Re: OT: GMail and Spam
From: Henry Spencer (henry_at_spsystems.net)
Date: 03/22/05
- In reply to: Craig Fink: "Re: OT: GMail and Spam"
- Reply: Craig Fink: "Re: OT: GMail and Spam"
- Reply: Ami Silberman: "Re: OT: GMail and Spam"
Date: Tue, 22 Mar 2005 05:54:30 GMT
In article <pan.2005.03.21.02.50.50.707644@GMail.Com>,
Craig Fink <WeBeGood@GMail.Com> wrote:
>> ...So the spammers aren't getting the bills, and they have
>> an essentially unlimited supply of CPU cycles at their disposal.
>
>I wouldn't call it unlimited, not yet anyway. Depending on the algorithm
>used, the amount of CPU time could vary greatly. So if it takes each
>machine 1000, 10000 or even 1,000,000 times the CPU time for each e-mail,
>the hijacked machine can only send out 1/1000th, 1/10000th or
>1/1,000,000th the amount of spam.

Remember that machine speeds vary greatly -- not all operating systems
require you to constantly upgrade your hardware just to keep up with the
software bloat -- and that there are machines which legitimately have
cause to send lots of mail, e.g. mailing-list hubs. I'm very skeptical of
being able to pick a level of effort which will not be prohibitive for
legitimate users and yet will impose serious burdens on spammers. (There
are so many zombie machines out there that they can easily pick the best
and fastest, bearing in mind that there's a strong correlation between
vulnerability and the need for constant hardware upgrades...)

Too many of the folks who invent such schemes never seem to think hard
about possible problems or countermeasures; they assume an idealized world
in which all legitimate mail users are similar and the spammers are not
allowed to react intelligently.

>...When the user of the hijacked machine notices
>that his machine seems to be moving at a crawl...

As I understand it, there are already zombie control programs which stop
the unauthorized activity the instant the mouse moves or a key is pressed,
and resume only when all is quiet. The user never notices anything wrong.

>or his e-mail bill is
>growing rather fast, or he ran out of "pay as you go money", he's more
>likely to fix his machine.

A hit in the pocketbook will get people's attention... but they need to
have something they can usefully do about it. That's actually not a
trivial problem for independent Windows users (that is, people without
savvy tech-support staff handy) these days. Install the latest upgrade?
That's the one that breaks half the software, right?

>One dollar in your e-mail check book account
>would allow you to send unlimited e-mails, but limit the rate to 100
>e-mails (a penny per e-mail) at any one time. After that you can't write
>any more e-mail checks, or send any more e-mail, until some of those
>written checks expire without being cashed (cashed check = spam).

There will be quite a few people who'll need more than that, especially
people who use email for *work* with substantial groups of correspondents,
and simply cannot have their email arbitrarily interrupted. The spammers
can and will select well-funded zombies.

Yes, there are conceivable fixes for this sort of thing, but the
conceptual simplicity is quickly lost as complication after complication
is applied to try to rescue a fundamentally over-simplistic concept.

>Also, to
>get the mail through requires a round trip and valid addresses at both
>ends, not just a mail server willing to accept and send.

I'm not quite sure what you're saying here, but I'd be willing to bet the
zombie legions won't have any trouble pretending to be legitimate.

>The Scientific American article is a good one, and really talks about a
>multifaceted anti-spam effort for a spam free future :-J, not a silver
>bullet. I just found these two of the more interesting concepts.

I fear that a multifaceted approach which includes concepts like those is
not likely to be sufficiently well-thought-out to do the job.

--
"Think outside the box -- the box isn't our friend." | Henry Spencer
-- George Herbert | henry@spsystems.net
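
The following is an added example, not part of the original post or thread. It sketches the CPU-cost scheme under discussion as a hash stamp in the style of Hashcash (an assumption, since the thread names no algorithm) and computes how many stamped messages per day different senders could produce at a given difficulty. The hash rates and machine counts are constructed figures chosen only to show the spread in machine speed.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()

def mint(recipient: str, bits: int) -> tuple[str, int]:
    """Search for a counter so SHA-256("recipient:counter") has `bits`
    leading zero bits. Returns the stamp and the hashes tried
    (expected about 2**bits)."""
    for counter in count():
        stamp = f"{recipient}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1

def verify(stamp: str, recipient: str, bits: int) -> bool:
    """Receiver's check: one hash, whatever the sender had to spend."""
    if stamp.rpartition(":")[0] != recipient:
        return False  # stamp was minted for a different address
    return leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits

def mails_per_day(hashes_per_second: float, bits: int, machines: int = 1) -> float:
    """Expected stamped messages per day for a pool of identical machines."""
    return machines * hashes_per_second * 86_400 / 2 ** bits

# Constructed figures: (hashes per second per machine, number of machines).
SENDERS = {
    "old list hub, 1 machine": (2e5, 1),
    "fast desktop, 1 machine": (5e6, 1),
    "10,000 fast zombies": (5e6, 10_000),
}

def capacity_table(bits: int) -> dict[str, float]:
    """Daily sending capacity of each constructed sender at this difficulty."""
    return {name: mails_per_day(rate, bits, n) for name, (rate, n) in SENDERS.items()}

if __name__ == "__main__":
    stamp, tries = mint("list@example.org", 12)
    print(stamp, tries, verify(stamp, "list@example.org", 12))
    for bits in (20, 24, 28):
        print(bits, {k: round(v) for k, v in capacity_table(bits).items()})
```

Raising the difficulty divides every sender's capacity by the same factor, so the ratio between the slow hub and the pooled machines stays fixed at any setting.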