Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Spam Software

Impoverish a Spammer Today 343

Posted by michael
from the lose-money-fast dept.
esj at harvee writes "Recently the Camram project released its latest version of a hybrid sender-pays anti-spam system. The project has proven that sender-pays works and has demonstrated how to make it work with existing e-mail systems. Camram has developed hybrid sender-pays techniques that scale down to the desktop and up to the enterprise. It's a completely decentralized system that can put spam-fighting power in the hands of individuals. It gives you control of not only the current generation of spam, but also any future commercial spam -- why replace Viagra ads from a scam artist with Viagra ads from Pfizer?"
This discussion has been archived. No new comments can be posted.

Impoverish a Spammer Today

Comments Filter:
  • The problem is... (Score:2, Interesting)

    by Kenja (541830)
    The problem is that I've seen no good way to stop non spammers from paying as well.
    • Re:The problem is... (Score:5, Informative)

      by The0retical (307064) on Friday June 25, 2004 @02:06PM (#9531140)
      The FAQ says that there is a white list. I assume from reading it that it means that they do not have to pay.
      • Re:The problem is... (Score:5, Interesting)

        by Kenja (541830) on Friday June 25, 2004 @02:12PM (#9531215)
        I dont consider a white list to be a "good" method. For one thing, most spam I get is claiming to be from a known source (ie someone who knows me has a worm and is spamming from their address book). So you cant just filter by sender. Also, white lists dont deal with the fact that a lot of email is from first time corresponders such as online retail outlets.
        • Re:The problem is... (Score:5, Informative)

          by brunes69 (86786) <slashdot@NospAm.keirstead.org> on Friday June 25, 2004 @02:39PM (#9531545) Homepage

          Also, white lists dont deal with the fact that a lot of email is from first time corresponders such as online retail outlets.

          Er, if an "online retial outlet" is sending me email I did not sign up for, then that is SPAM and is exactly the thing this is supposed to prevent!.

          If you *do* want email from a certain company, and you signed up for it, then you should add that domain/email to your white list. Simple as that.

          • If you *do* want email from a certain company, and you signed up for it, then you should add that domain/email to your white list. Simple as that.

            I can think of no more annoying system than one that requires me to adjust some system every time I want an email confirmation from some company I am ordering from. What if you're at an art fair for example and fill out an email address on a card? I sure hope I remember to fill out that whitelist when i get home - if I even know where it's coming from!

            What a
            • by squiggleslash (241428) on Friday June 25, 2004 @02:59PM (#9531767) Homepage Journal
              That's actually what this system does.

              The algorithm appears to be:

              Does it have a stamp? If so, add to white list and PASS
              Is it on the white list? If so, PASS
              Does it pass a CRM114 check? If so, PASS
              Otherwise, FAIL.

              The information is on the configuration page. [camram.org] It ought, I think, to be in their FAQ.

        • Re:The problem is... (Score:2, Interesting)

          by BRSloth (578824)
          most spam I get is claiming to be from a known source (ie someone who knows me has a worm and is spamming from their address book)

          Even better! This will reduce the number of people that forget to fix their system. ISPs (there are ISPs involved? I didnt RTFA...) probably would give their customers a warning in the first time their budget gets too right due this kind of crap...

          Some people would never update their system if arent' forced to do it.
        • Worms (Score:3, Interesting)

          by pmancini (20121)
          I agree - worms are the biggest problem with this scheme. You can't hold the spammer accountable because the spammer is most likely not even sending the spam but using millions of zombie machines.

          The best way to deal with the problem is follow the money then show up at 4am and stick a Glock in the face of the spammers and their family members. After they shit the bed give them the option to play nice or die anonymously. Harsh? Yes. But not quite as bad as prior reform methods such as the Pyramid of Sk
      • I'd like the system to let me decide if I want to collect the payment after seeing the email.

        For example, a check that I can choose whether or not to cash.

