At 21:19 09/02/03, Jason R. Mastaler wrote:
At Sun, 09 Feb 2003 09:14:13 +0100, Lou Hevly wrote:
>
> An article appeared in today's online NYT:
> February 9, 2003
> Tangled Up in Spam
> By JAMES GLEICK
> http://www.nytimes.com/2003/02/09/magazine/09SPAM.html?pagewanted=print
This article is blocked until I sign up for an account so the NYT can
sell me out to their marketing customers leading to something
unsolicited in one form or another.
Sorry, I hadn't thought of that. Still, I've been signed up there for years, long before I started using TMDA, and have never heard a word from them. They *may* have sold my address to third parties, but I somehow doubt it. Of course, I may just be na�ve.
I think it would be all right if I included the copyright:Is is possible for you to cut and paste the text from this article, or would that be a copyright violation?
----8<----
Copyright 2003 The New York Times Company
February 9, 2003
Tangled Up in Spam
By JAMES GLEICK
I know what your in-box looks like, and it isn't pretty. It looks like
mine: a babble of come-ons and lies from hucksters and con artists. To
find your real e-mail, you must wade through the torrent of fraud and
obscenity known politely as ''unsolicited bulk e-mail'' and colloquially
as spam. In a perverse tribute to the power of the online revolution, we
are all suddenly getting the same mail.
The spam epidemic has just a few themes and variations: phone cards,
cable descramblers, vacation prizes. Easy credit, easy weight loss, free
vacations, free Girlz. Inkjet cartridges and black-market Viagra, get-
rich-quick schemes and every possible form of pornography. The crush of
these messages on the world's networks is now numbered in billions per
day. One anti-spam service measured more than five million unique spam
attacks in December, almost three times as many as a year earlier. The
well is poisoned.
Spam is not just a nuisance. It absorbs bandwidth and overwhelms
Internet service providers. Corporate tech staffs labor to deploy
filtering technology to protect their networks. The cost is now widely
estimated (though all such estimates are largely guesswork) at billions
of dollars a year. The social costs are immeasurable: people fear
participating in the collective life of the Internet, they withdraw or
they learn to conceal their e-mail addresses, identifying themselves as
[EMAIL PROTECTED] or [EMAIL PROTECTED] The signal-to-noise ratio
nears zero, and trust is destroyed.
''Spam has become the organized crime of the Internet,'' said Barry
Shein, president of the World, one of the original Internet service
providers. ''Most people see it as a private mailbox problem. But more
and more it's becoming a systems and engineering and networking
problem.'' He told the 2003 Spam Conference in Cambridge, Mass., last
month that his service is sometimes pounded by the same spam from 200
computer systems simultaneously. ''It's depressing. It's more depressing
than you think. Spammers are gaining control of the Internet.''
If your own experience doesn't seem this bad, just wait. You may be a
recent convert to e- mail; your address may not yet have percolated
through the deep swamp of spammer databases (truly a land of no return).
Quantity matters, psychologically. If five daily spams seem merely
annoying, 20 or 30 will be maddening, creepy -- and chilling. Some avid
Internet users report a hundred or more a day.
The harvesting of e-mail addresses by spammers is relentless and swift.
Investigators for the Federal Trade Commission recently posted some
freshly minted e-mail addresses in chat rooms and news groups to see
what would happen; in one case, the first spam came in nine minutes.
Addresses are sold and resold on CD-ROM's in batches of millions. If you
have ever revealed your e-mail address in a public forum, or allowed it
to appear on a Web page, or used it in buying merchandise online, your
experience of the online world is sure to sound like this: ''Looking for
love?'' ''$900 weekly at home.'' ''Fwd: Your winning lottery ticket.''
''Biggee your penis 3 inches in 22 days.'' ''Have you received your
cash?'' ''Hard core so intense it's sinful.'' ''Advanced degree =
advanced career.'' ''Natural enlargement where you need it.'' ''Live
chat room with real women!!''
Your correspondents claim to care about your health. Unfortunately, they
care mainly about the length of your penis and the size of your breasts.
