August 17, 2008
wow, the spammers have found me on Skype
I had no idea I had a long lost missing relative with millions in the UAE.
FROM: NADEEM AHMED BUSHERI.
Compliments of the day to you. I have tried to reach you on Skype phone, but your line was busy, so I decided to write you this message. I have been in search of someone with this last name "TOBIAS", so when I saw you online, I was pushed to contact you and see how best we can assist each other. I am Nadeem Ahmed Busheri, a Bank Officer here in U. A. E. I believe it is the wish of God for me to come across you now. I am having an important business discussion I wish to share with you which I believe will interest you, because it is in connection with your last name and you are going to benefit from it.
One Late Peter TOBIAS, a citizen of your country had a fixed deposit with my bank in 2004 for 36 calendar months, valued at US$18,400,000.00 (Eighteen Million, Four Hundred Thousand US Dollars) the due date for this deposit contract was last 16 of October 2007. Sadly Peter was among the death victims in the May 26 2006 Earthquake disaster in Jawa, Indonesia that killed over 5,000 people. He was in Indonesia on a business trip and that was how he met his end. My bank management is yet to know about his death, I knew about it because he was my friend and I am his account officer. Peter did not mention any Next of Kin/ Heir when the account was opened, and he was not married and no children. Last week my Bank Management requested that Peter should give instructions on what to do about his funds, if to renew the contract. I know this will happen and that is why I have been looking for a means to handle the situation, because if my Bank Directors happens to know that Peter is dead and do not have any Heir, they will take the funds for their personal use, so I don't want such to happen. That was why when I saw your last name I was happy and I am now seeking your co-operation to present you as Next of Kin/ Heir to the account, since you have the same last name with him and my bank head quarters will release the account to you. There is no risk involved; the transaction will be executed under a legitimate arrangement that will protect you from any breach of law.
It is better that we claim the money, than allowing the Bank Directors to take it, they are rich already. I am not a greedy person, so I am suggesting we share the funds equal, 50/50% to both parties, my share will assist me to start my own company which has been my dream. Let me know your mind on this and please do treat this information as TOP SECRET. We shall go over the details once I receive your urgent response strictly through my personal email address, aBusheri@gmail.com
We can as well discuss this on phone; let me know when you will be available to speak with me on Skype. Have a nice day and God bless. Anticipating your communication.
Nadeem Ahmed Busheri.
June 23, 2008
thanks Robert, importing Thunderbird to Outlook 2007 under Vista
for the easiest guide to converting Thunderbird to Outlook mail. Back on Outlook. Thunderbird doesn't make the change back easy. The only change I have to the process is that under Vista no more Outlook Express. You have to use Windows Live Mail. In Windows Live Mail, drag and drop all the .EML files converted from Thunderbird then do "Export to Exchange". Then open Outlook and open the .pst that is created, copy messages in. Pretty stupid that you have to pull the mail through Windows Live Mail to get to Outlook, but that is MS for you.
December 6, 2006
Bill still hasn't solved spam
Frequent readers know I am on the board of directors of Cloudmark, the leading anti-spam company. Today this story: You've got spam -- more of it than ever reminded me that the problem hasn't gone away. In fact as the article points out in the last couple of weeks it has gotten much worse. Thankfully Cloudmark has kept up and only a couple sneak through. I run both the Exchange Edition and the Desktop to filter both my Exchange and POP3 mail. If you have seen your filter falter under the most recent crush, upgrade to Cloudmark!
April 24, 2006
Verizon anti-spam a mess
Ok, I am an investor in Cloudmark, so I am biased, but I have always believed that white and black lists simply don't work at scale and Verizon's new system is showing that in spades: Slashdot | Verizon's Aggressive New Spam Filter Causing Problems. The real problem is that as spam filtering goes deeper into the network and in fact sucks, users will start missing mails and not even know it. I see a huge user back-lash coming.
April 11, 2005
new pew study shows some numbness to spam
A new Pew study: komo news | Have We Surrendered To Spam? shows a certain numbness to spam. The number of people who trust mail less or are "bothered" by spam has flattened out. That doesn't mean it is any less of a problem, just that we are used to it. I am glad to see the number of people "trusting" mail flatten out. It would be a serious blow to the whole internet economy if a material number of people stopped trusting mail.
March 27, 2005
Phishing up to 33 million per week
Ouch...Linux News: Business : Phishing Attacks Number 33 Million Each Week. Have you been sucked in? This is the #1 threat to e-mail today. If you can't trust it, why? I posted earlier that Gartner predicted a meaningful fall off in on-line e-commerce due to spam. This is before phishing. I will be quite interested in the e-commerce numbers this summer after we have had a substantial flood of phishing. I expect them to still be up, but I also expect to see a meaningful haircut on the growth numbers and a meaningful number of people more nervous about e-mail based transactions.
February 26, 2005
False Positives at Verizon
False positives have always been the real gotcha with most spam solutions. When valid e-mails get stopped, everyone is pissed. I would rather receive more spam than not receive an important mail. Now it looks like Verizon has the problem. They should call Cloudmark.
February 19, 2005
Installing MTBlacklist again
Installing Jay Allen's excellent plugin: MT-Blacklist - A Movable Type Anti-spam Plugin again. When I upgraded to MT 3.1, I turned on comment authentication with typekey and that pretty much stopped comment spam. But now the spammers have moved over to Trackback Spam and I am getting hit with 30-50 a day. Time for a solution. Too bad Blacklist is just a blacklist. Would be nice if there were some logic like is available in Cloudmark for e-mail. You could do the same spam DNA on trackback spam. The standard stuff in MT of IP blocking doesn't work because they change the IP address every time. But logic around the offer and the URL should catch most of them. Most of them are about poker. Die trackback spam, Die!
February 9, 2005
80% of mobile users have received SPAM
Mobile Pipeline | 80% Have Received Mobile Spam, Survey Finds. The article doesn't say if it is SMS spam or e-mail Spam. I wouldn't doubt it if it was e-mail accessed on a mobile since all e-mail receives a lot of spam. But SPIM (SMS) is much smaller today. You need to pay for an SMS message and go through one of a few regulated gateways to the wireless networks, so I doubt this was SMS.
February 7, 2005
Spam costs $21.58B in productivity in 2004
InformationWeek > Cost Of Spam > Spam Costs Billions > February 3, 2005 A year after Can-Spam, the cost is still in the billions. Repeal Can-Spam and let the technology companies do their jobs!
January 16, 2005
New Microsoft Anti-Spyware conflicts with Dantz backup
I have been running Webroot SpySweeper, the best anti-spyware program out there. But when Microsoft launched Microsoft Windows AntiSpyware (Beta) Home I had to give free a try. This is just the rebranded version of the software Microsoft bought earlier this year. It seems that they didn't bother to do much compatibility testing.
I installed it on both my laptop and my desktop at home. On the desktop computer I run Dantz backup. The laptop and other computers on my LAN have the client software on them. I did not install msSpyware on my wife's Dell laptop. I have a back-up script that runs every night around 2:00am and backs up all the computers on the network to a spare hard drive. After two days I checked the back-up status and noticed that my laptop wasn't being backed up. There were "not sufficient permission" errors and "Can't find back-up client" errors. In Windows the two computers can see each other and share common drives. The only thing I changed was adding MS Spyware. Of course the behavior of Dantz could look like spyware. But I didn't even get a message like "program Dantz is trying to access the hard drive". I removed the MS Spyware from the laptop thinking that it was preventing the back-up program from attaching. The script still failed. So I turned off spyware on the main desktop computer. The script ran just fine. So MS Spyware was not allowing the main back-up machine to reach out and attach to the back-up client and copy down files. Again no message. You would think it would be smart enough to tell the difference between a back-up program and spyware. Bye Bye Msft anti-spyware until you figure this out!
January 5, 2005
Spam King Wallace to cease and desist
DJC.COM: News from AP for the time being until the feds prosecute him. I wonder since he is the "king" if we will notice any measurable reduction with him out of service. I doubt it.
December 28, 2004
ten things you should know about Can-Spam
Thanks Lockergnome for this handy short cut to the important things. 10 Things You Should Know About CAN-SPAM - Reported by Aunty Spam's Net Patrol What it doesn't say though is that the law totally doesn't work, hasn't worked, and won't work. I read today that in 2005 Spam is going to be over 90% of internet e-mail traffic. When the "legitimate" e-mail traffic is SINGLE DIGITS, you would think that people might get off their arses and install CloudMark.
December 21, 2004
MSDN gets hit with comment spam
Microsoft Bloggers Face Search Spam Pinch. Apparently Microsoft has over 1,200 bloggers on their own platform and have a spam problem. Their solution was typical Microsoft: disable comments across the board. I guess I better install the MT upgrade to give my server a break.
Mobile spam outpaces desktop in Korea...
Coming to a phone near you. The Korea Times : Mobile Spam Outnumbers Desktop's. This is coming to America. I already get the stuff.
Judge throws out Guilty Plea in Spam case
This one is surprising: MercuryNews.com | 12/21/2004 | Guilty plea rejected in AOL spam case The AOL employee who stole those 92 million e-mail addresses from AOL last year tried to plead guilty and the judge wouldn't let him. The judge isn't sure the guy violated the Can-Spam act. Hey judge, didn't he violate anything?
December 20, 2004
MT comment spam
I see that MT has hired Jay Allen, the original comment anti-spam king as a product manager. Good job! His latest post about the subject, though Movable Type Publishing Platform: Comment spam load issue is totally lacking in practicality. He suggests that the solution to comment spam is dynamic templates. That is also the road to a low Google page rank. Google can't index dynamically generated pages well. The whole purpose of a blog (search) is hosed. Come on guys, find another solution.
December 19, 2004
FTC ruling in all the gory details
If you prefer reading the original FTC ruling in all its federal government glory, the original source document is here.
Would not recommend it without at least a double tall latte.
FTC issues final definitions and guidelines of SPAM under Can-Spam
Nothing like an efficient government. Nearly a year after the law went into "effect", the FTC has finally gotten around to issuing guidelines and operational details with which some kind of real regulation may be implemented. I don't think this work will effectively reduce the flood of spam either. But here it is:
FTC Issues Final Rule Defining What Constitutes a “Commercial Electronic Mail Message”
Notice Includes Criteria For Determining the “Primary Purpose” of an E-Mail Message
The Federal Trade Commission today issued final regulations to facilitate the determination of whether an e-mail message has a commercial primary purpose and is subject to the provisions of the CAN-SPAM Act. The CAN-SPAM Act, which took effect January 1, 2004, requires the Commission to issue regulations “defining the relevant criteria to facilitate the determination of the primary purpose of an electronic mail message.” The FTC published a Federal Register notice of proposed rulemaking (NPRM) on August 13, 2004, seeking public comment on its proposed primary purpose criteria. The NPRM followed an Advance Notice of Proposed Rulemaking, issued on March 11, 2004, on this and other related issues raised by the CAN-SPAM Act.
As detailed in the Federal Register notice, which will be published shortly and can be found on the Commission’s Web site as a link to this press release, the final Rule is substantially similar to the proposal contained in the NPRM, but adds a criterion for determining the primary purpose of an e-mail message containing only “transactional or relationship” content, among other minor changes. The CAN-SPAM Act regulates both commercial messages and transactional or relationship messages. The notice makes clear that the Commission does not intend to regulate non-commercial speech through the Rule. The notice also addresses public comments received about the constitutionality of the CAN-SPAM Act, as well as of the FTC’s “primary purpose” criteria.
The final Rule sets forth criteria for determining the primary purpose of various kinds of e-mail messages. These include:
- For e-mail messages that contain only the commercial advertisement or promotion of a commercial product or service (“commercial content”), the primary purpose of the message will be deemed to be commercial;
- For e-mail messages that contain both commercial content and “transactional or relationship” content as set forth in the Act’s definition of “transactional or relationship message” and in the final Rule, the primary purpose of the message will be deemed to be commercial if either: 1) a recipient reasonably interpreting the subject line of the e-mail would likely conclude that the message contains commercial content; or 2) the e-mail’s “transactional or relationship” content does not appear in whole or substantial part at the beginning of the body of the message;
- For e-mail messages that contain both commercial content and content that is neither “commercial” nor “transactional or relationship,” the primary purpose of the message will be deemed to be commercial if either: 1) a recipient reasonably interpreting the subject line of the message would likely conclude that the message contains commercial content; or 2) a recipient reasonably interpreting the body of the message would likely conclude that the primary purpose of the message is commercial. Factors relevant to this interpretation include the placement of commercial content in whole or in substantial part at the beginning of the body of the message; the proportion of the message dedicated to commercial content; and how color, graphics, type size, and style are used to highlight commercial content; and
- For e-mail messages that contain only “transactional or relationship” content, the message will be deemed to have a “transactional or relationship” primary purpose.
Finally, the final Rule incorporates the “Sexually Explicit Labeling Rule” as promulgated in April 2004. The Commission vote approving publication of the Federal Register notice was 4-0-1, with Commissioner Jon Leibowitz not participating.
Copies of the Federal Register notice are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
ouch $1B has gotta hurt
Well it seems that the courts may be making progress against spammers Judge Awards $1 Billion in Spam Lawsuit. Of course there is no way that the plaintiff will ever recover $1B from the spammers, but it is a good start. Yet the courts are a one step forward, one step back story. In the same week, a judge in MD declares that state's spam law unconstitutional on the grounds that it tries to regulate interstate commerce (which is solely a federal job).
December 6, 2004
PopFile spam survey
The guys over at PopFile have been fighting the good fight with opensource for some time. Just took their little survey today Spam Filtering Survey - Page 1. It takes about 15 minutes and helps them improve their product. You even get to be a spam filter yourself and sort mail. Only if you are really bored though...
November 23, 2004
Phishing up 5X in last 5 months
I noted earlier in the year that phishing was the fastest growing category of spam and predicted it would continue to grow rapidly. Now a new study out of the UK Phishing leaps fivefold as banks fall prey to attacks - vnunet.com confirms the growth is even beyond what I had predicted.
Never fear, Cloudmark has a solution in their new "Safety Bar". The new version of Cloudmark's client has anti-fraud (phishing) built in.
November 22, 2004
Gates says Spam is done in two years
Recently in Madrid, Gates suggested that he will eliminate SPAM in 2 years. Tom's Hardware Guide: Tom's Hard News. This sounds a bit like a lengthening out of the date he originally gave. Is Gates a flip-flopper?
Yahoo launches DomainKeys with Earthlink
InformationWeek > Security > Yahoo Aims Crypto App At Spam > November 22, 2004. I am incredibly skeptical of these efforts. When you have to change the fundamental transport layer and get everyone sending mail to abide by your standard in order to receive protection, it is a non-starter. And does Yahoo have the chops to drive an e-mail standard? Well they do run more mailboxes than anyone on the planet, but they are not a software company and have not been big standards drivers in the past. It will be interesting. But I predict failure of DomainKeys.
November 18, 2004
Think you have a SPAM problem?
Bill Gates gets 4M spam a day. Ouch. The last part from Ballmer saying that the Microsoft developed spam filters get "all but about 10 per day" I don't believe. We have tested their stuff and it is at best 60% effective. That would leave about 1.6M spam a day in his inbox.
Spam % of all mail nears 90%
CNN reports today in Security firm says holiday spam and phishing to increase - Nov. 17, 2004 that in October 87% of the e-mail through FrontBridge was SPAM. I expect it to go over 90% in December as the holidaze approach. Have you installed Cloudmark yet?
November 2, 2004
Got my first Skype Spam
I run Skype all the time now for internet telephony. Skype comes with a built-in IM client. Got my first Skype Spam today advertising a radio station on Live365. I get requests all the time (maybe 4 a day) to add someone as a "contact" on Skype. I don't know any of these people. They are just trolling. It looks like Skype is going the way of ICQ. Bummer.
November 1, 2004
The SPIM lawsuits are starting
seattlepi.com Microsoft Blog: Microsoft's 'spim' suit. Expect them to have the same effect as the spam lawsuits. Nothing.
October 27, 2004
Can I say I toldja so that IETF won't solve SPAM?
Internet Week > Anti-Spam > IETF Disbands Anti-Spam Working Group > September 23, 2004. Too many cooks in the kitchen. Too multifaceted a problem. Just install Cloudmark.
October 20, 2004
Just when you thought it was safe to blog with the new MT version and registered commenters, the bastards have gotten smarter. I am now receiving five to seven track-back spams a day. It is actually a pretty clever form of spam. They use track-back to link their site to your entries. The comment filters don't work for track-backs. Looks like MT has more work to do....
McAfee gets into hosted e-mail market
With the success of Postini and other outsourced e-mail filtering companies, the big guys are getting in. McAfee unveils new email spam filtering service. I expect Symantec to join soon. And I expect these services to be successful.
September 22, 2004
Can Spam compliant e-mail causes Malicious code attack
The Register is reporting that a CanSpam compliant e-mail is circulating with the obligatory "unsubscribe here" link. But click that link and you launch some malicious code on your machine. Remember that the spammer and virus writer's primary goal is to get you to click on a link. Any link. Even a mis-named link. This is further proof that legal solutions specifying the format of e-mail will not work - they can be gamed. Good thing Cloudmark just raised $11M...
September 17, 2004
Fox watching the spam henhouse
The Gripe Line Weblog by Ed Foster reports on how the Direct Marketing Association (DMA) is "helping" fight the spammers. Aren't most of them members? Does this bother you? Do you think it will be effective? Yea I thought so.
September 16, 2004
The universal spam solution critique...
Saw this on Slashdot again today applied to the FTC idea to put out a bounty on Spammers. Use the checklist for each new idea you hear. Fun AND useful.
Your company advocates a
( ) technical ( ) legislative ( ) market-based (x) vigilante
approach to fighting spam. Your idea will not work. Here is why it won’t work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
(x) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we’ll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don’t care about invalid addresses in their lists
(x) Anyone could anonymously destroy anyone else’s career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(x) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Jurisdictional problems
(x) Unpopularity of weird new taxes
(x) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(x) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Extreme stupidity on the part of people who do business with Microsoft
( ) Extreme stupidity on the part of people who do business with Yahoo
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don’t want the government reading my email
(x) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don’t think it would work.
(x) This is a stupid idea, and you’re a stupid company for suggesting it.
( ) Nice try, assh0le! I’m going to find out where you live and burn your house down!
September 14, 2004
MSft Sender ID rejected by IETF
The Register reports that IETF has bounced Msft's Sender ID proposal. The reason is intermingling of Msft patents. The industry standards board is loath to endorse anything that requires licensing from Microsoft. Msft again shoots itself in the foot. When Sender ID was announced, I predicted this kind of issue with it, msft using anti-spam as an excuse to drive an Exchange upgrade cycle. Now the IETF has let everyone else know. I still wouldn't call it dead though, Msft has a long history of getting its way. But the road won't be easy...
August 23, 2004
IBM research readies SpamGuru for Lotus
Well the world of spam fighting is now complete. IBM Research - Anti-Spam Filtering has joined the party. I believe IBM has a better record of moving things from Research to product than Microsoft does, but the history of these kinds of moves is not good. What works in the academic lab doesn't hold up in the real world very well. Why wait for this in Lotus when you can buy a Cloudmark plug-in for Lotus today?
August 18, 2004
Lone programmer introduces private e-mail service
PRESS RELEASE: David Did What Goliath Didn't -- He Stopped Spam. Well the self-released press release is a little misleading and self-serving, but this guy has put up a very simple version of what many people are looking for. A post office monitored e-mail system. Basically you have client software which checks for and applies a "stamp" from the central server. The system only hands out stamps at a certain rate, so if you are a spammer and trying to send lots, the server won't give them to you. You can set your e-mail client to only accept "stamped" mail. There are of course ways to game this system, and while he talks about it as an "open" system, in the end it is another walled garden. But some version of this "1st class mail" will get traction. The key is how to deal with exceptions and people outside your walled garden who you want to get in. Exactly the same problem as white lists.
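The stamp scheme described above, sketched as an added example (not the service's actual code or protocol): a hypothetical `StampServer` hands out HMAC-signed stamps from a per-sender token bucket, and the recipient accepts only mail whose stamp verifies. The class and function names, the stamp format and the 20-per-hour limit are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time


class FakeClock:
    """Settable clock so the rate limit can be exercised deterministically."""

    def __init__(self, t=1_000_000.0):
        self.t = t

    def __call__(self):
        return self.t


class StampServer:
    """Hypothetical central 'post office' that issues stamps at a capped rate."""

    def __init__(self, secret, stamps_per_hour, clock=time.time):
        self._secret = secret
        self._capacity = float(stamps_per_hour)
        self._refill_per_sec = stamps_per_hour / 3600.0
        self._clock = clock
        self._buckets = {}  # sender -> (tokens left, time of last update)

    def _take_token(self, sender):
        # Token bucket: refill in proportion to elapsed time, capped at capacity.
        now = self._clock()
        tokens, last = self._buckets.get(sender, (self._capacity, now))
        tokens = min(self._capacity, tokens + (now - last) * self._refill_per_sec)
        allowed = tokens >= 1.0
        self._buckets[sender] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def _mac(self, sender, recipient, body, issued):
        # Bind the stamp to sender, recipient and body so it cannot be moved
        # onto another message. JSON gives an unambiguous field encoding.
        digest = hashlib.sha256(body).hexdigest()
        fields = json.dumps([sender, recipient, digest, issued]).encode()
        return hmac.new(self._secret, fields, hashlib.sha256).hexdigest()

    def issue(self, sender, recipient, body):
        """Return a stamp string, or None when the sender is over its rate."""
        if not self._take_token(sender):
            return None
        issued = int(self._clock())
        return f"{issued}:{self._mac(sender, recipient, body, issued)}"

    def verify(self, stamp, sender, recipient, body, max_age=86400):
        """Check a stamp on behalf of a receiving client."""
        try:
            issued_text, mac = stamp.split(":", 1)
            issued = int(issued_text)
        except (AttributeError, ValueError):
            return False
        if self._clock() - issued > max_age:
            return False
        expected = self._mac(sender, recipient, body, issued)
        return hmac.compare_digest(mac, expected)


def accept(server, message):
    """Recipient policy from the post: accept only mail with a valid stamp."""
    stamp = message.get("stamp")
    if stamp is None:
        return False
    return server.verify(stamp, message["from"], message["to"], message["body"])


def demo():
    """Constructed scenario: a bulk sender, a normal sender, an outsider."""
    clock = FakeClock()
    server = StampServer(b"constructed-demo-key", stamps_per_hour=20, clock=clock)

    # Bulk sender asks for 500 stamps in one burst; only the bucket's worth issue.
    bulk = [server.issue("bulk@sender.example", f"user{i}@rcpt.example", b"offer")
            for i in range(500)]
    stamped_bulk = sum(s is not None for s in bulk)

    # Normal sender: one message, one stamp, accepted by the recipient.
    body = b"lunch on friday?"
    stamp = server.issue("alice@sender.example", "bob@rcpt.example", body)
    good = {"from": "alice@sender.example", "to": "bob@rcpt.example",
            "body": body, "stamp": stamp}

    # The same stamp copied onto a message for a different recipient fails.
    moved = dict(good, to="carol@rcpt.example")

    # Mail from outside the system has no stamp: the exception problem the
    # post compares to white lists.
    outsider = {"from": "dave@elsewhere.example", "to": "bob@rcpt.example",
                "body": b"hello", "stamp": None}

    return {
        "bulk_stamped": stamped_bulk,
        "normal_accepted": accept(server, good),
        "moved_stamp_accepted": accept(server, moved),
        "outsider_accepted": accept(server, outsider),
    }


if __name__ == "__main__":
    print(demo())
```

The unstamped outsider is rejected along with the spam, which is the exception-handling problem the post compares to white lists.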
August 17, 2004
FCC tries its hand regulating SPAM on phones
The FCC has tried a new rule to combat mobile spam. I would guess that they have more leverage over that (relatively) closed network than the internet in general. In mobile, there are fewer entry points into the network and therefore more control. There are always ways in and around though. And I also see that legitimate players like SOHU can still run afoul of the laws.
August 16, 2004
New Consumer Reports article on how ineffective CanSpam is
Bradenton Herald | 08/15/2004 | Consumers: CAN-SPAM act no help. When do consumers hold politicians accountable? I know everyone in DC voted for the thing because they wanted to pass something that they thought their constituents wanted (and they did), but what happens when their solution doesn't work? Will the electorate hold them accountable? Spam legislation isn't typically a voting issue in an election, but maybe it should be. If they can't pass effective laws around something like Spam, what makes you think they are doing a good job in other areas?
Make sure you keep that Cloudmark software active.
August 4, 2004
AOL buys MailBlocks
Reuters.com reported today that AOL bought MailBlocks a challenge response anti spam company. I don't really understand this as it is only one (not very effective) technique. Unless AOL plans on buying a bunch. Or if they got a steal of a deal. Which is probably the case as no price was announced and MailBlocks was a small company anyway. The consolidation continues.
July 28, 2004
These people should be shot
A new study shows some people actually like spam. It says 20% of the respondents bought something on SPAM and 30% responded. These numbers seem high. In any case SPAM is a supply/demand game. Reducing demand is a very effective tactic. But this study seems to say it is going the other way. Who are these morons?
July 26, 2004
Cisco engineers come up with an anti-spam proposal
Cisco guys Michael Thomas and Jim Fenton have released to the IETF a mail header verification scheme that speculators believe is being worked into Cisco routers. It looks at first blush like a PGP based version of SPF. Verify the sender with PGP. Nothing new here. But incompatible with the current industry efforts. You would expect that from Cisco, try to keep the lock-in to their gear.
July 1, 2004
Cloudmark saves me from getting hooked!
Opening my mail this morning, for a moment I saw a very official looking mail from US Bank with the title "U.S. Bank regular verification! [Fri, 02 Jul 2004 22:12:31 +0600]". Sounds official huh? But just as quickly as I saw it in my inbox, it disappeared. Huh I sayz, that looked official, I bet Cloudmark made a mistake. So I go to the Spam folder and look at it. Now I used to have an account there but haven't used it in a couple of years, so that should have been my first clue. No, this mail wanted me to click on a link to "verify my information". The exact wording is: "As the Technical service of bank have been currently updating the software, we kindly ask you to follow the reference given below and confirm your data, otherwise your access to the system may be blocked." The poor grammar was a clue. Total Phishing! Cloudmark caught it and put it where it belongs. Thanks Cloudmark! Did your Spam filter catch it?
June 6, 2004
Spam becoming Mafia activity
The UK is ground Zero for phishing scams. Now they are seeing the Russian and Chinese Mafia enter since so much money is at stake. I recently read a study showing over 2M Americans have actually fallen victims to these frauds and handed over personal financial information. The success rate of these mails is greater than any other direct marketing. Because they look real! This is a true threat to e-commerce as we know it. A recent PEW study already shows that 30% of their respondents are using e-mail less due to these fraudulent e-mails. It is time for anyone with any business on the net to take notice.
June 2, 2004
McAfee is granted spam patent
Tom's Hardware Guide: Tom's Hard News is reporting on McAfee being granted a spam process patent that they applied for in Dec of 2003. I gotta believe there is prior art. Well, here come the lawyers.
May 25, 2004
SPF embracing Microsoft Sender
On mengwong's site he announces his integration of Microsoft Sender Policy thingy into "new SPF". Trying to stay relevant. There is still a VERY long way to go for anyone to change the e-mail standard in a generally accepted way. Don't look for agreement any time soon.
May 20, 2004
Spam Phisher Fries!
A 20-year-old Texas man has been convicted of “phishing”, and sentenced to 4 years.
Zachary Hill was found guilty of sending email which appeared to be from PayPal and AOL, telling his targets that they needed to provide credit card and bank account numbers or their accounts “would be cancelled”.
Did it work? Apparently to the tune of at least $50,000!
Was it worth it? Well, at $12,500 per year, before attorneys' fees, if it was worth it to him, he’s probably going to be experiencing a better standard of living for the next four years than he’s used to.
[The Spam Weblog]
May 18, 2004
Spam this guy
This guy wants to do a Gmail Spam Test to see how quickly you can fill up 1 gig. I just sent him a 112mb file. I bet they have restrictions on attachment size, but it should be fun. Spam this guy, he needs it.
Review of free vs commercial Linux Spam solutions on server
This article, Fighting Spam and Viruses at the Server, Part V: The Linux Edition, is part of a series done by these reporters that actually does a good job reviewing at a high level the different approaches to server side spam fighting, and comparing what you get with free versus commercial products. A good place to start for Linux solutions.
Frontbridge releases top 10 spams for April
FrontBridge Technologies Exposes April's Most Abused Spam Subject Headlines. A surprising 80% of mail they filter is spam! Phishing scams are the fastest growing sector of spam.
May 13, 2004
The other side of SPAM filters
These guys: MarketingSherpa.com : Practical News & Case Studies on Internet Advertising, Marketing & PR have had a surprising number of good articles lately. This one is about 5 tactics MyPoints uses to get their e-mail promotions through filters to their 10M subscribers. Very practical tactics if you are doing such campaigns. In the end, I believe that e-mail publishers will have to subscribe to various trust authorities like Cloudmark's Rating system to get through. Simple message format and content tricks won't be enough.
May 12, 2004
FTC settles two anti-spam suits for $122,500
Humm, out-law.com is reporting that the FTC has settled cases against two spammers who allegedly used spam to trick recipients into accessing sexually explicit materials. These messages didn't conform to the CAN-SPAM criteria. There was no sign-off ability. This looks to me like one of the first settlements. I wonder if they will actually pay or if the judgement just goes against the people and there aren't any assets to go after.
May 7, 2004
some articles on SPAM arrests
Computer Crimes Unit makes first arrests, Dec 11, 2003
FTC announces Second CAN-SPAM case
FTC announces First CAN-SPAM case April 29, 2004
Text of the CAN-SPAM law, Jan 1, 2004
SpamLaws.com links to all international spam laws.
12 caught for Phishing in England, May 5, 2004
Gartner Zinger on impact of Phishing schemes
From the above mentioned report out this week:
Gartner believes that the double-digit expansion of U.S. e-commerce will slow down unless service providers adequately address consumer security concerns. A future Gartner note will outline emerging antiphishing solutions, ranging from digitally signed e-mail to managed antiphishing services. Without the implementation of phishing antidotes, consumer trust will further erode and annual U.S. e-commerce growth will slow to 10 percent or less by 2007 (0.6 probability).
Wow. I think that is a bit aggressive, but it certainly gets your attention doesn't it? Consumer confidence eroded by Phishing scams and other problems results in a material drop in overall on-line commerce growth. Certainly a good way to scare your clients into calling you.
Gartner notes increase in E-Mail Phishing
Gartner Study Finds Significant Increase in E-Mail Phishing Attacks. Cost to credit card issuers estimated at $1.2B in 2003. 57M Americans have likely received them. They are getting more sophisticated. Spam isn't just for penis enlargement anymore.
May 6, 2004
Cloudmark Wins PC World!
PC World has just completed a review of spam fighting tools and gave Cloudmark the nod on accuracy and false positives. Good job guys!
May 5, 2004
Ironport and Msft not a big deal
This announcement today: Microsoft taps IronPort in spam fight | CNET News.com at first blush sounds like a big deal. Of course it does because the start-up Ironport wrote the press release. But dig deeper...
According to my Microsoft contacts, Microsoft has been testing Bonded Sender for “quite awhile” and just now are getting around to endorsing it. Bonded sender is basically a white list with a lot of “trusted” third parties and policies behind it. They will add the “bonded sender” rating into their decision tree at MSN and Hotmail when determining “spammieness” of a mail. It is just one more data point that Microsoft is saying they will trust. Good PR for Ironport. No money for them. No guarantee their “bonded” mail will get through (it still may fail other tests).
At first blush, this may seem to conflict with Microsoft’s Caller ID proposal. It takes a lot of brain cycles to parse the difference, but essentially Caller ID is a small technology fix to prevent forged headers. Bonded Sender is an independent third party validating senders. I am sure Microsoft believes there are benefits to not being in the bonding of senders business, while Yahoo and AOL believe they want to be in that business. It is clear that Microsoft is taking the partner with third party approach for sender authentication as opposed to the Yahoo/AOL approach.
In the end, good PR for Ironport. Probably no money. Don't know if they will sell any more mail pumps to send stuff to Hotmail users.
May 4, 2004
Results of my SPAM poll
Here are the results of voting on my site over the last month or so.
What is the best solution to SPAM?
Legislation 14 %
Client side filters 3 %
Server side filters 10 %
Client/Server combo filters 28 %
Change in SMTP adding authentication 35 %
Other 7 %
Total votes 28
Looks like most people believe it will take a change to SMTP to solve the SPAM problem. Or a combination of Client/Server filters. In any case, something has to be done!
Here is a live link to the results
April 20, 2004
New IDC report on ROI for spam solutions
Security Pipeline | News | Anti-Spam Protection Pays Its Way says IDC. This report is different from ones in the past that just take a cost per mail, multiply it by number of mails and % that are spam. This one surveyed 1,000 IT managers and asked them how many resources they dedicated to spam before and after installing a solution. It dropped from 43 minutes per day to 5 minutes per day. Big ROI.
Radicati Group validates Cloudmark TCO
Radicati Group Releases New Study "Cloudmark: Spam Reduction Analysis". Bottom line, $2.21 per user per day. Meaning over $5M savings for a 10,000 person company. WOW!
Radicati Group Releases New Study "Cloudmark: Spam Reduction Analysis"
Research Study Shows Impressive TCO and Productivity Savings, Plus a High 94% Spam Reduction Rate for Cloudmark's Authority Enterprise Solution
PALO ALTO, CA -- (MARKET WIRE) -- 04/20/2004 -- The Radicati Group, Inc., a leading market research firm, released today a new study analyzing the Total Cost of Ownership (TCO), Productivity Savings, and Spam Reduction Effectiveness (SRE) for leading Anti-Spam vendor Cloudmark.
With the volume of junk messages escalating every day, spam is quickly turning from an annoyance issue for users, to a major productivity loss problem for corporations. Cloudmark's large enterprise gateway solution, Cloudmark Authority™, demonstrated a productivity savings per user per day of $2.21. This figure means an annual savings in excess of $5 million for a 10,000 person company.
"We felt it important to conduct this study to report a real-world scenario where an anti-spam solution is actually deployed and running over time at an Enterprise gateway," said Sara Radicati, President and CEO for The Radicati Group. "It is encouraging to see the results of Cloudmark's performance at actual customer sites."
April 18, 2004
Wow, I cleared my spam folder at noon on Thursday. It now has 107 spam in it (thanks to Cloudmark) and ZERO false positives. Wow, 107 spam in 3.5 days, half of those a weekend. I am glad for Cloudmark!
April 16, 2004
Google: the ultimate spam machine
GMail is running into more trouble. Not only are there privacy concerns with their plan to read everyone's e-mail, the plan to append "targeted" ads apparently may fly in the face of many of the anti-spam laws passed recently. Australia certainly thinks so. California is also complaining. I understand how it would be a violation when a third party appends ads without your expressed consent to the product or content. I wonder if the users had more control over the ads if it would be less legally offensive?
PC Mag review of SPAM filters
Here is the latest round-up. Scorecard: Personal AntiSpam Tools. Norton gets the editors' nod, but I don't understand how. Cloudmark had lower false positives and nearly equal accuracy. Cloudmark got dinged for customization of the client, but that is it. I would prefer a client that performed better than one with more bits to twiddle (and screw up the accuracy).
April 15, 2004
Comprehensive list of MT-Comment anti-spam approaches
John Battelle's Searchblog: F*cking Spam post garnered lots of comments from the industry's best thinkers on blog spam. Read all the different approaches here. I have used a couple. I use Mt-Blacklist AND have renamed the comment CGI. I don't get spam anymore.
April 14, 2004
More evidence of collateral bad SPAM filter damage
A bunch of articles recently have pointed to e-mail publishers not being able to get their wares through increasingly strict spam filters. Email lists struggle under spam avalanche - ZDNet UK Insight. This is a real problem. In the early days of e-mail, one of the most useful things was being able to receive e-mail newsletters on different topics. Now many poorly written filters are doing a bad job with these kinds of mail. That is why it is important to pick a good filter. Like Cloudmark. It is possible to make good decisions on what is and what is not spam. Part of the problem is that there are a lot of ineffective spam companies out there actually selling customers. Some customers conclude "all spam solutions suck". They should be concluding, "my spam solution sucks and I need a new one." Start looking for spam solution replacement sales.
Cloudmark has a rating program that is an additional step to help valid e-mail publishers get through their client.
False positives at Earthlink!
Was signing up today at SEG America for the Segway user group. The registration process requires them to send an e-mail to you for verification. It seems that Earthlink's SPAM filters are so bad, that SEG America has to point out a work-around to their users with the following warning:
NOTE TO EARTHLINK MEMBERS!
We have experienced many bounced registration messages because EarthLink's spam blocker is sensing false positives. Please take required actions so that our email provider may send your verification code to you.
Wow! This is the inherent problem with network based SPAM blockers. You may never know that they are stopping valid e-mail.
April 8, 2004
Spammer loses lawsuit, but not for what you think
There has been much debate as to the effectiveness of laws against spammers. So when you read that Spam Fighter Habeas Wins One you might be inclined to believe the laws are working. But look closer. Habeas is using old school trademark and copyright law. In their system, e-mailers need to have their copyright Haiku in the e-mail to get through the filter. A spammer who forges the Haiku is guilty of copyright infringement. Not of breaking a SPAM law. Very intriguing. And apparently working.
Spam costs $4 Billion a year in productivity
In case you didn't know spam was a big problem, there is a new study:
SPAM costs USD 4 billion in US corporate productivity Telecom Paper (subscription) - Houten,Netherlands Half of all e-mails sent today in the United States is spam, eating USD 4 billion (EUR 3.38 billion) a year in corporate productivity, according to the recent study...
ProofPoint Spam Audit
Well the anti-SPAM software market is getting mature when you see announcements like: Proofpoint Offers Free Spam Audit Service for Large Enterprises. Basically a sales tactic to try to get customer trials. "We can beat the other guy" type of thing. Has been successful in the past...
April 7, 2004
Universal response post for crackpot spam ideas
This is a very funny checkbox-based form-letter for responding to crackpot spam solutions proposed in message-board posts:
Your post advocates a
( ) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
April 6, 2004
The slippery slope of content analysis of messages
The police need a warrant to tap your phones. You can have a very high degree of confidence under normal circumstances that your phone calls are not being overheard. But what about your e-mail? Or instant messages? Content scanning really started with Viruses. No-one wants viruses, so we all install software to scan messages and identify offensive viruses. And then comes SPAM where we want the offense to disappear as well. Then some corporations have certain "content" policies or IP protection policies that alert them when certain key words are in messages. Now Google's GMail wants to scan messages and determine what ads to attach to them.
Colin Fahey writes very insightfully:
Google's new "G-Mail" service (run by "G-Men"?!) is a paranoiac's
nightmare come to life: an e-mail system that analyzes each piece of
mail not simply for spam detection and virus detection, but for
targeted advertising! Want to embarrass a friend using G-Mail?
Send an e-mail mentioning only "farm sex" or "kiddie porn", and
who knows what "targeted advertising" he or she will get. Perhaps
there will be a knock on the door from the FBI.
Despite promises that content analysis will be isolated from any
record-keeping, and totally performed anonymously by computer
algorithms, the fact is that one's mail is being analyzed, and
even requests for banner ads represents an information leak --
connecting your interest with your IP (since your browser fetches
the banner ad from whatever source). With a modest amount of
extra data mining, an "anonymously targeted" banner ad betrays
So where are the limits? You think what you write to your girlfriend is your own? Maybe you encrypt it? But then the Virus, Spam, content filtering, and advertising bots will have to break into it to do their work. If they can't, your message will not be let through. It is a totally slippery slope. Where are the edges???
The kind of Spam analysis I would do if I had the time
WWW.COLINFAHEY.COM : Spam : The Phenomenon. This guy has too much time on his hands, but does a VERY good job with the history of SPAM, a detailed analysis of very current (March 29-31, 04) messages, and current spam fighting techniques. He comes down on the very far end of privacy zealots when it comes to recommending acceptable solutions, but I don't mind that. Very interesting reading.
April 5, 2004
My friend Eric on encryption in e-mail and some good pointers
In response to an e-mail from me, my friend Eric sent these useful thoughts and pointers on encryption.
don't know if you've found these, but they're somewhat helpful different points of view:
i assume you know about these guys:
if you're ready for some heavy reading, this has some interesting ideas:
this is a general interesting list of whitepapers:
what are people going to use encryption for?
is it ever going to come to a point that the email that goes between my mother and i is encrypted? even if it were just clicking a button on and off, would it even be worth doing?
it's just my general impression that people don't seem to feel they have much to hide in general, and i would have to think part of that is because they don't.
would the world be a safer place if everything was encrypted? likely, but i don't think that it'll really happen until it's just an automatic feature in hotmail (where it detects that you're talking with someone who accepts encrypted email and automatically turns it on).
the only problem with that, is that if you don't have the user consciously aware that they are using encrypted data (if you don't require extra or more stringent passwords to get at your private key, etc) it basically defeats the purpose of most of the encryption: if you can just type in the name of their dog as their password and get into their email, which automatically shows you the decrypted versions of their emails, what good did it do that it was encrypted?
so.. things are marginally improved -- people can't sniff email in transit and see everyone's messages. so that's good.. but.. i don't know who will pay for that incremental improvement.
FTC spam study
The FTC in April 2003 did a study of spam and the false claims therein. Maybe a bit dated, but the distribution is quite interesting. Good background reading.
March 26, 2004
AOL SPAM filters failing
This week AOL was crowing about how great their spam filters were and how spammers are moving on to other "less well protected" isps. They claim spam is down from 2.6B to 1.9B messages.
But a closer look reveals that their tactics are heavy handed and causing some users great concern! Slashdot | Dealing with False AOL Spam Reports?
AOL does have a fair number of small businesses that use their e-mail infrastructure to send and receive all company communications. These are being marked as spam! How long do you think these subscribers will stay with AOL? More rats fleeing the ship...
Secure e-mail now
A couple of readers have asked if there are any easy to implement mail encryption schemes available to an individual today. Unfortunately the catch here is the words "easy to use". Of course most mail clients support public/private key pairs (most based on PGP), but the set-up is a hassle. If you like pulling fingernails, read how to configure Outlook here. You have to pay for the keys and provide a high level of authentication (your firstborn) to get the highest level certificates. And then of course everyone you send mail to needs to do the same thing. Key pairs are a very heavy weight solution to the problem and I do not believe will ever be widely adopted.
There is hope on the horizon though for a lighter weight keyed encryption. It is called Identity based encryption. The major proponent is Voltage Security. The promises are good, but this one fails another test: "today". It is not yet available. And it looks like they will first sell to government and enterprises with no option for a single end user product. Of course there are other secure messaging providers to the enterprise like Tumbleweed, PostX and a long list of others. But again, those sell to the enterprise or into verticals.
There are "secure e-mail providers" that will sell you a new account that is "secure" to various degrees. A quick search of Google for "secure email" results in a long list. But you need another e-mail address. And different services offer different levels of "Security".
Another approach is to basically not send the e-mail to another client, but rather to a secure server, and forward the recipient a mail with an HTTPS link in it to the message in a browser which requires authentication, passwords and all that. This approach is lighter weight than key pairs, but takes you out of your traditional mail client. And again, most solutions are for enterprise. One Portland company doing this is Kryptiq. They started out as a generic secure e-mail company, then focused on health care as a vertical to get deeper into the workflow. Again, not for consumers.
Now wouldn't it be nice if there were a client plug-in that just worked without a lot of central set-up and was seamless to others? In other words if someone outside the system sent you a mail, you would get it. If you sent a mail "securely" to someone without the system, they could sign-up or get it very easily. Or request a non-encrypted copy if they didn't want to sign up?
Ok, I am working on it.
All designated sender schemes blow chunks...
Props to Technology Review for getting my synapses connecting on this one. All the designated sender schemes out there basically attack the problem of forging domain headers. That way you can't say you are from Yahoo and not really be. But spammers are free to buy as many domains as they want and keep sending mails from there. I still believe that a combination of client and server techniques is required.
Here is the meat of their argument:
"Yahoo!, Microsoft, and the SPF working group are all backing competing proposals that have been characterized as “designated sender.” (America Online has endorsed and is experimenting with the SPF version.) They all attempt to give a receiving e-mail server a way to determine whether the "From" address on an incoming message has been forged.
These anti-spam methods, if widely adopted, would certainly devalue one important tool in the spammers’ current repertoire. We should keep in mind, however, that spammers have many tools. The best these techniques can do is to keep a spammer from using your domain (or AOL’s, or Yahoo!’s) as a "From" address. Spammers could legally acquire thousands of valid domains at little cost, provide valid SPF and Caller ID records for them, and discard them when they drew the attention of spam-fighting organizations.
Such designated sender techniques have other drawbacks as well. One problem is that legitimate mailing lists would become difficult to operate. Another is that e-mail forwarding services, such as those supplied by MIT alumni and other affinity groups, would be broken."
Radicati pontificates on SPIM
Wired News: Spam Monster Eyes Another Target: SPIM. The Radicati Group is trying to get out ahead as an analyst by identifying SPIM (Spam on IM) as a trend and quantifying it. I use two IM clients today and don't receive any spim. I used to use ICQ which was all SPIM so I got off. AOL and MSN seem relatively free. But I know it is coming....
I personally receive more SMS spam than SPIM. What is SMS Spam, SPASMS?
I like it SPASMS....
.TM domain registrar implements SPF
The Register reports that the domain registrar of .TM domains has implemented SPF. They are trying to maintain the "exclusiveness" of their domains. Here is how they explain it works.
SPF (Sender Policy Framework) itself is a very simple yet effective method of cutting down spam. Internet domains already have MX records tied in with their basic DNS information that say which mail servers receive email for that machine. All SPF does is provide MX records for the domain’s mail servers that send email.
As such, when an ISP receives an email, it looks at the domain, looks up the DNS record and if the mail server it came from is not one mentioned in the MX records, it either deletes it or pushes it to one side for review. Since a large number of spam messages are “spoofed” in order to make it look as though the email is coming from elsewhere, such a system would reduce the number of spam as well as make tracking down spammers easier.
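The receiving-side check the quoted passage describes, and the limit Technology Review points out in the designated sender post above, as an added example (not code from this blog or from any SPF implementation). Published SPF policies are DNS TXT records that begin with v=spf1; the domains, addresses and records below are constructed, and only the ip4, ip6, include and all mechanisms are modelled.

```python
import ipaddress

# Constructed DNS TXT data (example domains, documentation address ranges).
TXT_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/28 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    # A throwaway domain whose owner publishes a perfectly valid policy.
    "cheap-pills.example": "v=spf1 ip4:203.0.113.7 -all",
    "legacy.example": "v=spf1 ?all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # cap on DNS-querying terms, so include chains cannot loop


def check_host(ip, domain, txt=TXT_RECORDS, _budget=None):
    """Evaluate the SPF policy of `domain` for a connecting `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    budget = _budget if _budget is not None else [MAX_LOOKUPS]
    record = txt.get(domain)
    if record is None or record.split()[0].lower() != "v=spf1":
        return "none"  # the domain publishes no policy
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version == addr.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"
            inner = check_host(ip, arg, txt, budget)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail / softfail / neutral inside an include only means
            # "this mechanism did not match"; keep evaluating.
        else:
            # a, mx, exists, ptr and redirect are outside this subset.
            return "permerror"
    return "neutral"  # no mechanism matched and there was no "all"


def demo():
    """Run the constructed cases and return (ip, domain, result) tuples."""
    cases = [
        ("192.0.2.5", "bank.example"),           # the bank's own server
        ("198.51.100.20", "bank.example"),       # its mail provider (include)
        ("2001:db8::25", "bank.example"),        # same provider over IPv6
        ("203.0.113.7", "bank.example"),         # forged sender domain
        ("203.0.113.7", "cheap-pills.example"),  # same host, its own domain
        ("192.0.2.5", "legacy.example"),         # policy that asserts nothing
        ("192.0.2.5", "nospf.example"),          # no policy published
    ]
    return [(ip, dom, check_host(ip, dom)) for ip, dom in cases]


if __name__ == "__main__":
    for ip, dom, result in demo():
        print(f"{ip:<15} {dom:<22} {result}")
```

The forged bank.example sender from 203.0.113.7 fails, while the same host passes for cheap-pills.example. An SPF pass says only that the domain authorized the server, so a filter still has to judge the domain and the content.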
March 24, 2004
Brightmail files to go public
Spam fighting is getting interesting.
March 22, 2004
PEW says Can-SPAM has had no effect yet
Can Spam Stop Legitimate E-Mail Marketers? - BizReport says 53% of PEW study people since Jan 1 have said they have seen no change in their SPAM volume. Now the FTC has not started enforcement yet. But it does show that the spammers are flouting the law. The question is if they are making hay while the sun shines and will all shrivel up when the enforcement starts, or what?
Spam tactics roundup
ZD Net just did a fairly good roundup article on the major ISPs' (Msft, AOL, Yahoo) efforts to fight SPAM. Technology solution to slicing spam lags - News - ZDNet. The upshot is that we have a balkanized set of proposals, all incompatible and coming at the problem from slightly different angles. All three of the majors are focusing on the piece that I have pointed out though, which is authentication. SPF is a server authentication technique. Yahoo DomainKeys is sender/message header authentication. Microsoft's Caller ID also uses DNS for authentication but targets the author or header and is better (they say) at authenticating forwarded mails than SPF.
A good article to get a roundup of current proposals. But you won't find any magic potion here.
I was intrigued by the Corvigo acquisition by Tumbleweed, so I read the press release and came across this little tidbit.
Corvigo's Linux-based anti-spam appliance, MailGate, was rated #1 against major competitors in real-world testing by InfoWorld in February, 2004. (http://www.infoworld.com/article/04/02/13/07TCspam_1.html) Tumbleweed can now offer customers the broadest, most flexible options for stopping spam with either the MailGate hardened Linux-based appliance, or Tumbleweed's Email Firewall, a globally scalable Windows-based enterprise software solution. In addition to award winning anti-spam capabilities, Tumbleweed's Email Firewall offers an integrated set of anti-virus, intrusion detection, content filtering, email relay, encryption and authentication capabilities.
So I go read the article: InfoWorld: Exclusive: CipherTrust, Corvigo, and MessageLabs lighten the spam load: February 13, 2004: By Logan G. Harbaugh: Security. It is a round-up article. Not a shootout. They don't pick a winner. But Corvigo says they won and leveraged that claim into an acquisition. Wow.
Another blow against Blog Spam
TypeKey is Six Apart's identity system for blog commenting. Basically they are trying to get at the root of Spam before it kills blogs. SPAM is an authentication problem. If you check authentication of a person before they write something against a central database and that database is kept clean of offenders, then you can stay pretty clean. That is the problem with SMTP today, no authentication. I will try this one out on my blog.
March 15, 2004
VA meets anti-SPAM
Early this year the FTC made another run at open proxies: PCWorld.com - Vulnerable Servers Warned. They estimate over 1 Million open proxies. I wonder if the Can/SPAM law puts some of the liability for SPAM on open proxies? What would be the effect on the spam problem if it did? Could this be an opportunity for the Vulnerability Assessment guys? I hope so.
March 12, 2004
The dangers of riding on top of Microsoft
CNET is reporting that a recent Office update (SP3) clogs spam filters
Basically, Microsoft is trying to program around viruses that grab the Outlook address book or intercept e-mail messages. But SPAM programs have to intercept and read messages as well. So in fixing one problem, Microsoft has caused a raft of others. Cloudmark is already working closely with Microsoft on a fix that should be out within hours.
Surrender to SPAM
SPAM is an identity problem
There is a bevy of proposals to solve SPAM at the authentication level. Read a good overview of them here. At the end of the day, the openness of SMTP is its greatest weakness. The thinking goes that if you set up some user/server authentication system then e-mail clients can do a better job on deciding which e-mail they want to receive. A problem today with spam filtering techniques is that there are many different rules applied to e-mail at the receiving end to determine if it can come in. And those rules are applied to data (the e-mail) that cannot be validated as to its authenticity, origin, or sender. So you guess. Spam filters vary on their ability to guess well. With more trusted data in the message, these systems could make more informed decisions. But that still doesn't solve the issue that everyone has different tolerances for what gets through and what doesn't. People who favor white lists today (not reading mail from anyone they don't already know), are also probably the people with Telezappers and signs on their front door saying "no soliciting". Users' tolerance varies, therefore the systems must vary, be configurable. A key to any system is improving the ability to verify content, origin and sender of any messages. Most current proposals are proprietary in some way. This is too important a piece of the new economy to entrust to one vendor. Why can't we all just get along...
I am betting that a market based solution from a small, unthreatening company will be what gets traction.
March 10, 2004
Helsinki PHD weighs in on SPAM and P2P
Slashdot pointed me to a paper by a Helsinki PHD about P2P and SPAM on the internet today. Very long. But a good state of the art type piece.
More lawsuits by big ISPs and Microsoft on SPAM
Today lawsuits were filed by Microsoft, AOL, Yahoo and Earthlink under the new Can-Spam law. It is the first time these four (who make up the vast majority of non-enterprise mailboxes) sued under the new law. They have sued before under various local laws. It will be interesting to see how the stick part of the strategy actually works. The SPAMMERS will try the First Amendment trick and many others to stay in business. I did my own little test of SPAM around the new year and saw a slight drop off, but that apparently was seasonal. Talking with the guys at Cloudmark, they have seen a steady up and to the right trend in spam. No slowing down or leveling off in sight.
March 8, 2004
Symantec ups the ante in Spam wars
Techweb > News > Symantec, spam, virus, Microsoft Exchange, > Symantec Updates Anti-virus, Anti-Spam Support for Exchange 2003 > March 8, 2004. Symantec has always been the best positioned to extend their anti-virus stuff to the spam space. They just rolled out some of that today. While I haven't tested their product (and neither have the reviewers) they say they are using a number of next generation techniques that are closing the gap with some of the early leaders like Cloudmark. In the past Symantec has had scaling problems with their SPAM engine. And this time they are utilizing many of the new features in Exchange 2003 which is yet to be broadly deployed. But the hordes are a 'comin.
March 2, 2004
Microsoft won't solve spam anytime soon
Gartner has finally said what I have been saying. Microsoft's proposed solutions to SPAM won't be ubiquitous or have an effect any time soon. And they are tilted in the direction of an exchange/outlook upgrade cycle. We need more now. And backwards compatibility. That is Cloudmark.
March 1, 2004
Will Throttling save us from spam?
Techweb > News > New Products Try To Spurn Spam > New Products Try To Spurn Spam > February 18, 2004. A couple of products have come out recently trying to change the economics of spam. These are in the mode of "slow 'em down". The idea is if you find a mail server which seems to be spitting out "too many mails", then just throttle down its bandwidth to a trickle. You can do this on the entry points of the network, or you can try to do it on your own edge just before your SMTP server. These tactics are more of the same heavy handed, sledgehammer variety that create lots of false positives. The ultimate form of this is to just unplug yourself from the net. And I am not sure these throttling techniques actually cost the spammer any more resources. If I am doing it on the edge of my network, chances are that the mails are all cached in the network between the spammer and my IP address. So the real cost is in the transit points. If you put the chokepoint closer to the spam source, they just move them. If spam sources were easy to find, this would be an easy problem. It is not.
US is still the largest offender in sending SPAM
Spam's 'dirty dozen' exposed
The United States, Canada, China, South Korea and the Netherlands are the top five birthplaces of spam worldwide, according to a new analysis by Sophos. Maybe laws can make a difference.
February 24, 2004
Another tactic for SPAM, a "caller ID"
Internet Magazine - Microsoft/Sendmail deal. Spam is fundamentally an authentication problem. Who is sending the mail? Is it someone I want to receive stuff from? Are they who they say they are? Do I have a prior relationship with them? Today many spammers forge header details to hide their true origin. Today at RSA Microsoft introduced a plug-in to Sendmail's MTA that is basically an authentication signature. It lets the MTA verify the message source. There will be free and commercial versions of this. Something only Microsoft could push. Little steps. I wonder what has to happen on the publisher side? That hasn't been explained yet. Something too expensive on the sender side is not going to work.
February 17, 2004
International groups join in on SPAM policies
Governing bodies love to have things to govern. When their traditional realms seem to be a little boring or uneventful, they like to "expand their horizons" to take in the issue du jour. Spam is one of those things everyone wants a hand in "solving". vnunet.com OECD tackles global spam
Hey, we can't get the states in America to agree on policies. We passed a Federal law which has done nothing. Do you really expect an International effort to do anything? One interesting tidbit is that France thinks only 0.2 percent of their e-mail is SPAM. This is from people who eat duck liver. And to the French, those ads offering body part enlargement and bestiality pictures are valid commercial products. Oh, and probably "art" too.
February 16, 2004
SignOnSanDiego.com > News > Technology -- A new spam loophole: poorly guarded home computers. This article talks about a guy whose machine was turned into a Zombie. Alex's computer had this EIGHT TIMES! Even with a firewall and a virus program. These guys are getting slick.
New Openwave product fights spam at the edge
Silicon Valley Biz Ink :: The voice of the valley economy. This is a new Openwave product to fight spam and viruses at the edge. Our company Cloudmark has a deal with Openwave to embed their technology; I need to confirm if it is in here.
January 29, 2004
Gates' latest SPAM solutions
The Register does a passable job of working through the issues with the three approaches to SPAM solutions that Gates has been talking about. Of course Bill thinks that long term, micropayments for e-mail is the right solution. Now Microsoft has been trying for quite some time to come up with a valid reason to be in the middle of millions of transactions. And to scale micropayments. Now every e-mail needing payment, now THAT is a micropayment system! Don't think Bill doesn't want to run it!
EU has two year old SPAM law that still is not working
This article talks about how the EU is "getting tough" on spam now. Finally after two years of a spam law that makes unsolicited mail illegal. The problem they say is enforcement. So I bet they need good filters.
January 15, 2004
Yahoo have the pull to solve spam?
Interesting Slashdot thread. Slashdot | Yahoo and Unilateral Anti-Spam Technology?
January 10, 2004
Big ISPs say SPAM not slowing
This article says it is not stopping. Cloudmark is mentioned, but not correctly in the scope of what they are doing. They have done such a good job positioning themselves as the community approach to SPAM that sometimes people mention them as just one approach among many. In fact it is the ONLY approach that works and scales.
January 9, 2004
SPAM keeps coming
A new report surveying ISPs and major corporations suggests that SPAM has not changed and in fact may have gone up since Can-SPAM. This means that my own reduction is probably a holiday thing. And the FCC hasn't had any time to draw up enforcement actions yet anyway.
January 6, 2004
AICPA says Security and Anti-Spam in top 10 IT priorities for 04
January 4, 2004
Fed Law against SPAM might actually be working...
So I know that the last week has been a little slow as most people are off for vacation (even some SPAMMERS), so these numbers will probably change next week, but I thought I would check to see if the CAN SPAM law has had any effect on my SPAM volume. There has been a major change in the number of SPAM I have been getting since the first of the year. Down by about 2/3. Not enough to ditch my excellent anti-spam software from Cloudmark. Here is what it caught in the last four days of 2003 and the first four days of 2004.
Jan 1-4, 2004: 22
Dec 27-31, 2003: 67
The pundits are saying the same thing... MediaDailyNews 01-05-04
December 29, 2003
more Microsoft FUD on the SPAM front
The reason SPAM works today is that the economics work. Many people have solutions that propose to change the economics. The real thing you want to do is raise the cost of sending an e-mail. But not so much that normal people sending a normal amount of mail will notice or have to pay extra. One way is to charge micropayments for each e-mail sent out. And get a credit for each received. The problem with clearing all those micro-payments will make that one not fly.
Then there is the idea of making senders pay with something else. Like CPU and memory power. Apparently Microsoft has figured this out BBC NEWS | Technology | Microsoft aims to make spammers pay (the technique has been around for more than a decade) and is thinking of adding it to Exchange. I don't think even Microsoft has enough MTAs out there to make a change like this. And it has the potential for back-firing in many ways just like challenge response does (causing the recipient to be a spammer).
The thinking is along the right path. Change the equation. Microsoft won't be the one that fixes it though.
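To make the "pay with CPU" idea concrete, here is an added example (not Microsoft's code or anything from the BBC article) of a proof-of-work stamp in the style of hashcash, with a simplified stamp layout. The field layout, the 16-bit difficulty and the addresses are assumptions chosen for illustration.

```python
from __future__ import annotations

import hashlib
from itertools import count

BITS = 16  # assumed difficulty: about 2**16 hash attempts per stamp on average


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint(recipient: str, date: str, bits: int = BITS) -> tuple[str, int]:
    """Sender side: try counters until the stamp's SHA-1 starts with `bits` zero bits.
    Returns the stamp and the number of hashes it cost to find."""
    for counter in count():
        stamp = f"1:{bits}:{date}:{recipient}::{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1


def verify(stamp: str, recipient: str, date: str, bits: int, seen: set[str]) -> bool:
    """Receiver side: a single hash plus a replay check."""
    fields = stamp.split(":")
    if len(fields) != 6 or fields[0] != "1":
        return False
    if not fields[1].isdigit() or int(fields[1]) < bits:
        return False                      # sender claimed too little work
    if fields[2] != date or fields[3] != recipient:
        return False                      # stamp was minted for another day or mailbox
    if stamp in seen:
        return False                      # each stamp pays for one delivery only
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False                      # the work was not actually done
    seen.add(stamp)
    return True


if __name__ == "__main__":
    seen: set[str] = set()
    # Constructed recipients: the stamp binds to the address, so every
    # recipient on a mailing costs the sender a fresh search.
    for rcpt in ("alice@example.org", "bob@example.org", "carol@example.org"):
        stamp, spent = mint(rcpt, "031229")
        print(rcpt, "hashes spent:", spent, "accepted:", verify(stamp, rcpt, "031229", BITS, seen))
```

The receiver spends one hash per message while the sender spends tens of thousands, and because the stamp names the recipient the work cannot be reused across a mailing list.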
December 22, 2003
PC World reviews SPAM tools
Australia says SPAM costs $2B
December 19, 2003
SPAM lawsuits fly...
Microsoft, New York launch spam lawsuits | CNET News.com
This will probably make a dent. I don't believe the whole spam economy is large enough to fend off a concerted effort by government and Microsoft. But that doesn't mean it won't move overseas or morph yet again...
More ramblings on SPAM
It is funny to read comments from people new to the SPAM debate. Especially those who think there is a simple solution. Like a "do not spam" list. These people don't understand the technology or the history of the SPAM fight. There have been grassroots efforts for years. The reverse of a do not spam list is a blacklist of senders. These have been around for years and don't work. Wired did a good job summarizing the reasons the do not spam list will not work.
In case you too are missing some of the research material on the true costs of SPAM, I am re-posting here an excerpt from NW Fusions with pointers to the recent studies:
In a recent report by Nucleus Research, spam was estimated to
cost U.S. companies over $800 per employee per year in lost
Ferris Research estimated that U.S. corporations in 2003 will
spend $10 billion to cope with spam:
Some projections from the trends are alarming (others might say
"alarmist"). If the growth in spam continues, according to
Jupiter Research, "the average e-mail user should expect to
receive nearly 3,900 junk e-mail messages per day in 2007":
Public rage against spam is rising. According to a November 2002
poll by Harris Interactive, an overwhelming majority (80% of a
sample of 2,221 adults) of the U.S. Internet-using public found
spam "very annoying" and 74% of the sample wanted spamming made
December 15, 2003
Profile of Spam king Bill Waggoner
If you ever wanted to know where they come from... reviewjournal.com -- News: The Spam King
The Microeconomics of SPAM
This article ajc.com | Business | Spam wars play out across Internet actually does a good job of showing the personal side of SPAM. From both the small time spammer and the end user. It is a complex problem. The Can-SPAM act will probably just consolidate the SPAMming activity into the top providers and move it offshore. The SPAM industry should love it.
December 11, 2003
Wanna read something funny about SPAM?
Check out the DMA statement about the new federal legislation: Congress Passes Anti-Spam Bill; The DMA Supports National 'Can Spam' Law They conveniently dodge the issue that most spam is moving off-shore out of their reach AND any mention of a Do Not SPAM list. They argue for an Opt-Out list. Why not Opt-IN? Because that list would be TOO SMALL! Well they are just doing what they are being paid to do.
IBM taking on Outlook?
IBM has a research group that has been thinking about e-mail for about 10 years. Their newest paper is here: ReMail: A Reinvented Email Prototype. Not really lots of new information or ideas here. Everyone knows Outlook has stopped pushing the borders on innovation. Being able to view threads better, process priorities, spam filtering, automatic virus, etc. are all things a next generation client should do. Now, what will get Msft to do them?
Spamhole sucks up SPAM
What if there were a black hole on the internet that sucked up SPAM? What if spammers spent a lot of resources sending to these black holes? Would that change the economics of SPAM in a material way? Maybe. Check out Spamhole.com: Two hour email addresses. No logins required. Spam dies here.
Here is what a guy on Slashdot said
mike9010 writes "A person named I)ruid has come up with an ingenious way to combat those spammers. His program, spamhole, creates a false 'open relay' that the spammer thinks he/she can send messages through. The messages then get sent nowhere, and the spammer has no idea. "spamhole is an open project. Hopefully, through users' and developers' contributions, we will amass a collection of spamhole implementations spanning all commonly used platforms, programming languages, etc. Ease of configuration and use are the primary objectives, for the easier to use by the non-technical layperson the implementations are, the more widely adopted and used spamhole will become.""
November 29, 2003
DDoS attacks cause two anti-spammers to throw in the towel
For quite some time, the anti-spam fight has been waged by volunteers. People who hate spam so much, they take their own personal time and maintain Black Lists or gather stats that "out" the spammer's ISP locations and tricks. I found an article on two of them that were recently forced to pull down their lists because the spammers sent targeted DDoS attacks that shut down their servers. They used the same servers for their regular business and had to pull back from their volunteer anti-spam work. Ed Foster's Gripelog || Attacks on Anti-spam Sites Show Unresponsiveness of Legal System. This is yet another failure of the volunteer system of anti-spam control. We need as many resources on the fighting side as there are on the spamming side (or more). Go Cloudmark.
The "Can-SPAM" act of 2003
Last week, just before Thanksgiving, I downloaded the text of the law that Congress passed just before the break on SPAM. I found a guy who has already read it and thinks it was written by the direct marketers. The Gripe Line Weblog by Ed Foster: The Can-SPAM law of 2003 I will post my own analysis soon.
November 20, 2003
What happens when the fox watches the hen house? You can guess. Follow this thread at Slashdot. Slashdot | SpamCop To Be Sold To IronPort?. Ironport is playing both sides of SPAM, producer and defender. You can't play that too long. Not to mention how dishonest it is.
November 19, 2003
Close this Exchange hole to SPAM!
If you are running Exchange 5.5 or 2000, you must close this hole described here: Mail server flaw opens Exchange to spam | CNET News.com You could be unwittingly relaying spam.
The Spammer's ISP
So there are ISPs who specialize in hosting Spammers. .....::: Stealth Hosting:::..... Interesting business model. I hope it is not successful.
November 13, 2003
Great summary of current SPAM legislation
November 3, 2003
Rich and I were talking about SPAM for blogs the other day and what do you know, Slashdot is talking about it now... Slashdot | Spam Rapidly Increasing In Weblog Comments. Cloudmark is doing the best job of e-mail anti SPAM and looking for ways to expand the business. Blog SPAM could be interesting. People don't today pay for BLOG publishing tools, so getting them to pay for anti-spam could be even more problematic. Probably too early. In the end the right BLOG comment spam solution probably ties into the authorization or registration process of commenters. Maybe someone like Technorati who has enough bloggers registered may be able to do something.
October 30, 2003
New SPAM study
Pew Internet & American Life Project has produced a new SPAM study. Some may find some of the things surprising. Like the fact that 7% of respondents actually bought something from a SPAM. Who are these people? They can have my spam.
The history of bot baffling
I always wondered who dreamed up those distorted images that you have to get through to prove you are human. Here is the entire background... Scientific American: Baffling the Bots -- Anti-spammers take on automatons posing as humans
October 26, 2003
Tim Bray promotes pay for e-mail (again)
There are many variations of "pay for e-mail and the spammers won't be able to keep up"; Tim Bray revives another one. ongoing · Another Whack at Spam. This is being talked about a lot on Slashdot, but there is a lot of emotion and not as much reality. One of the things that I do agree on though is that the "talking heads" won't solve the problem by some kind of industry agreement. The people need to have something easy to implement that they can implement themselves. Cloudmark is working on some interesting things in this area.
October 20, 2003
Ironport trying to gain street cred
One way for companies to gain credibility with the masses is to provide some kind of free service to the industry. Ironport is offering SenderBase. Basically a list of which ISPs and IP addresses are creating the most e-mail on the internet. I guess it is one piece of information that a mail administrator could use to verify senders.
The problem with so many of these one trick pony techniques to SPAM is that they are just that. And typically you need more than one approach. Or layers. For example, just because a domain is sending a lot of e-mail doesn't mean it is spam. It could be a listserver. It could be any number of valid senders. The problem is multi-faceted, the solution needs to be too.
October 13, 2003
Missouri files first suits against Spammers
Well let's see if the laws work. Nixon files first suits under state's No Spam law - 2003-10-09 - St. Louis Business Journal. I am doubtful that laws like this will work because it is so easy to just move offshore or hide your identity through shell corporations. So the question becomes who do you sue? In the end someone has to benefit from the e-mails though, usually the provider of goods or services being schlocked. If you made that person liable....
October 8, 2003
E-mail the California Senator on SPAM
Senator Kevin Murray, firstname.lastname@example.org from Los Angeles wrote the new California anti-spam law that basically makes it illegal to spam Californians. Members Database
October 3, 2003
New draft of AMTP
On Sept 28, the new draft of AMTP, a secure alternative to SMTP, was released. AMTP draft 2.0 (http://www.ietf.org/internet-drafts/draft-weinman-amtp-01.txt) I still don't subscribe to the idea that you can change the mail protocol to solve the spam problem. I just think it is too ingrained in the infrastructure and the upgrade would suck. Maybe there is a phase in approach. This group seems to be doing good work in the area though.
September 25, 2003
The Spam Compar0matic
Network World just did a comprehensive review of SPAM solutions. Anti-spam buyer's guide (http://www.nwfusion.com/bg/2003/spam/index.jsp) The result? We are on V 1.0 products that still need work on features. Not so much in accuracy (Cloudmark did VERY well there), but in usability, configuration, and other enterprise and end user features/controls. Unfortunately the products in this review are those of about 4 months ago and products have changed. Many of the things the reviewer ding'ed Cloudmark on they now have. But that is how reviews go.
One interesting issue this review brings up is that there are a set of "legacy" criteria for spam filters that many reviewers are using. They are actually features or techniques to fight spam, not necessarily things that drive to the ultimate goal: accuracy and reliability. One example is White lists and Black lists. This is a feature on many reviewers' checklists. If you don't have it, you get dinged. But what if White and Black lists actually create more problems than they solve (which they do)? What if there is a better way to get higher accuracy and lower false positives (there is)? In the end, the product that works the best and has the lowest total cost of ownership should be the one that wins. But that isn't how reviewers are reviewing just yet.
September 2, 2003
Direct link to AMTP draft by IETF
AMTP draft (http://www.ietf.org/internet-drafts/draft-weinman-amtp-00.txt)
AMTP as alternative to SMTP
A very lively debate on Slashdot | AMTP as an Alternative to SMTP (http://slashdot.org/article.pl?sid=03/09/01/0253216). I don't know what I think yet, but there needs to be some kind of First Class mail service. Now the question is how to get it rolled out? Who has market power to do such a thing? Gets the noodle going eh?
August 20, 2003
Spam Squelcher review
There are many black list efforts against spammers and here is another attempt at identifying the offending sender's source and shutting it off (or in this case, just slowing it way down). ISP software puts squeeze on spam | CNET News.com (http://news.com.com/2100-1032-1017930.html?tag=nl) This approach basically says, if an e-mail server is trying to send me a lot of messages very quickly, and many of them are the same, it is probably SPAM, so slow it down. The problem with all these approaches is that there are many legitimate patterns that can look like this. Like someone forwarding their e-mail from a domain host to an ISP. That is typically a batch process, so they spurt all the e-mail over at once every couple of hours or so. Could look like a spammer. Or newsletter publishers. Or valid commercial senders like Amazon. They all do mail drops during down-times in the network that all go out at the same time. These approaches are all too "dumb" to be a real solution.
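The heuristic described in this review, and in the later "Will Throttling save us from spam?" post, written out as an added example; it is not code from Spam Squelcher or any product named here. The window, thresholds, IP addresses and traffic are constructed assumptions, chosen to show which legitimate senders trip the rule.

```python
from __future__ import annotations

import hashlib
from collections import Counter, defaultdict, deque

WINDOW_S = 60     # assumed sliding window, in seconds
MAX_MSGS = 20     # assumed: more than this per window counts as "very quickly"
DUP_RATIO = 0.5   # assumed: this share of identical bodies counts as "many are the same"

# Constructed ground truth for the constructed senders below.
LABELS = {
    "192.0.2.10": "spam",
    "198.51.100.20": "legit",   # newsletter publisher
    "203.0.113.30": "legit",    # domain host forwarding users' mail in a batch
    "203.0.113.40": "legit",    # ordinary sender
}


def constructed_traffic() -> list[tuple[int, str, str]]:
    """(unix_time, sender_ip, body) events, all made up for this example."""
    events = []
    events += [(1000 + i, "192.0.2.10", "Cheap meds, click here") for i in range(40)]
    events += [(1000 + i, "198.51.100.20", "Weekly newsletter issue 12") for i in range(30)]
    events += [(1000 + i, "203.0.113.30", f"forwarded message {i}") for i in range(25)]
    events += [(1000 + 1200 * i, "203.0.113.40", f"hello {i}") for i in range(3)]
    return sorted(events)


def throttle_decisions(events, rate_only: bool = False) -> set[str]:
    """Return the sender IPs the heuristic would slow down.
    rate_only=True drops the duplicate-content test and throttles on volume alone."""
    windows: dict[str, deque] = defaultdict(deque)   # ip -> (time, body digest)
    throttled: set[str] = set()
    for ts, ip, body in events:
        win = windows[ip]
        win.append((ts, hashlib.sha256(body.encode()).hexdigest()))
        while win and win[0][0] <= ts - WINDOW_S:     # expire old entries
            win.popleft()
        if len(win) <= MAX_MSGS:
            continue
        top = Counter(digest for _, digest in win).most_common(1)[0][1]
        if rate_only or top / len(win) >= DUP_RATIO:
            throttled.add(ip)
    return throttled


def false_positives(throttled: set[str]) -> list[str]:
    """Legitimate senders that ended up throttled."""
    return sorted(ip for ip in throttled if LABELS[ip] == "legit")


if __name__ == "__main__":
    traffic = constructed_traffic()
    for mode in (False, True):
        hit = throttle_decisions(traffic, rate_only=mode)
        print("rate_only" if mode else "rate+duplicates", sorted(hit),
              "false positives:", false_positives(hit))
```

With the duplicate test the newsletter drop is throttled alongside the spam source; on volume alone the mail forwarder is caught as well.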
FTC weighs in on SPAM
Finally the FTC chair talks about how most of the laws proposed by Congress will not work and may in fact be harmful. FTC chair: Antispam proposals lacking | CNET News.com (http://news.com.com/2100-1028_3-5065739.html?tag=fd_top). He suggests that the long term fix is to re-write SMTP (http://news.com.com/2100-1038-5058610.html?tag=nl) (which is about what MSFT is proposing) which would be a boon for the infrastructure providers, but will not happen in our lifetimes. The real fix is adequate filters on the client and at the gateway like Cloudmark (http://www.cloudmark.com) and some technology like theirs combined with a registry of authorized senders to let valid trust relationships through. But this can't be done in a re-write of the protocol. It needs to be done as an add-on. It is available today from Cloudmark (can you tell I am an investor?).
June 7, 2003
Want to follow IETF on SPAM?
Go here and browse to your heart's content. Anti-Spam Research Group (ASRG) (http://www.irtf.org/charters/asrg.html) Looks like they are focusing on tightening up SMTP to make it harder to fake e-mail and bake trust into e-mail. That seems like a very long term play though.
May 28, 2003
Spam doubling every 42 days!
Ouch... Spam doubling every 42 days (http://www.ajackson.org/spamstats.html)