Your point "That convenience and economy is part of what makes mass quantities of spam of the sort we see weighing down the Internet possible." touches on one more thing that must be corrected before spam is reduced or eliminated. That being, the economic incentive to spam in the first place.
Users, usually the same ones who complain about spam, must stop responding to spam. If spammers are not getting responses, that is paying customers, a large amount of spam will cease.
This of course will likely never happen. As long as you have grandma and grandpa windowuser out there clicking on every email they see and buying whatever trinket that is being sold, you will continue to have this issue. Further, the spammers that are just phishing will continue regardless if there is a dramatic decrease in responses.
I'm a "grandpa windowuser," per faradhi, who doesn't click.
Further, my business circumstance permits separation of computer conduit and repository functions, then near-elimination of the repository.
All email, for example, reposes for only as long to read and Shift-Delete. No account numbers are stored, no lockers maintained, no lists kept. The exceptions, like 11 personal OE contacts and eight transitory bookmarks, are reviewed and culled regularly with a hard eye. Utilities attend to other loose ends.
This configuration and these practices owe in no small way to my having paid attention to your work on TR, Chad. I wish to thank you.
In particular, I appreciate your strategic thinking with respect to the tactical. You have a facility for drawing back, sometimes way back, then announcing over your outstretched, practiced thumb what you see.
What do you see, tactically, with respect to grandpa windowuser and his conduit? Assuming successful control of the repository, how better to tighten control of the conduit function?
I run DU Meter, for example, and I toggle net connectivity. I maintain software firewalls on both machines (XP and VHB) behind a router. I rely on Site Advisor and No Script; One Care and CCleaner. I'm wary of where I go.
Yet botnets and zombification still stand front and center in my mind.
Can you impart more?
"This configuration and these practices owe in no small way to my having paid attention to your work on TR, Chad. I wish to thank you."
You're welcome. I'm glad people get some benefit from this -- especially since, the greater their system security, the greater my convenience (since compromised systems often become a problem for everyone).
"What do you see, tactically, with respect to grandpa windowuser and his conduit? Assuming successful control of the repository, how better to tighten control of the conduit function?"
I've suffered insomnia tonight, so I'm responding without sleep -- and as such, I'm not 100% certain I understand what you're asking. By "conduit", I tend to guess that in this case you mean the tools for sending outgoing email. I'll answer assuming that:
There are two things that can, or need to, be done to solve a significant chunk of this problem.
1. Separate privileges. The software on most of the desktop PCs in the world does not enforce privilege separation sufficiently. This allows privilege escalation and remote execution access to nominally separate applications. It is as a direct result of this that most malware ends up on its host system.
2. My mind just drew a blank on the second point. I blame the lack of sleep. I had it firmly in mind through most of writing out point 1, and forgot just before I got to point 2. Darn it all.
While I don't remember what point 2 was, I do remember that a key characteristic both points had in common was that neither of them specifically requires the end user to do anything about spam and email security at all. If the end user was using software that benefited from better security characteristics (not just by design, but via default configuration as well), these problems would effectively solve themselves.
A few things you can do to protect yourself even without changing the design of your software, but that do require your conscious choice, include:
1. Only view and send email as plain text. Much of the problem people currently have with getting infected, getting targeted by spam emails, and getting snowed by phishing scams would evaporate if they were not viewing images, JavaScript-enabled markup, embedded Flash and multimedia objects, and hyperlinks in their email clients. These features can lead to remote code execution, conceal the true nature of a link from the user, or "silently" provide information to the spammer (such as via variables passed in an image URL).
2. Use encrypted connections for authentication on mail servers to prevent man-in-the-middle and sniffing attacks.
3. Use a stateful packet filtering firewall that filters both incoming and outgoing packets, logs them, and informs you somehow of anomalous or suspect network activity (then do something about it if such activity is detected).
Note that the first item in this last list requires almost no effort on the part of the email user -- just an adjustment to a world that isn't overrun with eye candy in email. Also note that this one suggestion, alone, can reduce your susceptibility to infection directly via email by (I estimate) at least 98%. Less direct methods like malicious email attachments and phishing are not so drastically reduced, though even the effectiveness of phishing would be significantly reduced by this one simple change in habit.
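What item 1 of the second list above describes, as an added example that is not part of the original post: a Python sketch that shows what a plain-text view of a message displays and what its HTML alternative would have fetched or hidden. The sample message, its hostnames and the helper names are all constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample (not from the thread): one message, two alternative bodies.
SAMPLE = """\
From: "Example Bank" <notice@mail.example.net>
To: user@example.org
Subject: Account notice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review your account at http://login.example.net/verify

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review your account:
<a href="http://login.example.net/verify?u=user%40example.org">www.example.com</a></p>
<img src="http://img.example.net/open.gif?rcpt=user%40example.org&amp;c=42" width="1" height="1">
<script src="http://img.example.net/x.js"></script>
</body></html>
--b1--
"""


def host_in_text(text):
    """Return the hostname that link text claims to point to, or None."""
    words = text.split()
    if not words:
        return None
    candidate = words[0] if "://" in words[0] else "//" + words[0]
    try:
        host = urlsplit(candidate).hostname
    except ValueError:
        return None
    return host.lower() if host and "." in host else None


class ActiveContentAudit(HTMLParser):
    """Collect the HTML features a plain-text client never acts on."""
    ACTIVE_TAGS = {"script", "object", "embed", "iframe"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.beacons = []     # (host, [query parameter names]) per remote image
        self.mismatched = []  # (text shown to the user, host actually linked)
        self.active = []      # names of active-content tags found
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            url = urlsplit(a["src"])
            if url.scheme in ("http", "https"):
                # Fetching this image tells the sender the mail was opened;
                # the query string can carry the recipient's identity.
                names = [k for k, _ in parse_qsl(url.query)]
                self.beacons.append((url.hostname, names))
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag in self.ACTIVE_TAGS:
            self.active.append(tag)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            real = urlsplit(self._href).hostname or ""
            claimed = host_in_text(shown)
            if claimed and claimed != real:
                self.mismatched.append((shown, real))
            self._href = None


def plain_text_view(raw):
    """What a plain-text-only client displays: the text/plain part, verbatim."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content().strip() if part else ""


def audit_html_part(raw):
    """What rendering the text/html part would have fetched or concealed."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    audit = ActiveContentAudit()
    if part:
        audit.feed(part.get_content())
        audit.close()
    return audit


if __name__ == "__main__":
    print(plain_text_view(SAMPLE))
    result = audit_html_part(SAMPLE)
    print(result.beacons, result.mismatched, result.active)
```

In the plain-text view the real destination is visible in full, and nothing is fetched until the reader chooses to follow it.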
"As long as you have grandma and grandpa windowuser out there clicking on every email they see ..."
faradhi, their behavior would be the same if they were running Linux or a Mac. They'd still be clicking on their messages indiscriminately and providing economic feedback to spammers, regardless of their OS, e-mail client, ISP, or hardware class.
Chad, I'm surprised there aren't more comments on this topic. I think it's timely, and relevant outside the realm of security (economics, infrastructure, protocols, sociology).
I was not trying to single out Windows users or the elderly. I was just trying (I guess a little too hard) to be funny.
Understand, I am not trying to bash Windows. I am a Windows admin. You are correct it does not matter the platform except to say that with Windows, the phishers are more easily able to install malware.
"I think it's timely, and relevant outside the realm of security (economics, infrastructure, protocols, sociology)."
First, thanks for the kind words.
Second, please feel free to expound your thoughts on relevance outside the realm of IT security. I'd love to see what you have in mind.
The key is to make the cost greater than the benefit, or at least make the two close enough that spammers can find "better" ways to get benefits. You can achieve that by increasing the cost (eliminating the means by which spammers offload their resource costs on unsuspecting MS Windows users, et cetera), decreasing the benefit (eliminating most of the return on investment spammers get, such as by getting everyone to stop responding to spam), or both.
Even phishing requires a balance of cost and benefit that favors the phisher sufficiently to make it worthwhile. The benefit is just less prone to reduction by user education than plain ol' unsolicited commercial email.
If most of the work is being done by robots the cost is
very low.
The problem is to make sure the rewards are low enough.
This is difficult. If you send a million phishing emails and
only get 10 responses that can still pay for the effort you
put in. If you send a million African fee scam emails and
get ten responses it is worth it.
I am glad the original post noted that solutions like
charging for email will not work.
As to user education there is a saying "one born every
minute" and most of today's internet scams are old scams
from the pre internet era simply transplanted. People
need to learn caution.
Internet scams are, however, getting cleverer. My wife
runs a bed and breakfast in Edinburgh and we nearly got
scammed by someone wanting us to charge his credit
card £5,500 for ten guests, send £4,000 by Western
Union somewhere and keep the rest (which was more
than we were charging). I sent all emails relating to this to
the police. We got two similar scams in email since then
and they went to the police too. Mind you I still cannot
spot the scam in that one, I just know it is there.
The scam lies in the fact that the credit card is probably no good. If the card is good, it may be stolen. Either way, you are out 4000 pounds. You send out money via a method that cannot assure identity, hence no one to recoup your loss from. Never send money to unknown parties via Western Union, postal money order or any other method that does not verify the identity of the recipient.
My favorite cure is to jail spammers for theft of service.
Jail terms should be comparable to those of other thieves of similar magnitude.
It's not a joke, it's not because Grandma and Grandpa should be more wary, it's not because OS and application vendors aren't sufficiently vigilant - it's because there are scum who steal.
Hose 'em.
That should be "scum who prey". Either way, I agree with you. Lol, better yet...make it punishable by death! Because if they aren't spamming or phishing, they'll find another creative illegal outlet.
Being careless about email security is like leaving your
house unlocked then complaining if you get burgled.
Punishing burglars does not stop burglary. Locking doors
stops burglary much more effectively. Burglar alarms are
still better.
Punishing spammers will not stop spam. In any case robot
spam makes it hard - impossible? - to trace the ultimate
source.
My organization...according to our reports...receives between 3/4 to 1 million email messages per month. Greater than 90% is always spam. If you don't have a spam blocker in any large organization...I really don't see how email can actually be useful. Desktop client plugins just aren't acceptable at that level.
But yes, we should punish them. There needs to be international laws to stop the loose cannons in Africa, Southeast Asia and other 3rd world areas where the lack of local laws (or enforcement) let these guys run around unabated sending spam, DoS attack and other such bs. If they allow more than an acceptable amount of this garbage...kill that ISP's fiber connection. Almost every DoS attack I've seen 1st hand led me back to an IP range hosted by some service hosted in Africa or SE Asia.
If we focus attention on those few areas of the net somehow total spam, virus bots and DoS attacks will diminish greatly.
spammers are hidden behind many individuals from whom they indirectly use their services, without them being aware that what they do will in fact help spammers. Spammers are exploiting every legal holes and will use them as they want. They succeed only because they can aggregate the power forces of their agents in a way that only they know really how their scheme works.
So you'll put a few of them into jails, but most spammers will not be accessible. The largest spammers are known, but legally difficult to attack, because most of what they initiated was not performed by them directly but by armies of their unaware agents, which most of the time can't even be prosecuted as they did not know they were failing somewhere, or because they have also been abused by false information.
This judiciary fight will also be very costly. I am sure that there are more cost effective solutions, by multiplying the collaborative efforts in protocols and monitoring of the internet use, using legal ways such as the collection of aggregate statistics, to help finding much faster the sources of injection.
Currently the fight is only performed at the reception sites, and only in one of the protocols. The fight must go further and should monitor the network usage globally, in all its used protocols (including DNS, IP routing announcements, routers), but also by changing the distribution of costs so that it will be very prohibitive for spammers.
For example, everyone should have a legitimate right to own one or a few domains. But registrars have the very bad practice of decreasing the costs for domain names bought in volume. This should change: the cost per domain should be proportional (or even higher above some maximum threshold) to the number of domains bought by someone on a given registrar. The same should be done also for domain name hosting. Also the number of owner changes allowed for a given domain should be reduced, or should require some additional fees to pay to the registrar and to the registry.
Finally, the Internet should really adopt faster the IPv6 protocol and give everyone a free static IP address, to also help locating the legitimate users and avoid side effects on them, just because they subscribed to a large ISP that necessarily has its share of infected customers.
The system of dynamic IP addresses disserves the rights of legitimate users to have their emails delivered.
With IPv6, you'll no longer need dynamic NAT (just static NAT between your local private network and the internet). Sending emails with IPv6 instead of IPv4 could really help getting the legitimate emails delivered correctly without suffering the cost of false detection.
PhilippeV: spammers are hidden behind many individuals from whom they indirectly use their services, without them being aware that what they do will in fact help spammers.
Spammers use botnets. True.
PhilippeV: Spammers are exploiting every legal holes and will use them as they want.
Spammers are scum who abuse any loopholes they can find in the legal system. True.
PhilippeV: They succeed only because they can aggregate the power forces of their agents in a way that only they know really how their scheme works.
That looks like another reference to botnets. Spammers manipulate others to do their work. True, and classifiable under "scum" also.
PhilippeV: So you'll put a few of them into jails, but most spammers will not be accessible.
Many things are "difficult" yet not impossible.
PhilippeV: The largest spammers are known, but legally difficult to attack, because most of what they initiated was not performed by them directly but by armies of their unaware agents, which most of the time can't even be prosecuted as they did not know they were failing somewhere, or because they have also been abused by false information.
No, I wouldn't want the unknowing end-users infected by botnet software to be prosecuted. I'd want the original authors of the botnet software prosecuted.
PhilippeV: This judiciary fight will also be very costly. I am sure that there are more cost effective solutions, by multiplying the collaborative efforts in protocols and monitoring of the internet use, using legal ways such as the collection of aggregate statistics, to help finding much faster the sources of injection.
I'd prefer fines over jail time for reasons I'll describe to you at great length if you ask, but in essence I'm supportive of prosecuting SPAM-related efforts under property law. It is, in real terms, use of the recipients' property without permission. Better protocols might make such crimes more difficult to commit, and would be nice to have, but the activities are criminal. Regardless of the difficulty of proving the identity of the perpetrator, in any scenario that it can be proven, they should be deprived of financial assets equal to any and all gains realized by their illegal activities. If they have spent most of it and their net worth is less than what they stole, I'll take their net worth. Shared equally with the other members of the class, of course.
as you could apply the same logic to post office mail. USPS claims mail spam keeps overall mail cost down through volume.
But at least in the post office box scenario, the durn spammer pays for the transmission.
If there were some way to attribute a cost to the transmission of such, that alone would reduce it by half; I bet.
Of course that could be no more practical to implement than the methods to get rid of it in the first place.
Maybe a surcharge to ISPs who have the most botnets? Heck I don't know; I'm just grasping for straws here!
I think a lot of consumers just don't want to spend any $$ on maintaining their computer. They think that they spend x hundreds of dollars on a new system so it will run w/o any maintenance. Their attitude towards anti-virus is I paid for a version last year so I have to pay for one again this year. They do not clue in that anti-virus is like an oil change, you have to pay for it every year. Now there is "free" anti-virus they won't pay for a tech to install it properly. Using a computer is not much different than driving a car; you need to learn the rules of the road (learn what and what not to do), change oil (get a router, anti-virus) regularly. And finally they go to a competent mechanic (a professional technician) to tune up their computer. I guess this is utopia but I like to dream about it.
as it is not just about selling questionable goods.
It is also a conduit to a) infect your computer via the email, via ActiveX, JavaScript, buffer overflows from the JPEG exploit, etc.
b) infect your computer with a link to a website in the email, which very well might not be selling anything but of 'interest' to you, and targeted at you.
For example spammers are now targeting c** employees with emails to websites that look legit but infect them.
and they actually can be used as an attack, by sending so much spam it overloads the email server and real email can't get thru.
I had 'bounce' spam once send me 8,000 emails in one day from some Chinese spammer's address. Wasn't even sent directly to me but the guy had sent out so many spams and faked my domain's email address I got 8000 emails.
One day I got fed up, went through all of my spam, went to the offending websites, got their contact info, and sent another spammer's contact info to them.
What if the e-mail system had a SPAM bounce?
When I get mail ( POP3 ) I can get headers, download and delete. The sender can blindly send, request that it was received, get a notification that the e-mail is non existent.
I see the e-mail system modified as such:
If I mark an e-mail as SPAM the server should send a reply to the sending server indicating a SPAM rejection. If the sending server is the problem the receiving server bans the server. If the server isn't the problem it uses the SPAM rejection notice to deal with its clients (lock out, cleansing a compromised system, etc.)
When I get mail (POP3) I can get headers, download and delete. The sender can blindly send, request that it was received, get a notification that the e-mail is nonexistent.
I see the e-mail system modified as such:
If I mark an e-mail as SPAM the server should send a reply to the sending server indicating a SPAM rejection. If the sending server is the problem the receiving server bans the server. If the server isn't the problem it uses the SPAM rejection notice to deal with its clients (lock out, cleansing a compromised system, etc.).
A big part of the SPAM problem is the wasted bandwidth.
And as spam is almost always sent by a zombie, it is just a zombie that gets the double whammy, not the damnspammer.
For how easy it is to spoof where an email came from, that is not a solution.
A big part of the SPAM problem is the wasted bandwidth.
The entirety of the SPAM problem is unwanted content. The use of bandwidth for which their customers have paid is the ISPs' obligation to provide, up to the level promised. What that bandwidth is used to transmit is between sender and recipient.
http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=251095&messageID=2430382
On a large network you cannot STOP spam, merely filter it. So when your email server receives a million or more spam messages a month ( a figure that is not at all unreasonable) it takes up a large portion of your bandwidth. It IS the ISP's obligation to provide it, as you said. But when a large portion of that bandwidth you are getting according to your contract is spam email traffic...well, it sucks. You get x amount of bandwidth, it doesn't matter if it is legitimate, porn surfing or receiving incoming spam. So spam does take up bandwidth on the incoming side.
At http://blogs.techrepublic.com.com/tech-news/?p=1920, Tricia discusses Time-Warner's implementation of charging for Internet service based on the bandwidth used. If this becomes widespread, home users may begin taking security more seriously. When the ISP bill arrives and they see how much they're being charged, they may start to wonder what's using all that bandwidth.
There are two sides to that notion, I think:
1. At the low end, bandwidth-based fees are a really bad idea. Customers will leave in droves for greener pastures if they discover that they have to count every kilobyte of transfer in a given month to be able to budget their bandwidth costs. Here in the US, people are not accustomed to a per service unit price schedule for Internet connectivity at the level of the home user, and the incredible inconvenience such a policy would impose on customers at the low end would be unacceptable to most.
2. I think it's a great idea at the high end. In fact, it's already in use at the real high end, which is to say in the realm of dedicated Internet bandwidth for server systems. Colocation facilities typically charge for transfer bandwidth per month, for instance. High-end residential ISP bandwidth use could well be assumed to be equivalent to bandwidth use in a colocation facility, in terms of the resource usage patterns of the customers. The alternative for reasonable bandwidth management in the presence of ever-increasing numbers of people with massive bandwidth consumption needs, assuming a finite limit on bandwidth provision capability by the ISP, is to use QoS systems to cap the most egregious bandwidth consumption -- which is a practice people are trying to get Congress to prohibit via "Net Neutrality" legislation.
In a sense, bandwidth fees for consumer-grade access were already tried, in the form of hourly billing for dialup access. On a 56.6 modem, bandwidth and time spent on line are fairly synonymous.
Regarding the spam situation and bandwidth fees, though, it won't solve the spam situation, in my opinion. After all, what do the spammers care if someone gets stuck with a big bill? Their email was already sent. All it will do is annoy the home user.
I may add, Time Warner at least is quite proactive about this! A long time ago, I mistakenly had an open relay on my home server. Within days of shutting it down myself (I saw the server getting sluggish, saw it was getting slammed), I got a letter from Time Warner, notifying me that they had received complaints that I was sending spam, suggesting that I install their free A/V software, and call them for help if I needed it.
Of course, ISPs could simply add a transparent proxy on SMTP traffic from consumers' connections, and run it through a spam detector (not a filter, just a detector). If there is a long-term trend of high-volume spam activity, get in touch with them and see what's up. Even that will get some people screaming. But it is a heck of a lot more reasonable than expecting everyone to abandon Windows for a *Nix, or some of the other "solutions" that I've seen presented.
J.Ja
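One way to express the detector-not-filter idea from the post above, as an added example (not J.Ja's or any ISP's code): it flags customers whose outbound mail is mostly spam on most days of a window, and ignores one-day bursts and high-volume legitimate senders. The log format, customer IDs and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta


def parse_line(line):
    """'2008-02-04 cust-0417 msgs=5000 spam=4900' -> (date, customer, msgs, spam).

    The format is hypothetical: one daily summary per customer, as a
    detector sitting on the outbound SMTP path might write it.
    """
    day, customer, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return date.fromisoformat(day), customer, int(kv["msgs"]), int(kv["spam"])


def sustained_spam_sources(lines, window_days=7, min_bad_days=5,
                           min_spam=200, min_ratio=0.8):
    """Return {customer: bad_day_count} for customers to contact.

    A day is "bad" when at least min_spam messages were scored as spam AND
    they make up at least min_ratio of that customer's outbound mail.
    Nothing is blocked; the result is only a list of people to call.
    """
    per_day = defaultdict(lambda: [0, 0])  # (customer, day) -> [msgs, spam]
    last_day = None
    for line in lines:
        if not line.strip():
            continue
        day, customer, msgs, spam = parse_line(line)
        per_day[(customer, day)][0] += msgs
        per_day[(customer, day)][1] += spam
        last_day = day if last_day is None else max(last_day, day)
    if last_day is None:
        return {}

    first_day = last_day - timedelta(days=window_days - 1)
    bad_days = defaultdict(int)
    for (customer, day), (msgs, spam) in per_day.items():
        if day < first_day:
            continue  # outside the window under review
        if msgs > 0 and spam >= min_spam and spam / msgs >= min_ratio:
            bad_days[customer] += 1
    return {c: n for c, n in sorted(bad_days.items()) if n >= min_bad_days}


def constructed_log():
    """Constructed sample: one week of daily summaries for four customers."""
    start = date(2008, 2, 4)
    lines = []
    for i in range(7):
        day = (start + timedelta(days=i)).isoformat()
        # Infected machine: high volume, almost all of it spam, every day.
        lines.append(f"{day} cust-0417 msgs={5000 + 100 * i} spam={4900 + 100 * i}")
        # Mailing-list operator: higher volume, very little scored as spam.
        lines.append(f"{day} cust-0101 msgs=9000 spam=40")
        # Ordinary home user.
        lines.append(f"{day} cust-0350 msgs=12 spam=0")
    # One-day burst, e.g. an infection cleaned up the next day.
    lines.append("2008-02-08 cust-0022 msgs=900 spam=850")
    return lines


if __name__ == "__main__":
    for customer, days in sustained_spam_sources(constructed_log()).items():
        print(f"contact {customer}: spam-dominated outbound mail on {days} of 7 days")
```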
"Regarding the spam situation and bandwidth fees, though, it won't solve the spam situation, in my opinion. After all, what do the spammers care if someone gets stuck with a big bill? Their email was already sent. All it will do is annoy the home user."
I think bandwidth fees won't do much to help with the spam problem, but I think (or at least hope) it would probably have a (very small) effect. The reason for this is the same reason Palmetto brought it up -- which has nothing at all to do with whether spammers care if someone else is billed more for consumed bandwidth.
The idea is not that the spammers care -- it's that the people with computers hijacked into spam botnets will care about escalating bandwidth costs, and will start wondering why they're consuming so much bandwidth. This could lead to an increased awareness of system security, which could lead to fewer systems that are allowed to just run indefinitely with spambot infections.
Of course, understanding this assumes you understand the real causes of spam and -- no offense -- I'm not sure you do. You seem to think spam is caused by a protocol, when in fact it's caused by the cost/benefit relationship created by a situation in which (almost) all resource consumption for spammers can be offloaded to other people by cracking security on millions of MS Windows systems.
"But it is a heck of a lot more reasonable than expecting everyone to abandon Windows for a *Nix, or some of the other 'solutions' that I've seen presented."
It may be more reasonable than such an expectation, but improving system security across millions of systems is the single most effective means of reducing spam volume -- and the most effective improvements to security would involve architectural changes, not just shuffling feature sets on architecturally unsecurable systems.
SMTP does not "cause" spam, no more than guns "cause" armed robbery. SMTP "enables" spammers to be effective, the same way that guns "enable" armed robbers to be effective. If the SMTP protocol had the mechanisms in it that I describe (particularly sender authentication) then it would be impossible to have the level of spam that we have now, since the bar would be raised so much higher to get a message out.
J.Ja
In another discussion, I pointed out that it's not the specific protocol that makes it possible, and I explained that -- pretty clearly I think. I don't feel like explaining it again. It was in response to you stating that SMTP makes spam possible. Please refer to that.
I still think that you are not really addressing my point (tried to respond to that effect last night, but all CNet properties were down). You are making good points, just not addressing mine.
J.Ja
The "sender", depending on how you look at it, is one of two things:
1. the botnet software
2. the person controlling the botnet software
I think d_kelly120020's point is that the proposed solution would punish people whose computers have been infected without their knowledge, rather than punishing the person controlling the botnet software.
I think d_kelly120020 probably started out with a good point about the owner of the commandeered computer being a victim already, by virtue of having a spambot on it. I was annoyed by the choice of analogy, which I think goes beyond hyperbole, to plain bad taste.
http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=251095&messageID=2409347
http://techrepublic.com.com/5208-6230-0.html?forumID=102&threadID=253776&messageID=2427966
There's just nothing worse in the whole world than excessive hyperbole!
Good information and rebuttals about SMTP. I get quite a bit of email, most of which is related to pharmaceuticals/drug solicitation information. I wish that I could find some way to eliminate/minimize these medical spam emails, which comprise nearly 85% or more of the email in my inbox. I use MailWasher Pro and it does a good job of filtering, but still, I get quite a bit of medical drug solicitation SPAM email.
Hear, hear!
Given the statistics, it is well worth the spammers' "minimal" efforts to produce spam. The return on investment is near phenomenal. And Chad, you are precisely correct in your evaluation of the cause. The not-so-nimble minded home users out there who just HAVE to click on everything they see because it's there.
Excellent work!
Sounds to me like you're applauding the spammer for doing a good job.
I kept waiting for a real solution while reading your article but it never happened.
This is interesting information to know but to whom, I'm not sure. All in all this post seems kind of worthless since it doesn't solve the problem. You mention a couple ideas to help but without being proved out they are meaningless.
Lastly, I'm not sure what a better medium would be for something like email. I have a Barracuda spam filter in place and it does a really good job at blocking spam. Very rarely do I hear a complaint about someone not receiving a legitimate email. Until a viable solution to spam is found then I believe email is pretty efficient and effective.
Thanks,
Tony Sheehan
Simple solution:
1. blacklist all inbound email
2. create a white list of acceptable recipients.
3. Pay me to be added to my white list. (just kidding)
That's exactly what I do with my personal email address, and it's very convenient for me. However, for spammers to stop sending altogether, they would have to be convinced that nobody is receiving their messages, or ever will. Since not everybody is likely to undertake the (small amount of) effort necessary to use fetchmail & procmail, or more fundamentally to install Linux in the first place, the general problem is not addressed by this.
Worse, this technique is good enough so far, probably because it isn't widely enough used for spammers to have taken note of it, and make the extra effort necessary to spam me. They seem to be just as lazy as any other end-[L]user. But, if this becomes commonplace, I expect sender info forgery to become equally commonplace. By then, some encryption-based sender identity verification will be necessary.
http://www.networkworld.com/news/2008/021108-antiphising.html
It's already possible to use PGP or GnuPG or the like to encrypt contents, and only open messages from trusted senders; having servers check the senders' identities would be even better.
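The weakness raised in the post above, that a sender whitelist trusts a From header anyone can forge, shown as an added example (not code from any poster): a naive whitelist beside one that also requires a DKIM pass for the From domain. The addresses, the `mx.example.net` authserv-id and the sample messages are constructed, and it assumes your own receiving MTA stamps `Authentication-Results` and strips inbound copies that claim its name.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the name our own receiving MTA writes into Authentication-Results.
TRUSTED_AUTHSERV_ID = "mx.example.net"
WHITELIST = {"alice@example.org", "billing@bank.example"}  # constructed


def from_address(msg):
    """Lower-cased address from the From header ('' if absent)."""
    return parseaddr(msg.get("From", ""))[1].lower()


def naive_whitelist(msg):
    """The scheme from the thread: accept if From is on the list."""
    return from_address(msg) in WHITELIST


def dkim_pass_domains(msg):
    """Signing domains our own MTA reported as dkim=pass.

    Simplified reading of Authentication-Results: results are split on ';'
    and tokens on whitespace. Headers stamped by any other host are ignored,
    because the sender can put whatever it likes in the message.
    """
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        authserv = parts[0].split()[0].lower() if parts[0] else ""
        if authserv != TRUSTED_AUTHSERV_ID:
            continue
        for result in parts[1:]:
            tokens = result.split()
            if not tokens or tokens[0].lower() != "dkim=pass":
                continue
            for tok in tokens[1:]:
                if tok.lower().startswith("header.d="):
                    domains.add(tok.split("=", 1)[1].lower())
    return domains


def verified_whitelist(msg):
    """Whitelisted From AND a passing DKIM signature from that domain."""
    addr = from_address(msg)
    if addr not in WHITELIST:
        return False
    domain = addr.rpartition("@")[2]
    return any(domain == d or domain.endswith("." + d)
               for d in dkim_pass_domains(msg))


def classify(raw):
    """Return (naive_result, verified_result) for a raw message."""
    msg = message_from_string(raw)
    return naive_whitelist(msg), verified_whitelist(msg)


# Constructed messages. The first Authentication-Results line in each is the
# one our MTA added on receipt.
GENUINE = """\
Authentication-Results: mx.example.net; dkim=pass (good signature)
 header.d=example.org; spf=pass smtp.mailfrom=example.org
From: Alice <alice@example.org>
Subject: lunch?

See you at noon.
"""

# Forged From, no signature; the sender also injected a fake result header.
FORGED_UNSIGNED = """\
Authentication-Results: mx.example.net; dkim=none; spf=fail smtp.mailfrom=example.org
Authentication-Results: other.invalid; dkim=pass header.d=example.org
From: Alice <alice@example.org>
Subject: cheap meds

Click here.
"""

# Forged From, validly signed, but by an unrelated domain.
FORGED_OTHER_SIGNER = """\
Authentication-Results: mx.example.net; dkim=pass header.d=bulk-sender.example
From: "Alice" <alice@example.org>
Subject: cheap meds

Click here.
"""

STRANGER = """\
Authentication-Results: mx.example.net; dkim=pass header.d=shop.example
From: promo@shop.example
Subject: sale

Buy now.
"""

if __name__ == "__main__":
    for name in ("GENUINE", "FORGED_UNSIGNED", "FORGED_OTHER_SIGNER", "STRANGER"):
        naive, verified = classify(globals()[name])
        print(f"{name:20} naive={naive!s:5} verified={verified}")
```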
It will be interesting to see how PayPal, eBay, and the banks manage to dangle a carrot in front of the internet service industry to try to get them to go with DKIM.
You think something like this will become commonplace?
I think it will happen soon, led by a few companies who have the most to lose by the likely worst-case scenarios. I think the big surprise will be how little it costs overall. We might get 1/4 of the dot-com boom back, IMO.
Unfortunately, any solution is fraught with technical challenges and costly hardware and software.
We may need to move from a negative system, e.g.: block a specific incoming address, to a positive system, wherein all emails are blocked unless I allow them to enter my domain. But, to be effective, every email system in the world, or our country would need to do the same.
For instance, on my phone I have call blocking unless the caller identity is forthcoming. Translating this approach to an email system is a daunting test.
Our firm employs a commercial service (e.g.: Postini). No doubt there are other services that are equal to the task. In an average week, at my corporate email address, I am the target of no less than 125 to about 200 spam missives. Postini's filters and software also allow me to review the blocked emails and to designate email originators that I do wish to receive, either once or always. Consequently in a given week I see one or two emails that some clever folks have created in a manner that escapes Postini's scrutiny. My home internet provider stops spam as I see but one a month that evades the ISP's filters.
Overall between our home accounts and my office account, I receive 1,500 to 2,000 emails a month, of which three or four combined are spam emails that circumvent the filters. As my ISP does not provide details, I cannot assess how many emails are stopped.
Oh yes, I should also report that between the two accounts entities (work and home), my firm stops one email every two months that I should see and across my five personal accounts, my ISP provider blocks one email every three months.
But let's examine the numbers. My guess is that in the USA there are close to a billion discrete email addresses. How do I arrive at such a number? Let's just conjure all the folks that live in the USA, all the corporate email addresses and all the other special purpose email addresses, e.g.: customer services, sales, etc. For instance in our family of two, we have five email addresses. So I don't think I'm far off the mark.
While my firm and my home PCs have very stringent anti-virus defenses (and firewalls), alas others do not and thus my email address is persistently exposed to viruses and Trojans that exploit the weaknesses of other systems.
Even when I'm careful, others are not. To wit, a major corporation sent an announcement to a considerable list of purchasers that a product was delayed several weeks. Instead of sending the email notice to the addressees BCC's, my email address and others were exposed to public view and thus retention by other recipients.
In point of fact, the onslaught of spam to my corporate account increased dramatically in the weeks after the exposure. By the way this has occurred with other firms and their "global announcements", so it is more commonplace than one might think.
As asserted at the onset of this note, regrettably while this onslaught of spam messages is a pandemic flooding internet backbone and trunk links as well as mailboxes, there is no panacea.
Perhaps the wave of the future is to "authenticate messages" using some form of DES or RSA public key suffix to a message. Many years ago, there was an ANSI committee that explored such a vehicle to protect the content and verify originator and recipient of funds transfer messages.
But can one imagine the amount of fossil fuel we already expend to convey useless messages and to protect ourselves and will need to expend as the cataract of messages continues unabated.
As we are dependent on our cellular telephones (in whatever incarnation we employ), we are also wedded to emails or at least the medium.
I think that if they would just have a white list and everything that wasn't on it goes to "junk" and gets thrown out at an interval that you wish.
You could look through the "junk" and decide whether to put it on the white list or not.
Spam does not need to be a problem. If people want to keep sending stuff that will just be deleted then fine.
Just my opinion.
The idea of "just delete it" is part of the problem. The issue is that spam shouldn't be able to be sent in the first place. If I have to delete it, or search through it for legitimate messages, then it isn't an effective solution.
There are two ways of improving the situation. First is that ISPs should block port 25 (SMTP) outbound from their customers, except to their own SMTP server unless specifically required. I'd bet 99% don't need SMTP. Second is for people to stop buying the stuff advertised through spam. They wouldn't do it if there wasn't a market for it.
This is also more complicated than it appears. The truth is that people, after some long enough use of the Internet, can't really remember the fact that they have actively subscribed to online services, or with whom they've discussed; many are reporting spams even though they have authorized the use of their email address.
Whitelists will not help them, as they can also clean it completely or lose their settings at any time, until they are completely unable to determine that what they receive is spam or not (for some part of the emails, it's very easy to see that this is spam, but there will still be lots of stuff sent by organizations with whom they traded in the past, and not only on the internet).
So, yes, people are "buying" things from the spams. But many more are just following the link to see what looks like an interesting offer. Even if they don't buy anything actively, the simple fact of opening the email to read it (including remote images), or following the link will generate traffic on some remote website that is used to collect advertising fees.
One way to stop this would be to stop completely those banner exchange services. Buying advertising spaces on the web should require an explicit agreement between the advertiser and the web site author, not just the subscription to some banner exchange or ads exchange services.
For example, put GoogleAds out of service, it is more harmful than helpful, including for legitimate advertisers, because there's no contract between the effective advertisers and the website designers, and it generates revenues for spammers sending links to their many spamvertized websites.
Another thing to investigate: why are spammers creating so many domain names using redirects or domain name aliases? Creating domain name aliases should be much more costly. This would limit the proliferation of random websites referenced in the content of their spew. Reducing dramatically the number of spamvertized targets would help locating the offenders much more easily and would increase the efficiency of filters.
The same should be done by increasing a lot the cost for hosting its own DNS server, or having it supported as a subdomain of some ISP. There's no reason that we continue tolerating the proliferation of DNS servers where spammers can host as many domains as they want. We need a reputation system for DNS servers (because for almost all users, this information is completely invisible to them, and out of their control as they just see a domain name which indicates really nothing).
Note that spammers are still profiting a lot from the fact that buying a new domain name does not cost them a lot (but requiring the increase of cost per domain is unacceptable). Change this by increasing the charges for hosting a private DNS server connected to the internet, and in contrast, have ISPs reduce the cost for hosting a domain on their own, better-managed, DNS servers.
PhilippeV: Whitelists will not help them, as they can also clean it completely or lose their settings at any time, until they are completely unable to determine whether what they receive is spam or not (for some part of the emails, it's very easy to see that this is spam, but there will still be lots of stuff sent by organizations with whom they traded in the past, and not only on the internet).
People -- Millions, or Billions of us -- keep our automobiles tuned sufficiently to function for many years. There are horridly neglected computers and automobiles, but at least in the latter case, I can look on the road and see, beyond a doubt, that those are anomalies. The computer would not be useful if every user needed to be expert in all its operations, just as automobiles would not be useful if everybody had to become an expert mechanic to be a driver. If the average driver got auto maintenance advice on par with what the computer industry spews, we'd all be putting sugar in our gas tanks and replacing our oil with molasses.
I'm here to tell you that you shouldn't put sugar in your gas tank.
I was talking about the sound-bite crap directed to end-users, not the cream of the crop of sources for IT Professionals. Sorry.