Capital One Chip and PIN?

I don't think email harvesters generally bother with being that sophisticated. There's a study somewhere on the net where people tried seeding addresses in various places, and ISTR they found that even fairly simple concealment was effective.

Reply to
Stephen Burke

They could, in principle, force UK ISPs not to accept incoming email from specific foreign ISPs blacklisted as known spam facilitators.

Reply to
Ronald Raygun

Pedants? Here?

For whom.

Reply to
Ronald Raygun

government

That would be my approach. In fact, there should be an attempt to fight spam internationally if possible. The present attempts seem to be just making some of it illegal yet not having any measures to realistically stop it.

Reply to
Peter Saxton

LOL :-)

Reply to
Tumbleweed

"Ronald Raygun" wrote

Tee hee! :-)

Reply to
Tim

Look a few posts up and you will note that I had actually mentioned this already - with an explanation that this decision will be retailer led. Thank you for adding your comments.

Reply to
Marcus Collie

"Marcus Collie" wrote

Unfortunately, looks like my news server isn't showing that post from you ...

"Marcus Collie" wrote

*Which* retailers do you think would be daft enough to say "Nope, I don't want your custom now even though you've already piled up your basket full of goods you are eager to pay for, I am just as sure that I'd get the money as I was yesterday when I accepted credit cards without C+P, but your credit card doesn't yet have C+P so I don't want to have the profit from the transaction of your business..." !!

I'd really like to know which retailers would be so silly, 'cos I'd probably boycott them on principle (because if they are so inflexible in that respect, they probably are with other issues too).

Reply to
Tim

Yes, in about 2010...

In a couple of years the retailer will be accepting the risk - at the moment it makes no difference to the current arrangements.

Regards Sunil

Reply to
Sunil Sood

I doubt whether any retailer would turn you away just yet. When the 'Shift in Liability' takes place however (on 1st January 2005), retailers will be responsible for all fraud (if the retailer allowed a PIN transaction to fallback to signature). I am sure this is when retailers may start asking you to pay by other means, if you can't remember your PIN.

If I was a fraudster, I am sure I would take my stolen card (whose PIN I conveniently "can't remember") to a customer friendly retailer, who allows fallback to signature rather than go to another retailer who will only take your PIN enabled card if you know the PIN. After a short while, the first retailer would review their fallback to signature policy. Fraud will migrate to the weakest link.

Just my thoughts.

Si.

Reply to
Si

Well, for a start it's a pretty drastic solution. My place of work is indeed blacklisting some ISPs on that basis, with the result that people who happen to use those ISPs can't send us mail. For a while I blocked mail from aol addresses, but I had to undo it because people I know started using aol. Since spammers can keep switching ISPs you might well end up blocking whole countries, e.g. Korea, which is not that far from completely cutting yourself off.

There's also a technical problem. The email transport protocol (SMTP) wasn't designed with security in mind, so there is no verification of the sender's email address or location, or the headers which show where the mail has come from. Each gateway the mail goes through adds its own headers, so what you know is that if you work backwards down the header chain, at some point you will have the first genuine gateway address, but without some detective work it won't be obvious which one it is. And whoever is operating that machine is unlikely to be directly involved with the spam. Traditionally all SMTP servers acted as gateways and would forward any mail. Today that's normally disabled, but the facility is still there and may be left on by accident or turned on by a hacker; you can be sure that as soon as spammers find an open relay somewhere it will be flooded.

One approach to that is to block mail using any mail server in whole blocks of IP addresses, but again that's pretty drastic. For example I use NTL at home, and I understand that many ISPs will block any email originating directly from an NTL ip address (as opposed to the NTL mail server, which has a fairly dreadful performance), so e.g. people running mail servers on their own Linux machines will have their mail blocked even if perfectly legitimate. Conversely, since you need to block explicit address ranges you're unlikely to do more than limit the spam a bit with that method.

Reply to
Stephen Burke
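The post above describes two things a receiving site can actually act on: walking the Received: header chain backwards until you reach the first hop you cannot vouch for (everything below that line may have been written by whoever controlled that machine), and refusing direct SMTP from whole address blocks at the cost of also refusing legitimate servers in those blocks. The following is an added example, not code from the thread or from any mail product; the sample message, the trusted-relay list and the CIDR block list are all constructed, and the hostnames and addresses in them are documentation ranges chosen for illustration.

```python
"""Walk a message's Received: chain to the first untrusted hop, then check
that hop against a CIDR block list.  Added example with constructed data."""
import email
import ipaddress
import re

# Constructed: the two relays whose Received: headers we are prepared to believe
# (our own MX and our ISP's outbound relay).
TRUSTED_RELAYS = {"192.0.2.10", "198.51.100.7"}

# Constructed: address ranges a site might refuse direct SMTP from.
BLOCK_LIST = {
    "203.0.113.0/24": "residential dynamic pool (constructed label)",
    "100.64.0.0/10": "carrier NAT pool (constructed label)",
}

# Constructed message.  Each relay prepends its own Received: line, so the
# newest hop is at the top.  The bottom line claims to come from a government
# mail host, but nothing above the third hop can confirm that.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.net with ESMTP id 1; Sat, 14 Feb 2004 10:00:03 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx1.example.net with ESMTP id 2; Sat, 14 Feb 2004 10:00:02 +0000
Received: from localhost (unknown [203.0.113.44])
\tby relay.isp.example with SMTP id 3; Sat, 14 Feb 2004 10:00:01 +0000
Received: from mail.gov.example (mail.gov.example [10.9.9.9])
\tby localhost with SMTP; Sat, 14 Feb 2004 09:59:00 +0000
From: someone@gov.example
To: you@example.net
Subject: test

body
"""

_IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Connecting IP recorded in each Received: header, newest first
    (None where a header carries no bracketed address)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        match = _IP_IN_BRACKETS.search(header)
        hops.append(match.group(1) if match else None)
    return hops


def first_untrusted_hop(raw_message, trusted=TRUSTED_RELAYS):
    """Walk from the newest header downwards and stop at the first connecting
    address that is not one of our trusted relays.  That address is the last
    thing we can vouch for; every Received: line below it could have been
    fabricated by that machine.  Returns (index, ip) or None."""
    for index, ip in enumerate(received_hops(raw_message)):
        if ip is None or ip not in trusted:
            return index, ip
    return None


def unverifiable_headers(raw_message, trusted=TRUSTED_RELAYS):
    """The Received: lines below the first untrusted hop, i.e. the claims we
    cannot check.  Useful to show why the bottom 'from' host proves nothing."""
    hit = first_untrusted_hop(raw_message, trusted)
    if hit is None:
        return []
    headers = email.message_from_string(raw_message).get_all("Received", [])
    return headers[hit[0] + 1:]


def check_block_list(ip, block_list=BLOCK_LIST):
    """Return (cidr, reason) for the first range containing ip, else None.
    Note that a legitimate home mail server inside the range is refused too."""
    addr = ipaddress.ip_address(ip)
    for cidr, reason in block_list.items():
        if addr in ipaddress.ip_network(cidr):
            return cidr, reason
    return None


if __name__ == "__main__":
    index, ip = first_untrusted_hop(SAMPLE_MESSAGE)
    print(f"first untrusted hop: header #{index}, connecting address {ip}")
    print("block list verdict:", check_block_list(ip))
    print("headers we cannot verify:", len(unverifiable_headers(SAMPLE_MESSAGE)))
```

Run as-is, the walk stops at the third header (the one recorded by our ISP's relay), because 203.0.113.44 is not a relay we trust; the line below it, with its official-looking hostname, is exactly the unverifiable part the post talks about. The block-list check then refuses that address, and the same call on 203.0.113.200 shows the collateral damage: a perfectly legitimate Linux box in the same range is refused for the same reason.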

It can only be tackled internationally, but it needs technical as well as legal improvements. The internet was a research project, it was never designed as a commercial service. Most people talking about the history of the internet seem to mention the bit about it surviving a nuclear attack, but few people seem to notice that that isn't a very significant design criterion for commercial use!

Reply to
Stephen Burke

I don't deny it, but do you deny that things are bad enough to warrant drastic measures?

That happened to me too, but I was able to get the techie to make a white hole in the black list to let through stuff from the specific aol address involved.

Cutting *them* off.

SMTP is wrapped in IP, and that identifies the immediate source. You have to trust your nearest-neighbour gateways, on pain of cutting them off if they persistently breach your trust. A condition for trusting them is that they in turn apply the same criteria to their neighbours. Ultimately no trusted gateway will accept email from any source other than a trusted gateway or a trusted end-source. End-sources will only be trusted if they undertake that all mail is traceable to a person who, if found guilty of sending dodgy mail will not only get their account chopped, but be reported to the authorities (spamming would be a serious criminal offence under New World Order).

Gone will be the days when any Tom, Dick, or Harry could get free trial accounts. I can see the day when you'll need the same kind of ID to get an email account as you already need to get a bank account.

That's pretty tough, I know, but it wouldn't be a problem under the New World Order, when you'd just need to get a special licence to operate your own mail server. This would not be unreasonably withheld, provided you fulfil traceability criteria. But with such mechanisms in place, there would no longer be a need for such crude IP blocking.

Reply to
Ronald Raygun

It depends how effective they're likely to be, and the impact of the inevitable mistakes. You may not care if no-one in Korea can send you mail, but companies with clients there would probably feel differently, and I doubt that the government is in a position to make such decisions. Individuals, ISPs and organisations are already making their own decisions about what to block, I don't see any reason for the government to enforce a universal solution.

Not much use if you don't know who to whitelist. A company which doesn't allow mail from, e.g., hotmail or aol accounts is going to have problems if it expects customers to contact it by email, they will just go elsewhere. Personally I think the approach here is wrong, as a lab paid for with public funds we shouldn't be rejecting legitimate mail just because it comes from the "wrong" ISP.

If we do it unilaterally it's cutting us off. A concerted worldwide attempt to exert pressure on rogue ISPs would be another matter. I think there is a case for telling such ISPs that their ip address allocations will be revoked if they don't co-operate, but that certainly isn't something the UK government can do on its own.

True, but not directly relevant, because SMTP doesn't make any attempt to verify the source. You can put a firewall in front of it to restrict access, which is what ISPs normally do, but SMTP itself will carry on regardless, and will believe that you are snipped-for-privacy@whitehouse.gov if that's what you tell it. (Also you can spoof the addresses in the packet headers, but that probably isn't an issue with spammers.)

There are no nearest neighbours. You may be thinking of Usenet, which does work that way, but SMTP is peer-to-peer, any machine can send mail directly to any other machine, so there is no way you can realistically build a whitelist (unless you want to accept mail from only a handful of sources, which may work for private individuals).

This is a New World Order capable of passing criminal laws which can be enforced world-wide? And will it also be a criminal offence to let your machine succumb to viruses, trojans or hackers? The record companies will be pleased, that will make kazaa et al illegal ...

And of course we all know that the bank account checks are totally secure, and accounts are never used for money laundering ...

To *send* mail is trivial, you can do it with telnet, so such a license would have to apply to anyone with an ip connection. And again, the problem is not really with the users themselves, I imagine NTL would already pull someone's account if they were spamming, the problem is with hacked or misconfigured machines. If you restrict internet connections to machines which can't be hacked the internet would get a lot smaller ...

Reply to
Stephen Burke

Indeed, one has to find the right balance. One needs to be aware, though, that the mistakes are just as inevitable whether one chooses to filter stuff out automatically or by hand, even when one uses a mix of automatic and manual methods. For example, I do no automatic deleting at all, just automatic pre-sorting into separate folders, each of which I then process manually, but with a preconceived idea of the likelihood, for each folder, that most in this one will be wheat, and most in that one will be chaff. I tend to go through the chaff at the rate of about two a second, and do occasionally miss one through overenthusiastic pressing of the delete button.

I wouldn't expect it to, I would just expect it to fine ISPs for delivering spam, and so the ISP will have to make its own decisions about whose input it chooses to reject.

Well, I do agree that governments have a poor track record of achieving good results from regulating stuff. Maybe there is an opportunity for ISPs to compete against each other on the basis of how effective they are at eradicating spam. The MPS is pretty effective at limiting the amount of snailmail spam we get, and I'm not sure this is backed up by law in quite the way TPS is. I only get about 5 items of junk mail in the average week, but several hundred items of e-spam.

[sorry about the edit, "able to" were the missing words]

It may not even be a good idea for governments to stick their oar in, it may be better if the ISPs voluntarily club together to clean up their acts and refuse to accept or forward any IP traffic at all from/to non-cooperating ISPs.

It doesn't matter what's in the damned SMTP. They can restrict on the basis of IP. They know who owns and runs the routers, and responsible ISPs can require their peer router operators to shape up on pain of being given the Internet Death Penalty.

Yes there are.

No, I'm thinking of IP routing.

No it can't, not unless they're on the same physical net, otherwise it has to go through routers, which can impose restrictions on what protocols it lets through from what addresses.

In principle yes. You would simply force your local network providers to refuse to collaborate with dodgy foreign providers.

One would hope that if the measures weren't effective, they wouldn't be in place. They need not, of course, be 100% effective in order to be a huge benefit.

Indeed. That's what I was suggesting. Anyone with an IP connection who abuses it should lose it.

Reply to
Ronald Raygun

?

How can you fine an ISP for delivering spam? That would be like fining BT whenever someone made a harassing phone call.

The key point there is that sending physical mail costs money, whereas email is normally free (up to whatever bandwidth you've paid for). One approach would be to charge even a small amount, like 0.1p per mail sent. However, again unless you can get that enforced worldwide the effect will be limited.

The backbone networks are mostly run by governments or government-sponsored organisations, and likewise the high-level address allocation is done by similar bodies, so in practice governments are involved anyway. Also the whole design of the internet is that packets find their own way through the network, if you put a block in one place they will find another route.

Which is back to where I started, as a unilateral act by the UK that would mean cutting ourselves off from the rest of the world, since we can't force other countries to "shape up". Maybe the US has enough clout to be able to force such a solution but we certainly don't.

So you're going to expect every router to have tables of millions of blocked addresses? Not realistic.

Which by your definition is everyone (since you define "dodgy" to include the routing of packets from anyone who might themselves be dodgy).

They need to be pretty close, because the spammers will migrate to any method which works. E.g. if you've looked at any spam lately you will see that it includes a lot of random gibberish to fool text scanners, and all the key words (viagra etc) are spelled in exotic ways.

So anyone who was compromised by sobig et al last year is now banned from ever having an internet account again?

Reply to
Stephen Burke
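The post above notes that spammers defeat naive text scanners by spelling key words in exotic ways. A filter's usual answer is to normalise each token before matching it, so that digit-for-letter swaps, accented characters and dots or spaces pushed inside a word all collapse back to the plain word. This is an added example written for this thread, not code from any filter product; the substitution table, the keyword list and the sample text are constructed, and the random-gibberish padding the post also mentions is not addressed here, since that calls for statistical filtering rather than normalisation.

```python
"""Normalise obfuscated tokens before keyword matching.  Added example with
a constructed substitution table, keyword list and sample text."""
import re
import unicodedata

# Constructed table of common look-alike substitutions seen in spam.
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})


def normalize_token(token):
    """Reduce a token to a canonical lowercase form:
    strip accents, map look-alike digits and symbols to letters, drop
    anything that is not a letter, then collapse runs of repeated letters.
    Keywords must be normalised with the same function before comparison."""
    decomposed = unicodedata.normalize("NFKD", token)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    mapped = stripped.lower().translate(SUBSTITUTIONS)
    letters_only = re.sub(r"[^a-z]", "", mapped)
    return re.sub(r"(.)\1+", r"\1", letters_only)


def _merge_spaced_out_words(tokens):
    """Join runs of single-character tokens ('v i a g r a') into one token so
    a word broken up with spaces is scored as one word.  A lone single
    character (the article 'a', the pronoun 'I') is left alone."""
    merged, run = [], []
    for tok in tokens:
        if len(tok) == 1:
            run.append(tok)
            continue
        if len(run) > 1:
            merged.append(" ".join(run))
        else:
            merged.extend(run)
        run = []
        merged.append(tok)
    if len(run) > 1:
        merged.append(" ".join(run))
    else:
        merged.extend(run)
    return merged


def suspicious_words(text, keywords):
    """Return (original_token, matched_keyword) pairs for every token whose
    normalised form equals a normalised keyword."""
    lookup = {normalize_token(k): k for k in keywords}
    hits = []
    for original in _merge_spaced_out_words(text.split()):
        canonical = normalize_token(original)
        if canonical in lookup:
            hits.append((original, lookup[canonical]))
    return hits


if __name__ == "__main__":
    # Constructed sample line in the style the post describes.
    sample = "Buy v i a g r a and c1al1s cheap, also V.1.a.g.r.@ and Vïágrä"
    for original, keyword in suspicious_words(sample, ["viagra", "cialis"]):
        print(f"{original!r} -> {keyword}")
```

The collapse of repeated letters (so "viiagra" and "viagra" meet) is deliberately applied to the keyword list as well, which is why matching is done on normalised forms on both sides; without that, any keyword containing a double letter would never match itself.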

Well, not just for delivering, but for failing to take steps either to avoid delivering, or to trace the miscreant, just like BT will co-operate in tracing the maker of nuisance calls (BT presumably do this not because they're jolly decent chaps, but because something compels them to).

But governments could block all routes into the country.

I gather there was a pretty effective ganging up on Telewest/Blueyonder by other ISPs a year or two ago, which forced them to shape up PDQ. That was only a Usenet death penalty, mind, not a full-blown IDP, but it illustrates the principle that where there's a will there's a way.

Nor necessary. Each router need only have the capability to blacklist addresses of machines directly connected to all the nets they are routing between, which are a small number. It does not need to know about addresses behind other routers, since it will either trust those routers to apply the same policy, or else it will blacklist those routers.

Exactly. The idea is to have non-dodgy customers of dodgy providers pressuring their providers to shed their dodginess, and their dodgy customers. I think such pressure would be an extremely effective way to force them to shape up.

Point of order. The "measures" to which I was referring were not spam-detection measures, but ID-check measures on account registration. As you make it more and more difficult for spammers to get and keep accounts, a critical point should be reached at which the volume of spam will have gone down enough to have made the exercise worthwhile, because sooner or later there will be no ISPs left with whom the spammers can get an account. The ISPs will club together to operate a kind of international equivalent of Equifax/Experian who will keep a record of all people who have been booted out by ISPs, and so no other shaped-up ISPs will touch them.

If they were innocent victims, they could be given another chance and assistance in how to avoid being similarly compromised again. The genuinely guilty would basically get suspended for a period of time which would vary with the severity of their offence.

Frankly, I'm amazed how people get away with purveying systems which are so easy to compromise. They deserve a share of the blame. It's all Microsoft's fault, isn't it?

Reply to
Ronald Raygun

Yep you do require a PIN at all ATMs but neither a signature nor a PIN is required at Pay at the PUMP petrol stations. This means that companies such as TESCO who are operating this system are wide open to fraud on any Visa, MasterCard, Switch, etc etc card types that are accepted at these pumps. They don't give a toss for victims of fraud at these pumps, they will tell you if you're lucky that the victims won't be held liable.

Is this responsible retailing? I think not.

Reply to
James

If you challenge the entry on your statement, Tesco aren't going to have a leg to stand on if it comes to defending the chargeback. They presumably consider that the increased risk of chargebacks is justified by the savings they make on not having to pay till staff wages.

Reply to
Jonathan Bryce

Without a hint of irony, Jonathan Bryce astounded uk.finance on 14 Feb 2004 by announcing:

The very same rationale for delaying on EMV implementation.

Reply to
Alex