[ale] OT: the Penny Black anti-spam proposal

ChangingLINKS.com groups at ChangingLINKS.com
Sat Dec 27 21:11:00 EST 2003


> It's just a comment that the SMTP protocol is flawed. If SMTP required 
> authentication, we'd probably have a lot less SPAM today.
OK.

> Correct me if I'm wrong, but spamarrest is a challenge-response solution, 
> right?  As things stand now (the way software works) I find this C-R 
> doesn't mix well with mailing lists.

I registered for a list today. I tell them my email address, they send me a 
task to do that proves I am the owner of the email list. Same way for the ALE 
list right?
We can simply add a list that allows emails to come from specified email 
addresses without the verification. This way, the list does not have to 
verify. In the current system the receiver has at least some of this 
functionality already.

>  Furthermore, given the way C-R usually 
> identifies the sender, it's insecure/unreliable.

I admit it is not ultra-secure, but I don't think it needs to be either. Heck, 
using credit cards via the Internet could be improved as well - and that 
involves money.

> You are on drugs. (excuse me.  An emotional reaction.  Do the math) 
No, you don't seem to have as much experience in this area.

> The reason 
> you get so much spam is that it cost practically the same amount to send 1 
> message or 10 million.  So they send 10 million.  The numbers get large 
> enough that they can find enough idiots to respond to it and make money.

Volume helps, but it is NOT the only thing that makes spam/advertising work. A 
successful campaign can be executed in under 100,000 messages sent. With some 
test marketing, messages can be created that will pull higher response rates.
Just watch "Don Lapre's" late night infomercial to understand that.
Your solution may reduce volume some, BUT it will NOT rid the world of spam.
Think about this: We get fewer telemarketing calls than we do spam, and yet 
there is lots of fanfare about the do-not-call list. Telemarketing is more 
expensive but still profitable. 
The problems are:
1. YOU have never really done the math as a marketer/advertiser,
2. You don't understand that people that respond to marketing messages are not 
"idiots." We all respond to one marketing message or another. One medium or 
another.
3. And you say _I_ am on drugs? hehe. I just witnessed a friend pull $40K in 3 
months selling "college degrees" and sending no more than 1 million spam - 
literally from his 1 bedroom apartment in Canada. I have personally seen a 
lot in the spam world, but I had never really discussed this (as we are now) 
with admin types. I can see why the spammers are ahead.

> I didn't say I thought we *should* do pay-to-send. I simply said it's the most 
> appealing one I've heard.
> 

> > Does anyone see weaknesses in a client-side spamarrest TYPE solution?
>
> Wasted bandwidth. 
Yes. In the beginning a lot. But, spam would quickly drop off when manual 
verification is needed.

> Extra work for the innocent.
Very little. I assume you mean sender verification. Understand that you would 
only need to verify once for each email address you send to and then their 
system can remember you. Also, it is possible to add an automated response to 
the challenge. Receiver can tell sender, "by the way the PIN number is . . ." 
The PIN can be included in the body of the text. This is no different than 
dialing an extension.

> AND, like most client-side 
> "hacks"/anti-spam solutions, the spammers are even now finding a way to work 
> around it. 
Yes, the spammers (and porn marketers) seem to be more intelligent than those 
defending against it. 

> It validates my email address to the sender. 
This does not have to be true. A challenge can be returned for EVERY email 
address.

> > If AOL or M$FT were to implement such an AUTOMATED system (set on by
> > default), do you think spammers would be able to successfully send bulk
> > email and profit as they are now?
> >
> Yes.  In about 3 months, they probably would.

How?
More and more websites seem to be using the verification method that 
spamarrest and marketleap use. I heard that it is possible to beat their 
system (computers can allegedly read graphics that are just black and white). 
However, many websites are using verification that seems to even stop 
colorblind people from verifying (I was shocked to come across one that had 
shades of red and green and looked like a test for colorblindness). 
Also, even if a computer was able to read graphic images and automatically 
verify, the delay caused by doing this will equal the delay that M$FT was 
proposing. The point: Graphic verification has been around quite a while. If 
the spammers (and others on the planet) haven't cracked it yet, how do you 
propose they would crack it in 3 months?
I am not suggesting that the system would end email advertising. In fact, I 
think that spammers would quickly convert themselves into different types of 
advertisers. 
They have a keen ability to adapt quickly when their jobs get threatened. ;)

OK. I know I am beating a dead horse. They get it or they don't, Drew. 
Looks like there will be spam for a long time to come. :)
-- 
Wishing you Happiness, Joy and Laughter,
Drew Brown
http://www.ChangingLINKS.com
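
The receiver-side scheme described in the message above (an allow-list for mailing lists, one-time verification that is then remembered, a PIN carried in the body, and a challenge returned for every address), as an added Python sketch. It is not part of the original post; the class name, the token format, the `PIN:` line convention and the example.org addresses are assumptions.

```python
import hashlib
import hmac
import re
import secrets


class ChallengeGate:
    """Receiver-side challenge-response filter (illustrative sketch)."""

    def __init__(self, mailboxes, allow_list=(), pin=None):
        self.mailboxes = {m.lower() for m in mailboxes}  # real local recipients
        self.allowed = {a.lower() for a in allow_list}   # e.g. mailing lists, never challenged
        self.verified = set()                            # (sender, recipient) pairs remembered
        self.pin = pin                                   # handed out by the receiver out of band
        self._key = secrets.token_bytes(32)              # per-install HMAC key

    def _token(self, sender, recipient):
        # Token is bound to both addresses, so it cannot be reused for another pair.
        msg = f"{sender}\n{recipient}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def receive(self, sender, recipient, body=""):
        """Return ("deliver", None) or ("challenge", token).

        `sender` is whatever address the message claims; nothing here authenticates it.
        """
        sender, recipient = sender.lower(), recipient.lower()
        # Real and nonexistent recipients produce the same kind of challenge, so a
        # challenge on its own does not confirm that the address exists.
        if recipient in self.mailboxes:
            if sender in self.allowed or (sender, recipient) in self.verified:
                return ("deliver", None)
            pin_line = r"\bPIN:\s*" + re.escape(self.pin or "") + r"\b"
            if self.pin and re.search(pin_line, body):
                self.verified.add((sender, recipient))   # remembered from now on
                return ("deliver", None)
        return ("challenge", self._token(sender, recipient))

    def answer(self, sender, recipient, token):
        """Record a completed challenge; same return value for unknown recipients."""
        sender, recipient = sender.lower(), recipient.lower()
        ok = hmac.compare_digest(token, self._token(sender, recipient))
        if ok and recipient in self.mailboxes:
            self.verified.add((sender, recipient))
        return ok
```
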


