. If you
> whitelist them it doesnt do much good because then spammers just use those
> accounts

That's for Gmail and Yahoo to think about. If the market is full of solutions that have negligible spam problem, they will be creative to think about solutions that they can adopt as well. The current problem is that the whole market is filled with solutions that has "features" (like unauthenticated and deniability) that some people somehow like while at the same time encourage spam.

> 4. How does this work for people in poor areas of the world using some antique
> machine (like a Pentium 200 mmx) where email would take 30 minutes a peice to
> send.

Hm... if you mean that those computers need that amount of time to just send e-mails, then those systems are not usable today already, no need to cater for them. If you mean that those computers need that amount of time to answer a challenge-response, then the answer is simple: just have that person to talk to the one he want to contact in some other means, like a phone call, so that the address is put into a white-list.

Now my take for adding one more question:

5. This doesn't solve the problem when your friend's mail account is broken (by virus or trojan horse), and subverted into a spam sending center.

Re:The Silver Bullet (0)

Anonymous Coward | more than 7 years ago | (#18056066)

*headdesk*
Yes, some people use challenge/response for anything not whitelisted. Two reasons this is bad
(1) It's annoying, hardly anybody uses it. So if e-mail is going out to you that isn't that important to the sender, but personally important to you, you might get screwed.
(2) Collateral damage, this happens a lot. The challenge goes to the person whose address got forged. And sadly, you cannot neatly tuck full challenge messages into SMTP reject messages.

And honestly, why do you think one slashdot poster in a couple of paragraphs has a chance of solving a problem that the experts haven't been able to yet?

Re:The Silver Bullet (1)

imroy (755) | more than 7 years ago | (#18056366)

Anonymous Coward said:

Incoming messages not on the whitelist are automatically returned with a challenge.

Translation:

It's not enough that I get spam, I wish to share the problem with all the people whose email addresses are being used by spammers!

Thanks for spreading the problem, idiot.

POP? (3, Insightful)

Corporate Troll (537873) | more than 7 years ago | (#18054662)

SMTP and POP

Now, nothing against educating management... but POP? POP doesn't belong in the enterprise. Even at home I have my own IMAP server. POP is a relic of the dialup-time where you only had access to your own computer and nobody else (seemed) to have one.

A shame that gmail doesn't support IMAP, I'd prefer it that way instead of that poor POP3 hack they use...

Re:POP? (1)

MichaelSmith (789609) | more than 7 years ago | (#18054728)

POP doesn't belong in the enterprise.

Where I work we can use either. Inboxes on the mail server have a 16MB limit and they regularly fill up. Because I need to keep more than that I use POP.

Re:POP? (2, Insightful)

Corporate Troll (537873) | more than 7 years ago | (#18054792)

16MB? Wow... That's suckitude pure... My personal mailserver can cope 2Gig, and that's only because the /var is a separate partition of 2Gig. I don't know what it is at work, but I haven't reached it yet.... I get those funny videos all the time, but I delete them at once, so my space usage isn't all that big. Haven't heard complaints of the management types yet, so I think that the limits are very reasonable.

Frankly, tell IT to buy a few disks.... 16MB is about what I had as a student at the University computer in 1994.

Re:POP? (1)

maynard (3337) | more than 7 years ago | (#18054990)

Try supporting 500 users using traditional unix INBOX file format. Clients must perform a linear extraction to cull out headers, which leads to tremendous scalability problems. The solution is to implement a db which creates an index of headers for clients.

Then things get better. But that still doesn't solve all the problems with excessive spam.

Time to dump smtp for something better.

Re:POP? (1)

Corporate Troll (537873) | more than 7 years ago | (#18055020)

Hey, I'm talking about a 5 user system.... INBOX works fine for that. 100++ users should use a database, but that's simply overkill for my situation. I'm not saying that INBOX is a good solution, but 16MB mailbox is a bit small... Ever a moderatly big database can cope much more

Re:POP? (0)

Anonymous Coward | more than 7 years ago | (#18055170)

Try supporting 500 users using traditional unix INBOX file format.