        In such a "sender pays only if the recipient wants to collect", friends (and good pr0n) spam will be free to send me stuff, but other spam (msft updates) could make me money.

      • by njcoder (657816) on Friday June 25, 2004 @02:50PM (#9531664)
        For those of us that relly on people we don't know contacting us via email to inquire about new business... this doesn't make sense. There shouldn't be a fee for email or any other hoops that might confuse legitimate email senders. Last thing I want is missing a big contract because someone forgot to fill up their email payment reserves or couldn't make out the mangled letters in the image.

        What needs to be done is to go after the spammers directly. Can you imagine the law enforcement coming up with a plan to fight drugs that involved making crack vials and little ziplock bags cost $5 each. Sure the people that buy them for legitimate reasons can register for a discount or their volume is so small it doesn't make a difference. Does this make sense? This is not a problem that will be solved with technology. Laws have to change and they need to be enforced.

        Legitimate bulk emailers, isps, large corporations and the govt should do something about it. It's gotten insane.

    • by kramer (19951) on Friday June 25, 2004 @02:08PM (#9531157) Homepage
      Yes, but the point of this is making to make it trivial to send 50 or so e-mails a day, while making it prohibitively expensive in computation costs to send 50 million emails a day.

      If it takes 3 seconds per e-mail, the average user won't notice the addition, but the average spammer will have to spend 1700 hours computing stamps to send his 50 million emails.
      • by afidel (530433) on Friday June 25, 2004 @02:10PM (#9531200)
        Ah, but the spammers aren't and won't pay for their servers. They will continue to hijack other peoples machines through worms and trojans and just eat up the CPU time of the zombie machines. This might slow down the overall flow of spam some as the total computational time available is certainly less than the total bandwidth available if the computation function is tuned that way but it's not going to eliminate spam at all.
        • by the_mad_poster (640772) <shattoc@adelphia.com> on Friday June 25, 2004 @02:16PM (#9531288) Homepage Journal

          Ah, but the spammers aren't and won't pay for their servers. They will continue to hijack other peoples machines through worms and trojans and just eat up the CPU time of the zombie machines.

          sender pays stamping is a decent solution to spam, but it's not any solution to stupid lusers.

          The solution to the luser problem is:

          • Education for the naive luser.
          • Network quarantine for the lazy luser
          • Criminal (or civil) penalties for the malicious luser.

          People need to stop objecting to spam solutions based on the existance of other problems. Sender pays stamping doesn't stop viruses and trojans because it's not supposed to, other systems like firewalls, patches, and anti virus tools are supposed to. Rather than complaining that spam solutions don't solve the malware problem, we ought to be educating people on how to use these things and working on improving them.

          • But it helps (Score:3, Insightful)

            by gr8_phk (621180)
            "sender pays stamping is a decent solution to spam, but it's not any solution to stupid lusers."

            The "stupid lusers" machines will become less usable with all that stamp generation going on. They will be more likely to notice they need help. They will also be more likely to become frustrated with the computer and stop using it (unfortunate but still reducing spam).

            Bottom line: If anyone can send you a message without penalty or authorization there will be spam. You can't have it both ways.

        • by loxosceles (580563) on Friday June 25, 2004 @02:32PM (#9531466)
          It doesn't matter whether spammers hijack others' machines or not. proof-of-work stamps will still reduce the amount of spam. Without PoW stamps, a spammer with the same number of machines will be able to send an order of magnitude more spam.

          Proof of Work stamps don't magically give spammers a horde of zombie machines to spam with. They have those machines whether or not real people use stamps.
      • Re:The problem is... (Score:3, Interesting)

        by GigsVT (208848)
        And how many messages does the Linux Kernel Mailing List send per day?

