more on New Pew Internet Report on Spam

[Dave Farber <dave () farber net>]

Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Thu, 20 Nov 2003 08:46:43 -0500
From: Rich Kulawiec <rsk () gsp org>
Subject: [RESENT] Re: [IP] New Pew Internet Report on Spam
To: Dave Farber <dave () farber net>

[ Sorry, insufficient caffeine and I botched the header edit. ---Rsk ]


> More than 2/3 have made a
> more aggressive move, clicking to "remove me" from future mailings,
> although many voice concern that doing so only leads to more spam.

As well they should: multiple independent experiments have demonstrated
over and over and over again that this is exactly what happens.  This
connection has been well-known for many years to those experienced
in dealing with spam issues, which is why we've attempted to pound into
the users' heads that they should NEVER try to unsubscribe from something
that they didn't subscribe to.

This has the unfortunate side effect that on occasion users who really HAVE
subscribed to mailing lists, but have forgotten doing so, being filing
spam complaints about the mail they're receiving.  This is (a) just another
cost of spam and (b) a good reason for everyone running mailing lists to
keep all records pertaining to subscriptions permanently.  (The latter
is trivially easy to do: a back-of-the-envelope estimate of the data
storage required for storing the confirmed opt-in records for a 1,000,000-user
mailing list operated over 10 years indicates that it would fit easily
on a single CDROM.  And since the software to handle this (e.g. majordomo,
mailman) is free, there's simply no reason not to do so.)

> And most email users are judicious about guarding their email addresses in
> hopes of avoiding spam.

However, a great many of them unwittingly assist spammers in confirming
that their addresses are valid by their poor choice of mail clients.
To explain: spammers often send mail formatted as HTML (itself a
wasteful and foolish practice, since HTML is designed to work with
the HTTP protocol, not SMTP).  And huge numbers of the users which
receive this spam use mail clients which parse and interpret the HTML.
Spammers take advantage of this by embedding unique identifiers ("web bugs")
which, when accessed, confirm receipt of the spam and thus allow the
spammer to verify that the address (a) exists (b) is working and (c) can
be spammed via whatever means that particular spam run used.  This is
an absolute guarantee that more spam will be forthcoming and almost
certainly means that the address will sold/bartered to other spammers.

However, despite the availability of a plethora of better mail clients,
free for the downlaoding and available for all computing platforms, it's
nearly impossible to convince users to switch.

> The report argues that Americans are somewhat fuzzy when it comes to
> defining spam [...]

Spam was defined, a long, long time ago by the people in the Internet
community who first had to deal with it: the fact that other people are
unaware of the correct definition doesn't change that.  The canonical
definition of spam (in the context of email) is:

                Unsolicited Bulk Email

(There are different, but related, definitions for other forms of spam:
for instance, Usenet [news] spam is defined by the Breidbart Index.)

No doubt many people haven't taken the time to learn this definition and
to understand WHY it's the correct definition; and there are certainly any
number of people (e.g. the DMA) who have attempted to forcibly redefine
the term to suit their own purposes.  But that doesn't change it.

I'd like to keep this brief, so I'll skip the explanation of exactly how
that definition became the standard, supplanting earlier working definitions
such as "mass mail abuse" and "broadcast mail" -- but I do want to make
an important point: what that definition does NOT say is nearly as important
as what it does.  It was crafted to cover to a wide range of situations,
some of which were envisioned years before they became reality, and to
reflect the fundamental understanding that "spam == abuse", and is thus
in the same category of behaviors as denial-of-service attacks, unauthorized
use of systems/networks, and so on.

Among the things that the correct definition of spam does NOT say:

      how many copies any individual receives
      how many copies any mail server handles
      where "bulk" is measured
      what number is the threshold of "bulk"
      identical/substantially identical messages
      messages all sent from the same ISP
      messages all sent with same putative sender information
      messages all sent with the same salient content
      messages all sent at once
      messages sent during a particular period of time
      messages sent through hijacked relays
      messages sent with forged sender information
      messages whose bulk nature is immediately evident
      messages with any particular kind of content
      what someone whould do if they receive spam
      who might be in a position to figure out it's spam
      what knowledge someone might need to figure out it's spam
      what tools someone might need to figure out it's spam
      what should be done about spam

The omission of those items is not an accident: it was done deliberately
because putting them in would instantly provide spammers with a loophole
they could and would use to classify what they're doing as not-spam.
We've already seen this: some spammers have taken advantage of a popular
but clearly erroneous misdefinition of spam as "unsolicited commercial
email" and have claimed that the political/religious/charity/etc.
content of their spam exempts it from classification as such.  The slang
phrase for this disengenuous tactic is "that-which-we-do-not-do", and it's
showing up with increasing frequency as spammers attempt to simultaneously
(a) spam and (b) deny it.

And the unfortunate part is that a growing number of people who have
never bothered to learn the correct definition of spam, and are thus
constructing their own on an ad hoc basis, are providing spammers with
lots of help doing this, further exacerbating an already bad situation.

---Rsk

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/