Then start using Maildir format and an IMAP server that supports it.

Re:POP? (1)

maynard (3337) | more than 7 years ago | (#18055230)

Damn straight. I'm working on it. Have to remove all those bullshit client nfs mounts of the mail spool first. They all expect INBOX. Once that's done - boom! - to email sanity I come!

Re:POP? (1)

AeroIllini (726211) | more than 7 years ago | (#18056562)

I work in a giant company of 150,000 employees. Each of us gets 20MB of space on the Exchange server, for mail and calendar.

Every employee, outside of the factory, has their own computer to use at their desk, and if you need to bring files away from your desk frequently, it is not difficult to swap out your desktop for a laptop. (I'm not sure how much extra the laptop costs in a given manager's budget, but it's not much.) There are bigger network servers available for passing files around, but they are paid for by managers' budgets, on an as-needed basis.

No one really has a need to log on to a computer that's not their own, so it makes sense to distribute storage capacity for email among the employees' desktops and laptops, instead of sinking money into giant datacenters. Those desktops and laptops have disk space available, anyway.

This system seems to work well for the company. Occasionally someone with a desktop wishes they had network access during a meeting, but if that happens often enough, their manager just upgrades them to a laptop which they bring to meetings. There is secure wireless available everywhere, and everyone with a laptop gets a docking station at their desk, including a real keyboard, real mouse, and real LCD screen.

Outside of college, I've never really been in a situation where I've needed to log onto lots of random computers and still have network access to my files/email. 16-20 MB is not unreasonable.

Re:POP? (1)

torrentfuze (1065424) | more than 7 years ago | (#18054840)

I prefer to download all my emails and read them using POP than have to wait for the network lag to give me my emails.

Re:POP? (1)

Corporate Troll (537873) | more than 7 years ago | (#18054876)

I understand that, but that falls in the category "dial-up".... On a LAN, the network lag should be insignificant. Sure, that 10M powerpoint from my boss, won't open immediately, but with POP it would take ages to download it in the first place. I just delete it without opening it ;-)

Re:POP? (1)

vadim_t (324782) | more than 7 years ago | (#18054948)

Then use offline IMAP. It's the best thing of both worlds: Mail's on disk, so it's quick to access, but it's also on the server so you have all your mail anywhere.

Re:POP? (1)

DogDude (805747) | more than 7 years ago | (#18054890)

What's wrong with POP? I don't see any limitations or problems with it.

Re:POP? (1)

Corporate Troll (537873) | more than 7 years ago | (#18054994)

Not married, no children, eh?

I won't start to enumerate all that is wrong with POP but consider my simple configuration: I have my own mailserver. Now if I would use POP, I would be constrained to one single machine. This does not reflect reality, we have one laptop and two desktops. Now, if I check my mail on my wifes computer (it's the one that is always on), and a good friend sends me email. Alas, I don't have time to reply at that moment. Later, my wife is shopping at amazon on her computer and I think it's a good idea to reply to that friend. Ooops... Mail gone. Wife, can you please do your amazon shopping on one of the other two computers because I need to reply to that friend.

IMAP gives you your email on every computer regardless what one it its. POP is fine for single-computer usage and the world have moved beyond that.

Re:POP? (1)

DogDude (805747) | more than 7 years ago | (#18055118)

I just tick the checkbox that says "leave on server". Works fine for me.

Re:POP? (1)

Corporate Troll (537873) | more than 7 years ago | (#18055164)

Yes, I did that too...You always get tons of mails saying they are new but they are not... and with gmail it doesn't work at all. Mails marked as read are not resent...

IMAP is superior... Try it for a while, and you'll see the light. Not so long ago, I thought the same thing...

