One of my pet peeves is the headline "n %" of email is spam, it is inherently misleading, and conveys no useful data. I guess it makes for great newspaper headlines then! On our servers looking at one email address for 4 hours, we saw 208 attempted connections for SMTP traffic referring to this email address. ...One can't measure spam in relation to the amount of genuine email, because the amount of genuine email is not connected to the amount of spam...
You may have read reports that the total amount of spam is on the decline. Don't believe them. In the month of October, I saw the amount of spam in my traps here roughly double, from about 50,000 per day to 100,000/day now. In conversations with managers at both ISPs and corporate networks, I'm hearing the same thing.
Apparently, at this stage, it is only a proposed ruling. But I am no lawyer. This story has been discussed before, when Spamhaus, which is located in the UK, was sued in the US by a spammer. They refused to come before the court as "they do no business in Illinois, and are located in the UK...After this court ruling, Spamhaus.org was under a DDoS attack, in my opinion for the purpose of preventing users from reaching the information it provided about the court ruling. This was done along-side a Joe Job, sending fake email appearing to come from Spamhaus's CEO...
The IETF DKIM working group has been making considerable progress, and now has a close-to-final draft. DKIM will let domains sign their mail so if you get a message from [email protected], the furble.net mail system can sign it so you can be sure it really truly is from furble.net. But unless you already happen to be familiar with furble.net, this doesn't give you any help deciding whether you want the message. This is where the new Domain Assurance Council (DAC) comes in...
Another paper from the Fifth Workshop on the Economics of Information Security, (WEIS 2006) is Proof of Work can Work by Debin Liu and L, Jean Camp of Indiana University. Proof of work (p-o-w) systems are a variation on e-postage that uses computation rather than money. A mail sender solves a lengthy computational problem and presents the result with the message. The problem takes long enough that the sender can only do a modest number per time period, and so cannot send a lot of messages, thereby preventing spamming. But on a net full of zombies, proof of work doesn't work.
Today we received one of the first phish attempts to be made as a web spam (comment spam/blog spam) attempt. I wasn't convinced, and thought that perhaps it was a way to gather and verify RELEVANT online identities. Someone put me straight. It's phishing. I've often in the past had run-ins with the good folks in the anti virus realm back between 1996 and 2005 who thought Trojan horses and then spyware were not part of their business. Years later the AV business people ruled it is part of their business and ran to catch up. Same with botnets.
On Monday the 3rd, California state Senator Dean Flores held a hearing of the E-Commerce, Wireless Technology, and Consumer Driven Programming committee grandly titled AOL: You Have Certified Mail, Will Paid E-mail Lead to Separate, Unequal Systems or is it the Foolproof Answer to Spam?. The senator's office said they were very eager to have me there, to the extent they offered to fly me out from New York, so since I happened to be on the way home from ICANN in New Zealand that weekend, I took a detour through Sacramento. Sen. Florez conducted the hearing, with Sens. Escutia and Torlakson sitting in briefly. Unfortunately, Sen. Bowen, who is very well informed on these topics, wasn't there. There were five panels of speakers, and I got to lead off...
Paul McNamara quotes me extensively in this piece on the EFF protest of Goodmail. When I say "the EFF has lost its mind", i really mean "the EFF has lost its way". In the early days, the EFF was about preventing the government from ruining the Internet commons, and preventing the government from putting walls on the frontier. These days, the EFF is more about preventing companies who have no power to regulate from doing things the EFF doesn't like. That is a huge change, and one that makes the EFF much less worthy of support...
There's a lot of argument as to which "anti-spam" techniques are legitimately so called. In this article, I'd like to consider what constitutes an anti-spam technique in an ideal sense, then consider the various practiced approaches to spam mitigation in that light, drawing conclusions as to how we should frame the "anti-spam" discussion. ...For the purposes of this discussion, let "spam" refer to "unsolicited bulk email". Not everyone agrees on this definition, but it's by far the most widely accepted, and without a working definition we won't be able to define "anti-spam"...
Back in the days of dial-up modems and transfer speeds measured in hundreds of bits per second, unwanted email messages were actually felt as a significant dent in our personal pocketbooks. As increases in transfer speeds outpaced increases in spam traffic, the hundreds of unwanted emails we received per week became more of a nuisance than a serious financial threat. Today sophisticated spam filters offered by all major email providers keep us from seeing hundreds of unwanted emails on a daily basis, and relatively infrequently allow unwanted messages to reach our coveted Inboxes. So, to some degree, the spam problem has been mitigated. But this "mitigation" requires multiple layers of protection and enormous amounts of continually-applied effort.