|
Grex > Coop13 > #376: The problems with Grex, e-mail and spam | |
|
| Author |
Message |
| 25 new of 480 responses total. |
blaise
|
|
response 50 of 480:
|
Nov 16 21:13 UTC 2006 |
Challenge-response systems are a bad idea; they produce what is known as
"outscatter". (A spammer sends an email posing as a user of a large
system; the c/r system sends a challenge to that user. That challenge
is unsolicited bulk email being sent to that innocent user whose email
address has been fraudulently used without his/her knowledge.)
|
tod
|
|
response 51 of 480:
|
Nov 16 21:35 UTC 2006 |
re #47
Direct Harvest Attacks can guess email addresses through mailserver responses.
|
rcurl
|
|
response 52 of 480:
|
Nov 16 21:38 UTC 2006 |
True. But first, what fraction of spam is spoofed e-mail? If it is a small
fraction, then the net result would be a significant reduction in spam
(so long as the recipient's system automatically rejects denied source
addresses).
Then spoofed e-mail would indeed be redirected to an innocent user, but that
e-mail would be from him/her self, which could be flagged for automatic
rejection. Would not being able to send yourself e-mail be a major hardship?
|
rcurl
|
|
response 53 of 480:
|
Nov 16 21:39 UTC 2006 |
#51 slipped in. #52 responds to #50.
|
blaise
|
|
response 54 of 480:
|
Nov 16 22:02 UTC 2006 |
Rane, the email would not be from him/herself but from the intended
recipient of the spam. You couldn't block the receipt of challenges
without preventing yourself from being able to send to people who use
c/r systems, but unless you do you open yourself to being the recipient
of floods of challenges when a spammer happens to use your email address
as the alleged sender of a spam.
|
ball
|
|
response 55 of 480:
|
Nov 17 01:03 UTC 2006 |
It seems to me that the vast majority of spam and UCE has a
spoofed from: address. Not being able to send to myself
would be an inconvenience because I have a poor memory and
frequently email myself notes.
|
glenda
|
|
response 56 of 480:
|
Nov 17 01:13 UTC 2006 |
To some being unable to send email to themself would be a hardship. I often
do homework at a work or school computer and email it to myself as a backup.
This has often proven to be a lifesaver when I either couldn't use or lost
the media it was saved on, i.e. one time I spent quite a bit of time on an
assignment at work but didn't have time to print it. I saved it to a zip
drive, the work computer didn't have a floppy drive. I went into the lab at
school to print it out (I got there about 10 min before class started) to
discover that not only were the computer science lab computers still using
Win98 (WCC was using WinXP by then), but they had no zip drives. I just
grabbed the copy I sent myself from email, printed it and still had time to
grab a cup of coffee before class started.
|
rcurl
|
|
response 57 of 480:
|
Nov 17 02:23 UTC 2006 |
Don't your e-mail programs have a "sent mail" file? Certainly the programs
could have a "save copy" option that does not "send" the e-mail. Mine has
a postpone command, which saves the unfinished copy until I retrieve it.
I'm talking here about changing e-mail systems to suppress spam. How they
currently work is not an argument against modifying the systems.
Re #55: I would think that spoofed e-mail is the minority, but I may be
wrong. Do you have data to show it is the majority?
Re #54: Let's keep it straight who is on first and who is on second....
Say, I am "A" and a spoofer sends me mail apparently from "B", who is in
my OK file. I will receive it, recognize it as spam, and write to B to
tell them they have been spoofed and to change their e-mail address and
let me know so I can update my file. Since they have a similar file, they
can inform everyone on it that they have changed their e-mail address.
It would be desirable to have a convenient way to automate this. E-mail
addresses would have to be easily changed.
If B is not in my OK file, they will get a c/r message, and have to jump
through the hoops to contact me and ask me to put them in my OK file.
In any case - there should be more effective and easily employed
strategies invented to halt spam. The current situation appears to be one
where people have given up. I'm only making suggestions, perhaps feeble
ones, because the current situation is untenable.
|
keesan
|
|
response 58 of 480:
|
Nov 17 03:29 UTC 2006 |
Spamassassin is getting most of my spam, but I have been adding a new filter
every day for stock spam, which mutates a lot.
|
rcurl
|
|
response 59 of 480:
|
Nov 17 06:28 UTC 2006 |
You should not have to fight spam on a daily basis. There should be a
universal solution - like the idea to charge a small fee for every e-mail
sent, say $0.001, or whatever will make untargeted advertising unprofitable.
|
ball
|
|
response 60 of 480:
|
Nov 17 07:24 UTC 2006 |
Re #57: I use (and very much like) the Berkeley mail program,
which doesn't have a sent mail folder. Any messages that I
want to keep a copy of, I simply cc to myself. I spend time
every day deleting plenty of UCE with spoofed from: headers.
If you like, I can certainly forward some to you.
SpamAssassin has helped a lot, but as keesan suggests, the
volume just keeps going up. I may tweak my score setting.
|
cmcgee
|
|
response 61 of 480:
|
Nov 17 13:01 UTC 2006 |
Yikes! Changing your email address every time you get a spoofed email!
I'd go crazy trying to keep business cards and stationery up to date, to say
nothing of notifying friends. How would people I gave my email address to
last week get in touch with me? That's like saying I should change my phone
number every time I get a marketing call.
And, no I do not want to pay google, or ATT or anyone else to send emails!
Perhaps someone could offer a spam-free premium email service, that people
like Rane and Sindi could subscribe to and pay for. For me, prudent use of
my email on the net keeps most of my emails clean.
As for the rest, the delete key works. It takes just a few seconds.
|
blaise
|
|
response 62 of 480:
|
Nov 17 14:11 UTC 2006 |
Rane, the problem is that when you receive a message spoofed to appear
to be from C (who is not in your OK file), you will send C a challenge.
If 100 messages were sent purporting to be from C, C receives 100
challenges (from 100 different users). That is the huge flaw with
challenge/response systems.
|
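A small model of the scenario argued over in responses 57 and 62, added here as an illustration and not posted by any participant in the thread. The `Mailbox` class, the addresses and the counts are constructed; it shows where challenges go when the From address is forged, both for a sender outside the OK file and for one inside it.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Mailbox:
    """One user behind a challenge-response (c/r) filter (hypothetical model)."""
    address: str
    ok_file: set = field(default_factory=set)   # senders already approved
    inbox: list = field(default_factory=list)   # delivered mail
    held: list = field(default_factory=list)    # mail waiting on a challenge

    def receive(self, claimed_from, body):
        """Return the address a challenge is sent to, or None if delivered."""
        if claimed_from in self.ok_file:
            self.inbox.append((claimed_from, body))
            return None
        # The filter only sees the *claimed* sender, so that is who is challenged.
        self.held.append((claimed_from, body))
        return claimed_from

def spam_run(mailboxes, forged_from, body="constructed spam body"):
    """Deliver one forged message to every mailbox; tally challenges by target."""
    challenges = Counter()
    for box in mailboxes:
        target = box.receive(forged_from, body)
        if target is not None:
            challenges[target] += 1
    return challenges

def demo():
    spammer = "bulk@spammer.example"   # real origin; never appears in the mail
    # 100 c/r users, none of whom have C in their OK file (response 62).
    users = [Mailbox(f"user{i}@example.net") for i in range(100)]
    # User A with B in the OK file (response 57).
    a = Mailbox("a@example.net", ok_file={"b@example.org"})
    c_run = spam_run(users, forged_from="c@example.org")
    b_run = spam_run([a], forged_from="b@example.org")
    return {
        "challenges_to_c": c_run["c@example.org"],
        "challenges_to_spammer": c_run[spammer],
        "challenges_for_b_forgery": sum(b_run.values()),
        "spam_in_a_inbox": len(a.inbox),
    }

if __name__ == "__main__":
    print(demo())
```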
krj
|
|
response 63 of 480:
|
Nov 17 16:58 UTC 2006 |
Rane in #57:
> Re #55: I would think that spoofed e-mail is the minority, but I may be
> wrong. Do you have data to show it is the majority?
I don't have data, but I handle spam complaints as part of my job,
and my experience is that the amount of spam with spoofed "From:"
addresses is, for a first cut approximation, 100%. Forging the
"From:" address is trivial, if you know SMTP (Simple Mail Transfer
Protocol). The protocol has no requirement that the FROM: field
have any relationship to the actual sender of the message.
Spammers stopped using their own From: addresses
long ago, as soon as pushback from the spam recipients started
coming back at them.
|
keesan
|
|
response 64 of 480:
|
Nov 17 17:23 UTC 2006 |
Most mail providers use a spam filter by default. Some (AOL?) use continuous
feedback from users to tune the filter. Grex and sdf are exceptions.
Today no spam slipped through my filter.
|
rcurl
|
|
response 65 of 480:
|
Nov 17 18:58 UTC 2006 |
This situation, and the responses here opposed to apparently all "cures" for
spam reminds me of the acceptance of the 40,000 annual deaths in auto
accidents, because of the inconveniences that would result from any attempt
to decrease the number of deaths.
I'm guilty of this too. I find it "cheap" to just delete the spam - so far.
But I don't argue, as others seem to here, against all proposals to eliminate
spam, without coming up with workable alternatives. If you don't like my
(probably partial) solutions, what are yours? (Ask the same about auto
accident deaths.)
There occur interesting evolutions in the nature of spam. The Nigerian frauds
are way down and now it is investments - which, incidentally, don't seem to
provide any way to respond even if you wanted to. They don't even ask you to
do anything.
|
mcnally
|
|
response 66 of 480:
|
Nov 17 19:42 UTC 2006 |
re #65: The thing is, that smarter people than you, ones who actually know
how e-mail works, understand the issues, and aren't making wildly incorrect
guesses about the nature and quantity of spam, have been trying for years
to solve this problem. It's a hard problem: it combines technological,
economic, and sociological challenges, and that's just for starters.
If some of us seem a little jaded and unenthusiastic about your suggestions
it's not because we're not open to the idea of a solution -- for some of us
whose work involves combatting the problem very little could please us more.
It's because we've long ago considered and rejected as flawed all the easy
solutions and some which are not so easy. The countermeasures we've tried
to adopt have worked, to varying degrees, for limited times, until the
adversaries in the spam-sending world figured out ways to circumvent them.
You're an accomplished expert in your own field. Most of us recognize that.
Give us a little benefit of the doubt, too, and don't assume that a half hour
of uninformed theorizing on your part is going to revolutionize the fight
against spam.
|
rcurl
|
|
response 67 of 480:
|
Nov 17 19:51 UTC 2006 |
I agree, I'm an e-mail system dummy. But it is still my duty as a citizen
to raise the issue in any way I can, even by offering unworkable
solutions. It is better to be part of the outcry against spam than to just
sit back and suffer from it. Nothing I do will *revolutionize* the fight
against spam, but it might raise more advocacy against it. The
"professionals" at least appear to be too complacent. Maybe we need to get
a better crop of "professionals" that better appreciate the waste of time
and other resources engendered by spam.
|
krj
|
|
response 68 of 480:
|
Nov 17 20:56 UTC 2006 |
Here's a background article discussing a recent group of "spambots"
which are behind the recent surge in spam activity:
http://www.eweek.com/article2/0,1895,2060235,00.asp
Headline:
"'Pump-and-Dump' Spam Surge Linked to Russian Bot Herders"
(pump-and-dump is a type of stock market scam)
Ultimately the current spam problem is Bill Gates' fault, because
the vast majority of Windows 2000 and XP computers are not properly
secured -- and cannot be secured given the skill levels of their
owners. (That's not a joke; I recall articles in the trade press
predicting that the release of Windows 2000 was going to be a disaster
for network security.) There was a fundamental assumption when
the Internet e-mail protocols were designed: nearly every computer
on the network would have a benign and competent administrator.
|
gull
|
|
response 69 of 480:
|
Nov 17 21:23 UTC 2006 |
Re resp:67: If you had spent some time on email lists of groups that
are trying to come up with ways to fight spam, as I have, you'd know
that that's not the case. People aren't complacent about this. They
know the cost is huge. They're desperately searching for solutions.
But there's no simple way to solve it. Many simplistic attempts, like
challenge-response systems, actually ended up making the problem worse.
This is a complicated issue and the way forward is not easy.
Please give other people a little credit, for once.
|
rcurl
|
|
response 70 of 480:
|
Nov 17 22:17 UTC 2006 |
Show some progress, for once.
|
cmcgee
|
|
response 71 of 480:
|
Nov 17 22:27 UTC 2006 |
You wouldn't be able to see any progress from your viewpoint. You have no
idea how many spams you didn't get because professionals have been trying out
solutions that worked.
I suspect the fact that I can still use my grex email account that is more
than 10 years old and has fewer than 10 spam messages a day is because
professionals have been making progress.
Would you care to devise an experiment that proves they haven't made any
progress?
|
rcurl
|
|
response 72 of 480:
|
Nov 17 22:34 UTC 2006 |
I look at my Grex inbox, with ca. 40 spams a day, and I see no progress in
slowing it. Almost all the spam I'm getting now is in the same format, e.g.:
Nov 17 Christa Rhodes (1849) Rhodes message
Why haven't all of these been filtered out from incoming mail to Grex?
|
cmcgee
|
|
response 73 of 480:
|
Nov 17 22:38 UTC 2006 |
Because you haven't set up your spam filter?
I don't filter my emails. In spite of the exponential growth in spam, I still
see about the same amount as last year. Seems to me that the rate that spam
is increasing is far higher than the rate that spam fills my mailbox.
|
tsty
|
|
response 74 of 480:
|
Nov 18 00:01 UTC 2006 |
This response has been erased.
|