You can have some of both (1)

timeOday (582209) | more than 7 years ago | (#18054666)

Would you rather risk getting spam with lower risk of losing/delaying messages you actually wanted to get, or would you rather risk losing/delaying legitimate messages with lower risk of spam? You can't have both, no matter how loudly you scream.'
This is misleading. There's no reason one spam filter cannot provide both higher sensitivity and higher specificity than some other inferior spam filter. Once you pick a filter then, yes, there is a tradeoff in selecting your decision boundary.

Why Is It? (2, Funny)

George Johnston (1018968) | more than 7 years ago | (#18054714)

Was my spam filter installed backwards? It seems to let the ads through and trashes emails from my friends... Don't mind me, I am just auditioning for a CIO job. It pays a lot better.

Beware the combination of spam and UETA (2, Insightful)

grandpa-geek (981017) | more than 7 years ago | (#18054750)

Around 2000 there was legislation adopted in many states called the Uniform Electronic Transactions Act (UETA). Under UETA a legal notice sent by email is considered delivered to the recipient when it enters the recipient's ISP, regardless of whether the recipient ever sees the email. This was the UETA drafters' attempt to create the equivalent of something called the "mail box rule" for email. AFAIK, under the mail box rule, if you give a legal notice to the post office, it is considered delivered.

There are numerous examples of legitimate emails getting caught in spam filters, and there are ways to format a legal notice to raise the likelihood that it will be caught by a spam filter.

In addition to educating our corporate managements, we also need to educate legislators about this and to get UETA amended in the various states to recognize the realities of todays electronic commerce environment.

Re:Beware the combination of spam and UETA (1)

nuzak (959558) | more than 7 years ago | (#18055914)

> AFAIK, under the mail box rule, if you give a legal notice to the post office, it is considered delivered.

Delivered, yes. Received, no. Try serving a subpoena that way.

Five Things Everybody Needs To Know About Spam (5, Informative)

mabu (178417) | more than 7 years ago | (#18054780)

Forget CIOs... there are many system administrators who don't know the real issues regarding spam. Here are some things everyone needs to know:

1. Content filtering is not a solution.

I hate to say it, but it's the truth. Filtering mail based on what's in the e-mail message is a never-ending battle that does not work. It slows down mail service, causes legitimate mail to be blocked more often than using RBLs, and violates peoples privacy, costs more money to maintain and makes the mail system inherently less efficient and reliable.

E-mail used to be instantaneous. Now it isn't, because all the major ISPs toss their mail into big queues where they go over it and file it away or pass it on. If you send something to a Bellsouth users nowadays, they *might* get it 6+ hours later! Stupid, content filtering doesn't work and creates worse problems.

2. The Spam problem is mostly a law enforcement issue and not a technological issue.

99.9% of spammers break the law. The reason why spamming is such a problem is because national and international authorities won't get off their lazy asses and prosecute the spammers for the laws they break. In the end, you'll do more to reduce spam by petitioning your local district attorney to prosecute spammers than installing some obnoxious cpu-chewing filter that will become obsolete within two weeks. And no, the jurisdiction issue is bogus. Technology exists to track all these spammers right back to where they are. There are spammers all over the world and especially in the U.S. that can and should be in jail right now, but they're not because the Feds are more interested in going after people like Tommy Chong. Call your D.A. Call your Congressman. Complain that your reps aren't putting these guys in jail.

When I say "spam" I mean the big spam operations. The industry can easily police itself of low-level, incompetent opt-in schemes, but that's not the real "spam" problem we're talking about.

3. Don't listen to the anti-virus/anti-spyware software companies.

These companies make their living off of spam. There is an inherent conflict of interest in relying on Symantec or any other company to be trusted to help deal with the spam problem. They need spam and they'll never do what's necessary to stop spam from becoming more of a problem. This is analagous to why car manufacturers won't build more reliable/efficient cars when they are capable of doing so -- it's not profitable for them. Stop looking to McAffee or any of these other foxes to be trusted in helping you guard your henhouse.

