64 Comments
0 Votes
+ -
you get junk mail with snail mail, you get junk mail in Email.

Like catalogs and mail order you get in snail mail there will always be a market for that as there will always be people who want to buy stuff from those catalogs and mail orders.

But what started out as advertising junk, turned into an attack vector for criminals.

Since email is global, a criminal in "Russia" or "China" can conceivably steal information from someone living in Hawaii.

Before email and computers, criminals basically had to visit the residence and break in. Now they can do it from anywhere in the world.

That's where spam as an attack vector becomes a serious problem. Especially when the spammers can spook addresses and as the report shows, the majority of people look at the sender.

I do find it interesting that consumers believe it's an ISP/ESP responsibility for taking care of malicious emails. I think that came about because email providers like AOL/Hotmail/Yahoo mail & GMail all advertised that they have spam guards as a marketing inducement for users to use their service, thus the user now believes it's the provider's responsibility. To me, that's like the snail mail postal service throwing away junk mail for you so that it doesn't get to your snail mail mail box. The postal service isn't ever going to do that.

Is there a solution? Probably the only solution is regulatory. Regulatory email in that one simply can't install an email server and begin to send out malicious email. Cloud Computing might be an answer in that the entire world wide web service is provided by 2 or 3 companies. Ma Bell is an example where the telephone systems are regulated and the ability of telemarketers are highly regulated almost to the point of unprofitability.

Until there are some regulations on domain names, where you can't spoof/spook email addresses, spam as an attack vector for criminals will continue to be a serious problem for the individual.

That is unless everyone goes back to the old days of visiting the bank and using paper statements.

If consumers removed financial information from their computers or put them on computers not connected to the internet, thus removing the inducement to steal, malicious email and other attack vectors will continue to be a serious threat.
- Snail mail junk is different in that there is a cost to the sender which makes it less profitable than nearly free email.
- Phone system is "regulated" and they do have rules but just try and get any phone company to enforce the rules. Typical answer is "call originated outside our system".
We will solve the spam problem before the phone companies ever get serious with rules.
and believe it or not there is a market for mail order. Mostly the elderly who use it but it's a market.

The reference to the telecoms is also an analogy. As Palmetto points out, the internet is unregulated and my viewpoint is that because it's unregulated, criminals will use it.

How to combat the problem? Regulate email. It's about the only way to substantially reduce the threat vector. While email providers have done a great deal in cutting down spam, it's the ability of criminals to spoof/spook email addresses that's the problem as the survey shows.
0 Votes
+ -
Contributor
How would you go about regulating email, CG IT? I was trying to come up with something, myself. I would appreciate hearing your ideas.
0 Votes
+ -
protocol but more importantly, a change in how PCs work using mail. Which is where the IT industry as a whole is marching toward with Cloud Computing and smart devices rather than PCs.

Changing how PCs work is problematic because almost all applications created are web enabled. But Smart devices are going to change all that. So really not much reason to put effort into changing how PCs work.

But changing the ability of spammers to spoof/spook email would be a big step in defeating spam from non legitimate sources. The regulatory efforts of allowing only legitimate sources send mail is a step in reducing spam. ISPs have made efforts to stop this by only allowing firms with static addressing to send mail via SMTP basically legitimizes the mail. Since static addresses are the same as physical addresses, you know where the email came from. Mail servers do have some security avenues to use. Reverse lookups on domain names which will reject mail if the originating source isn't the same. But there needs to be a regulation on email where only legitimate sources which are defined as static addressing can use it.

But I'm of the opinion that really not much needs to be done because of where Information Technology is moving towards. That is smart devices and Cloud Computing. Gone are PCs which can be part of a botnet and used to send out mail. Gone are PCs that can be compromised. The consumer will use the Cloud for virtually all their Internet use and obtain applications from the Cloud Provider. They will no longer buy applications at a store or online, rather buy apps provided by the Cloud Providers. The Smart Devices don't have an operating system like Windows rather have firmware like WinCE. In the next 10 years, computing as we know it is going to change dramatically and the IT industry as a whole will change. IT will become like telecoms or rather IT and Telecoms will merge into one industry.
0 Votes
+ -
Contributor
I was trying to figure out where users got the impression that ISP/ESPs were responsible. You solved my mystery, thanks.
That doesn't matter. I have co-workers who have never banked on line or provided their bank with an e-mail address, but they'll open e-mails claiming to be from their banks. Some will open e-mail from 'banks' they don't have accounts with. A few will open e-mails from 'financial institutions' when they don't even have ANY bank accounts of any kind!

There are still people who don't understand the Internet is pretty much unregulated, who believe everything they read on it is true. By extension, e-mail comes over the 'net, so it must all be true too.
0 Votes
+ -
Internet=Lie
bboyd@... 6th Apr 2010
Until proven otherwise by consistent sources that are not circularly referenced.

In a similar vein, all technology is used for evil far faster than for good.

Heck even the real bank emails don't use proper authentication.

Look just emailed myself a link to get ****vicodin****, I should open it and press the linky!

So let's lock down the interwebs and allow the Chinese government to run it so we can be safe from ourselves. Or wait maybe just give it to Google so they can not be evil some more.
0 Votes
+ -
Contributor
Curious
Michael Kassner 6th Apr 2010
You feel that the drug vendors are making enough money to pay all the bills and make a profit. I wonder who is buying that stuff.
I've always thought internet and other remote drug dispensing systems are wrong.

We have pharmacists to help us not make stupid choices like drugs with conflicts. Answering questions about what is safe and how to take them. And yes it is worth the cost.

Not that I hope for internet nannies for John Q. Public. But financial transactions are in the same venue, they are at increased risk when done remotely.

Our system, credit debit and interbank, is not secure enough in the USA for general use in my opinion.

All in all I wait for the day the phone app overwhelms the banking system with illegal transactions to Pakistan and premium text messages to Russian companies.

All hail vicodin spam!
with Cloud Computing and it's going to change the way IT is as a whole.
...I'm not a fan of the cloud.
0 Votes
+ -
Contributor
How come?
Michael Kassner 7th Apr 2010
I would be curious to learn why you say that.
0 Votes
+ -
my reason for taking so long to reply. The following link provides a good case against cloud computing, and it's a fair case.
There are five parts and a conclusion.

http://www.cio.com/article/477473/The_Case_Against_Cloud_Computing_Part_One
That is one area that very little should be done through email if anything and baud forbid it be with unencrypted email. I mean, I've sent questions to my bank contact but the answers are always discussed by phone. Even ING, which is pretty much web banking only contacts me by paper mail.
I get notified about my monthly statements that way. The key factor is that I requested this mail, so I'm on the lookout for it.
0 Votes
+ -
(chuckle)
santeewelding 7th Apr 2010
Debits and credits regularly approaching equality?
0 Votes
+ -
Nope, whether measured in terms of quantity or of value.
0 Votes
+ -
.. but is it signed and encrypted? (granted, a one-way report is far less suspect than email requesting a response).
0 Votes
+ -
Contributor
They are notifications. I then go to the bank's web site and take care of business.
Enough people believe anything seen on TV or in the movies is true let alone on the Internet. Sadly, stupidity doesn't require a license.
While I'm often the first to hand out a yellow card for gross excessive stupidity, some of these folks still just don't know. I can't blame someone for making a mistake when he's never been told what he's doing is dangerous.

I've said it before, but it goes back to when PC prices dropped to where they were affordable for everyone, along with the manufacturers pitching their products as entertainment devices. When PCs cost a couple of grand (that was once real money, kids!), people didn't mind spending another $200 at the local tech school to learn how to use it effectively. Who's going to spend that kind of money on a $400 system?
Be it Apple or Microsoft claiming absolute usability with no learning curve. Selling information machines as toasters has to be one of the greatest marketing coups in the industry.

The cost drop is another interesting angle to it all.

Willful ignorance is still rampant also though. "Oh, I can't learn to do that, I'm too set in my ways" is a very common response to suggesting better ways to use the work tools provided to non-IT staff (and, sadly, some IT staff).
National Postal Services (USPS, etc.) should run e-mail marketing. The problem is that you can send out a million e-mails at no or low cost. If the return is 1 person per 10,000 e-mails that's still 100 customers/suckers per mailing.

If commercial e-mail needed some kind of e-stamp to automatically pass through e-mail filters, then legitimate vendors would use that. If spam costs you something and you have to register with a legitimate authority to use it, it limits the number of scoundrels that get through.

If sending a million e-mails cost you $100 then it at least cost them something and they had to present some kind of credentials to a supervising authority.

Maybe all e-mails should go through Postal systems and we should all pay a few fractions of a cent to keep the e-mail universe sane.
0 Votes
+ -
Contributor
Is losing money big time. I would prefer a different approach.
0 Votes
+ -
Not only that..
JCitizen Updated - 12th Apr 2010
but friends of mine who work there say the USPS hasn't a clue how to run the systems they got now. They get hacked occasionally too!

I'd sooner trust the big brown to run a new system like that! However, I doubt most would want to pay extra. My hotmail works fine; I rarely get any spam at all.

My ISP server based email is another story. Fortunately we have postini and a service to delete all mail that gets past postini, BEFORE we download it. That keeps 99.999% of the cr@p outta my PC in the first place. =D
It's not all advertising in physical mail. There is a noticeable dose of fraud and barely legal attacks long before electronic mail became popular. Consider the "you may already be a winner" envelopes that require a small fee be returned to the sender then usually two or three more before you feel the real bait and switch or bait and run ending.
0 Votes
+ -
I have to agree with those who feel that some changes to SMTP will be needed to slow down spam.

I feel that open email relays are part of the problem. Email should not enter the internet, except through the ISP's portal. Meaning, if I send email using a Gmail address, it should not be sent through anyone else's email servers. Email bearing a Gmail address should enter the internet from a Gmail server, which should be able to verify where the email came from.

I think it is incumbent on all of us to transition to encrypted email, and possibly, some kind of certificate to reduce email address spoofing. This, however, will take some time, and there are those who will complain about the added complexity. What can I say, you can't please them all.
As PT Barnum said "there is one born every minute". He was referring to suckers and if emailing spam costs almost nothing and you can get a 1 in 1 million response to sell garbage to some sucker spam will live on.

What I don't understand is why we have not gone to an email system that validates the return address against the IP address of the sender. If you check back on Johndoe@mycompany.com and it is a valid email address and comes from IP 1.1.1.1 and mail.mycompany.com is mapped to 1.1.1.1 then consider it valid otherwise toss it.
- Would it cause extra traffic, I think not because it would eliminate a huge portion of the spam.
- Would spammers just start sending from legitimate systems. Probably yes but that can easily be blocked.

Someone help me out here, what am I missing from the revamp email system solution?
(And don't say it takes too long to change, we have been dealing with spam for years).
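
An added illustration (not part of the thread or any poster's code): the check described in the post above, next to a simplified evaluator for the published-policy form of the same idea, which SPF (RFC 7208) standardized. The zone data, names and addresses are constructed stand-ins for the post's `mycompany.com` and `1.1.1.1`, and only the `ip4`, `a`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed DNS data (documentation-range names and addresses, not real records).
ZONE = {
    "mycompany.example": {
        "TXT": "v=spf1 a:mail.mycompany.example include:_spf.esp.example -all"},
    "mail.mycompany.example": {"A": ["192.0.2.10"]},
    "_spf.esp.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
    "relaxed.example": {"TXT": "v=spf1 ip4:203.0.113.5 ~all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def domain_of(sender):
    """Domain part of a return address such as johndoe@mycompany.example."""
    return sender.rsplit("@", 1)[-1].lower()


def naive_check(sender, client_ip):
    """The rule as posted: accept only if mail.<domain> maps to the client IP."""
    host = "mail." + domain_of(sender)
    return client_ip in ZONE.get(host, {}).get("A", [])


def evaluate(domain, client_ip, depth=0):
    """Simplified SPF-style evaluation: pass, fail, softfail, neutral or none."""
    record = ZONE.get(domain.lower(), {}).get("TXT", "")
    if not record.startswith("v=spf1") or depth > 10:  # no policy, or include loop
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = client_ip in ZONE.get(arg or domain, {}).get("A", [])
        elif name == "include":
            # include matches only when the referenced policy itself passes
            matched = evaluate(arg, client_ip, depth + 1) == "pass"
        else:
            matched = False                  # simplification: other terms skipped
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def check_sender(sender, client_ip):
    return evaluate(domain_of(sender), client_ip)


if __name__ == "__main__":
    cases = [
        ("johndoe@mycompany.example", "192.0.2.10"),     # the domain's own mail host
        ("johndoe@mycompany.example", "198.51.100.25"),  # outside provider it authorized
        ("johndoe@mycompany.example", "203.0.113.99"),   # unlisted host using the name
        ("someone@relaxed.example", "192.0.2.77"),       # domain publishing only ~all
        ("someone@nopolicy.example", "192.0.2.77"),      # domain publishing nothing
    ]
    for sender, ip in cases:
        print(sender, ip, "naive:", naive_check(sender, ip),
              "policy:", check_sender(sender, ip))
```

The second case is legitimate mail sent through an outside provider: the rule as posted rejects it, while a published policy lets the domain owner authorize that range. The last case shows the adoption dependency, since a domain that publishes nothing gives the receiver no basis for a decision.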
0 Votes
+ -
Contributor
I will have to mull your concept over a bit. Sounds interesting.
0 Votes
+ -
I believe we need to modify the SMTP protocol or create a new version. Again, the internet founders did not think about security and it's just too easy to send email and make it look like it's coming from a reliable source. Your validation idea is a good start. The issue is to get everyone to use it or any other new methods.

Just because someone opens a suspected spam does not mean they do anything with it. Some may simply delete it after they have verified it's junk, though some may actually click on the links, argh.
0 Votes
+ -
Contributor
Exactly
Michael Kassner 6th Apr 2010
I was surprised at the percentages that did just as you suggested. That's with a survey group of a little over 3000 too.
0 Votes
+ -
is the 24% who said they 'Use the Unsubscribe link'. We (the IT community) are not doing a good job of educating people regarding this phishing tool.

"I am starting to think the problem is more than a technical issue. Could it be another case of how 'we're wired' is being used against us."

Michael, I can't believe you are just now starting to consider this possibility. Spammers have been using social engineering for years. Scammers have been doing it for millennia. In most cases it's just a new way of appealing to those who believe they can get something for nothing. E-mail just allows them to reach more suckers more quickly than 'traditional' methods.

Now, forward this to six of your friends. Bill Gates is tracking it and will send you $250!
0 Votes
+ -
Contributor
I am slow
Michael Kassner 6th Apr 2010
But, steady. I was hoping that just this once it might be different.

MAAWG picked excellent questions, with the unsubscribe element giving surprising results as you pointed out.
By unsubscribing to an email received from an "unknown sender", you are inadvertently confirming that your email address is live and monitored. It's like tripping a motion detection camera, it sends a signal that there's been some kind of movement (someone out there?).
Some spammers do keep a list of email considered "live" which is more valuable and can be more useful for targeted campaigns. In my opinion, you should only un/subscribe to respectable organisations emails and newsletters.
0 Votes
+ -
seconded
Neon Samurai Updated - 7th Apr 2010
Unsubscribe to an email from an unknown outside of a reputable mailing list you have intentionally subscribed to and you can pretty much bank on your spam levels increasing.

(edit); additionally, fax spam must only be stopped for up to six months unless laws have changed. When faxes were chic, the trick was to receive a request for unsubscription, set a six month timer against the phone number and resume spamming when the blackout time had passed. I nearly wrote a system to do just this though it was a job I was happy to see fall through.
they mark the products up then say they're having a sale with mark downs which the final price ends up being their everyday price, and people end up buying the on sale products without ever really doing price comparisons.
You can mark something down 15% and it will sit in the aisles. Tell people they're not going to be charged a 7% state sales tax and they'll stampede the doors.
and it's, the for lack of a better term, ignorance of the average consumer that marketing, sales and criminals take advantage of.
0 Votes
+ -
oh noes
fmuise 6th Apr 2010
Spammers could be reading this right now...
Some legitimate customers, neighbors and friends have unusual email addresses, use bad spelling or grammar and either leave the subject blank or use spam-like words in the subject. The only way to tell if these are spam is to open the message.

If I am not sure whether or not a message is spam, I will isolate my computer from the network and open the spam. Some software firewalls allow you to temporarily 'disconnect' from the network. I currently use Windows 7's Network Connections to temporarily disconnect.

I am sure that I am not alone in handling suspicious email this way. This could skew the survey results.
don't have much of a choice. Open it and risk the malware, or delete it and potentially lose a sale. Sometimes it isn't easy to sort the wheat from the chaff.
0 Votes
+ -
Contributor
Consider Sandboxie. It will isolate the application and if there is a problem you just close it.

http://www.sandboxie.com/
0 Votes
+ -
You can view the email first without downloading it to your computer. There are also other features prized by Mailwasher users.

So don't fear spam anymore.
We could debate whether Google is a bigger threat to my privacy, albeit a passive or inadvertent one, than the spammers.
What the poster suggested was a Google (better yet, Scroogle) search on "mailwasher" and you'll find this:
http://www.firetrust.com/
I've used Mailwasher Pro for several years and never need to use Outlook's junk mail filter -- MWP does everything for me. I highly recommend it.
Yes, the title made me think he was recommending a product from Google. Your post made his much clearer.

Oddly, I don't receive spam at home; maybe a piece a month. Yeah, I get mail from web vendors I've purchased from, but I don't consider that spam. I'm very selective about who gets my address, don't participate in social networking, and never post it 'in the clear'.
I meant search for Mailwasher on Google. I often say, "Google this..." instead of "Search for this on Google". I guess I am slowly assimilating to popular society's phrase usage. Is there hope for me?

To reply to your statement: We use mailwasher at the office as an add-in with Outlook to avoid the annoyance of Spam. It's great for the work environment and home environment, if you're spammed at home, I'm not so I use it at work only.
In 2006 I signed up for Yahoo's "Plus" account strictly to set up throwaway e-mail addys. It's really handy for e-mail accounts when you're not sure about the merchant/newsletter/contact and you don't want to use your real addy. I've tracked down companies who have either sold my e-mail address to others, or their databases have been hacked. I can trace such activities by the company name embedded within my customized e-mail addy on my Yahoo account. When this happens I always contact the offending original company and let them know what happened. Invariably I get excuses, denials, anything but "we're really sorry and we'll fix this." So, that e-mail addy gets deleted and it takes care of the problem. I've just kept Mailwasher Pro because it's so cool and useful and I only paid for it once -- no yearly fees.

I, like you, assumed that techies read these posts and everyone understands that "Google" is now commonly accepted as a verb.
but I interpreted the post title as a proper noun, like "Ford Taurus". I'd never heard of the product, and thought it was something new from the Next Evil Empire (tm).