Jeff Key

It works on my machine

CAN-SPAM? No, CAN-SPAM can't can spam.

I simply can't imagine this bill having any effect.  I read an article today that says MessageLabs estimates that 66% of spam is sent through hijacked computers.  This should not be surprising to anyone:  Spammers don't follow the rules.  Why in the world would they establish and respect opt-out services?  The vast majority of spam I get has Paris Hilton, teen girls, my neighbor or dogs in the subject.  You're telling me these people will want to run a fair business?  It just takes a couple dopes to click through to the sites in the spam to make their campaigns worth it.

Who's going to stop these idiots?  How many spammers are there?  What is the process of tracking down and prosecuting these people?  Mugging is illegal everywhere, but people still do it and the return is apparently worth the risk.  The big difference is that the victim, and witnesses in some instances, see the mugger.  Not only do we not know who the spammer is, but it's pretty easy for them to cover their tracks.  If we can't determine who the bad guys are, how are we going to know which ones are worth the government's time and money to track down?

This can only be stopped with technology.  The single biggest problem right now is worrying about the existing email infrastructure, protocols, etc.  I say leave it alone -- it's old, there are existing anti-spam tools in place already, and it needs replacing anyway.  Microsoft, once the leader in proprietary everything, has been working on the spam problem since the '90s, as Gates has recently been quoted as saying.  They should put out a solution that works with every OS/application they still support and let other interested parties have the specs.  Screw the critics.  We've waited long enough for an “open” solution and what do we have?  Nothing but mailboxes full of porn, get-rich-quick schemes, PayPal frauds and trojans.

Posted: Dec 09 2003, 08:52 PM by jeffreykey | with 7 comment(s)

Comments

SBC said:

# December 9, 2003 10:33 PM

Darrell said:

I forget who this happened to, but some programmers on slashdot or whatever got the *physical mailing address* for one of the worst spammers, and signed him up for every direct mail catalog in the US. The post office was backing up trucks to deliver junk mail to him every day. And when interviewed, he said that what the programmers did was "illegal." Poetic justice reigns supreme.
# December 9, 2003 11:47 PM

Jon Galloway said:

Scoble is insane (http://weblogs.asp.net/jkey/posts/42381.aspx) and Michael Robertson is a crackhead (http://weblogs.asp.net/jkey/posts/33053.aspx). I'm gonna try to stay off Jeff's "axis of evil" list.

I like this approach to fighting Spam: http://tbray.org/ongoing/When/200x/2003/10/12/SpamPlan27. I'm cheap as hell, and I'd still pay a penny an e-mail to stop getting 200 spams a day.
# December 10, 2003 1:27 AM

Jeff Key said:

SBC: Definitely an interesting angle.

Darrell: Are you sure that's not an urban legend? If not, that's darn funny. Too bad they didn't sign him up for tons of manure.

Jon: You can't argue with the facts! :) Scoble's a good guy, he's just an easy target.

Thanks for the link. The thing that worries me about money-based spam deterrents is that I hear it's relatively easy for these guys to get stolen credit card info. Then, not only are the victims (the spammed) getting additional charges, but you wind up with new victims -- those whose cards are illegally being used to pay for the spam.

As for using the existing infrastructure, I actually favor the digital signature method, as it's been in a good number of mail clients for a while (at least MSFT ones), as he mentioned. Add to that a SpamNet-like "vote away spam" button and you're set. SpamNet was pretty effective for me, but it used some unknown technology to fingerprint the emails, which is getting harder and harder to do. With digital signatures, you pay for the _identity_, which is constant. Once you vote a _sender's certificate_ as a spammer, it works like a primary key and there's no question as to whether or not the sender is a spammer. Of course you run the risk of blacklisting legitimate folks like catalogs and whatnot, and that problem exists today with SpamNet. If the process of obtaining a digital ID is hard enough, it may make it ineffective to try to get a new one every time their certificate is banned.

The best solution I've used in the real world so far is SpamArrest. I've been using it for a couple months now and it's stopped over 6,500 spam and not let a single one through. Yes, I need to check what it didn't let through once a day to make sure something legitimate hasn't been stopped. BUT, having to do that is a heck of a lot better than dealing with false positives and false negatives.
# December 10, 2003 8:03 AM

Rana said:

Hi,
I agree spamming has to be stopped! Period.
# December 14, 2003 2:13 AM

Jon Galloway said:

Jeff-
On this subject, seen this: http://news.bbc.co.uk/1/hi/technology/3324883.stm ?
Mail sender pays, but pays computationally so the worry of stealing to pay for spam (something I'd never considered) goes away... or does it? I guess this might just unleash zombie farms of spam computers (even more so than they are now). Interesting, anyhow.
- Jon
# January 8, 2004 3:16 AM
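
A hashcash-style sketch of the "sender pays computationally" idea raised in the comment above, as an added example that is not part of the original thread and not necessarily the scheme described in the linked BBC article. The stamp layout (`date:recipient:counter`), the difficulty and the addresses are constructed for illustration.

```python
import hashlib
from itertools import count

BITS = 12  # constructed difficulty: about 2**12 hashes per stamp on average


def work_bits(stamp: str) -> int:
    """Number of leading zero bits in SHA-256(stamp)."""
    digest = hashlib.sha256(stamp.encode()).digest()
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(recipient: str, date: str, bits: int = BITS) -> str:
    """Sender side: brute-force a counter until the stamp shows enough work."""
    for counter in count():
        stamp = f"{date}:{recipient}:{counter}"
        if work_bits(stamp) >= bits:
            return stamp


class Verifier:
    """Receiver side: one hash per message, plus a replay cache."""

    def __init__(self, my_address: str, today: str, min_bits: int = BITS):
        self.my_address, self.today, self.min_bits = my_address, today, min_bits
        self.seen = set()  # stamps already spent on this mailbox

    def check(self, stamp: str) -> str:
        try:
            date, recipient, _counter = stamp.split(":")
        except ValueError:
            return "malformed"
        if recipient != self.my_address:
            return "wrong-recipient"  # stamp was minted for someone else
        if date != self.today:
            return "stale"            # bounds how long the replay cache must live
        if work_bits(stamp) < self.min_bits:
            return "no-work"
        if stamp in self.seen:
            return "replayed"         # one stamp pays for one delivery only
        self.seen.add(stamp)
        return "ok"


if __name__ == "__main__":
    s = mint("jeff@example.org", "2004-01-08")
    v = Verifier("jeff@example.org", "2004-01-08")
    print(s, v.check(s), v.check(s))
```

Because the recipient and date are hashed into the stamp, the work cannot be reused across a mailing list: each recipient costs the sender a fresh search, while each check costs the receiver a single hash.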

Jeff Key said:

I saw a quick blurb about that a while ago, Jon, but didn't know the details. Good stuff! It would be a monumental task to get every email-sending application to use these new standards, which is the #1 problem in general: With such an established application base and protocols, where can you "inject" new goop that will have the least amount of impact? I say leave SMTP as it is and create a new protocol altogether, designed with what we've learned over the years. Yes, it's drastic, but anything that will have a significant impact will require massive changes on every client and server anyway, so why not start from scratch with an improved foundation?
# January 19, 2004 11:45 PM