4. Most anti-spam methods do nothing to stop spam, except relay blacklisting.

Spammers steal bandwidth, violate peoples' security, tamper with third-party computers and bog down the Internet. Content-based filtering does not hurt spammers. RBLs do. Relay blacklisting is the single most effective deterrent in the war on spam. PERIOD. No other method both stops spam, and makes it exponentially more expensive and troublesome for spammers to do their job.

Relay blacklisting works. If you don't like RBLs, chances are you just had a bad experience with a bad one. Try a different one or create your own. They work. They work exceptionally well and best of all, they save bandwidth and resources from the spammer's grimy hands. They also have the added benefit of stopping the propagation of worms and punishing irresponsible ISPs who allow their zombie users to pollute the Internet. There is NO BETTER THING CURRENTLY you can do to combat the spam war than by feeding and using RBLs (aside from following #2 and complaining that spammers aren't being prosecuted).

5. There are not that many spam operations. The spam epidemic is not unstoppable.

The amount of spam going around on the Internet has increased but only proportionally to the amount of user and bandwidth growth, and not due to more and more people getting into the spam business. A cursory examination of most spam clearly indicates that there are merely a handful of "spam gangs" responsible for the lion's share of the spam. These people are also likely responsible for most worms and viruses propagation, and most of the phishing schemes.

Why are so few people responsible for such a big problem and why is nobody really going after them? That's a more important issue to investigate.

Let's stop putting band-aids on the problem at our own expense.

Re:Five Things Everybody Needs To Know About Spam (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18055436)

1. Content filtering is not a solution.


It's certainly part of the solution. For me at least. And I get a lot of spam every day.

2. The Spam problem is mostly a law enforcement issue and not a technological issue.


Yeah, just like robbery. Don't hold your breath.

3. Don't listen to the anti-virus/anti-spyware software companies.

Don't you think you're a bit too paranoid?

4. Most anti-spam methods do nothing to stop spam, except relay blacklisting.

Maybe this is your favorite solution. But black lists do not work. If you have experienced problems it is just a sign that they do not work. Spammers use bot nets, and change addresses just for that.
I use a combination of white listing and content filtering, and it is working great.

5. There are not that many spam operations. The spam epidemic is not unstoppable.

Look, spammers will never go away. Just as commercial propaganda in snail mail. Even if it's illegal.

Re:Five Things Everybody Needs To Know About Spam (0)

Anonymous Coward | more than 7 years ago | (#18056194)

>1. Content filtering is not a solution.
          Yes it is. It's not good, but it works. ISPs with 6 hour backlogs are just not spending the cash needed to keep enough filtering hardware in place, and/or bought inefficient filtering packages, didn't optimize it any, etc. Fixed filters are bad, but a bayesian filter works GREAT. I pulled about 800 messages a while back, 140 spam properly flagged (with no messages falsely flagged as spam), and like 2 spams that got through.. I'm subscribed to several security mailing lists, and the 2 spams had security mailing list excerpts in the body, so I'm not surprised they weren't flagged 8-). Anyway, with something like spamprobe, it took maybe 2 weeks to start blocking some spam, and maybe another 2 weeks to become "mostly" effective. It's just gotten better from there.

>2. The Spam problem is mostly a law enforcement issue and not a >technological issue.

          Yes you're right. But the police, FTC, etc. don't seem to have anyone with the technical ability to track spammers down, and are so spotty about enforcement, that they might as well not exist.

>3. Don't listen to the anti-virus/anti-spyware software companies.
          Right again. Putting a virus filter on the E-Mail isn't a bad idea, but I wouldn't use them for spam filtering.

>4. Most anti-spam methods do nothing to stop spam, except relay >blacklisting.

          Most spam is now sent via random Windows boxes that get cracked and are used to send spam. From what I hear of some BIG operations (that aren't getting these 6 hour delays and crap), they will use blacklists as an INITIAL filter to knock out some spam, but then do other filtering to catch the rest.