        You think large legitimate lists will count on everyone subscribing whitelisting the list correctly?
    • by Jim McCoy (3961) on Friday June 25, 2004 @02:10PM (#9531197) Homepage
      Why is this a problem? If what you are expected to pay depends on volume then it means that a non-spammer who only sends a few emails a day will have almost nothing to pay while a spammer will be unable to afford the work required to send thousands of emails. Since this is based upon proof of work and not an actual monetary amount, it will not be a cost that is difficult to bear.

      Yes, some people who run email lists out of their account will be inconvenienced, but not as much as they claim. They will just need to change the signup message to say "this is a mailing list that you signed up for, so add us to your whitelist because we will not be performing proof of work challenges and will drop you from the list when the first proof of work request arrives."

      Some will claim that the hordes of spam zombies out there will be able to do the work on the spammer's behalf so this is not a solution, but it will at least provide some rate limiting for that zombie and it will also make it much more likely that the zombie will be noticed by the user when it starts to chew up CPU cycles.
    • by yintercept (517362) on Friday June 25, 2004 @02:44PM (#9531599) Homepage Journal
      I suspect the goal of a program like this really is not to stop spam. The goal would be to increase the marginal return from the spam that gets sent and for the network to grab a piece of the action.

      When someone is paying you, it is extremely difficult to make judgments on quality of the mail. I've seen lots of email lists and newsletters start with good intentions then devolve into a garbage fountain.

      In the end the pay to send networks will take money from anyone.

      The real goal of such schemes is simply to increase the marginal returns from the spam. As the amount of spam sent to open email accounts reaches astronomical proportions, I can't help but think that the amount of cash the spammers get per email is dropping. I can't help but think that the end goal of pay for spam is that by throwing a rich third party into the equation, they will increase their return.
  • by gevmage (213603) * on Friday June 25, 2004 @02:01PM (#9531088) Homepage
    An interesting concept. Stamping of the mail is computationally intensive, verifying it isn't. I think that it's impressive for something that's calling itself an 0.3 version.

    This could really change the way e-mail is distributed.

    • by Anonymous Coward
      Sorry, but this is bullshit.

      I run a clean operation. Spam has never come from my server and I run a website for the fun of it with tens of thousands of registered members who expect their email notices to arrive and I don't make a dime and already pay a couple hudnred bucks a month for things. It is not fair that my web/mail server should be bogged down by heavy computation just to send an email when it's legitimate email to begin with. I don't want my web server to slow to a crawl every time email updates
  • What happens... (Score:4, Insightful)

    by BaltoAaron (242546) on Friday June 25, 2004 @02:04PM (#9531116) Homepage
    What happens when your box has just been highjacked by the latest MS exploit and used as a Spam server/relay.
    • Re:What happens... (Score:3, Insightful)

      by king-manic (409855)
      What happens when your box has just been highjacked by the latest MS exploit and used as a Spam server/relay.

      You would then notice instantanously, as your mouse woudl be moving 1px/minute.
      • What happens when your box has just been highjacked by the latest MS exploit and used as a Spam server/relay.

        You would then notice instantanously, as your mouse woudl be moving 1px/minute.

        those spammers are a clever bunch...

        they would just throttle their cpu usage, or suspend their process when there is a user at the machine
    • Re:What happens... (Score:5, Informative)

      by Dark Paladin (116525) * <`jhummel' `at' `johnhummel.net'> on Friday June 25, 2004 @02:13PM (#9531237) Homepage
      According to the FAQ, the calculations are that even with the number of "zombie" machines out there, there still isn't enough processing power to generate all of the necessary "stamps" - or at least it's enough to reduce the time.

      If nothing else, at least it's something, right?
      • If nothing else, at least it's something, right?

        "Something must be done! This is 'something', therefore we must do it!"

        Just because it is an idea, it does not mean it is a good idea.

        This sort of "sender pays" system will kill mailing lists. Most people do not have control enough of their mail host to whitelist addresses for this sort of system. In order to send the volume needed for large mailing lists the mailing list operators will need to add huge amounts of additional hardware.

