We are developing the social individualist meta-context for the future. From the very serious to the extremely frivolous... lets see what is on the mind of the Samizdata people.

Samizdata, derived from Samizdat /n. - a system of clandestine publication of banned literature in the USSR [Russ.,= self-publishing house]

Dramatising the spam problem

Interesting legal issues are raised, I feel, by this story:

SAN FRANCISCO (Reuters) – Call it spam rage: A Silicon Valley computer programmer has been arrested for threatening to torture and kill employees of the company he blames for bombarding his computer with Web ads promising to enlarge his penis.

In one of the first prosecutions of its kind in the state that made “road rage” famous, Charles Booher, 44, was arrested on Thursday and released on bail for making repeated threats to staff of a Canadian company between May and July.

Booher threatened to send a “package full of Anthrax spores” to the company, to “disable” an employee with a bullet and torture him with a power drill and ice pick; and to hunt down and castrate the employees unless they removed him from their e-mail list, prosecutors said.

He used return e-mail addresses including Satan@hell.org.

In a telephone interview with Reuters on Friday, Booher acknowledged that he had behaved badly but said his computer had been rendered almost unusable for about two months by a barrage of pop-up advertising and e-mail.

Here’s what happened: I go to their Web site and start complaining to them, would you please, please, please stop bothering me,” he said. “It just sort of escalated … and I sort of lost my cool at that point.

I believe that Charles Booher speaks for many of us. In some ways, it strikes me, this resembles the Tony Martin case. The complaint against Martin was that he has shot one of his burglar-tormenters in the back. But since this burglar had attacked him repeatedly and since his latest attack provided yet further evidence that, if he could, he would be back, it made sense to me for Martin to shoot him in the back in self defence, against his next attack.

Booher requested, then demanded, that his computer to be left alone. But alas, Booher was unaware that his replies merely proved that he and his email were real, so the bombardments immediately intensified. But given that Booher was unlikely ever to catch these miscreants, was it not reasonable for him to threaten complete ghastliness in the unlikely event that he did? Had he known with certainty who they were, such bloodcurdling threats as Booher’s would have been excessive. More mundane remedies would have been sufficient. However, for people who behave as Booher’s tormentors behaved, is there not a case for the reintroduction of something like hanging, drawing and quartering? Or maybe crucifixion?

I agree, probably a bit over the top. But Booher’s rather extreme reaction does serve to remind us all of just what a problem spam is now becoming for many people, and that if the free market does not spread around some answers to the problems of people like Booher, governments will be only to ready to use his plight to impose their own much more draconian arrangements, in the form of alleged cures that will almost certainly turn out worse than the disease, but whose worseness will only become obvious when it is all in place and impossible then to reverse.

I for one would love to have a comment string explaining how ‘anti-spam,’ software works, what principles it follows, how it avoids stopping good stuff while still stopping the bad, and so on. Maybe Booher’s problem has already been solved, and the only problem that remains is telling him and everyone like him what this solution is.

24 comments to Dramatising the spam problem

  • Tony H

    I sympathise a great deal with Mr Booher and with your point of view, Brian. I’ve often longed to be able to track down the halfwit toerags who propagate spam, and chuck a petrol bomb through their windows. Today I had a recommendation from a friend who knows about these things, and who says
    this outfit has worked for him. I can’t vouch for it myself.
    Posting comments on this blog brought me a lot of spam and general trash email, until I stopped leaving a genuine email address – I still get a lot regularly from old posts, however, especially from a bunch of cretins who seem to think I might want their “cheap meds”. The penis-enlargement crowd have gone quiet lately, though.

  • I’ve always advocated dealing with the spam problem once and for all by nuking Florida (where most spam is alleged to come from)

  • Ron

    “I for one would love to have a comment string explaining how ‘anti-spam,’ software works, what principles it follows, how it avoids stopping good stuff while still stopping the bad, and so on.”

    Your wish is my command! –

    Den Beste does it best – the article is on Bayesian filtering. The next generation. As per usual it is long. If you do a find on the page for “Bayesian filtering”, you will get to the meat of the matter. It looks good, I’m just waiting for it to be setup to easily hook up to Outlook.

  • Ted Schuerzinger

    Brian:

    I presume you’ve already done a google search for applications that use Bayesian filtering? Granted, it requires that you check your email and mark which messages you think are spam, but supposedly it eventually does a fairly good job of learning what messages you would consider spam.

