9fans - fans of the OS Plan 9 from Bell Labs
From: Keith Nash <kjn9@citizenearth.com>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] spam (was "pathetic")
Date: Sat, 28 Feb 2004 14:40:33 +0000
Message-ID: <20040228144033.1227.qmail@mail.dirac.net>

On Friday 27 February 2004 13:07, David Presotto wrote:
> So just take it to its logical conclusion and
> make it a pull protocol.  You get a note with a URL
> and grab it at your leisure.
...
> It changes the nature of spam somewhat, i.e., it would
> become a short message containing nothing but a URL and
> a subject.  Oops, that's what most of my spam already is
> but at least it means they can't fire and forget, they have
> to leave servers up.

I like this idea, although I don't think it hurts spammers enough.  If you send 10 million _almost identical_ messages, it is a trivial exercise to write a PHP or CGI script to deliver the appropriate message payload when 0.1% of the recipients call for it.  I am assuming that, in this new system, SPF records have been implemented, so that the spam is not delivered from a transient network of compromised Windows machines.

The rules for new-style messages could also say that:
(1) the message payload can only be picked up from the domain that sent the message;
(2) if A sends mail to B, A must whitelist B for traditional SMTP.  Therefore, if A is unknown to B, B may automatically send (traditional SMTP) verbose messages to A stating that A's message <Message-ID> has been received but its payload has not yet been collected.  If these messages are rejected, or elicit an adverse response, B need not bother collecting the original message payload from A.

This hurts the spammers a little more, because now 100% of recipients will send back a long SMTP message.  Hmm, the spammers seem to be able to afford the bandwidth; and we can't make the automated response too long, or a user will be able to mount a DOS attack against his own ISP, simply by sending lots of mail.  OTOH, maybe that's not a bad thing: an ISP _ought_ to cap a user's outgoing mail allowance long before it hits the 10 million per day mark, unless the user has made arrangements in advance to pay the ISP for this service.

A computational challenge/response is sometimes suggested: the automated mail from B to A could contain the challenge.

And of course it will be more difficult than at present to configure mail servers without creating mail loops.  The effect of these can be mitigated by delaying the sending of automated responses.

And it goes without saying that there is no complete solution to spam: my snail-mail is about 2/3 spam.  It's the price that I pay for having an address that anyone can send to.  All we can aim for is to try to reduce email spam to the same sort of manageable level.

Keith.
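
An added example, not part of the message above: a sketch of the recipient-side decision that rules (1) and (2) imply, with the host check written so that lookalike hosts and userinfo tricks in the URL do not pass as the sending domain. The function names, return values and sample domains are hypothetical; it assumes the sending domain has already been authenticated (the post assumes SPF) and that a subdomain of the sending domain counts as "the domain that sent the message".

```python
from urllib.parse import urlsplit


def host_in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (label-wise)."""
    host = host.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    # A plain endswith(domain) would accept "evil-example.com" for "example.com".
    return host == domain or host.endswith("." + domain)


def decide(sending_domain, payload_url, known_senders, receipt_accepted=None):
    """Recipient B's policy for one notification from A.

    sending_domain   -- domain the notification arrived from (assumed authenticated)
    payload_url      -- URL carried in the notification
    known_senders    -- set of domains B already knows
    receipt_accepted -- None if no receipt notice has been sent yet, else
                        whether A accepted B's receipt notice (rule 2)
    Returns "fetch", "send_receipt" or "skip" (hypothetical labels).
    """
    try:
        parts = urlsplit(payload_url)
        host = parts.hostname  # excludes any user:password@ prefix and the port
    except ValueError:
        return "skip"  # malformed URL
    if parts.scheme not in ("http", "https") or not host:
        return "skip"
    # Rule (1): the payload may only be collected from the sending domain.
    if not host_in_domain(host, sending_domain):
        return "skip"
    if sending_domain.lower() in known_senders:
        return "fetch"
    # Rule (2): A is unknown to B, so B first sends a receipt notice to A.
    if receipt_accepted is None:
        return "send_receipt"
    # If A rejected the notice, B need not collect the payload.
    return "fetch" if receipt_accepted else "skip"


if __name__ == "__main__":
    # Constructed sample notifications (domain, URL), not real traffic.
    samples = [
        ("example.com", "http://mail.example.com/m/1"),
        ("example.com", "http://evil-example.com/m/1"),
        ("example.com", "http://example.com@evil.test/m/1"),
    ]
    for domain, url in samples:
        print(domain, url, decide(domain, url, {"example.com"}))
```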