>5. There are not that many spam operations. The spam epidemic is not >unstoppable.
          You are right.

>Why are so few people responsible for such a big problem and why is nobody >really going after them? That's a more important issue to investigate.

          Hear hear! I wonder if the FTC etc. even realize they could arrest like 10 people and take care of most spam? Until they do something, or some vigilantes take care of the spammers for them (hint hint!), knowing that just 5 or 10 people are sending doesn't help block though -- they're usually using illegally constructed botnets to send the spam. These spammers tend to have enough cash and no sense of morals to abuse the legal system; "regular people" that have tried to hassle spammers tend to get sued; witness spammers suing some of the spammer blacklists by trying to claim they aren't spammers; in a few cases the judge even sided with them! Insane but true.

Heres a way to end spam. Completly. (1)

El_Oscuro (1022477) | more than 7 years ago | (#18056862)

One key is to understand how spammers work.
  1. A spammer sets up a "bot-net" of compromised Windows computers, sometimes in the thousands.
  2. The spammer configures the zombies to send out about 1,000 spams a day, which most computers can handle without the user noticing.
  3. By using thousands of zombies [emailbattles.com], a spammer can send out millions of viagras a day, at almost no cost to himself.
  4. If 99.9% of the spam is filtered or ignored, it doesn't matter to the spammer, as the .1% represents thousands of sales per day.

The trick is to target the one vulnerability all spammers have: A website to sell their goods. All spam messages have a link where you click to buy the viagra, invest in Nigerian hedge funds, etc.

This vulnerability could be renlentessly attacked by ISPs, where each filtered spam generates an automatic "opt out" message to the website contained in the email. Kind of like bluefrog [emailbattles.com], with attitude. The beauty of it is, unlike bluefrog, there is no single point the spammers can attack, since individual ISPs would be generating the opt out requests instead of a single website.

Right now, a spammer only has to process the requests from the spam that actually gets through and is responded to. If this is implemented, the spammer would have to process (or ignore) every spam sent out by one of his zombies. Kind of a Self-Denial of Service attack.

When you have to process 18,000 requests a day, your hardware and bandwidth costs are minimal. If you had to process all 18,000,000 your zombies sent out, your costs would be considerably higher, and it might make spamming somewhat less profitable.

mail is broken (4, Interesting)

maynard (3337) | more than 7 years ago | (#18054782)

I'm shutting down our lab mail server and migrating a large userbase to central university mail services because of all the problems we're experiencing with supporting an internal mail server. Everything from excessive spam (and it's well over 90% of all incoming connections), people using email as for storing files (as if it were a home directory), and recent rulings demanding that IT offices track email and IMs [go.com].

I worked out how much staff time we spend maintaining and supporting our mail server and was shocked. For a service that's commoditized and available for free from any number of vendors (never mind our uni's central IT service we're already paying for), and I worked out that last year we had spent ~100 hrs/yr of staff time. Looking back I realized that in years previous we had spent far less on a per year basis. IOW: staff consumption on mail service was growing while prices for commodity email service was plummeting (all the way down to near free).

Dumping email support is the only rational solution.

Where will this go? I think email (as in RFC822, etc) is doomed. The protocol is broken. It has no safeguards to confirm the legitimacy of the sender or recipient, no mechanism to secure the communication during transmission (like a real envelope), and as a result the protocol begs to be exploited by Internet fucktards. Which is exactly what's happening. Time to toss SMTP and start from scratch.

Re:mail is broken (1)

DogDude (805747) | more than 7 years ago | (#18054942)

Why bother handling mail yourself? Like you said, it's a cheap (free) commodity now, and the people running the big services are the experts. Running your own email these days is the equivalent of trying to generate your own power. Yeah, it's neat-o if you can do it yourself, but it's cheaper and easier to let the professionals handle it so that you can get along with doing whatever it is that you do.

