anybody else been spammed by "no-ip.com" yet?

> I hate to sound like the big idiot here, but what exactly in the email
> you received indicates no-ip.com spammed? It looks to me like you just
> have some secret "admirer" who thought you wanted a no-ip.com account,
> and no-ip.com emailed you to confirm that you do want the account.

spam is like pollution in that (a) whenever you're not sure if you're
doing it, you probably are, and (b) if everybody did whatever it is,
life would be universally worse for, well, everybody.

> Random disclaimer: Yes, we're a competitor of no-ip.com's... And yes, we
> used to send similar emails to people signing up for an account,
> although nowadays instead of sending them an initial password we send a
> confirm URL instead.

that's the right approach. no-ip's problem was they presumed my permission.

From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Paul Vixie
Sent: May 3, 2002 5:18 PM
To: nanog@nanog.org
Subject: Re: anybody else been spammed by "no-ip.com" yet?

> I hate to sound like the big idiot here, but what exactly in the email
> you received indicates no-ip.com spammed? It looks to me like you just
> have some secret "admirer" who thought you wanted a no-ip.com account,
> and no-ip.com emailed you to confirm that you do want the account.

spam is like pollution in that (a) whenever you're not sure
if you're doing it, you probably are, and (b) if everybody
did whatever it is, life would be universally worse for,
well, everybody.

You have a broader definition of spam than me, I guess. And yet, believe
me, I do hate spammers...

> Random disclaimer: Yes, we're a competitor of no-ip.com's... And yes,
> we used to send similar emails to people signing up for an account,
> although nowadays instead of sending them an initial password we send
> a confirm URL instead.

that's the right approach. no-ip's problem was they presumed
my permission.

Well, they might have stolen that approach from us, though, in a way (at
least, it seems vaguely familiar to me)...

The way we used to do it was this: you go to our site, read the AUP
(which has a strict no-spamming clause, but every day a few idiots
forget to read that section and find out it exists the hard way ;-)),
fill out a form with your choice of username and your email address (the
form also warns _in advance_ that we do require people to be on an
announcements mailing list, but these days we send about one email every
four months). Then our system would send you an email that says
basically "You (or someone else) requested an account at our site. If it
was you, log in within the next 48 hours with this initial password to
confirm your account. If it wasn't you, then we apologize for the
inconvenience, and the unconfirmed account, along with any reference to
your email address in our database, will be automatically deleted in 48
hours"

Isn't that the same as what no-ip.com is doing, except that they don't
have the "if you don't reply in 48 hours, we'll forget you ever
existed"? Is that the part you find to be missing in no-ip's modus
operandi?

FYI, our new approach is that you fill out choice of username, choice of
password, and email address. We send a thing to you with a confirmation
URL; if you go to that URL within 48 hours or so, great, the account
keeps existing. If not, then byebye account, and we expunge any trace of
you from the database.

Vivien
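
The confirm-URL signup described in the message above, sketched as an added example (not code from the post or from either service). The class and function names and the example.invalid URL are assumptions; password handling and mail delivery are left out.

```python
import hashlib
import secrets
import time

CONFIRM_WINDOW = 48 * 3600  # seconds; the 48 hours given in the post


def _digest(token):
    # Only the hash is stored, so a leaked table cannot be used to confirm accounts.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SignupStore:
    """In-memory stand-in for the account database (hypothetical)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # token digest -> (username, email, expires_at)
        self.accounts = {}   # username -> email, confirmed accounts only

    def request(self, username, email):
        """Record an unconfirmed signup; return the token to e-mail, or None."""
        email = email.strip().lower()
        # One outstanding confirmation per address: the form cannot be used
        # to send the same person mail over and over.
        if username in self.accounts or self.has_trace(email):
            return None
        token = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = (username, email, self._now() + CONFIRM_WINDOW)
        return token

    def confirm(self, token):
        """Activate the account if the token is known and inside the window."""
        entry = self._pending.pop(_digest(token), None)  # single use either way
        if entry is None:
            return None
        username, email, expires_at = entry
        if self._now() > expires_at:
            return None  # too late; the pending record is already gone
        self.accounts[username] = email
        return username

    def purge(self):
        """Expunge signups nobody confirmed; run this periodically."""
        now = self._now()
        stale = [k for k, (_, _, exp) in self._pending.items() if now > exp]
        for k in stale:
            del self._pending[k]
        return len(stale)

    def has_trace(self, email):
        """True if the address appears anywhere in the store."""
        email = email.strip().lower()
        return (email in self.accounts.values()
                or any(e == email for _, e, _ in self._pending.values()))


def confirm_url(token, base="https://signup.example.invalid/confirm"):
    # token_urlsafe() output needs no further URL encoding.
    return f"{base}?t={token}"


if __name__ == "__main__":
    store = SignupStore()
    tok = store.request("alice", "alice@example.invalid")  # constructed sample
    print(confirm_url(tok))
    print(store.confirm(tok))
```
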

You don't even have to be in the "big idiot" league to figure out that in
both the "wrong" and the "right" approach as sanctioned above by a higher
authority, an email message (aka spam) is sent to the presumed subscriber.

One sends a password, one asks for permission to issue a password on their
site. What's the difference in the annoy factor, if indeed one were to be
subscribed by a secret "admirer"?

Mr. Halmu chose to think, rather than blindly obey...

--Mitch
NetSide

I realize this statement I'm about to make is going to open a huge...
can o worms but ... and hopefully everyone knows I mean this in the most
friendly responsible way ever but I'm not sure entirely what the big
deal with spam is. Honestly sure I get it like everyone else, in some
of my accounts more than others but I also get a real truckload in my
snailmail box. Just as with all the pottery barn catalogs <no offense
to pottery barn I guess>:) I have a delete key just like my trash can.
I know at one time the argument was made, and quite correctly that
people were paying to receive this service and these messages cost them
money. Today with flat rate access and many people not paying on a per
packet basis it seems to me that the responsibility lies with the end
user to filter properly and/or press that delete key. I always shut
down customers who spam and disrupt service simply because I don't want
the backlash or want specific ips blocked but in a way I don't feel it's
right that the carriers do the filtering it seems to me up to the end
user.

I think the issue is that in real-world spam, the spammer is actually paying
some price to make the spam arrive in your snail mail box. This allows for
some negative feedback inhibition [if the mailing's cost exceeds the return,
it's not continued]. With spam, especially in this flat-rate world, the costs
are _so_ low that there is essentially no feedback inhibition. This means
that every email box could conceivably receive 20,000 spams per valid mail,
continuously.

You'll see how the problem of handling that much mail, especially when it
has essentially no value in most cases, is as big a problem for the carriers
& customers as limiting the spam in the first place.

YMMV, my opinion only.

Deepak Jain

Content providers have to receive and hold spam mail before they
delete it. People and mailing lists who have well-published addresses
can receive hundreds of spam messages a day. I know that, without my
filters, I would easily spend 30-45 minutes a day downloading,
identifying, and deleting spam mail. Not counting the frustration,
that's costing the company money.

I heard somewhere that ~$2 of an AOL user's monthly bill goes towards
spam management. (Is there an AOLer who can confirm or deny?) AOL
has some 10 million users. That's a lot of dough a month to handle
what appears to be no big deal. SPAM is a milder version, but it is
no better than if telemarketers called you collect to try to sell you
crap.

-Dave

p.s. Also, if you're a parent, do you think the spammer knows how old
you are before sending you "Teenage Girls Doing Farm Animals! Click
here?"

> ... I'm not sure entirely what the big deal with spam is. Honestly sure
> I get it like everyone else, in some of my accounts more than others
> ... I have a delete key ...

in the time between when you sent the above, and when i read it, the
following messages were added to my mailbox:

  1+ 05/03 stay5hard@hotmail The Harder you are The More She Will Come .. Vi
  2 05/03 stayhdard@hotmail An Investment that will Rise with out a Doubt..
  3 05/03 sta4yhard@hotmail The Harder you are The More She Will Come.. Via
  4 05/03 stayharud@hotmail The Harder you are The More She Will Come.. Via
  5 05/03 "henning@mercadob Nasty Japanese Whores! 14918<<Have you ever won
  6 05/03 Cindy_W0887w08@ho fw.....$25 Investment - Massive Return<<=======
  7 05/03 Cindy_W5276c01@ms fw......$25 Investment - Massive Return<<======
  8 05/03 "Joke-of-the-Day! Patients taking Tri-Phetamine for 30 days, lost
  9 05/03 istayhard@hotmail The best Hard-on you have ever had<<VIAGRA (and
10 05/03 sjtayhard@hotmail Be Hard as a Rock.. Make her come and come../<<
11 05/03 "AEMI" ADV: A low cost professional 800 number is fina
12 05/03 "AEMI" ADV: A low cost professional 800 number is fina
13 05/03 stayhayrd@hotmail Be Hard as a Rock.. Make her come and come .. V
14 05/03 sxtayhard@hotmail Vaniqa .. Order today You Unwanted Hair Will be
15 05/03 zstayhard@hotmail The Harder you are The More She Will Come.. Via
16 05/03 stayrhard@hotmail Take the Blue Pill.. and show her how far the R
17 05/03 sthayhard@hotmail Better for Him Better for Her.. . Order Viagra
18 05/03 fobare@imcnet.net Quality Affordable Hunts!<<<html> <head> <title
19 05/03 mailing@revistatr Especial 100 edi es<<A TRIP deste m s j est na
20 05/03 "AEMI" ADV: A low cost professional 800 number is fina
21 05/03 stadyhard@hotmail Take the Blue Pill.. and show her how far the R
22 05/03 "Kitty Dials" Record Low MORTGAGE rates! *Act Fast* 11551<<<h
23 05/03 "AEMI" ADV: A low cost professional 800 number is fina
24 05/03 "AEMI" ADV: A low cost professional 800 number is fina
25 05/03 stayhnard@hotmail Online Pharmacy..Any Medication you Need Lowest
26 05/03 "Val" (&~) You only THINK you're a U.S. citizen! %8t<

it comes in 24 hours a day, 365.24 days per year, at about that rate. and
that's after subscribing to several source-address-based rejection filters,
and rejecting some additional sources. (otherwise it would be 4X worse, at
least according to my syslog.) here's a short term histogram:

lartomatic=# SELECT DATE(entered),COUNT(*) FROM spam
  WHERE DATE(entered) >= '2002-04-01'::DATE
  GROUP BY DATE(entered)
  ORDER BY DATE(entered) DESC;
    date | count

Picture it as a fellow stopping by every night and filling your home mailbox with horse manure...I'm sure you'll get a feeling for how most of us regard it.

A) it wastes bandwidth
B) It wastes our time
C) It's the "litter" of an otherwise clean Internet.
D) It's a method of placing the costs for the actual emailing on someone else without their explicit permission...the ISP, the user, and the ISP's other paying customers all pay for the act, either directly or indirectly.

We need to make it illegal as soon as possible everywhere.....

Let me put this into real world terms.

I run a mail server (among other things) with about 4000 mailboxes, and
about 40,000 messages a day.

over 85% of all mail on average is marked as spam by SpamAssassin on this
mail server.

I, late last year, had to upgrade it to a multiprocessor box with
gigabytes of memory, striped raid 0+1, etc. etc. etc. to handle the load.

I could have used a mail server only 15% of the size of this one. Or
better put, I could have used a 300mhz pentium III box with low-end IDE
drives and a modest amount (256MB) of memory instead of the Dual Processor
6-SCSI 2GB ram thing we are running now.

Add to that the 8-10 hours a week we spend cleaning up messes related to
spammers who decide that sending 50,000+ messages as fast as they can to
us is a good thing. For instance, on thursday of last week, we took
almost 5000 messages in about an hour from one spammer in particular. The
mail server *can't* handle this load so it basically was a Denial of
Service attack.

Right now there are 5000 messages in our mail queue which are spam bounces
which aren't being accepted by the spammer's mail server.

I could go on and on and on and on.

I might be more inclined to tolerate the spammers if they weren't bad net
citizens. They forge their email addresses so they can't receive
bounces. They don't have any consideration about the load they are
placing on the remote mail server (I've seen 40 streams open at once to my
mail server from the same class C - all injecting mail as fast as
possible). And on and on and on.

- Forrest W. Christian (forrestc@imach.com) AC7DE

Actually, I can agree entirely with this point and it makes sense.
Having direct mail in the snailmail world cost tens of cents each
certainly would tend to force the originator to go through more effort
to insure it's sent to and hopefully read by someone who will then buy
what they are selling. Someone who only pays a flat fee of say $19.95
for dial or a few hundred for something faster will push as much as they
possibly can with no concern for the validity of addresses targeted.

Very good point!

Scott

Well the costs you mentioned with aol seem high but I suppose are
possible. Being a parent however and having three children who do use
the net extensively I see your point about the content they receive but
of course the ultimate responsibility for what they are exposed to on
the net lies with me the parent. I realize in my case and the case of
everyone reading this list I'd say that we're a lot more educated and
aware of what's likely to arrive in their inboxes so we address and are
more concerned with this but I believe that protecting children is the
parents responsibility entirely. The case against spam probably should
be decided entirely on economics not on content issues. Several really
solid points are being made here concerning the economics of spam and
how it differs from snailmail. I'm actually very glad I asked the
question as the answers have given me a lot to think about and I'll go
so far as strengthened or rather made me more determined to take an
antispam position.

No I think your message illustrates things pretty well. I guess the
fundamental difference here is not only does it cost usually very little
to receive these messages it costs even less in fact dramatically to send
spam. It seems there is no real reason for the spammer to be concerned
with whether the mail is properly targeted or not so a full on flood is
possible and the leads generated by this flood percentage wise have to
be many factors less than the percentage of success in snailmail.

Well I tend to always err on the side of free expression versus
making something illegal and I definitely disagree with the statement
that it's a clean internet otherwise but just like non electronic space
there are many differing standards and shades of things something I
actually think brings a lot to the quality and adventure of the thing.
It's just that maybe although I don't have a good solution for this,
these mail services should be charged more per message or something more
similar to traditional junkmail. It would force them to be more
targeted as well as deal with the costs in transporting this stuff. And
I get the thousands per day as well I just filter them or block ranges
of ips where lots of this stuff originates but I figure that's my choice
to do and would appreciate it if my upstream wouldn't make that call for
me. On Fri, 3 May 2002, blitz wrote:

I do agree here that using fake addressing and so on is really bad on
many levels. I know on one of the networks I was involved in recently
we had a customer who was a spammer and I pulled his services very
quickly, some might even say too quickly. I also realize that even
though I personally don't find it too bad to deal with others don't
agree so like I stated my professional policy differs from what I do
personally.

Overall, an excellent post - very good illustration of why spam is wrong.
However, I prefer to solve this problem, created at the union of technology
and business (however un-businesslike spamming may be, the motivations are
business), with a solution that's a mix of technology and business. Namely,
using technology to effectively quarantine and blacklist spammers and those
who support them (whether actively or passively), which will eventually make
spamming and supporting spam so painful to the bottom line that no carrier
will allow it. We just haven't got there yet.

I really would like to hold off governmental involvement as much as possible.
Using Congress to solve technical problems is like using a hammer to cure a
hangnail: It may fix the problem, but generally you find that you'd rather
have kept the problem than taken the solution.

Naturally, the technical solution will only work if everybody supports it.
Whether or not _that_ will ever happen is another kettle of fish entirely.

When I re-read my post, I'd like to clarify the "clean" part a bit. I mean technically clean, as in all of the parts working properly as best as the fine people represented on this list can make it happen that is...so let's say "properly operating"...to be a little more specific.

The Internet certainly isn't "clean" by moral standards, and as I see it, those are individual choices individuals make, and I certainly don't want anyone, especially the "gooberment" mandating those choices for me.

Gooberment does have a place in this, though I'd rather those bastards stay the hell away from anything that's working well. I wouldn't mind if a few more states made spam illegal, like Calif and Oregon have made it.
I don't give a rat's rectum about advertisers, in fact I place them in the same category as shysters, the world could live life just fine (and cheaper) without their ilk around.

I'm going to make a suggestion which I realize that today there isn't any
easy way to do this. However, I want to throw this out because I think if
we could figure out how to do it, I think the spam problem will go away.

Anytime anyone sends a mail to my server, I want to be paid 2 cents.

2 cents is probably less than the combined costs of me receiving a mail
message. (Maybe 3 is better). That said, even if it was 2 cents, then a
spammer dropping 10,000 messages on my server would net us $200.00 - and
better, cost the spammer $200.00.

Normal email between two people would likely cancel out and be of no net
cost.

You would also want to be able to accept mail from certain senders for
free.

What I envision is some sort of micropayment protocol extension to SNMP.
something like you exchange helo's, mail from, and rcpt to's, and the
receiving server says to the sender "That will be x cents please", at
which point the server sends some sort of cert-signed digital cash.

I'm not sure how you would bootstrap this or if it will ever be possible.
I just think that if we could get even $0.02 per email from the spammers a
lot of them would stop.

- Forrest W. Christian (forrestc@imach.com) AC7DE

---------------------------------------------------------------------^^^^

Make that SMTP :) I guess I've been working on network monitoring too
much recently.....

- Forrest W. Christian (forrestc@imach.com) AC7DE

> Anytime anyone sends a mail to my server, I want to be paid 2 cents.

And then, no one will want to send _you_ email. Spam or otherwise.

> You would also want to be able to accept mail from certain senders for
> free.

Which I guess is how you would avoid killing off legitimate mass mailing (like
nanog)....

And would that be set up sort of like peering? So instead of just major
networks peering with other major networks, all of the sudden everyone
running a mail server has to work out "peering" (clearly a different type, but
I think you would see a lot of the same mess, with people setting their own
requirements, etc) with everyone else who runs a mail server that you
regularly get mail from. I gather that peering negotiations are difficult,
even between the large networks - can you imagine what a mess this would be?
ack!

Of course, the flip side is that if I begin a business that runs a email
service that won't charge to receive mail, then I might be operating at a
competitive advantage for attracting business customers (generally an
attractive demographic) who don't want people to have to pay in order to
contact them. So you end up with either no isp willing to implement your
system, or with them having to run parallel mail systems - one free, one fee.

> What I envision is some sort of micropayment protocol extension to SNMP.
> something like you exchange helo's, mail from, and rcpt to's, and the
> receiving server says to the sender "That will be x cents please", at
> which point the server sends some sort of cert-signed digital cash.

A downside of this - if you're able to implement this, then it becomes trivial
to impose some kind of an "email tax". While that would be unpopular, once you
start charging people for email, adding on 1 more cent as tax, no big deal,
right? etc. etc. etc. I think you'd quickly see taxes here and a lot of other
places on the net, as a result. IMHO, that would be a bad outcome.

> I'm not sure how you would bootstrap this or if it will ever be possible.
> I just think that if we could get even $0.02 per email from the spammers a
> lot of them would stop.

I think you'd be throwing the baby out with the bath water here. Yes you'd
kill spam, but you'd kill a lot more, too. And I think you'd quickly find
that the cost of administrating this system and dealing with the billing and
agreements and disputes would take up as much or more time that is spent now
on spam.

Clearly the current system (blacklists, etc) for dealing with spam isn't
perfect. But it is evolving - and if more jurisdictions in the US started
putting laws on the books that made it easier to track down, and shut down
spammers and people (isp's) that knowingly provide them service, that it will
be possible to cut out most of the spam without going to drastic measures like
this.

Apart from the various obvious problems with this (as elaborated by someone
else already), this could make things worse overall.

It's an interesting, but naive idea.. The moment there's money to be made
in receiving email, someone will exploit it in ways you won't expect.

Bandwidth is about a dollar/gig nowadays? Thus, that's about 50,000
emails/dollar of bandwidth, and that dollar is capable of making the smart
entrepreneur $1000.[1]

Now, how do I build a ``business plan'' so that many people send me short
bits of email, and where I can act as an email sink?

Off of the top of my head:

    Troll for cash? (Like I am right now! :)

    Make a zombie network that continuously sends me email?

    Lottery sites. (``Send an email for a chance to win! The more
    emails, the bigger the pot and the higher your chances.'')

    Subscribe to every mailing list under the sun?

    I don't remember my SMTP, but this may adjust economics so that
    bounce messages are a financial cost and are no longer sent and/or may
    be used to bankrupt an organization.

And, will that business plan be worse than the current situation?

Scott

P.S. If you get what you want, I'm going to get a business method patent
on the email lottery idea..... I got college loans to pay off!

[1]
This raises an interesting question of how can you claim an email costs
$.02 to receive, when the bandwidth to get it is about 3 orders of
magnitude less, and diskspace costs 2 orders of magnitude less ($10/gig)?

If your average user gets 10 emails/day, that means that each user gets
300 emails/month, and costs you $6.00 in resources?

If you have dialup users paying $20/month, do you kick them off if they
subscribe to a busyish mailing list and get over 35 emails/day?

In terms of ISP resources, emails cannot be costing $.02 each to receive.

In terms of the time to delete them, I could believe that they cost $.02
each. (If you value your time at $20/hour, $.02 is 3 seconds)