    As for me, I use the Hamster proxy server, since it does Usenet as well as email. Its Perl-style regular expressions for killing email are extremely useful for all those spams sent to a bunch of people at my ISP — I can just kill all messages where there’s an address at my ISP other than mine. And that’s responsible for around 40% of the spams killed right off the bat.

  • Andy Wood

    I use a Bayesian filtering program called ‘Popfile’ which I found at sourceforge. I’ve been training it for a few weeks and it seems to be quite effective, though I’m not yet confident enough just to let it delete everything it classifies at spam in case it misclassifies something.

    An alternative solution I’ve heard about uses digital cash. You give your email program a list of privileged addresses from whom you are happy to receive mail. Anyone else gets an automatic reply saying “I charge 10p/message to read unsolicited email. Please resend your message with 10p in digital coins attached.”

    If the message is important enough – perhaps a job application or a note from a long lost friend – the sender will pay the money. A spammer is unlikely to pay – a million emails currently cost him almost nothing; under this system they could cost him thousands of pounds. If the spammers do pay, then you can open up lots of Hotmail accounts and retire.

    When I first heard this idea, I thought it might be the killer application that gets digital cash off the ground – though I’m still waiting. If the issuers of the digital cash also have the good sense to make it anonymous, then there will be another effect which should excite libertarians – the opening up of a virtually untaxable sector of the economy.

  • Julian Morrison

    I use mozilla email, and it’s got an (imperfect but okay) implemlementation of bayesian filtering built right in as standard. Even if I used windows, which I don’t, I wouldn’t touch Virus Express with a bleach-sterilized 20 foot pole.

    Bayesian filtering is really the best hope IMO against spam. It stands a chance of genuinely cutting into the spammers’ profit margins, because it can whisk the crud away before it’s ever even noticed, even by the gullible. And it can be as simple to train as: select some spam, press the “this is spam” button.

  • Malcolm

    Brian:

    You ask for solutions to the spam problem, and people respond with talk of Bayesian filters, Perl-style regular expressions, and other such arcana. I can imagine your eyes glazing over – and if not yours, then those of most people reading this thread in the hope of a magic bullet.

    The solution to spam begins with a willingness to learn this stuff. Those who do will find all their spam collected in a single, separate folder while at most two or three spams enviegle their way into your real inbox- at a cost of some serious learning curve initially (perhaps an evening or so of real concentration) plus the odd hour every six months or so to keep up with the latest techniques, and a few mniutes tweaking using this knowledge every few weeks.

    Alternatively, you can decide that that is too much hassle, that you are unwilling to make that investment or do not believe that you ought to need to do so. If you make that choice, you will suffer the spam in full force – but if you do, and then threaten death and destruction, you do so knowing that you chose not to equip yourself with more peaceful means to respond.

    Spam is irritating. It is a wrongfully imposed cost. It can, in extremis, render an e-mail address useless. But it is not a clear and present danger to life and limb, and it is certainly not at all similar to the problem faced by Mr Martin.

  • One not particularly complicated way of at least making things easier for yourself is to have two e-mail addresses. The first is the public one which you put on your website. The second is the private one that you give out to your friends. You then set up your e-mail account so that e-mails to the different addresses go to different places. That way you end up with one folder that is mainly good stuff and another which is mainly spam. You still have to check each e-mail though.

  • Rick C

    Ron, there are already a number of products that work with Outlook. Popfile should be fine because it’s a proxy. You could also look at Spammunition, which is implemented as an Outlook add-in.

  • I run a mail server with pretty good spam filtering. It’s a low volume server so what I do is not necessarily possible for other situations.

    The server is a Linux box running Exim MTA (a popular mail server package). It has been patched with Exiscan ACL to improve spam and malware handing. When another system connects to deliver email, the following sequence happens (hopefully I don’t screw this up):

    1. Remove server says HELO _name_. If _name_ matches my own ip address or domain name, the response is 550 (message refused). A legitimate server says HELO with its own name or ip address (ip address is frowned upon, but still used). Spammers love to say they are you.

    2. Sending ip address is checked against blacklists. I use several, including one that lists all of China and South Korea. Nope, I don’t accept mail from those countries – and Brazil is damn close to be blocked, too. Yes, I’ve been tempted to block France just for the hell of it, but I’m not quite that petty.