They do not discriminate by sex; either way, you are assumed to feel
inadequate. They offer implants and human growth hormone therapy. They
are pharmaceutical enthusiasts, but we're not talking about penicillin;
it's ''Viagra-Phentermine-Xenical-Propecia and MORE!'' They care about
your finances. Here come the guaranteed paths to mortgage deals of a
lifetime, cheap insurance, million-dollar prizes, hot stock tips and
secrets of commodities trading.
Parents panic when they discover that their teenagers have mail from
''Mellisa'' at SexAffair.org: ''Hi there! I got your e-mail from
Jennifer and I just wanted to tell you strait up, I really like -! She
told me u're into -- too. Lets hookup for a juicy weekend.'' Does this
mean the kids are checking out porn sites? (No, it does not.)
Another major spam category is ''fast cash -- work at home.'' More often
than not this is a do-it-yourself kit -- you pay up front, and they send
you everything you need to be a spammer from your own PC.
How this bane came to sully the greatest revolution in personal
communication since the telephone makes for a complex and troubling
story, with no promise of a happy ending. From the beginning, the
Internet has tried to fight spam with grass-roots vigilantism. Software
companies now routinely build spam-filtering technology into their e-
mail programs, and independent programmers are struggling to devise more
creative methods for separating wheat from chaff. Millions of individual
e-mail users are trying to devise coping strategies of their own.
Consumer advocates are working mostly in vain to persuade lawmakers to
take action in what should, after all, be a popular cause.
Each in its own way, for different reasons, these efforts are failing.
Long, long ago, in a previous century, when the Internet was young,
people discovered both the power and danger of mass e-mail. One online
pioneer, Brad Templeton, says he believes he has pinpointed the first e-
mail spam: in 1978, a Digital Equipment Corporation salesperson typed
several hundred addresses by hand -- those of scientists and researchers
on the Arpanet, the predecessor of the Internet -- and sent them an
announcement of a product presentation. A small furor erupted. ''Where
is the line to be drawn between this sort of thing (if it is to be
allowed at all) and advertising?'' a recipient at Stanford University
asked plaintively. The Net was a scientific and military enterprise --
most emphatically noncommercial.
The modern epidemic began 15 years later, coinciding with the explosive
popularization of e-mail in 1993 and 1994. A chain letter began to
spread, titled ''MAKE MONEY FAST.'' And a pair of Arizona immigration
lawyers, Laurence Canter and Martha Siegel, bombarded the Internet with
a notorious advertisement about the ''Green Card Lottery.'' Angry
recipients counterattacked, overwhelming the lawyers' service provider
with complaints. But these proto-spammers were unrepentant. Eventually
they tried marketing a book, ''How to Make a Fortune on the Information
Superhighway: Everyone's Guerrilla Guide to Marketing on the Internet
and Other On-Line Services.''
Frauds and cons from the horse-and-buggy world quickly adapted to the
new technologies. One of the most shameless is the so-called Nigerian
spam. The subject is ''Urgent/ Confidential'' or ''Assistance
Required.'' The sender confides that he is a bank manager or political
exile or son of the late commander in chief of the armed forces in
Lagos. He explains that he needs your help in transferring $21.5 million
in cash out of the country. ''I will like you as an foreigner to stand
in as the next of kin. If only you will send your bank- account
information, you can have a 40 percent cut.'' It's always the same
letter, more or less. ''Should you not be in a position to assist, this
deal has to remain a secret till the end of time.'' Sure. Some secret.
Few Internet users realize that this particular con began with
handwritten letters and only recently grew into a mass-market business,
in the category of World Gone Mad. Perhaps there's a reason for one con
artist to ''solicit for your assistance in this mutually benefiting
business transaction''; surely it defeats the purpose when they all send
this same e-mail several times a day, week in and week out. Today it's
from Dominic Tutu and Dominic Egbu, separately. Before that it was Dr.
Lawrence Adu and Dr. Francis Oputa and Dr. Williams Ossai and Dr.
Shuaibu Hamza. There can hardly be any unsuspecting victims left, so you
have to wonder -- what's the point?