Re:mail is broken (1)

maynard (3337) | more than 7 years ago | (#18055008)

I've been running large mail servers for a decade and a half. It's not about skill. The problem is that the protocol can't confirm the basics of what it means to safely communicate. One must confirm that the sender and recipient are who they say they are. One must confirm that the communication is private. One must finally confirm delivery and receipt of the message.

SMTP does none of that.

Re:mail is broken (1)

thogard (43403) | more than 7 years ago | (#18055962)

X.400 can confirm who the senders are. Thats pointless for most spam today. Check out the messages who happen to have links to https sites and you will see that many spamers are happy to set up a real company and get a cert just to sucker a few more people. Its just a tiny cost of doing business that they are more than happy to pay for.

I on the other hand am not happy to pay the thousands of dollars every year to run an x.400 like certificate chain and email system.

Re:mail is broken (1)

maynard (3337) | more than 7 years ago | (#18056628)

Yeah. The cert authorities are a real problem right now. X400 is a reasonable alternative.

Some in this thread have argued that spammers will simply obtain proper certs and go their merry spamming way. However, I think that the formality of purchasing a cert means that records of the purchase would be available for subpoena. At that point, it's up to a state prosecutor of US Attorney to take the next step.

Re:mail is broken (1)

flyingfsck (986395) | more than 7 years ago | (#18055128)

Uhm, if you are spending that much time on it, then you are doing something wrong. Well over 99% of email coming my way is spam, but it never enters the server - it simply gets rejected using RBLs, grey listing and other methods. The remaining little bit, is filtered very well by Spam Assassin and I only tune the server once a year around Christmas time.

Re:mail is broken (1)

maynard (3337) | more than 7 years ago | (#18055142)

Great solution for a personal mail server. But when you're responsible for systems that handle mail for VIPs like Nobel Prize winners and scientists regularly interviewed on television... things change.

Re:mail is broken (2, Insightful)

nuzak (959558) | more than 7 years ago | (#18056024)

> I think email (as in RFC822, etc) is doomed

If you really demand a uniform end-to-end authentication mechanism, X.400 is over that-a-way.

A full blown information war is being waged over email, and it's surviving quite nicely. I eagerly await your perfect solution that changes human nature itself. I tire of the pontifications of armchair architects.

Re:mail is broken (1)

soliptic (665417) | more than 7 years ago | (#18056554)

I would have to agree, email is pretty much dead in my eyes.

I used to check my email several times a day - now I check it maybe once or twice a week. And with 500+ spam for every 1 or 2 legit emails, I barely know why I bother anyway. Sure, Thunderbird's Bayesian and whitelist filtering help somewhat, but it's too late - I'm past caring about email now anyway. I've moved on. Everyone who knows me, knows that they'll get a far faster response dropping me an IM, PM or SMS.

Blue Frog (2, Interesting)

crapjunk123 (1064708) | more than 7 years ago | (#18054800)

I really miss my Blue Frog. Just a promising little pet that never had a chance. Maybe Okopipi will make an appearance someday.

Uhh... you can have both... (4, Funny)

JimDaGeek (983925) | more than 7 years ago | (#18054834)

remember, Bill Gates said he would end spam. As a "trusting" MS user, I believe him. So, since spam has ended, I don't know what these "systems" guys are complaining about. Geeez.

Re:Uhh... you can have both... (2, Funny)

Jonny do good (1002498) | more than 7 years ago | (#18055110)

remember, Bill Gates said he would end spam. As a "trusting" MS user, I believe him. So, since spam has ended, I don't know what these "systems" guys are complaining about. Geeez.

And I am going to ditch my firewall as soon as I get Vista because Bill says it will be a secure OS.