    3. If the message says it is from Yahoo or Hotmail, then it is checked to see if it really is from them. Spammers love using throwaway accounts from free mail systems. Messages that aren’t really from them are bounced. This special check will be expanded to include other free mail systems as time permits.

    4. If the recipient does not exist (or is not local), the message is refused.

    5. Message body is received.

    6. If there is a file attachment, it is scanned for viruses. If any, the message is rejeced.

    7. Message is passed to SpamAssassin and scored based on key words and phrases that are typical of spam (e.g. “make money fast” or “penis enlargement”). If the message scores high (>10.0),it is rejected. If the socre is moderate (>5.0), the subject is changed to “[SPAM x.x] subject”.

    8. If we got this far, the message is accepted and will be delivered (unless I left some steps out in my description).

    Note that I am doing the virus and spam scan while still connected to the sender. This guarantees that bounced messages don’t go to some innocent schmuck who’s address was forged as the return address, known as a “joe-job”.

    Very little spam makes it through my filters. The majority is blocked by the blacklists. A business doesn’t always have the luxery of using blocklists (especially ones that refuse entire companies), and often can’t afford to take the chance of bouncing based on the spam score.

    This system also has the disadvantage of not allowing individual user settings. That simply can not be done when scanning while still connected. If you implement a system allowing personal preferences, then high scoring emails should be deleted and NEVER bounced since the odds are it won’t go back to the sender.

  • “A Silicon Valley computer programmer … was unaware that his replies merely proved that he and his email were real, so the bombardments immediately intensified”

    I wouldn’t want somebody that ignorant of the basics of web life, and apparently unable to do five minutes of reading up on the most basic facts about a problem, working for me as a programmer.

    That said, there is clearly nothing wrong with threatening spammers with horrible tortures.

  • Rob Read

    If I got that annoyed about spam I would go to the trouble of obtaining and then emailing the spammer back pictures of their families.

    Nice happy pictures! Nothing threatening about that eh?

    Bet you never get another spam from them…

  • FeloniousPunk

    Yes, Bayesian filters are good and there are other tricks you can try, but the spammers have pretty wily programmers at work for them, and within a period of time, the solutions we have to defeat spam are rendered invalid. My girlfriend for example got complaints from some people we did not know who were receiving spam with her address in the from line – someone had forged it. It also seems that my filters, which had been pretty effective, are less so now. And let’s not forget that fighting spam is becoming an increasingly time consuming task – even if I stop it, I am now playing the spammer’s game.

    The only real solution is to go after the human beings behind the spam. Spam won’t become manageable until there is significant risk to the lives and/or livelihoods of spammers.

  • R. C. Dean

    I use a yahoo mail account for personal email. They have a Bayesian filter set up on it with an E-Z interface (check-flag the spam, hit the Spam button, spam is deleted, filter is trained). I don’t know for sure if it is collaborative (i.e., the filter is being used by, and trained by, everyone on yahoo mail), but I think it is.

    It works pretty well. This morning I checked my mail for the first time in a few days, and had 35 spams in the spam folder and 3 or 4 in the real folder. Check and click, and the ones that made it through were gone.

  • SWO GUY

    I hope he asks for a jury trial.

  • Dale Amon

    It’s really only a matter of time before some spammers get themselves killed.

    I doubt there will be many who feel sorry for them when it happens, either.

  • Harry Payne

    I further endorse Popfile and recommend you stick with its learning curve. My secondary back-up is Mailwasher, which scans e-mails at the ISP servers and marks them for deletion as per the rules you set up. Good for getting rid of bogus MS patches.

    I’d hate to see it made mandatory to filter spam – I remember the huge wave of disdain about the Great Firewall of China, which blocked another type of information, and which could so easily spread elsewhere – but there’s got to be a fairly large market now for ISPs aimed at ordinary users which kill the bloody stuff at their end of the pipe. Clive Stafford et. al. started Demon Internet with 100 subscribers, IIRC; it shouldn’t be too difficult yet.

    As for Mr. Booher, I hope that either a) the jury find him incredibly not guilty and buy him a steak dinner, or b) if found guilty, the judge awards $1 dollar in damages and no order as to costs.