Early Internet users reacted so angrily to commercial mass mailings that
fake return addresses became a necessity. America Online and other large
service providers began closing accounts used for spam. The next big
step -- indispensable to the spam epidemic -- was the rise of free mail
services: Hotmail, now owned by Microsoft, and Yahoo. Two features of
the modern Internet (both more or less accidental) make spamming easy:
service providers desperate for market share at all costs; and an
architecture of relatively open and insecure mail gateways. Together
these enable hit-and-run e-mailers to create quick, disposable, false
identities. It's why so many of your correspondents have addresses like
''[EMAIL PROTECTED]'' -- though that one, offering me
''eBay insider secrets,'' day after day, turns out to be not just a
pseudonym but also a forgery, not a real Hotmail account at all.
For that matter, anyone named Buffy who sends me e-mail is a spammer,
judging from my experience. A suspicious number of my correspondents now
seem to be called James. It seems safe to assume that a sender named
NoMoreConstipation68487 is a spammer. Likewise for Persondude1 -- but
no, that turns out to be my 11-year-old nephew. Sorting the good from
the bad looks easy, but it's a real problem, both for humans trying to
manage their in-boxes and for artificial intelligence.
A human being, looking at a sender called ''[EMAIL PROTECTED],'' can
guess it's not a real person. Looking at subjects like ''Do your butt,
hips and thighs embarrass you'' and ''My husband's not home, come and
have me!'' and ''Make money fast'' (yes, this ancient artifact still
makes the rounds), a human being knows enough to press the delete key.
Why can't a computer be that smart?
Many programmers are working to automate the filtering of spam. The
spammers, of course, are working to stay ahead. They forge identifying
headers; some of your spam now appears to have been sent to you by you.
They continually change the content, even adding random text. They make
their subject lines sound real, or at least plausible:
� How are you? � Thanks for requesting more information. � Error in your
favor. � It is critical that your Internet connection is fixed. �
Someone is waiting for you. � Listen to what people are saying about
you. � Pentagon readies war plans. (This one was an attempt to sell
heating-oil options: ''$5,000.00 minimum investment.'')
Another gambit is to have their computers insert your name:
� James, is this still your e-mail? � James, your paycheck has just
increased! � Hello, Gleick, darling.
All this in the name of tricking you into opening the message. ''Baby
you're so strange'' -- can you resist? ''Do you remember me?''
Every major e-mail program now comes with filters meant to spare you the
trouble. The idea is for the computer to detect spam and delete it, or
at least move it into a separate folder where you can while away your
time examining it later. Microsoft's e-mail clients use simple rules. If
the first eight characters of the sender's name are digits, they guess
the mail is spam. Likewise if the subject contains dollar signs and
exclamation points, or if the message contains ''money back'' or ''check
or money order'' or ''over 21'' or ''Dear friend.''
This approach catches less and less spam as time goes on, because the
spammers buy the same software and test their mail in advance. If you're
an enthusiastic computer user, you can add filters of your own. You can
even download interesting filters from sites organized by other spam
victims. You can't expect perfection. There will always be false
negatives -- junk mail that manages to sneak through.
More troublesome, however, is the problem of false positives --
legitimate mail that is blocked. If your filter deletes what it thinks
is spam, you may never see the message from your long-lost high-school
sweetheart, who finally wants to make contact but uses too many
exclamation points, or calls you a dear friend, or mentions sex.
Most corporate networks use spam filters, and many Internet service
providers are also installing them, in response to pressure from their
customers. The effectiveness varies widely. People use whitelists
(friends) and blacklists (known spammers). People get frustrated and
overcompensate, putting all of hotmail.com and yahoo.com and aol.com on
their blacklists. ''Am I likely to miss important e-mail?'' writes
Michael Fraase, a Minnesota Web consultant who goes to these extremes.
''Probably, but I have no way of knowing. Unfortunately the spam problem
has become so bad that it's on the verge of rendering e- mail useless.''
One of the best tools for network administrators is an ever-evolving
program called SpamAssassin, which uses a range of tests and a point
system to identify spam. This is subtler than simple yes-no filtering.
Messages get points for capitalized words like AMAZING and GUARANTEE and
PROFITS. They get points for mentioning Viagra -- especially ''natural''
or ''herbal'' -- or penises or breasts. They get points for requesting a
credit-card number, for including a toll-free number and for offering a
full refund. They get points for odd-looking dates: much spam appears to
have been sent in 1941; much appears to have been sent from the future.
They get points for lively font colors and embedded scripts or links.