I think the most important thing is.. (1, Funny)

Anonymous Coward | more than 7 years ago | (#18054928)

..make sure it is clear to your boss that they might lose some legitimate email with porn because of spam filters.

there is a silver bullet (0)

Anonymous Coward | more than 7 years ago | (#18054958)

There is, or rather are silver bullets, for end-user organisations who can afford to pay for it, anyway. Actually there are several, requiring various degrees of clue at the end-user's end, and the less clue you have, the more you have to pay to make the problem go away. This thread will be full of SpamAssassin and Exim recipes that can be made to work "free", but for Joe IT director of WidgetCo there may not be budget to buy that amount of clue - or they may not know that they can do; and if they have it already, they've already paid for substantial clue. (go on, admit it, if you're one of those posters with recipes, you have your CVS and authentication and firewalls and home directories and print servers just as sussed, don't you?) The stuff you can pay for ranges from, well er, from *this* to /that/... go read the ads, you'll see where those limits lie. They all work, for various values of work, with varying requirements for input of clue, cash, button clicking and typing.

Sadly, I work for a commercial enterprise operating at a particular point along that spectrum of silver bullets. I say 'sadly', because we're terribly ethical and don't like employees embarrassing us by astroturfing, and that means I can't tell you what I think the silver bullets are...

This is not a car analogy (1)

Looce (1062620) | more than 7 years ago | (#18055156)

You can't have a car that uses power, doesn't mess with the grid and uses no fossil fuel at once. You gotta have one, or the other, or a mix of both. You see, it's all a big tradeoff.

P.-S.: see this article [slashdot.org].

Question (1)

955301 (209856) | more than 7 years ago | (#18055190)

Here's a stupid question? If 99% of email is spam now, why don't we all just switch to a protocol and servers that authenticate and force identities based on a distributed trusted service? Sounds like there is so much to gain by jumping off the SMTP ship.

Re:Question (0, Redundant)

OriginalArlen (726444) | more than 7 years ago | (#18055316)

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
(X) Microsoft will not put up with it
(X) The police will not put up with it
(X) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
(X) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(X) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(X) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(X) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:Question (1)

thogard (43403) | more than 7 years ago | (#18055990)

Because then Joe Spammer will change his clients an extra $500 and go out and register a company and get a cert for that company before sending out billions of authenticated messages.

No, the boss can have both... (0)

Anonymous Coward | more than 7 years ago | (#18055266)

You just have to explain the costs involved. By my estimates, if you paid someone to be an email secretary, they could accurately filter 3 to 4 persons emails a day. So, for only the cost of one more employee, the boss can his cake and eat it too.

Always remember that when the boss starts making outrageous demands, you can placate him by simply explaining how you can actually, well, placate him. The only obstacle, ever, is money. Ok, maybe money can't cure cancer, but it can certainly cure *this* issue.

It's all doom and gloom, eh? (0)

grasshoppa (657393) | more than 7 years ago | (#18055306)

A variety of comments posted already spout doom and gloom regarding email systems. When the truth of the matter is this; Spam is not that big of a deal if you use the proper techniques. I work for a small town city government, about 200 employees with mailboxes. Using about 4 different techniques ( from connection dropping based on connection metrics to content filtering of the actual message to tarpitting connections based on characteristics ), most of my female co-workers never see spam in their inbox, despite their damnedest attempts. Other admins will know what I'm talking about.

These five steps are good for your upper managers to know, but let's face it; They won't read that and understand it. Instead, use colorful graphs to highlight the work you have done to stop the spam, highlighting why certain online behavior is bad.

Re:It's all doom and gloom, eh? (2, Informative)

realmolo (574068) | more than 7 years ago | (#18055494)

"...about 200 employees with mailboxes."

That is such a small number of users, that you anecdotal evidence is meaningless.

You don't get spam because you don't have many users sending mail, your users are in a controlled corporate environment that (probably) keeps their machines virus/trojan/spyware free, your users probably are somewhat careful to only use their "work e-mail" for "work-related" stuff, and you have a domain that isn't very widely-known.