        No amount of adv

    • Re:What happens... (Score:5, Interesting)

      by Jim McCoy (3961) on Friday June 25, 2004 @02:15PM (#9531274) Homepage
      Others have mentioned that this will make it easier for the user to notice that their PC has been hijacked, but another side-effect is that it will perform a rate-limiting service on that zombie. If each zombie can only send 100 messages an hour instead of 100,000 then that is another important benefit.
      • No, the user will say "my computer is getting slow. Must be time to buy a new computer" same as they do now.
        • While some users can be inconceivably stupid, I somehow doubt that the vast majority of them are going to not notice that over the past day their computer suddenly slowed down. Another option (sure to please the crowd around here and get this modded up :) is that the user might say "hmmm... windows just gets slow after you use it for a couple of months, maybe I should try linux" and the zombie problem is solved through an alternate solution...
    • They claim... (Score:5, Insightful)

      by TamMan2000 (578899) on Friday June 25, 2004 @02:15PM (#9531276) Journal
      On their site they address zombie machines. They claim that users of zombies would be more likely to notice the infection if it sucked up all their CPU and made their systems run hot...

      I somehow doubt that.

      But what I can't disagree with, is that getting the same amount of spam sent as they currently are, would take many (orders of magnitude) more zombies. They claim on their site that if you maxed out every known zombie you couldn't generate stamps fast enought to send spam at the current rates.

      This could be a step in the right direction, but I am worried about many issues for a sender pays system.
  • One Idea (Score:5, Insightful)

    by th1ckasabr1ck (752151) on Friday June 25, 2004 @02:04PM (#9531117)
    One thing they should look towards doing is maybe circumventing the payment if you are sending to someone else in the same domain. Then businesses wouldn't have to pay for all internal e-mail.

    Or maybe businesses should find a new way to communicate internally?

  • by darth_MALL (657218) on Friday June 25, 2004 @02:04PM (#9531118)
    they should be able to survive just fine according to the SPAM nutrition fact sheet [nutritiondata.com]
  • 30% Larger! (Score:5, Funny)

    by Anonymous Coward on Friday June 25, 2004 @02:06PM (#9531136)
    why replace Viagra ads from a scam artist with Viagra ads from Pfizer?

    Because I only trust my penis to professionals.
  • by www.sorehands.com (142825) on Friday June 25, 2004 @02:07PM (#9531147) Homepage
    Under the California law, if you send spam, you can be sued for $1000 per spam. That is a spam sender pay system, if I have ever seen one.

    It is just bush and the other idiots who signed the federal law, killed it and made it a recipient suffers system.

    • Nice to be able to file suit, but what about
      • Sender is out of the country
      • Sender is a zombie with fake credentials
      • Sender is a zombie sending a virus, not advertising anything
      Sorry, charlie, but much of the spam will be impossible to prosecute.
  • by TuringTest (533084) on Friday June 25, 2004 @02:08PM (#9531170) Journal
    They have a page with Frequently Raised Objections [camram.org]. Now I've made redundant 40% of the remaining posts to this article.
    • is that this scheme does not allow us to send spammers to Abu Graib.
    • From their FAQ: Isn't universal adoption necessary for a sender-pays system? For a classic sender-pays system, the answer is yes--any system requiring universal adoption is a non-starter. Because of this problem, the Camram project (and probably others) expanded the classic sender-pays model to a hybrid sender-pays model. One of the many strong features of the hybrid model for sender-pays is that it solves the problem of universal adoption. This new model provides anti-spam benefits to the very first user,
  • by Anonymous Coward
    Camram FRO (Frequently Raised Objections)

    A system such as sender-pays, which proposes a radical change in the email environment, inevitably generates objections. This is positive because it helps identify the strengths and weaknesses of the system. However, once objections have been worked through and the developers have answered the same questions approximately 10^20 times, a listing of Frequently Raised Objections is appropriate.

    Isn't universal adoption necessary for a sender-pays system?