In a delightful SpamAssassin irony, a message gets extra points for
declaring that it is not spam. After all, such statements are invariably
lies. So are the following:
� This is a one-time mailing. � There is no catch. � This message is
sent in compliance with spam regulations. � You're getting this message
because you registered with one of our marketing partners.
Like so much of the online world, spam becomes circular and self-
referential and tail- chasing. Mail titled ''Clear your in-box of spam''
and ''Say goodbye to junk e-mail'' has to be spam.
SpamAssassin deploys hundreds of rules, adding more all the time and
readjusting the weighting scheme. If a message has enough points, it's
probably spam. But false negatives and false positives cannot be ruled
out.
The newest approach to a technological solution is a different kind of
filtering, based on statistics. A computer scientist, Paul Graham,
caused a stir in the online world last summer with a proposal for
adaptive, probabilistic filtering. The idea is to give up trying to list
specific features of spam, to quit trying to get inside the mind of the
spammers. ''Over the past six months, I've read literally thousands of
spams, and it is really kind of demoralizing,'' Graham declared.
''Norbert Wiener said if you compete with slaves you become a slave, and
there is something similarly degrading about competing with spammers.''
Instead, the new software keeps track of all the words in every e-mail,
calculates their statistical probabilities as spam-indicators and
adjusts these with experience. With his new method, he claims to be
catching more than 99 percent of spams, with no false positives.
Graham's screed inspired many independent programmers to work on
statistical filters. You train the software with a few hundred examples
of good and bad mail, and the software starts to get smart. If you're
curious, you can study the details. In my case, for example, the word
''Viagra'' appears almost exclusively in spam. The word ''vanilla''
appears almost exclusively in real mail. ''Awesome'' is bad; ''awful''
is good. ''Fraction'' is bad; ''fragment'' is good. I don't know why,
and it doesn't matter.
''I was skeptical of filters, too, but in my case there wasn't much of a
choice,'' says Michael Tsai, the author of SpamSieve, one of the more
effective statistical filters. ''I don't have time to categorize my mail
by hand, and if I did I'd probably get trigger-happy with the delete
key.''
If you wonder why words like ''Viag.a'' and ''pen-s'' have started
appearing in your spam, this is why. It's the spammers trying to outwit
the filters. They have also begun appending random chunks of innocent
text.
After weeks of training, my spam filter didn't see a problem with a
letter titled ''See what hot girlz do behind closed doors!'' To a wary
human, just the word ''girlz'' would be a giveaway. The filter didn't
suspect anything unwelcome about a letter from Ivanna Come titled
Obscene Facial Pictures. You can't say these spammers are brilliantly
concealing their intentions. A human being gets the point. Yet none of
these words, singly or in combination, triggered the alarm in my
filtering software. The filter still thought this might be legitimate e-
mail:
Looking for a good time?
Want some FREE ladies?
Then click here!
Deep inside the majestic Pennsylvania Avenue headquarters of the Federal
Trade Commission lies the control center for the government's battle
against spam, such as it is. This is the grandly named Internet Lab. It
turns out to be eight PC's on desks.
''It's a great resource,'' says Brian Huseman, the F.T.C. lawyer
assigned to tell me about the commission's spam-fighting. ''I don't know
how we would do our spam investigations without it.'' While I watch,
three young staff members surf the Web.
During the Clinton administration, the commission set up an e-mail
address, [EMAIL PROTECTED], for consumers to forward samples of their spam.
The database now contains 27.5 million of these, and 85,000 more arrive
daily. Every month or so, the commission files an enforcement action
against someone, leading to a warning letter, or a promise by the
spammer to cease and desist, or even, occasionally, a ''disgorgement of
ill-gotten gains.'' No one really imagines any of this makes a dent.
The agency can't help noticing that, by and large, spam is not illegal.
Its enforcers can go after only the most obvious forms of fraud, of
which there is, after all, no shortage. The fact that you may not want
to get this stuff is not their problem. ''From the F.T.C.'s point of
view, whether it's wanted or unwanted, what we're concerned about is
whether it's deceptive,'' Huseman says.
In reality almost all spam qualifies as deceptive. Junk messages
typically come with false return addresses. The Internet headers are
typically forged to falsify the mail servers, relays and other data that
could help trace the source. Instructions for removing your name from
their lists are typically false; your name won't be removed, and the
spammer will know you're alive and reading the mail. In theory, any of
these lies could justify action by the commission. ''Maybe there's a
deceptive statement about how your name was acquired,'' Huseman says.
