Spam is actually a sort of human rights abuse. Communications is a natural human right, courtesy of nature. It’s also an essential service and human need. Spam makes communications risky. It also corrupts the communications media.
This is a fairly typical scenario from USA Today
Nasty things began happening at Jones & Wenner not long after the Fairlawn, Ohio, insurance brokerage decided it had grown large enough to handle company e-mail in-house.
The free Web mail services the firm's 20 employees had used to conduct business no longer cut it. So the company purchased a Microsoft Outlook Exchange e-mail server.
Within weeks, e-mail spam began to inundate each employee's in-box, much of it carrying viral attachments or links to poisoned Web pages, recalls Joyce Sigler, Jones & Wenner's information technology vice president.
The virus(es) could have come from anywhere, but spam is by definition linked to the nasty side of the net.
Multiply that a few million times, and you see what spam is all about and how much it really costs. People have been talking and talking for years and not much has happened. Meanwhile, yet another gigantic source of income for criminals prospers along happily. It does nothing but cost people money.
The thinking, such as it is, leaves a lot to be desired. Dynamic, it ain’t. This is apathy incarnate hard at work doing nothing useful. The "internet culture", contradiction in terms if there ever was one, is way too laid back by any possible standards. Apparently the geniuses can't outthink the spammers, who put no effort at all into their spam production. It's not much of a reflection on the intelligence, let alone the competence, of all these self-proclaimed geniuses doing online security.
Says Huff Post in an article last week
regarding the economics of spam:
You're affected in more subtle ways as well: keep in mind that spam forces the engineers at Google, Yahoo or any other email provider to spend their time fighting spam, rather building new fun features. And because it's not just a few people footing the bill, but pretty much everyone who's ever used email, there's little political incentive for laws that really crack down on spammers.
OK, writers on HP have to earn a living, too. So if everyone has a disease, you don’t really need more doctors. Call a disaster a common phenomenon and it seems less dangerous. That’s a really nice way of putting it. It’s also missing the point for users besieged by spam every day. The reaction from the internet’s heavy hitters has been exceptionally slow and remarkably clumsy.
You shouldn’t have to do much, if any, engineering at all. There are a few options which can work with minimal retooling and cost:
Just create a return to sender function for bulk spam.
Never mind “firstname.lastname@example.org
" addresses. The net effect should be a denial of service attack on the botnets if it goes to addresses with any sort of high volume sending and will attract a lot of attention in ISP stats. Bulk returns would be a quick route to finding the IPs (computer addresses) involved in the botnets. They’d stick out very clearly.
Most importantly- So would email sources, which have to access the botnet zombies in one way or another to send spam at all. They’d have thousands of times the email carriage of legitimate addresses. Even if the original spam was sourced from a botnet sending to another botnet, returns would create an instantly identifiable profile.
(A lot of people don’t even know their addresses are sending spam. I had a spoofer who was using part of my email address with random prefixes. I found out when I started getting notices of non-delivery. I actually know where the guy is, in Rumania. I even have a fairly good idea who’s doing it. I had to contact my email service provider to fix the spoofing emails.)
Forwarding to law enforcement agencies.
We have a version of that in Australia, but it requires a bit more grunt. Analysis of spam does help find these pests, but sending forwards every 5 minutes is a bit much. If email had a simple forward box for everything classified as spam, that could be made an automatic, real time process. That’d make life a bit easier for the analysts and provide a good moving picture of real time botnet operations. They could literally be caught in the act.
Re-routes from spam and those accessing related sites could also be traced. The process of Spam > email > phishing/whatever site
is easy to follow, and the access of Spammer > phishing/whatever site
would find who the spam is coming from. In small amounts, this sort of information isn’t very helpful, but in bulk, particularly in real time, it’d be a GPS system for finding spammers.
Make spam a legally recognized nuisance and/or invasion of privacy.
Sending spam theoretically isn’t quite illegal, just very closely associated, unless the spam is part of an illegal act. Creating a nuisance, however, is illegal. A person ringing you on the phone too often isn’t illegal, but you could make a case out of it in a court for harassment, and make it stick. The same could be done with spam. At the invasion of privacy level, it would carry quite a bit of weight. Privacy laws are intended to enforce the right of people not to have their communications compromised. Simple enough. Public prosecutors rejoice, because there’d be some very easy cases to prove.
@addresses need to be seen as a shutdown option for spam. Spoofers send multiple emails from different senders with the @email suffix. They tack on a user to a legitimate email address. In my case, the spam with @my email would have multiple senders from the same address. The senders were random numbers, like #hj5ss4@addresss. If there was a “nobody but me sends anything from this address
” option, I could have shut it down in seconds. It went on for months.
Make it expensive for spammers to operate
. See Leigh Goessel’s DJ article
related to this currently suggested fix for the issue which also covers the other aspects of the HP article in detail. This option does make sense, but doesn’t really deal with volumes. To my way of thinking, spammers, like all criminals, do everything at other people’s expense, so the probable outcome of this approach is that added cost is likely to be passed on in some way. I think making it impossible makes more sense than making it expensive. Drugs are expensive, too, but the price rises just get passed on to society.
Who needs to do what about spam?
Email service providers should be all over this. Spam is a drain on their resources, and the costs, if not quite immeasurable, are absurd. Any simple fix, preferably which makes life as difficult as possible for spammers, needs to be looked at.
Users need to start asking/demanding answers to these problems which are quick, one time fixes. A few straightforward clicks should be enough.
ISPs do need to be on the ball about spam. The people producing it and their associates are also capable of trashing ISPs. They should be considered a serious potential threat to ISP business security by definition. A recent attack in Australia wiped out an entire ISP and its sites.
Governments need to recognize that spam has a lot of associations with both organised crime and high volume attack potentials in the cyber war. The ubiquitous Viagra spam could be altered into a sort of multi-Trojan mechanism with ease. So could innocuous one-off emails, texts, etc. It’s worth stamping out.
Law enforcement should be talking up its role in this area. The FBI has a cybercrime division, as do many other national and international law enforcement groups. This is a crime which might be able to solve a lot of other crimes, with a bit of planning and foresight. Spammers are typically closely linked to “persons of interest” around the world. A few clicks in the right places could expose and gut these bastards.
Internet security firms need to start looking at useful commercial options for spam management. These could be sold to the email services, rather than users, making them worthwhile commercial products for both parties with users as beneficiaries.
(Sheesh! Some logic really looks great when it’s in text, doesn’t it? Talk about the bloody obvious, but it does need to be spelled out.)
There’s a compelling reason for doing these things properly. The alternative to the above options is that users start firing back with whatever tools they might be able to find online or elsewhere. Better to do it systematically at multiple levels. If spammers can be hit by users, ISPs, law agencies and courts, it’ll become a much less attractive medium.
Spam is fixable. There are a lot of holes in its defences. Whining won’t fix it. Apathy won't fix it. Lack of imagination won't fix it. Action will.