More anti-spam resources from Andy Lester:
More anti-spam resources from Mitch Wagner:
- Notes on Internet Mail, which is John R. Levine's E-mail blog
- The Spam Weblog
- POPfile, an anti-spam client
And Paul Howell's letter:
It's nice to gather readers' opinions and share them with us all, but too often of late you've shared old ideas that have been considered and rejected ... yet you've shared these ideas with us as if they were things of value. This does your readers no service, and your editorials lose value to me, and perhaps to others, each time it happens.
The latest example is the three variations on a "single simple theme" that you shared in your "Readers' Ideas Take A Bite Out Of Spam" article: send a message back to the spammer saying "No thanks, I don't want any spam from you." In the early days of spam, this activity simply told the spammers that the E-mail address was alive, and hence the address actually gained value to the spammer either for more spam or for selling the E-mail address as part of a list to other spammers.
Today, of course, all this idea would do is clog up the E-mail pipes even more. The majority (yes, majority) of spam coming to my clients' in-boxes is from hijacked home computers on broadband. Not from identifiable, semi-legitimate bulk E-mailers, but from home PCs on DSL and cable broadband that have been infected by Trojans and serve out spam all day, unwittingly, until the ISP figures it out and shuts them down. Any return E-mail to these spam factory robots is ignored, of course. They aren't set up to process incoming E-mail.
A worse problem is that sending such a reply would unwittingly bomb legitimate E-mail users who are totally unrelated to the spam problem. How? Most of these spam robots send out E-mail with spoofed headers, including spoofed return addresses, for two good reasons: (1) they can hide the robots better that way, making them more difficult to trace back, and (2) the spam messages seem more legitimate when they come from a "real" E-mail address.
I should know. Several times a week I get spam messages from myself, offering prescription drugs at steep discounts. One of my E-mail addresses has been listed on a Web site for many years and has been harvested by many spammers. That E-mail address is now used (spoofed) by spammers as a reliable outgoing address so often that I get spam (and viruses and Trojan attachments) from myself, and others I know get them from "me." When it first started, I was accosted by several colleagues saying "Ack! Fix your computer! You've got a virus, and it's sending out E-mails!." I have not been so infected.
One byproduct is that I now get several E-mails per day from friendly mail servers, automatically telling me that the E-mail address I was trying to reach with my offer for discount Rolex watches has a full mailbox or is no longer available at this address. So I know that my messages are getting through.
So, regarding your editorial, none of the suggestions from readers of the "cat-o-nine-tails" persuasion will help me, none of the "traceable sender" or return E-mails ideas will help me, and certainly none of the "pay-as-you-go" ideas will help me. Improved filtering does help, both on my incoming servers and at my desktop.
Alert ISPs that automatically alert and shut off access to the robot spam clones would help--but such ISPs don't exist. That would alienate those who pay them. If you want to get the broadband ISPs to help, let's threaten to make THEM pay the per-E-mail fines for the illegitimate clone spam factories they harbor on their networks.
Simple solutions for complex problems are rare in any field. A quick look into the archives of any forums discussing spam solutions or a conversation with any competent spam-security consultant should have buried these ideas. Perhaps a more meaningful article in InformationWeek would address precisely this issue--Why Simple Solutions Won't Work Against Spam.
With best wishes for a clean in-box in the New Year.
Business Technology: A Trip To The Woodshed For Serving Tainted Spam