Why, yes!
Here's a typical disclaimer: ''Best Net Offers never sends unsolicited
e-mail. Best Net Offers has been given the right to market to you
through our Web site partners and their privacy policies.'' That's a
lie. Here's another: ''P.S. We never ever send spam we only send to
people we think would enjoy this invitation! Psychic powers don't fail
us now!''
In practice, it's hopeless. You can't prove that you never clicked a
button marked ''O.K.'' after failing to read the fine print of a privacy
agreement, thus unwittingly giving someone a sort of authorization to
sell your e-mail address. The F.T.C. is a strong believer in these
lawyerly privacy statements, but how many people read them?
You don't want to test the Click Here to Be Removed link, because you
suspect it will just lead to more spam. This is just another in the
series of spam Catch-22's.
The spammers are elusive and hidden -- one reason Barry Shein compares
their operations to organized crime. ''These are not legitimate
businesspeople,'' he said. ''These are people who are acting in a way
that society does not accept.'' Yet it is often possible for a
determined victim to track them down. Although headers will be forged,
inspecting the HTML source of junk mail usually reveals a genuine domain
name, because, after all, you are meant to visit some Web site. Domain
names are required to list publicly a technical contact and an
administrative contact. For example, SexAffair.org, which sends a
torrent of spam from supposedly willing maidens called ''Erica'' and
''Jen'' and ''Katie,'' turns out to be Sobonito Investments Ltd., at
10800 Biscayne Boulevard in Miami. They handle Sex2go.com, too. I'd like
to talk to them about this, but they don't return my calls. Anyway,
until Congress sees fit to make their activities illegal, tracking down
spammers provides little satisfaction.
Yet the perpetrators are not just misfits and pornographers. Real
companies send spam, too -- because they don't know any better, or
because they don't care, or just in rote obeisance to the gods of
marketing.
E-mail marketers, from the sleazy to the near-legitimate, defend their
behavior by citing postal junk mail and unsolicited telemarketing. These
irritate consumers but are tolerated, up to a point. Spam is different.
It is intrusive because, in the nature of e-mail, it arrives round the
clock, demanding attention. It lacks even the modest checks and balances
of traditional marketing: to print letters and send them through the
post costs money; likewise to make telephone calls. A direct mailer
can't afford a pitch so shabby and fruitless that it will produce a one-
in-a-thousand rate of return. A spammer can, because sending a million
more copies is practically free.
We citizens and consumers have more points of contact with the world
than ever before; more points of exposure. Our front doors and mailboxes
are one kind of interface; our telephones and fax machines another; our
televisions and radios still another. Because networked computers open a
pathway wider and faster and more fluid than all these combined, the
spam epidemic will prove a need for new kinds of locks and new kinds of
rules.
From an economic perspective, if the purpose of advertising is to get
directly in my face, for the least cost, then spam is almost perfectly
effective. It's in my face, all right. As a magazine reader, you might
feel that advertisements are an intrusion, but you also know that the
advertisers had to pay thousands of dollars and that this money supports
whatever it is you like about the magazine. You've made a voluntary
economic bargain -- as you do when you watch free broadcast television.
By contrast, advertising by e-mail is the ultimate free ride. The cost
is borne by the recipients. This is a historical accident; no planners
designed the economics of cyberspace to work this way. But the
capitalists who laid the world's fiber-optic cable across continents and
oceans get no return on their investment from the spammers; the Internet
service providers whose computers send and receive these billions of
messages get no compensation. Nor, of course, do we, the targets of spam
-- we don't get the television program or magazine article or football
game or service that other advertising dollars support.
Of course, if the purpose of advertising is to get me to buy the
product, as opposed to turning me into a livid bundle of hatred and
resentment, then spam is not perfectly effective. Yet the tide keeps
rising.
Many people who hate spam believe, honorably enough, that it's protected
as free speech. It is not. The Supreme Court has made clear that
individuals may preserve a threshold of privacy. ''Nothing in the
Constitution compels us to listen to or view any unwanted communication,
whatever its merit,'' wrote Chief Justice Warren Burger in a 1970
decision. ''We therefore categorically reject the argument that a vendor
has a right under the Constitution or otherwise to send unwanted
material into the home of another.''
