Honeynet research lifts the lid on spam trends

Sanitised 'net?

It seems to me that the report will imply we waste our tax-dollars tax-pounds tax-euros and tax-yen tax-roubles tax-xxx by chasing after the event and by being in perpetual catch-up with criminality taking the lead.

It does no good, fosters a security industry that costs a fortune, has damage that costs a fortune (UK's NHS for example), makes the web/net an insecure place to be.

All the above (admittedly speculative) suggests it is time to move on to sanitation and if the perps get in a good does of chlorination to boot.

Why stick with an "any content is ok" principle when it is fine and fantastic for pure science and pure research. The truth be told is obvious.

How much will it cost not to sanitise and maintain sanitised a web/net and what would be the hidden costs compared to sanitising and maintaining sanitised?

But I want to be a good Samaritan

I wish there was an anti-spam system that would combine computer analysis of the easy sort (such as regular expressions searching for websites or email addresses) with my human understanding of what sort of scam the spammer is trying to pull. It would be a kind of semi-automated high-accuracy complaint system.

Just a few examples of the kinds of problems such a system could address:

A human can recognize a phishing scam and confirm a warning to the phished company and a copy to a legal authority and to network admins who might want to cut the access.

A human can distinguish between a real reply-to email address (used by 419 scammers and some sex scammers), trash addresses, actual accounts created for spamming, and possibly even recognize some kinds of joe jobs.

A human can understand complicated scams like fake merchandise or stock scams and help notify the appropriate companies that might want to protect the values of their brands and merchandise. (Pfizer, I'm talking to you!)

Remember the spammer can't obfuscate from humans, since the suckers are human, too. However, there are a lot more potential good Samaritans than people who are so stupid as to send money to a spammer.

Stop sign for the spammers.

a possible solution...

Buy redeemable tokens from Veisign or Amazon costing 10th of a cent and send one with each email. Your email client accepts these tokens and redeems them automatically. Only accept emails that contain these redeemable tokens. If mail is important attach a more expensive token. If Verisign / Amazon start overcharging then use another company (PayPal - yuk, Google?)

partial solutions

I use the spamhaus DNSBL on my server. This rejects typically 3000 spams a week according to my weekly automated reports. Spamassassin in reject mode (scores > 10) gets rid of a further 200.

In filter mode, I use more agressive DNSBLs (including one I compile myself) and a lower Spamassassin threshhold score ( > 7.0). I get about 300 spams per week in my spam folder, where I check one line per email (sender and subject) twice a week for false positives, and I get about 1 FP per month there.

About 20 spam emails a week make it through to my inbox.

Many commercial email rejection/filtering services provide their customers with similar or slightly better performance here than I achieve myself.

To be able to improve upon this various incremental improvements in existing standards and software based approaches are possible including:

a. ISPs to implement standards such as automated activation of RFC2369 headers when someone clicks a "this is spam" button (based on subscriber regret). This would be better than AOL making these headers invisible and bouncing an anonymised and untraceable complaint to an abuse handler unable to remove the confirmed opt in with subscriber regret.

b. Better means of identifying IP addresses which should not be sending email directly across administrative or contractual boundaries in the first place, such that an ISP can mark all addresses other than their own mailservers unsuited by default with domain owners publishing CSV records ( http://www.bbiw.net/CSV/draft-ietf-marid-csv-dna-01.txt ).

c. DNS and email server software and services making implementation of standards such as those above and DomainKeys a lot easier.

Spam....

... is a social problem with attempts to nail it being a technical solution (that doesn't mean they're not worthwhile at reducing inbox pollution, but they won't solve the issue)

We know for the most part who the spammers are and where they're operating from.

The issue is cross-jurisdictional enforcement issues and a WILL to prosecute, along with a marked unwillingness of supposed "spam hating ISPs" to eat their own dogfood and filter OUTBOUND mail.

From a technical point of view, hijacked enduser PCs sending spam could/should be easily dealt with. From a legal point of view, making ISPs liable for what comes out of their networks would provide a strong incentive to make it so.

FAIL: because right now the only ones who care about spam are a bunch of "crazed network admins" and a few complaining end users.