  • martin

    Well, I’ll take the contrary position here and say that Mr. Booher seems to be a mentally unbalanced person. I guess his co-workers can be thankful that it was spam that sent him over the edge and not something closer to them, like who took the last cup of coffee out of the pot and then neglected to make more.

    The article doesn’t say anything about it, but did Mr. Booher sue the retailer who sold him a computer without a “delete” key? ’cause that’s what most of us do with unwanted email. For that matter, is there anybody who has been on the internet for more than 6 months who hasn’t caught onto the idea of having one “public” email address (yahoo, hotmail, etc) and using it for all non-personal communications?

    Making terroristic threats is illegal, no matter how pissed off you are.

  • FeloniousPunk

    Hey martin, I’m going to come over to your house, bang on the door night and day, and use a loudspeaker to scream things at you when you don’t answer the door. I guess you’re ok with that?

    And for someone who “who has been on the internet for more than 6 months” you are deeply ignorant about the nature and scope of spam. There is far more to it than deleting the odd unwanted piece of mail.

  • martin

    Hmmmm…coming over to my house and banging on the door is somehow the same as sending someone an email which they then have to delete? Shouting through a loudspeaker is somehow the same thing as sending an email, an email that a person can’t even access until they turn on the computer, open the browser or email program, and then log into?

    You may live in cyberspace, and thus regard your inbox as your home, but I don’t. Spam is no worse than junk mail. Annoying, but not worthy of death threats.

    Someone who will make death threats over spam will make death threats over anything.

  • Diamond

    The Daily Telegraph’s “Connected” is currently running a Spam series. Last week’s article described how to set up Outlook to combat spam. You have to list email addresses which you will accept and then any others are automatically diverted into the Wastebasket which is set up to empty when Outlook is shut down. The description in Connected did not suit my version of XP, and I’m no expert, but by fiddling with it I managed to set it up on my computer and it works. On average every day, when I switch on Outlook it announces about 100-180 messages, but only a few (those I have selected) arrive on my screen, all of the rest end up in the Wastebasket. At first I checked the Wastebasket to see if there were any emails I wanted to see, and I found that I’d missed a few addresses off my list, but now I don’t bother any more, I’ve had by now over a 1000 spams, and every single one has ended up in the bin, then been deleted automatically, and I’ve not lost any legitimate messages.
    Is this too simplistic?

  • Martin, the difference between spam and junk mail is I bloody pay for the spam even though I don’t want it, while the sender of junk mail pays their own printing and postage – which puts a limit on how much they can do. Spammers have no limits. They will pump at as much as they can, as fast as they can. And they usually STEAL resources to do so by breaking into systems directly or through the use of computer viruses and worms.

    A better analogy than FeloniousPunk’s would be someone breaking into your house and using your phone to make toll calls to sell something. It’s your own fault because you didn’t use a better lock (that’s the typical excuse).

    Diamond, the problem with what you are doing (called whitelisting) is you will never hear from an old friend you lost touch with. Same for legitimate career/business offers. Would you use the same system on your telephone? What happens when your wife/daughter/son/mother calls from a payphone because their car broke down? I would never go to a whitelist system because I do reason a lot of legitimate email from people I’ve never dealt with before. Plus, you still download the messages. The problem is still there, you just don’t notice it. Spam will keep increasing. Next year, instead of 100 spams a day, you’ll get 200, the following year it will be 500. This flood of crap requires your internet provider to add additional servers and storage. That adds to YOUR costs. It’s estimated that half of all internet traffic is spam. While not a direct correlation to your monthly bill, it still means a HUGE chunk of your bill is paying for spam.

  • Ryan Waxx

    They way I look at it is this:

    Legally, Breaking and entering can be done by simply opening a door: It doesn’t need to be locked.

    In the same vein, if a spammer uses any technique at all to avoid spam-killing software, then that spammer is ignoring the ‘do not enter’ sign and picking the lock to get in.

    At that point, its trespassing and breaking and entering. In some states, its legal to kill someone doing that, no questions asked.

    Because just as a homeowner doesn’t need to put themselves at risk to identify exactly what type of criminal (burgler, rapist, murderer) is in his home, so too do I not need to probe weather the person is trying to sell me something, infect my computer, or steal my credit card information.

    Force is justified. But what level of force?

  • Given the note of the initial e-mails Booher received (full of implausible hyperbole about enlarging his penis), surely to reply in a similar note is appropriate.