My crazy idea to piss off spammers (indiegogo.com)
42 points by borisvvz 4832 days ago
22 comments

Anyone want to take a stab at filling out the spam solutions checklist? :)

http://craphound.com/spamsolutions.txt

Your post advocates a

( ) technical ( ) legislative ( ) market-based (x) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses

( ) Mailing lists and other legitimate email uses would be affected

( ) No one will be able to find the guy or collect the money

( ) It is defenseless against brute force attacks

(x) It will stop spam for two weeks and then we'll be stuck with it

( ) Users of email will not put up with it

( ) Microsoft will not put up with it

( ) The police will not put up with it

( ) Requires too much cooperation from spammers

( ) Requires immediate total cooperation from everybody at once

( ) Many email users cannot afford to lose business or alienate potential employers

( ) Spammers don't care about invalid addresses in their lists

(x) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it

( ) Lack of centrally controlling authority for email

( ) Open relays in foreign countries

( ) Ease of searching tiny alphanumeric address space of all email addresses

( ) Asshats

( ) Jurisdictional problems

( ) Unpopularity of weird new taxes

( ) Public reluctance to accept weird new forms of money

( ) Huge existing software investment in SMTP

( ) Susceptibility of protocols other than SMTP to attack

( ) Willingness of users to install OS patches received by email

( ) Armies of worm riddled broadband-connected Windows boxes

(x) Eternal arms race involved in all filtering approaches

(x) Extreme profitability of spam

(x) Joe jobs and/or identity theft

( ) Technically illiterate politicians

( ) Extreme stupidity on the part of people who do business with spammers

( ) Dishonesty on the part of spammers themselves

(x) Bandwidth costs that are unaffected by client filtering

( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

( ) Any scheme based on opt-out is unacceptable

( ) SMTP headers should not be the subject of legislation

( ) Blacklists suck

( ) Whitelists suck

( ) We should be able to talk about Viagra without being censored

(x) Countermeasures should not involve wire fraud or credit card fraud

( ) Countermeasures should not involve sabotage of public networks

( ) Countermeasures must work if phased in gradually

( ) Sending email should be free

( ) Why should we have to trust you and your servers?

( ) Incompatibility with open source or open source licenses

(x) Feel-good measures do nothing to solve the problem

( ) Temporary/one-time email addresses are cumbersome

( ) I don't want the government reading my email

( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.

(x) This is a stupid idea, and you're a stupid person for suggesting it.

( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Exactly. Well said.
Shouldn't you be working?
Give a hoot! Don't pollute!
That’s a completely braindamaged approach: imagine I have a competitor which I don’t like, I order a lot of spam pretending to be from his/her company.

And, voilà, my competitor receives loads of fake orders, becomes overwhelmed, goes out of business.

Isn't saying "it will never work because of $challenge" a little too simplistic?

Maybe you're right, maybe it can't be done, but aren't we supposed to be problem solvers? :)

My thought exactly.
It reminds me of another project to fight off spam[0], by automatically replying to each spam message. That one didn't end too well.

[0] https://en.wikipedia.org/wiki/Blue_Frog

Voted up, but this is really worth reading -- not because it failed (it did), but because before it failed, it was really working.

The spammers put incredible effort into quashing BlueFrog...

I was an early user of BlueFrog (and can confirm that the spammers didn't gain access to any addresses they didn't already have on their lists), and tried to contribute to followup efforts... it's a hard problem to solve, though -- how to make this kind of retaliation without exposing yourself to (possibly very serious) attack. We're all quite vulnerable online; it's surprisingly trivial for "the bad guys" to decide to permanently take your website (or the site of your company, etc.) offline.

I have a feeling that most spam doesn't pay off for the person selling, but only pays off for whichever marketing company they hired to send the spam. And this technique doesn't hurt the actual spammer (assuming they are a separate entity from the seller), as there are a fairly unlimited number of sellers willing to take a chance on hiring a spammer for a few bucks.
> I have a feeling that most spam doesn't pay off for the person selling, but only pays off for whichever marketing company they hired to send the spam.

If that's true and anybody has data to back it up, maybe publicizing it would be a worthwhile spam-combating measure.

I've been wondering about this sort of thing (overwhelming a bad actor with bogus responses) lately. I have in place PHP scripts that send Yandex and Ahrefs and Cyveillance a semi-random HTML file in response to any request. Those semi-random HTML files just lead Yandex, Cyveillance and other bad actors down a never-ending rabbit hole of URLs that serve up more semi-random content.

What if some significant fraction of web servers did this? Wouldn't that make trolling for "IP theft" like Cyveillance does into an economically unfeasible activity?

What if nearly everyone pressed 1 when "Ann from Account Services" or "Rachel from Cardmember Services" calls, and then talked to the service rep for as long as possible?

The only problem that I can see is that "overwhelming a bad actor with bogus responses" is a subset of "overwhelming an actor with bogus responses". If this automated technique gets pointed at a legitimate business through error, malice or trickery (as per http://en.wikipedia.org/wiki/Swatting ) then that would be rather bad.
I agree. But it takes a large number of individual web site administrators to get upset enough to configure HTTP servers to send bogus responses to overwhelm. That's the idea's greatest problem, and the factor that keeps the idea from being employed on legit businesses.

In the case of web servers, the bad actors like Ahrefs often ask for things vaguely like known security problems - issues in PHP based BBS for example. Ahrefs asks for something and they get some data back. Is it my fault that they don't get back data with the exact semantics they wanted? No, as I am not a magician.

We do a similar thing when (annoying) sales people call. You can try to get rid of them as soon as possible. But it is more annoying to them to keep them occupied as long as possible. When I'm disturbed during dinner by ANOTHER newspaper sales call I'll first politely try to say I'm not interested. If they don't take the hit I change tactics and say 'You know, That DOES sound interesting. Let me talk to my wife for a moment' and put the phone down and go back to dinner. 10 minutes later you can just hang up the phone.
Why have you mixed Yandex into “bad actors”?
For years, they requested files from my web site. I got single digit referrals from Yandex over those same years. So, I went to yandex.com and looked up some of the things my web site has info on (combinatory logic, for example). I got really spammy and scammy links from yandex on those subjects, and others that I've tried.

I just used my own judgement on it.

Sometimes Google gives spammy links as answers too. So why not block it altogether?
The key here is "sometimes" versus "all". In my estimation, Yandex gave nothing but spammy or scammy looking links, and certainly nothing worthwhile. So, I decided to futz with them.
Why are Cyveillance a "bad actor"?
They never ask for "robots.txt", and then they download your entire site every month, for starters. Further, they lie about who they are. They send a User Agent string that doesn't reflect that it's a bot doing the downloading. The User Agent string claims to be Internet Explorer on a Windows box, yet p0f recognizes the requests as from a Linux TCP/IP stack.

Trolling for "intellectual property" infringement for third parties also seems like a scummy line of work to me. It's in Cyveillance's interest to find infringements, so there's no economic reason for them to get such findings correct.

So, I conclude they're a bad actor.
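
The check described in the comment above (a User-Agent claiming Windows while the TCP stack fingerprints as Linux, plus no robots.txt fetch) can be automated. This is an added example, not code from the thread; it assumes combined-format access logs and p0f v3's pipe-separated `key=value` log lines, and every log line in it is constructed.

```python
import re

# Constructed sample logs (documentation IP ranges); not data from the thread.
ACCESS_LOG = '''\
203.0.113.7 - - [12/Mar/2013:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.7 - - [12/Mar/2013:10:00:02 +0000] "GET /papers/cl.html HTTP/1.1" 200 9033 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.9 - - [12/Mar/2013:10:05:00 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "ExampleBot/1.0 (+http://bot.example/)"
198.51.100.9 - - [12/Mar/2013:10:05:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "ExampleBot/1.0 (+http://bot.example/)"
192.0.2.44 - - [12/Mar/2013:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
'''
P0F_LOG = '''\
[2013/03/12 10:00:01] mod=syn|cli=203.0.113.7/51522|srv=192.0.2.1/80|subj=cli|os=Linux 2.6.x|dist=12|params=none|raw_sig=constructed
[2013/03/12 10:05:00] mod=syn|cli=198.51.100.9/40100|srv=192.0.2.1/80|subj=cli|os=Linux 3.x|dist=9|params=none|raw_sig=constructed
[2013/03/12 10:07:00] mod=syn|cli=192.0.2.44/49200|srv=192.0.2.1/80|subj=cli|os=Windows 7 or 8|dist=14|params=none|raw_sig=constructed
'''
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d+ \S+ "[^"]*" "([^"]*)"')

def ua_os(ua):
    """OS family the User-Agent header claims, or None if it names none."""
    return next((f for f in ("Windows", "Mac OS X", "Linux") if f in ua), None)

def p0f_os_by_ip(p0f_text):
    """Map client IP -> OS label p0f inferred from that client's SYN packets."""
    seen = {}
    for line in p0f_text.splitlines():
        body = line.split("] ", 1)[-1]
        fields = dict(kv.split("=", 1) for kv in body.split("|") if "=" in kv)
        if fields.get("mod") == "syn" and fields.get("subj") == "cli":
            seen[fields["cli"].rsplit("/", 1)[0]] = fields.get("os", "???")
    return seen

def mismatched_clients(access_text, p0f_text):
    """Clients whose claimed OS disagrees with the passive TCP fingerprint."""
    stack_os, claimed, paths = p0f_os_by_ip(p0f_text), {}, {}
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ip, path, ua = m.groups()
            claimed[ip] = ua_os(ua)
            paths.setdefault(ip, set()).add(path)
    report = {}
    for ip, family in claimed.items():
        observed = stack_os.get(ip, "???")  # "???" is p0f's label for unknown
        if family and observed != "???" and not observed.startswith(family):
            report[ip] = {"claimed": family, "observed": observed,
                          "fetched_robots": "/robots.txt" in paths[ip]}
    return report

if __name__ == "__main__":
    print(mismatched_clients(ACCESS_LOG, P0F_LOG))
```

A mismatch also appears when an ordinary browser sits behind a Linux proxy or NAT gateway, so treat it as one signal to weigh with request volume and robots.txt behaviour rather than as proof of a disguised crawler.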

I had never heard of cyveillance, but after googling I'm guessing these reasons: http://en.wikipedia.org/wiki/Cyveillance#Criticisms
This sounds a lot like an idea some religious groups had, where they would sign up to adult websites and then charge back, with the goal to cause the merchant accounts charge back ratio to exceed 1%.

Don't think this worked out either.

I think the idea is ok, but you don't need €1 000 000
Exactly what I thought. You could get started doing this with no investment. £100/yr for a VPS, plus a few hours of your time.
Sort of like this:

http://scattered-thoughts.net/blog/2010/05/19/examining-scam...

Turns out it's really hard to prevent malicious actors abusing it.

jstanley from staffs?
I don't think so, I'm afraid.

I'm in Bath.

A Hitman is expensive.
The spam problem was solved by google's spam filtering technique. I get zero spam in my gmail box.

Sometimes I think it is spam, but then I notice I signed up for it myself :p

I don't get actual spam in gmail, but I get occasional bounced messages when spammers try to send email with my address in the From field. Even google groups would bounce back the email I never sent. I even got SPF/DKIM for the domain, yet they still inform me they couldn't deliver a message I never sent.
I get the occasional bit of spam in my inbox, but it is not nearly as bad as it used to be. A bit of client side spam filtering coupled with Google's filter is good enough.
Oh, this is a Kickstarter-like campaign. I didn't know what "Indiegogo" was - this is basically a landing page for someone trying to raise €1,000,000 to "fight spam". I get it.

To those who say, "stupid idea", I'm very disappointed both in the rudeness you show, and the smallmindedness you exhibit. Will this work? If implemented the way Boris writes, I believe it would for the reasons he stated. Those who say "stupid idea" have never had 4,000 orders to deal with - that's the only logical thing that can explain such reactions. The problem is in the implementation of course. Yes, it would be difficult. Yes, it would require adaptive techniques and technologies. But don't forget that people who have a really good and innovative idea don't just have one idea in their heads for their whole life. Ask PG about that...

It's a good idea. I think that, for it to succeed, you would have to work with one of the big credit card companies. If you could get them to provide honey pot-style credit card numbers, you would have something.

For those saying that competitors could be put out of business if this was misused, what's stopping that from happening 20 years ago, 10 years ago, now, 10 years from now? That's not a reason for this to not be considered, is it? That's like saying, "We shouldn't allow lawsuits because you could sue a competitor and he could lose his business defending the lawsuit due to the cost/distraction."

Indiegogo predates kickstarter
To be honest, I don't have any(!) spam on both my active mail accounts. Heck, I used mail.ru for a while and had a very limited amount of spam.

Also: Spam that gets sorted out automatically is like... whatever.. ?! [at least for me]

And like others pointed out: It's a pretty nonsense approach anyways (wondering why it got so many votes)

A fruitless idea; the very ethos of spam and malware is to scurry when a new "solution" presents itself to the industry.

So now you basically are presenting a single course "solution" that - once trumped - leaves you with millions of dollars and a need to come up with a completely new idea.

Wholly faulted.

Look at the IndieGoGo header image he's using. It's a screencap of Gmail's spam folder with 5,048 messages. Hasn't this clearly been solved?

I get MAYBE 2 spam emails a month that get through the filter, and my address is pretty easy to harvest.

So is this still a problem?

It's a problem in so far as I'll occasionally miss real emails because they get binned as spam.
Yeah, I've only had this happen a couple times, and it does make you trust your spam system less.

That being said, it seems to be getting better as more companies embrace SPF.

Spam isn't really an issue for me. I simply don't see it in Gmail.

A bigger annoyance is constant newsletters/emails sent from companies whom I might have transacted with long ago in the past. I have to take time to unsubscribe from all this stuff.

About 70% of all emails sent today are spam. Imagine that you reply to all those emails. It will slow down the internet.

Edit: in 2010 they estimated 294 billion messages were sent per day, more than 2.8 million emails every second.

I have been close to sales people, and cold calling/messaging is one technique, a really hard one to master, and it's what leads most of the time to spam. I think a good solution would be to teach them how to do it right. At the end, sales have to be done, but brute force shouldn't be a legitimate technique for it.

So maybe tell them that if you send personal messages and segment the market that would increase the response rate and reduce the spam?

Is DDoS-ing a spammer's server (or its sponsors') legal?
Powerful weapons can have unintended consequences.
But, we have only good intentions.
Couldn't we dust off Lad Vampire and point it at spammed sites maybe?
Childish idea, kind of.
This is like the stupidest thing I ever heard. Sorry Boris.
"Spammers hate him because of one simple trick..." :)
There was a recent article on HN saying that spam was pretty much a non-issue nowadays to people using mail services with correct spam filtering.

Since I moved to GMail I don't know what spam is anymore: every time people complain about spam I'm confuzzabled because I honestly thought the issue was solved.

It's great to run your own mailserver and be independent of the evil Google etc. but face the facts: people on GMail hardly get spam anymore...

Now as to how to fight spammers I'd suggest building a gigantic botnet, taking control of hundreds of thousands of credit cards numbers and ordering like mad from these spammers. Make it so big that credit cards companies start noticing the issue.

This of course should be done by someone who doesn't care about petty money...

I still get spam in my gmail inbox, nowhere near as much as I do to my spam folder but it's still there.

Most of it seems to be of the form "Hi, this is Natalia from the dating site. I loved your photo and would want to speak with you, please reply soon! xxx" rather than "buy v1agr4 4 big dikk http://10.23.133.21/m4dsexcockpillz", so I guess harder to filter.

The more annoying thing with gmail is that most of my inbox is legit mail that was never intended for me. Since the gmail namespace is so cluttered there are a few people who have almost identical email addresses to me; so I get their mail in error often.

Also google seem to have merged my account with someone else's, so I get notifications about stuff that is definitely not mine.

I get a couple a week, and today I got a couple false positives from my bank with my proof-of-payment for a new car (fairly important, basically). I've received hundreds of mails from that same address for many years, opened or forwarded each one, but today it's spam? That seems like a 2004 problem, not 2013.

Luckily I was expecting the mail, and there is a solution. I added a filter for that email address and say "don't mark these messages as spam". But "solved" would mean "spam doesn't exist anymore", in my book.

Nonetheless, I love Gmail and its spam filtering. I'm very happy to mark a few messages as spam for the greater good.

Solved? Not quite.

I too have a gmail address, and I'm getting spam in my inbox on a pretty regular basis (1-2 messages a week). Of course, it's about 1 message missed out of 1000+ spam messages, but that scarcity tends to add legitimacy to the message.

It also means I have to spend more time looking for the problem with potentially legitimate messages.