Try running an ISP with hundreds of thousands of users, a large percentage of which have viruses on their machines, and with a domain name that is a target of spammers (because you have so many users).

200 users is NOTHING. Until you are processing hundreds-of-thousands of messages per hour, you don't know how difficult it is to stop spam.

Spam fighting can be a source of income! (1)

www.sorehands.com (142825) | more than 7 years ago | (#18055642)

From my read on the anti-spam laws, the company would be an ISP for the employees. Given that, the company can sue the spammers that use deceptive headers and subject lines in their e-mails. Under California law, a recipient or ISP can get $1,000 per illegal e-mail.

When it starts costing spammers more money than they make, they will stop. In my experience, asking spammers to stop nicely does not work. Filing a lawsuit usually is the only way to get them to stop. I have one spammer that still spams after getting 6 figures yanked from their payment processing account. This time, I am asking for 7 figures in punitive damages.

Re:Spam fighting can be a source of income! (1)

Yottabyte84 (217942) | more than 7 years ago | (#18056386)

(You) CAN-SPAM nullified state laws on the matter. Only ISPs can sue now, not individual recipiants.

So, don't use verizon.com, etc.? (2, Insightful)

imagerodeo (643430) | more than 7 years ago | (#18055644)

If CIOs instituted a policy of disqualifying any vendor of Internet, data or communication services that appears anywhere on Spamhaus's top 10 list from doing any business with the company, Varshavchik feels, "the spam problem will pretty much disappear, mostly overnight."

That list (http://www.spamhaus.org/statistics/networks.lasso ) has verizon.com, att.net, serverflo.com, xo.com in spots 1, 2, 3, 4. Should CIO's stop using Verizon, ATT and XO until they clean up their act?

Author spams list... (0)

Anonymous Coward | more than 7 years ago | (#18056232)

The author responded to criticism that the article was spammed to the qmail list. From the comments section of the article:

First: I'd asked for input for this article on the qmail list. I received several replies from people who answered my question, "what ONE thing do you wish your CIO
understood about this subject?" So, at a minimum, my message was written to let people know that the project was complete and that their contributions mattered. (Not to mention
that a few of your online friends might have been quoted.) This is called "good manners."
Okay, sounds reasonable.

Also, I don't see that the article was irrelevant. It was meant, from the first, to be a document that explained the techie's side of the issue to a manager. If your CIO doesn't need to be told these things, then I'm very happy for you -- but I've already gotten several responses from sysadmins saying that a copy was sent to the boss' office. For many
readers, having the boss understand the situation _does_ help an email admin deal with the problem (i.e. the problem of ignorant-about-this management), so I think it's relevant indeed.
The author is basically saying the article is relevant unto itself rather than explaining how it is relevant to the qmail list.

Third, I'm rather irritated when I see people use the word "spam" to mean "I'm not interested in this." You could argue that my message was off-topic. (I would disagree, but I'd accept the viewpoint.) However, spam is defined as unsolicited commercial e-mail. A link to an online
article is not commercial, especially if there's nothing at that site for you to buy.
The author's reasoning is simply disingenuous. You can buy a subscription at CIO.com. There are also advertising links which (ostensibly) generate money for CIO.com. There was commercial value to the author in mailing the article out to the list.

Logically, because there was commercial value and because she admits that it could be argued the message was off-topic she must also admit that it could be argued the mesage was spam. Her response does much to convince she was motivated by commercial reasons.

Regardless, the two questions I have are: Does intention matter in determining whether something is spam? Does value (her article certainly has some value) matter in determining whether something is spam? I'm leaning towards "no" on both counts. Intentions ultimately cannot be known, so we can hardly use them as any kind of metric. Value-added emails are nice, but if the primary purpose is the value then the spam-like aspects can simply be removed (e.g. just share the article text, not a link). If we identify value-added emails as not spam, spam will simply include relevant or valuable information to mask its spaminess.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...