Last week, the FTC rejected the idea of a national “do-not-e-mail” registry, and this week a coalition of ISPs released a set of technical guidelines to help in the fight against spam. Both these actions point the way toward the real solution. But first, a host of bad ideas needs to be canned. The first bad idea is that laws alone can stop spam from oozing its way into users’ inboxes. For instance, Jordana Beebe from the San Diego-based Privacy Rights Clearinghouse recently said that “the real problem with spam is enforcement.”
"The first bad idea is that laws alone can stop spam from oozing its way into users' inboxes." It's not the law that would be effective against spam, it's the penalties provided in the law. (Not my main point.) "One of the reasons the FTC finds it difficult to track down clever spammers is that the Net's design makes it easy for them to be anonymous." That's untrue, although ASTA and others constantly make that claim. The net's design makes it possible to trace the spam (sometimes with some work.) The truth is nobody much tries. Most spam today is sent by some form of abuse. That means packets of some type go into an ISP's space to an IP address in that space and other packets come out (usually) from that same IP address to port 25 of the destination email servers,aimed at the intended spam recipients/victims. Tracking those incoming packets is trivial - if the ISPs would simply do it. Yes, often the packets will come from some other IP address being abused. Tracking can also be done from there. Sooner or later the packets trace back to the spammer. With the huge volume of spam there's a corresponding huge volume of abuse packets. "Huge volume" means "easy to find." But somebody (the ISPs?) has to look. Ron Guilmette looked last year and got over 100 spammer accounts closed (he had no law-enforcement power) in under 3 months. We need more like him. It should go without saying that the spam not sent by abuse is instantly trackable to its real source. That's why the abuse is committed. That the abuse makes it harder to track the spammers doens't mean it's not possible - and it isn't necessary to start with the spam and work back: simply watching for the abuse will work (does work) just fine. If any reasonable number of ISPs were tracking any reasonable percentage (like 1%) of the abuse packets then the spammers would lose, disappear. "That would be a huge mistake, as there are so many options still waiting to be tested in the marketplace." Yes. See above. It is disgraceful that ISPs and experts such as those of ASTA (and ASRG) neglect simple, basic facts. Speaking of ASTA, in February, 1999, RFC 2505 was issued. That's the RFC that describes why and how email servers should be configured to not be open relays. That's good, it's wise for any email administrator to not run an open relay. Why do I mention RFC 2505? Because it also says that securing systems against being open relays is NOT a way to combat spam. ASTA, 5 years later, is advising administrators to secure their systems (and specifically advocates securing against being open relays.) Again, it's good to not run an open relay. That's not the point. The point is that securing open relays is nearly useless to combat spam. By extension, all the securing methods are useless, as ASTA tacitly acknowledges, because ASTA admits it's really working on another solution (a global revision of SMTP, the email protocol) and that they actually are putting their faith in that approach. Why they advise what they already know won't work is anybody's guess - but what they advocate isn't useful at all in ending spam. Not at all. As Arison says: "The FTC was correct in rejecting arguments from biased business people ..." ASTA is made up of biased business people. They shouldn't be automatically trusted, either.
Loading ...
Can Bad Spam-Fighting Ideas
Posted by: Sonia Arrison June 25, 2004 08:29 AMLast week, the FTC rejected the idea of a national “do-not-e-mail” registry, and this week a coalition of ISPs released a set of technical guidelines to help in the fight against spam. Both these actions point the way toward the real solution. But first, a host of bad ideas needs to be canned. The first bad idea is that laws alone can stop spam from oozing its way into users’ inboxes. For instance, Jordana Beebe from the San Diego-based Privacy Rights Clearinghouse recently said that “the real problem with spam is enforcement.”
It's not the law that would be effective against spam, it's the penalties provided in the law. (Not my main point.)
"One of the reasons the FTC finds it difficult to track down clever spammers is that the Net's design makes it easy for them to be anonymous."
That's untrue, although ASTA and others constantly make that claim. The net's design makes it possible to trace the spam (sometimes with some work.) The truth is nobody much tries. Most spam today is sent by some form of abuse. That means packets of some type go into an ISP's space to an IP address in that space and other packets come out (usually) from that same IP address to port 25 of the destination email servers,aimed at the intended spam recipients/victims. Tracking those incoming packets is trivial - if the ISPs would simply do it. Yes, often the packets will come from some other IP address being abused. Tracking can also be done from there. Sooner or later the packets trace back to the spammer. With the huge volume of spam there's a corresponding huge volume of abuse packets. "Huge volume" means "easy to find." But somebody (the ISPs?) has to look. Ron Guilmette looked last year and got over 100 spammer accounts closed (he had no law-enforcement power) in under 3 months. We need more like him.
It should go without saying that the spam not sent by abuse is instantly trackable to its real source. That's why the abuse is committed. That the abuse makes it harder to track the spammers doens't mean it's not possible - and it isn't necessary to start with the spam and work back: simply watching for the abuse will work (does work) just fine.
If any reasonable number of ISPs were tracking any reasonable percentage (like 1%) of the abuse packets then the spammers would lose, disappear.
"That would be a huge mistake, as there are so many options still waiting to be tested in the marketplace."
Yes. See above. It is disgraceful that ISPs and experts such as those of ASTA (and ASRG) neglect simple, basic facts.
Speaking of ASTA, in February, 1999, RFC 2505 was issued. That's the RFC that describes why and how email servers should be configured to not be open relays. That's good, it's wise for any email administrator to not run an open relay.
Why do I mention RFC 2505? Because it also says that securing systems against being open relays is NOT a way to combat spam. ASTA, 5 years later, is advising administrators to secure their systems (and specifically advocates securing against being open relays.) Again, it's good to not run an open relay. That's not the point. The point is that securing open relays is nearly useless to combat spam. By extension, all the securing methods are useless, as ASTA tacitly acknowledges, because ASTA admits it's really working on another solution (a global revision of SMTP, the email protocol) and that they actually are putting their faith in that approach. Why they advise what they already know won't work is anybody's guess - but what they advocate isn't useful at all in ending spam. Not at all.
As Arison says: "The FTC was correct in rejecting arguments from biased business people ..." ASTA is made up of biased business people. They shouldn't be automatically trusted, either.