On Jan 10, 2005, at 3:28 PM, David W. Fenton wrote:
Well, except for one key fact: when not received in error (as in the case of the messages from the dumb subscriber to this list who hasn't included the list address in his whitelist), they come from someone you have recently emailed.
I sometimes receive challenges from addresses I never emailed, as a result of a mass spam being sent out with my address forged as the return address. It's usually pretty obvious when this is happening, because I'll typically get about 20 of them at once. I'm guessing that some of the challenge/response systems are smart enough to figure out that I'm not the real sender, and that's why I don't get even more.
On two or three occasions I've also received an angry email from a real person, saying something like, "Goddammit, you asshole, stop sending me all this fucking spam!!" To these, I respond with a polite note pointing out that I never sent the spam, my address has been forged, and I am as much a victim as they are. Then my correspondent is always sheepish and apologetic. I suspect that when the angry note was written, he or she was just venting frustration and didn't expect it to be read by an actual human being.
Like you (David F), I've had the same email address for many years and it appears all over the Web, so I get plenty of spam. I now rely on the function which comes with Apple OS X's email program which sends suspected spam to a folder labeled "Junk". In theory, I can then peruse my Junk mailbox to make sure there aren't any false positives, but in practice I did that regularly for only about a week. Now I only look in the Junk mailbox when I've registered for a website that sends a password back to me, which in some cases gets misrouted as Junk. Otherwise, I just routinely empty the Junk with the Trash. (I think there's a way to change the settings so that it goes straight to the Trash folder automatically, and the Trash folder can also be looked in.) I understand that I might be throwing out a couple of false positives and missing some real email as a result, but I'm OK with that. My personal comfort level is that I'd rather miss an occasional message -- which will likely be something marginal, like a newsletter -- than spend the extra time digging through the junk just in case.
I'd guess that I average about 40 spams a day that get sent to the Junk bin automatically, plus about 20 more a day that don't get flagged and I send to the Junk folder myself. I don't know if Earthlink is filtering more on top of that. I know they offer a spam service, but I don't recall if I signed up for it.
I'm told that the Mac OS X spam system is programmed with an ability to "learn" your junk preferences, so that if I send a passed message to the Junk file or retrieve a rejected message *from* the Junk file, the program will note that data and take it into account for future pass/rejection decisions. I'm not sure how intelligent this feature is, but I've been told that it really does make a difference and therefore I should continue to "junk" my spam that gets through by that method rather than deleting it directly.
I know of one time that the challenge/response system went awry for me. I sent an email to a real person. His system, apparently, sent back a challenge to me, but it got routed to my Junk folder and I never saw it. I assumed that for whatever reason he was just ignoring my email and we didn't figure out what happened until weeks later. David B made the point that some challenge/response systems make a much friendlier challenge message than others do. This system was probably one of the clumsy ones that makes the challenge message look like spam, resulting in it being junked by the OS X system. It may even be that OS X didn't originally junk such a message, but it had passed through several similar messages from an earlier bout (i.e., when I'm forged as the spam sender and get a slew of replies) and I myself marked them as Junk, whereupon OS X "learned" that I don't want to receive such messages.
If so, that's one more reason why the legit challenge/response systems need to make their message so that it doesn't look like spam itself. The one I like best is one (I don't recall the system) that allows the subscriber to write his or her own personalized message, just like many ISPs allow for a vacation message. That way, even though it's an automatic message, the receiver at least recognizes it as the voice of the person he was trying to reach, sort of like hearing a familiar voice on an answering machine. (Of those on this list who are offended by such a thing, I wonder if they are equally offended by a person screening phone calls using an answering machine.)
If spammers are smart enough to check the recipients in my outgoing email and spoof challenge/response messages from those correspondents, then email is completely dead.
But I really don't think that's the case.
I think that's just a matter of time. Spammers certainly do other clever tricks. It sounds like your email address is even more public than mine, so if you haven't been spoofed in the Reply-to field, it's only because you're luckier than me. I've been told that the more sophisticated spoofing spams try to use Web occurrences of an email address link to establish proximity to other email addresses. Using that information, they might, for example, send out a spam with my address as the return address and send it out to anyone whose email address appears anywhere in the Finale List archives. Then, anyone among the list members who has corresponded with me directly, or just recognizes my name, might open a spam message which might otherwise be trashed. That sort of thing is already starting to happen. I don't see why they wouldn't continue on to the next step, as the address harvesting software gets more sophisticated.
Two other observations:
(1) For all the major philosophical difference between participants on this discussion, I see very little practical difference of opinion. We all agree that challenges which are either rude or generated by mistake should be ignored.
(2) I think a per-piece tax on email would be a good idea. The key is to make the charge a tiny one -- say 0.02 cent per message -- so that it will be barely noticeable to normal users. Even a prolific emailer won't send more than 100 messages per day. At the 0.02 cent rate, that amounts to $7.30 a year, which I think is easily tolerable. For a legitimate business it will be more, but still not an unreasonable expense. Where it will be noticeable is for the bulk spammers who send out literally millions of emails. Even then, it will not stop them, but it will give them a financial incentive to be more selective in their targeting. Right now, there is essentially no cost for every message that is rejected unread, so the incentive for the spammer is that it's worth sending out a million messages just to get two responses. Compare that with postal junk mail where there is a per-piece price. Postal junk mail still thrives, but the companies that send it put a whole lot of effort and resources into trimming their mailing lists down to prospects who have a decent chance of responding. A similar incentive for email spammers would be a good thing, in my opinion.
mdl
_______________________________________________ Finale mailing list [email protected] http://lists.shsu.edu/mailman/listinfo/finale
