Spam

Articles about junk email and other mass, unsolicited annoyances.

Drastic Re-engineering to Stop Spam

Many people advocate solving the spam problem by discarding the current email infrastructure and replacing it with something new. This approach is gaining added attention. Bill Gates predicted an end to spam at the recent World Economic Forum. His solution features an electronic postage scheme, presumably based on the Penny Black technology currently being developed by Microsoft.

I think Gates is right that a massive re-engineering is necessary to stop spam, but I think he's looking through the wrong end of the binoculars. Most of the spam coming into our mailboxes today is the result of design flaws and implementation bugs in Microsoft products. If these flaws and vulnerabilities were remedied, the spam problem would drop to a fraction of the current levels.

The problem is that over the past year, virus writers and spam senders have begun pooling their efforts. Microsoft products have always been very susceptible to malware like viruses and worms. At one time this was a local problem. An infected system was a hazard primarily to the PC owner and his co-workers or friends. Now, spammers have discovered how to use malware to convert a PC into a high-volume spam transmitting platform. That has turned malware infection into a global problem, and the primary factor driving the current spam epidemic.

So when Bill Gates says we need to change the infrastructure he's right. But maybe he ought to look at fixing the defects in his own products before trying to remake the entire Internet to ameliorate those defects.

New Email Address Obfuscation Technique

In a recent article I discussed using Javascript to protect email addresses on web pages from harvesting by spammers. Most common techniques use Javascript to synthesize an address and insert it into the document. The article explained my concerns with that technique.

On Javascript Email Obfuscation

In a recent entry I discussed the "entity encoding obfuscation" technique to protect email addresses posted to web pages from spammers, and I demonstrated it is ineffective. So, the obvious question is, "What is effective?" Several people proposed techniques that employ Javascript. The methods they propose all appear effective, but I'm not enthusiastic about any of them.

And So It Begins

I knew once Congress passed the CAN-SPAM act it would only be a matter of time before the spammers responded. The response I expected would be for them to start sending new forms of spam. See, the problem is Congress didn't pass a law that outlawed spam. Instead, they passed one that legalized it and prescribed how spammers could go about doing it.

Tonight's spam load contained one with this paragraph:

It is not our intent to send unwanted mail. This e-Mail is sent under the Federal Regulatory Laws of the United States..If this message has reached you in error, and you wish to block further mailings, simply click BLOCK ADDRESS and send a blank message.

This spam appears to be completely compliant with the CAN-SPAM legislation.

I've got a feeling I'll be seeing a lot more of these this holiday season. Consider it a little gift from our elected legislators.

Popular Spam Protection Technique Doesn't Work

Spammers obtain their list of victims primarily by harvesting web pages. They use special address extraction software that will spider a site and extract all of the email addresses off its web pages. Entity encoded address obfuscation is one technique to protect your web pages against harvesting. It's popular and easy to do. Unfortunately, it doesn't work.

Reviewing S.877

Link: Substitute Version of S.877 (CAN-SPAM) (110KB PDF document)

C-Net is reporting that the U.S. House and Senate have reached a compromise on the CAN-SPAM act. The bill has passed the Senate and is now heading to a vote on the House floor--bypassing committee hearings. The bill is supported by all of the marketing special interests and opposed by all the anti-spam and consumer groups.

Bye Bye, Ma Bell

I just phoned SBC and asked them to terminate my phone service. Come Monday, I will be without wired phone service. Between cable Internet and cellular phone, it just wasn't being used for much. It was costing me about $35/month for this underused service. I can throw a small part of that at an upgraded cellular plan and pocket the rest.

You could say that SBC spam cost them a customer. The final straw that prompted the cancelation was their $5 late charges. My bill paying cycle is out of sync with their bill sending cycle, so I almost always got hit with the late charge. This irritated me greatly.

Some time back, I used their electronic billing and it worked great. I'd be notified when my bill was ready, and jump over to my bill paying service to schedule a payment. Then, however, they started spamming my email with the most ridiculous crap, like promotions for the San Antonio Spurs. I phoned corporate offices in Dallas, but they failed to stop the spam. I ultimately got it to stop by canceling the on-line billing service and having them purge my email address from their databases.

So I'm thinking that maybe if they hadn't misused my address for spamming, I probably still would be a customer. I would have still had the ebill service, I wouldn't have gotten slapped with the late charges and I wouldn't have gotten pissed off at them. (The business office person worked hard to keep my business, including offering to rebate a couple months' late charges.)

You know, at one time giving up your land line was a terribly heroic thing. I suspect you all are very blase about it all. I know I am.

Searching for a Domain Registrar

Google Keywords: domain registrar, Dotster, spam, stupid gits.

Although not the cheapest, I've been satisfied with Dotster as a domain registrar. Then, they decided to spam the tech contact of a recent registration with unwanted email saying, "You have the .ORG domain, now buy the .COM domain." Stupid gits. First, nowhere did I ask them to spam me with advertisements. Second, if I wanted the bloody domain in the first place, I would have registered it.

Apology to my Spam Victims

Last Friday was not a good day. 72,996 AOL users were spammed from my mail server. I'm not talking about one of those incidents where my domain was forged into spam sent from Korea. I'm talking full frontal stupidity: crappy code and lazy administration allowed a spammer to pirate my mail server. This may be the most embarrassing incident in my professional career.

Verisign Greed Breaks the Internet

Link: Verisign redirects error pages.

Verisign, the operator of the largest databases for Internet domains, has taken greed to a new level. This week, they implemented a new service to squat on domain typos, and cavalierly broke major Internet functions in the process. Their service, called Site Finder, redirects web queries for non-existent domains to a web site they manage. They will be able to make money by showing you advertising when you make an error typing in a URL. The change, however, creates significant havoc.

I've estimated my spam load will go up about 6.25% because of Verisign greed. Spammers can get into trouble if they forge a return address using a valid domain. So spammers often use an invalid domain in their return address. That's good news, because bogus domains are easily recognized and mail from them can be bounced as spam.

Verisign broke that. Now, when the mail server checks on a bogus domain, it no longer gets a "no such domain" response. Instead, the mail server gets a response saying the domain is valid, and it points to a Verisign mail server. This means the checks for forged domains no longer work, and all that spam that used to be bounced out of hand will now be accepted.

The Verisign change is going to create confusion for my users. Before, if they made a typo in the domain part of an email address, my mail server would intercept it and return an error. Now, the message is going to be passed along to a Verisign mail server, which is going to cause a misleading error. The user is going to be told the user does not exist, rather than the domain is invalid.

Verisign has shown continued arrogance and hubris in their management of the Domain Name System. Unfortunately, the organizations that oversee them have been ineffectual in their management. This time, however, they may have pushed too far. The Internet Software Consortium, which writes the software that runs most of the DNS, is preparing a new version that will filter out the bogus Verisign responses. I expect this will be deployed quickly, so that network operators can route around the damage created by Verisign.
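The sender-domain check described in this post, as an added example (not the author's code, and not the ISC filter): a toy resolver over a constructed zone shows the existence check passing a forged domain once a registry wildcard answers, and a variant that probes a random, unregistrable name in the same TLD to recognise the wildcard answer. The zone contents, the addresses (documentation ranges), the function names, and the reduction of the lookup to a single address are assumptions.

```python
import secrets

NXDOMAIN = None  # constructed convention: the resolver returns None for "no such domain"

# Constructed sample data: one registered domain, addresses from documentation ranges.
ZONE = {"example.com": "198.51.100.7"}
WILDCARD_ADDR = "192.0.2.1"   # stands in for the registry's catch-all server
FORGED = "offers@no-such-domain-zz.com"
REAL = "alice@example.com"

def make_resolver(zone, wildcard=None):
    """Toy resolver. With wildcard set, unregistered .com/.net names resolve to it."""
    def resolve(domain):
        domain = domain.lower().rstrip(".")
        if domain in zone:
            return zone[domain]
        if wildcard and domain.rsplit(".", 1)[-1] in ("com", "net"):
            return wildcard
        return NXDOMAIN
    return resolve

def naive_sender_check(resolve, sender):
    """Accept the sender if its domain resolves at all (the check the post relies on)."""
    domain = sender.rsplit("@", 1)[-1]
    return resolve(domain) is not NXDOMAIN

def wildcard_aware_sender_check(resolve, sender):
    """Also reject a domain whose answer equals the answer for a random name in its TLD."""
    domain = sender.rsplit("@", 1)[-1]
    answer = resolve(domain)
    if answer is NXDOMAIN:
        return False
    tld = domain.rsplit(".", 1)[-1]
    # A 32-hex-digit label is not a registered domain; any answer is a wildcard.
    probe_answer = resolve(f"{secrets.token_hex(16)}.{tld}")
    return probe_answer is NXDOMAIN or answer != probe_answer

def compare():
    """Return (before, after, hardened) verdicts for the forged sender."""
    before = make_resolver(ZONE)
    after = make_resolver(ZONE, wildcard=WILDCARD_ADDR)
    return (naive_sender_check(before, FORGED),
            naive_sender_check(after, FORGED),
            wildcard_aware_sender_check(after, FORGED))

if __name__ == "__main__":
    print(compare())
```
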