    For a classic
  • where is that big form listing why it will not?
  • by LordPixie (780943) on Friday June 25, 2004 @02:14PM (#9531251) Journal
    From Camran's FRO [camram.org]

    One benefit of zombies being used to generate stamps is that the machines will become hot, slow, and probably unreliable, all of which will be noticeable to the end-user. With luck, this means some people will get their machines fixed and reduce the zombie issue.

    You just have to love a product that has the potential to toast a clueless luser's computer. I would be more than happy to shell out good money for software that has "Makes PC's burst into flames" listed as one of the features. And this stuff is Free !


    --LordPixie
  • We need a more fool proof system than this to make spammers PAY for the distraction and wasted time they inflict on us all. Die die die!
  • Standard Stamps (Score:3, Interesting)

    by Roger_Wilco (138600) on Friday June 25, 2004 @02:19PM (#9531330) Homepage

    It seems to me that one should need only one stamp generator. I receive a payment request containing a message encrypted with a short private key, and as "postage" I need to decrypt the message and return it. As computers get faster, the key length used to encrypt the message gets longer. The receiver can thus decide how much postage is required.

    This way the stamp generator doesn't need to have any secret component, and could be written in any language. It could be part of the mail client.

  • Read the website! (Score:4, Informative)

    by jschottm (317343) on Friday June 25, 2004 @02:21PM (#9531360)
    This is a calculation based stamp, not anything financial. It's not going to cost anything. It allows for white-listing on a per user basis that exempts senders from the stamp requirement. Therefore, if you wanted to get on a mailing list, you'd add them to your white-list. Yes, it's an extra step, but what's one extra step when you sign onto a mailing list compared to having to dig through hundreds of spam messages a day?

    Have some (slightly out of date) documentation:
    One section [billerica.ma.us]
    Another section [billerica.ma.us]
  • Someone is doing something illegal lets charge them for doing it..

    And in next weeks news you can kill someone and get away with it by paying enough money..

    Oh crap I forgot that already happens in this country anyways so these anti spam ideas are right along our lines of justice.

    Give me a break, We have some of the most lax punishments in the world for some crimes and insane punishments for others ( You can go to jail for killing someone and get out in 10 years, Get caught with some dope and you can go to
  • The only ones that can stop spam in its' tracks are the credit card companies. You have to make a purchase with a card. Have the credit card companies stop any payments to known spammers - problem solved. This is the bottom line - stop the flow of cash - stop the problem. Is there any reason this cannot be done? Why is this never mentioned. The companies that facilitate spam can stop it today.
    • Would this in any way be considered fraud on your part? I like the idea (a lot), but I'd hate to get countersued (or stuck with the cost of penis enlargement pills :-)

      I threatened to contest a charge to a local merchant once (he sold me defective merchandise, looked up *on his computer* my purchase info, then refused to exchange or refund because I didn't have my receipt). Just the threat was enough because it doesn't take many complaints before you lose the ability to accept credit cards at all -- doomi
  • Like whitelists and keywords, this is a special case of a token-based system. Token-based systems depend on the sender performing some action that is, at the time they send it, sufficiently hard to predict, unusual, or onerous for a spammer to bother with it.

    For example, I have certain addresses that bypass my spam filter either partially or completely, and I have set up a scheme for my kids whereby a sender has to know a "magic word" to get in. Whitelists, of course, make the sender address the token.

    Right now, these are good enough.

    Spammers are beginning to respond to whitelists, though, and trying to guess sender names. It's only a matter of time before they start using the address books in their zombies to build up lists of probable whitelists, and start sending spam using pairs of addresses from the same address book the way viruses already are.
  • Gosh this is a great idea for .... oh, geeks, but unless the vast majority of ISPs, corporations and users implement THIS system, it is a programming exercise. So when you implement this - your friends get through, the random junk gets dropped and anybody that is new to you gets a very anti-social message about not accepting your mail till you do something wierd. So these folks answer to anti-social behavior on the part of spammers is to be anti-social themselves.