Odd forces have conspired to create paralysis in the government on the
matter of spam. Corporate marketers and Internet traditionalists have
found themselves in an accidental alliance. The marketers, particularly
the powerful Direct Marketing Association, have lobbied hard to preserve
their ability to send cheap messages to potential customers; ''self-
regulation'' has been the industry's watchword. And the Internet's
culture, too, lines up against government intervention. The word
''clueless'' might have been invented to describe legislators with an
urge to meddle in the high-tech arena. In cyberspace, policy and
rulemaking have come from the bottom up, and the benefits have been
spectacular. Time and again, the online world has behaved like a self-
healing organism, outwitting authorities who tried to impose structure
from above.
But cyberspace belongs to the world of human beings, who rely on laws to
discourage the worst behavior and to protect the powerless. The grass
roots have not solved the problem - - indeed anti-spam posses have often
caused trouble of their own, with blacklists that block mail from
legitimate sources. And even the Direct Marketing Association has come
to believe that spam hurts its members. ''I've got caught in the vicious
cycle,'' says Regina Brady, an e-mail marketing consultant who works
with the association. ''All of a sudden your e-mail address is spun out
into cyberspace. This is a real problem for legitimate marketers trying
to do the right thing.'' This fall, after fighting it for years, the
association came out in favor of federal anti-spam legislation in some
form.
Arguments about such legislation tend to focus on the issue of ''opt
in'' versus ''opt out.'' In opt-out schemes, which the marketers favor,
consumers have to take action to declare their unwillingness to receive
unsolicited bulk mail. If the system is opt-in, then marketers have to
be able to show that consumers have given their consent to receive
solicitations. The European Parliament recently voted to adopt opt-in
requirements, putting Europe far ahead of the United States in acting
against spam.
''The reason it happens with impunity right now is that in fact it's not
against the law,'' says James Love, director of the Consumer Project on
Technology, a Washington-based advocacy group. He says he believes that
making it possible to collect fines from spammers would change the
balance of power significantly. He also says that the international
nature of the problem need not be a barrier to effective action. ''Spam
should be a good test case for cross-border consumer protection, because
everybody thinks a spammer is lower than a sniper. Go into a treaty-type
mode, where you try to get everybody to agree, from Korea to China to
Turkey to Russia. You could build enormous pressure to comply with
this.''
As remote as an effective solution seems, the spam problem might not be
so intractable after all. The Telephone Consumer Protection Act of 1991
made it illegal to send unsolicited faxes; that law passed with strong
backing from manufacturers of fax machines. It should be extended to
include unsolicited bulk e-mail.
For free-speech reasons, any legislation should avoid considering e-
mail's content; trying to define key words like ''commercial'' and
''pornographic'' only leads to trouble. And it isn't necessary. For that
matter, even short of outlawing spam, two simple measures might be
enough to stem the tide:
1) Forging Internet headers should be made illegal. The system depends
on accurate information about senders and servers and relays; no one
needs a right to falsify this information.
2) Unsolicited bulk mail should carry a mandatory tag. That alone would
put consumers back in control; all the complex technological challenge
of identifying the spam would vanish.
We need to be able to say no. No, I'm not looking for a good time. No, I
don't want to ''e- mail millions of PayPal members.'' No, I don't want
an anatomy-enlargement kit. No, I don't want my share of the Nigerian
$25 million. I just want my in-box. It belongs to me, and I want it
back.
James Gleick often writes for the magazine about technology. His next
book, ''Isaac Newton,'' will be published in May.
----8<----
> Still, as evidence that spam is beginning to be considered a serious
> problem by mainstream users, it's worth skimming through.
I think it's pretty f'in far past a ``serious problem'' at this
point. What I don't understand is why no one is taking the initiative
to try and cure the disease (with a re-design of the SMTP) instead of
focusing on all these software band-aids.
A brief google didn't turn up much; there's this: http://news.spamcop.net/pipermail/spamcop-help/2001-October/016348.html _____________________________________________ tmda-users mailing list ([EMAIL PROTECTED]) http://tmda.net/lists/listinfo/tmda-users