    Thanks, nothing says screw off and leave

  • Something just occurred to me:

    Currently there are laws in place which govern truth in advertising. What if it was made illegal to intentionally misspell words with the goal of circumventing content filters?

    Also, can't we just file civil suits against companies who sell their products through spammers? I know that currently companies that have insufficient corporate ethics facilites set up (i.e., an ethics officer, a company ethics statement) can be held liable when one of their employees engages in unethi
    • This would only apply to companies in countries with such laws. It would not be a big deal to just move offshore - which most spammers have done. It is also difficult to locate such spammers in the first place. They never seem to put their physical address in the spam - clever eh?
  • by btempleton (149110) on Friday June 25, 2004 @02:36PM (#9531518) Homepage
    Combining challenge/response with cpu stamps, java and other factors. It allows the problem to change over time, requires no new software at the sender's end (which is the big non-starter) and still allows anonymous mail.

    It's at this page on cpu stamps and challenge response [templetons.com].
  • by Mustang Matt (133426) on Friday June 25, 2004 @02:46PM (#9531620)
    All the people running 200 MHz mail servers are only going to be able to send 10 legitimate emails per day and spammers will hijack more unpatched 3 GHz machines and do distributed computations and send out more spam than ever that gets through because it's passed the computation test.
  • Many Major Flaws (Score:3, Interesting)

    by Andy_R (114137) on Friday June 25, 2004 @02:55PM (#9531730) Homepage Journal
    Not all devices will have enough computing power available. My grandmother has an Amstrad E-mailer. How long will it take the 4Mhz Z80 in there to generate a stamp? How about the cpu in my phone?

    From the Faq "You only generate a stamp the first time you mail someone." So when all 20 of the biggest spamhouses have generated a stamp for you, you are right back at square 1? Net cafes with changing clientelle pay a higher price than spammers? Forged headers cliaming to be from friends don't need a stamp?
    • Re:Many Major Flaws (Score:3, Informative)

      by loxosceles (580563)
      As for low-power devices, sure, that's a problem. Unless you have a better idea, though, you'll just have to live with TMDA or some other solution that doesn't require as much cpu time. You could even send your key to recipients ahead of time and get them to pre-whitelist it.

      As for the other comments, you ought to read about camram. camram whitelists by pgp keys, not by sender. Initial messages have both a hashcash stamp and a pgp key. If the hashcash stamp has enough bits, the pgp key gets whiteliste
  • by Vexler (127353) on Friday June 25, 2004 @03:11PM (#9531906) Journal
    ...and let's see if people like Bernard Shifman and Scott Richter can spam me with an Etch-n-Sketch.
  • by crovira (10242) on Friday June 25, 2004 @05:12PM (#9532973) Homepage
    This is another hair-brained scheme that I can already see problems with.

    JUST SUE THE PEOPLE WHO HIRE THE SPAMMERS, BIG TIME!

    Drying up the demand mean that they don't make money. Not making money means that they don't bother spamming.

    What they want is $$$.

    Take away their market buy making it no longer cosat effective, by passing laws that will sue the pants off of anybody that send you Spam. And don't worry about borders. You can BUY the border agreement with a percent of the fines.

    Its simple economics. Supply and demand. As long as there is a demand, these schmucks will supply.

    Tony Sopranos may be immune but his customers are supposed to be legitimate businessmen... You can't sell squat when every Spam you send can get you X thousands in fines levied against you, in every jurisdiction and with every offense.

    And NOBODY is going to bve AGAINST this law. (If they are, they're suspect...)
  • by GPLDAN (732269) on Friday June 25, 2004 @05:38PM (#9533113)
    You may be an anti-spam kook if...

    Click Here, it's funny in the so-true-it's-sad way [rhyolite.com]

"There is nothing new under the sun, but there are lots of old things we don't know yet." -Ambrose Bierce

Working...