Spam filtering services throttle Gmail to fight spammers

The growing abuse of webmail services to send spam has led anti-spam services to throttle messages from Gmail and Yahoo! Over recent months security firms have reported that the Windows Live CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) used by Hotmail, and the equivalent system at Gmail …

COMMENTS

  1. Matthew Banwell
    Alert

    Gmail Spams Itself

    Gmail not only sticks mail from Google itself into the Spam folder, but also marks these messages with the anti-phishing message, "Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information."

    So, on one hand Google is sending me emails about updating my Adwords billing info, yet on the other they're hiding them from my inbox, and telling me not to trust these emails. What to do?

    ;-)

  2. Mikko Kaarela

    Throttle account registration to prevent spam?

    If spammers are using sweatshops to circumvent CAPTCHA, why not introduce a system that causes delays in setting up multiple webmail accounts e.g., from same IP address (space) effectively?

    Another approach could be Google et al. to set up a limit against sending too many e-mails to too many recipients. A limit not even noticed by bona fide users could be detrimental for spammers sending large numbers of e-mails. Gmail could also throttle heavy outbound traffic that too many of the recipients report as spam. "Many mail recipients have reported your e-mails as spam, for the next X days you can only send Y e-mails per day, to max. Z recipients each..". A bit of cooperation between the mail providers would be helpful here, too.

    Obviously, these measures would not stop spam entirely, but if the spamming process turns costly and complicated, it reduces the profitability = it works.

  3. Ralph B

    Gmail Spam Filtering

    I'm always astonished at how well Google Mail filters spam - way better than my own mailserver's spamassassin config. I always assumed it was down to their feeding back the results of the mass ranks of gmail users marking mails as spam.

    Presumably a similar method can be used to limit the abuse of spam _from_ gmail accounts. If Google see lots of spam arriving from user fool@gmail.com they could automatically disable that account.

  4. James Pickett
    Go

    Just a thought...

    I assume that most gmail accounts are for personal use and generate little outgoing mail, relative to commercial operations. I don't imagine that commercial users would object to a more stringent sign-up process, leaving the rest of us with a limit of, say 100 outgoing messages/day?

    As for CAPTCHAS, has anyone tried using faces?

  5. This post has been deleted by its author

  6. Alan Silver badge

    @Mikko Kaarela

    I've often thought this would be an easy way to stop spam. Simply have a limit on the number of emails an account can send in a day.

    If you need to send hundreds of genuine emails then you need to get a premium account, which will cost money - even a few cents an email will make spam unprofitable.

  7. Pie
    Paris Hilton

    IP ban won't work

    The spammers are using thousands of compromised computers to fill in the email account details; the humans only solve the CAPTCHA, which is then passed to gmail via the compromised computer.

    As they have tens if not hundreds of thousands of computers in their control they could still create thousands of spam accounts per day even if you could only apply for one email/day/ip...

  8. Anonymous Coward
    Anonymous Coward

    As for CAPTCHAS, has anyone tried using faces?

    But how ... show a picture of a "celebrity", and hope the human guesses it.

    Maybe a better CAPTCHA would be to show a photo from a large stock library, with one of a number of possible questions : "how many trees are there ?", "Is there a church in the picture".

  9. Dick Emery
    Stop

    They really need to

    filter outgoing messages as possible spam too. Bounce it back to the sender. Or use the filter to make a note of who is sending lots of suspicious outgoing mail and delete the account if it crosses a certain threshold. Spam filtering should work both ways. Incoming AND outgoing.

  10. Anonymous Coward
    Anonymous Coward

    No!

    >> show a picture of a "celebrity", and hope the human guesses it.

    Some of us manage to maintain our cultural vacuum* with few, or selective leaks. I wouldn't have recognised the Paris icon if it wasn't for the posts.

    *I've had mine so long now it came with a free international flight!

  11. Peter D'Hoye
    Go

    spam filter on the output?

    Why can't we just spamfilter the outgoing mails? As a bonus, automatically remove the account if signal/noise ratio is too high.

  12. Glenn Gilbert

    @anyone using faces

    The point is that CAPTCHA is broken as they're using human slaves to interpret it. They're human, so it'll work.

    Also, WTF is a celebrity? If it weren't for the image of Paris here, I'd have no idea who she is. In fact I've still no idea and care even less. What about cross-cultural problems; show me a picture of President Sarkozy's missus and I wouldn't recognise her (nor him for that matter unless he was wearing a string of onions and a beret).

    This is why CAPTCHA uses mangled /Latin/ characters: everyone knows them, even Arabs and Chinese. Or, put it another way, I could even sign up on a Japanese website that had a CAPTCHA even though I don't speak the lingo. And of course that's the weakness; get a sweatshop full of barely literate slaves (or even British chavs) and they will sit there cracking CAPTCHAs all day.

    Of course the only answer is a universal ID card....

  13. Glenn Gilbert

    The answer is with Gmail et al

    Unfortunately the answer lies firmly with Gmail, Hotmail, et al to validate email accounts.

    They need to put newly created email accounts "on probation" where they're limited to sending very few emails a day until, say, a couple of months have passed. If someone needs to send many emails, they can upgrade to a paid account (which should make the web mail providers happy). Once the couple of months probation has passed, and if the email account has done nothing wrong (e.g. all outbound email should be scanned for spam) then the restrictions could be lifted.

    Alternatively they should scan all their outbound email for spam.

    Probably some stick will be required to do anything: the major spam validation engines need to blacklist the web email services for them to take action.

    The odd thing is that it's in everyone's interests, except the spammers, to be more proactive in managing web email services. Gmail, Hotmail et al stand to lose a lot of credibility if this continues, ultimately leading to more people blacklisting their domains.
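
The sending limits proposed in comments 2 and 13 above (a daily cap, a probation period for new accounts, and tighter caps once recipients report the mail as spam), sketched as an added example that is not part of any commenter's post. Every name, threshold and sample account below is a constructed assumption; the thread only gives "X days", "Y e-mails", "Z recipients", "a couple of months" and "say 100 outgoing messages/day".

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Limits:
    daily_msgs: int        # messages an account may submit per calendar day
    max_recipients: int    # recipients allowed on a single message


# Assumed policy values, chosen only to make the example concrete.
PROBATION_PERIOD = timedelta(days=60)   # "a couple of months"
PROBATION = Limits(10, 5)               # new, unpaid accounts
ESTABLISHED = Limits(100, 20)           # "say 100 outgoing messages/day"
PAID = Limits(2000, 50)                 # paid upgrade for bulk senders
PENALTY = Limits(5, 3)                  # after too many spam reports
PENALTY_PERIOD = timedelta(days=7)      # the "next X days"
COMPLAINT_RATE = 0.05                   # reports per delivered recipient
MIN_DELIVERIES = 20                     # do not judge on a tiny sample


@dataclass
class Account:
    created: datetime
    paid: bool = False
    sent_by_day: dict = field(default_factory=dict)   # date -> messages sent
    deliveries: int = 0                               # recipient deliveries
    complaints: int = 0                               # "this is spam" reports
    penalty_until: Optional[datetime] = None


def limits_for(acct: Account, now: datetime) -> Limits:
    """Pick the limits that apply right now. A complaint penalty
    overrides everything else, including a paid upgrade."""
    if acct.penalty_until and now < acct.penalty_until:
        return PENALTY
    if acct.paid:
        return PAID
    if now - acct.created < PROBATION_PERIOD:
        return PROBATION
    return ESTABLISHED


def try_send(acct: Account, recipients: list, now: datetime):
    """Accept or reject one outbound message; returns (accepted, reason)."""
    lim = limits_for(acct, now)
    if len(recipients) > lim.max_recipients:
        return False, "too many recipients"
    today = now.date()
    if acct.sent_by_day.get(today, 0) >= lim.daily_msgs:
        return False, "daily limit reached"
    acct.sent_by_day[today] = acct.sent_by_day.get(today, 0) + 1
    acct.deliveries += len(recipients)
    return True, "accepted"


def report_spam(acct: Account, now: datetime) -> bool:
    """Record one recipient's spam report. Returns True when this report
    pushes the account over the complaint rate and starts a penalty."""
    acct.complaints += 1
    if (acct.deliveries >= MIN_DELIVERIES
            and acct.complaints / acct.deliveries > COMPLAINT_RATE):
        acct.penalty_until = now + PENALTY_PERIOD
        acct.deliveries = acct.complaints = 0   # start a fresh sample
        return True
    return False


if __name__ == "__main__":
    now = datetime(2008, 3, 1, 12, 0)            # constructed timestamp
    newbie = Account(created=now - timedelta(days=1))
    outcomes = [try_send(newbie, ["a@example.org"], now) for _ in range(12)]
    print("probation account:", outcomes[9], outcomes[10])

    veteran = Account(created=now - timedelta(days=200))
    for _ in range(3):
        try_send(veteran, [f"r{i}@example.org" for i in range(20)], now)
    print("penalty started:", [report_spam(veteran, now) for _ in range(4)])
    print("limits now:", limits_for(veteran, now))
    print("limits later:", limits_for(veteran, now + timedelta(days=8)))
```

As comment 7 points out for IP-based limits, per-account caps bound what each account can send but not how many accounts are created, so a policy like this raises the sender's cost per message rather than closing the channel.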

  14. Olly
    Stop

    Thin end of the wedge...

    "4.6 per cent of all spam originates from web mail-based services"

    Erm, why aren't we going after the 95.4% instead of wasting time on the minority?!?!?!? We kill them off first then start worrying about the minnows.

  15. Magnus

    @IP ban won't work

    The point is that the spammers are out to make money. Anything that eats away at their margins will cut down the type of spam they can profitably send and hence the overall volume of spam.

    Has anyone made a study of the profitability of spam operations btw? What is a Gmail account valued at these days? I presume the people running these kinds of scams are reasonably canny and are making a good profit for the legal risks they run.

  16. Anonymous Coward
    Paris Hilton

    My love is in league with the freeway

    Perhaps, instead of showing a picture of a celebrity, GMail could display a Zen riddle, or something that requires a certain amount of judgement and intuition.

    E.g. "This is a photograph of a tree. Are you outside the forest?" The correct answer of course is that the question is wrong, there is no outside. GMail will refuse entry to anyone who answers the question too quickly.

    Such a system would slow the spammers down, and perhaps encourage them to abandon their desire for money, and indeed their desire in general.

  17. Simon Greenwood
    Thumb Down

    re: Google is spammer heaven

    That's newsgroups, not mail, and if it is a single cretin, there is such a thing as the killfile. Use an NNTP server and a Usenet client and you will see that such things still exist.

  18. Joe Montana
    Stop

    Mass domains..

    The problem is single domains (gmail.com, hotmail.com, yahoo.com) with millions of legitimate users. Because of this, it's hard to blacklist those domains without affecting those legitimate users. Not only that, but the sheer number of users means that users will often have spam-looking usernames, like joebloggs432432.

    The world needs to cut down on free mass used email providers, and go back to the days when you got an account where you worked/studied, or from your isp, or even bought your own domain and had it hosted (very cheap these days, and gives you some individuality). Lots of educational establishments used to give out lifetime email accounts, that seems to be less common now as they have to pay per user licensing costs for proprietary email servers like exchange.

    Even worse is people using free email providers for business email, how can you take a company seriously when they have companyname43242@hotmail.com painted on the side of their van? Registering their own domain would have been cheaper than paying someone to paint their van.

  19. Anonymous Coward
    Paris Hilton

    Bring back account creation by invitation only

    I acknowledge that it's not the ideal solution but I would be happy to have the email account creation by invitation only scheme Google used when it rolled out gmail for testing purposes and limiting the number of invitations to maximum of one or two invites a day.

    The ability to allow users to create accounts on the fly does allow anyone to freely open an account. In an ideal world this would have been fine but we don't live in an ideal world or else everyone will be using open source stuff :)

    Having an invite method in addition with a system like CAPTCHA will hopefully reduce the number of account creations and hopefully make it slightly more tedious for spammers to use sweatshops in India to follow the process of account creation.

    It is also interesting to see how Google opts to tackle the problem as more spam accounts from gmail will in effect also increase revenue for Google through the adverts they display with each email. Whether they choose to resolve the issue or follow other major companies with money in mind, let's wait and see :(

    Paris; coz even she can create a gmail account now

  20. Ben Cross
    Thumb Down

    @ My love is in league with the freeway

    Ashley,

    problem would be then that "educated" people who do not spam at all would end up getting the question wrong, thus screwing themselves over in the process.

    So basically your suggestion (maybe a too hard question, I dunno) would probably end up ensuring that not many people get to send emails....

    What about if I decide to send an email through Outlook? - how would you stop that..? ;-)

  21. Anonymous Coward
    Anonymous Coward

    Spam really grates my cheese

    Spam is never going to stop, because the "whole industry" never gets on board. SPF had potential, and my home mail server is set up with it; it doesn't stop it being banned because it's on a public IP. The SPF record is updated within 1-5 minutes of my IP changing.

    No harm in thinking solutions though, and we have, from other posters:

    - Limit to X emails a day

    - Restrict the number of sign ups per day per IP

    - Spamfilter the outgoing mails

    My addition:

    I'm assuming these sweatshops just create the account, and then automated software is used to send the spam. The simple fact they're using sweatshops shows CAPTCHAs are working, so stick one on the "send mail" page, requiring the sweatshops to send each mail individually, dramatically increasing the running cost for spammers, while only adding a couple of seconds onto sending mail for legitimate users.

    Say 1 person can send an email every 15 seconds, copy & paste the address, copy & paste the content, add attachments, fill in the CAPTCHA. Over an 8 hour shift, that one person could send 1,920 e-mails, that's a hell of a lot less than automated bots sending God knows how many thousands an hour.

    The way the UK government is going, e-mail will be banned soon anyway.

  22. Martin

    lets think out of the box

    ..voice sampling

    if they can't pronounce their "V's" properly or pronounce Guitar as "gee-taar" with a hillbilly redneck accent then that should knock it all on the head.

  23. Nick Askew

    Don't delete SPAM accounts

    Don't actually delete the SPAM accounts, just silently bin everything they send. This way the spammer has no idea if they are still getting through, unless they SPAM themselves just to see if it's still working.

  24. Anonymous Coward
    Anonymous Coward

    Google Abuse

    There was someone spamming a newsgroup with abusive posts towards the people in that newsgroup, then he started sending total and useless junk messages into that newsgroup and it is still going on now 9 months later.

    Sending an email to Google Abuse I got the reply back

    "Thank you for your note. Google does not regularly monitor or censor postings sent to Google Groups, but we do try to prevent wide-scale spam and other forms of Usenet abuse. Please be assured that the information you sent to us is being collected and taken into account. While we understand how annoying off-topic posts can be, we aren't able to pursue most complaints we receive about them. We are using the information you provide to make large-scale improvements in preventing abuse. We appreciate your help in our efforts to increase the quality of Google Groups."

    Now because of their inability to stop a Google user that newsgroup is now dead, no one posts anything in it apart from that rogue person.

  25. Anonymous Coward
    Anonymous Coward

    Pay to open

    I'm not expert in this area but surely if you had to paypal (or other method) a £1 (or similar) fee to open the email account (which is then free to use) then this would help put them off. You could then limit how many accounts could be setup with that paypal account within a set space of time.

    You would also have the benefit of being able to prove who you are if your account is hijacked or you forget the password.

  26. Greg

    @Anonymous Coward

    "by invitation only scheme google used when it rolled out gmail for testing purposes and limiting the number of invitations to maximum of one or two invites a day."

    This is completely useless.

    I'm a spammer. I get an invitation (I play nice on a forum and say please please, like people did for gmail accounts).

    Next day, I have 2 accounts as I send myself (well, my bot does it) an invitation, being limited to 1 a day.

    Next day, I have 4.

    After 10 days and an hour (the hour it took to get the first invitation from a forum), I have 1000 accounts.

    After 20 days, I have 1,000,000

    After 33 days, I have more accounts than human beings on the planet.

    Not such a great idea. If *I* want to invite three friends, I can't.

    But it does absolutely nothing else than annoy legitimate users and prevent the amount of spam worldwide from doing more than doubling each day.

  27. James
    Alert

    :blackhole:

    Please, please, everyone blackhole mail you don't want.

    Most of my spam are responses to mails using addresses in my domain name.

    "We have detected that this message is SPAM"

    If the filter programs would scan the message body & send replies to the addresses it found there, rather than the from/reply address which is always bogus, my spam box would be practically empty.

  28. Anonymous Coward
    Anonymous Coward

    ways to beat the sweatshops?

    Could this work?

    - Credit card authentication. Users are severely limited to say 10 outgoing emails per day unless they verify who they are via a credit card check - the infrastructure is already there thanks to google checkout.

    - Phone numbers, the user must give a valid phone number - google calls them (could be an automated call) to verify that it is really their number. If later found to be spamming then they can be traced by finding who bought the number.

  29. Ed Mozley
    Go

    It's perfectly obvious what needs doing

    1. The captcha test should have to be passed every time you send an email rather than just when you create an account

    2. When you send an email there should be a delay of about 10 seconds while it tells you a joke or something to pass the time. Not so bad for the average user but x 1000 spam emails and the spammers capability is severely limited.

  30. David Cornes
    Stop

    The price of freeloading

    The price we pay for 'free' services is this sort of shite.

    STOP giving away free email accounts. When people have to pay for something then perhaps they'll value it more. I don't think a charge of a few dollars/pounds a year is unreasonable for something people now find as vital as an email account.

    Awaiting the responses of "what about the poor/developing countries"...

  31. Steven Raith
    Thumb Down

    @Nick Askew

    "Don't actually delete the SPAM accounts, just silently bin everything they send. This way the spammer has no idea if they are still getting through, unless they SPAM themselves just to see if it's still working."

    It's still a waste of resources for the email provider - it still has to process a frontend for the user, or an SMTP connection to their client machine.

    Just junk the accounts.

    Spam filters never used to annoy me, but I have missed an interview for a desktop support role with a City firm because the agent simply used the subject "FW" in his email.

    Buggeration :-(

    Steven R

  32. Clive Powell
    Coat

    Problem with all the suggestions ....

    Everyone is assuming that the spammers are using the "normal" methods of sending spam, like actually logging on to Hotmail or Gmail or using Outlook. But they use their own programs (not difficult to write), and so where would the CAPTCHA test come from, or credit card authentication? Also, if people would check on the spam they receive, the From email address is normally different from the Reply email address. The addresses get spoofed. So a better idea would be to send an email reply to all the email addresses held within the body of the email. Any that get bounced means the address is not valid, and if you suddenly get lots of emails from servers you know nothing about, you will now know you need to run a virus check very quickly because you are part of a botnet, or your email address has been compromised.

    Mine is the big target on the back.

  33. TheThing
    Go

    Usenet spam

    The solution to usenet spam is just to get a decent newsreader and possibly a proxy as described here http://improve-usenet.org/ Filter out anything from googlegroups and you're back with a nice, clean news service.

    It is a bit strange that Google don't appear to care that they're trashing the usefulness of one of their products by allowing Google groups accounts to send messages, but that's their problem.

  34. Kaitlyn Kincaid
    Thumb Down

    @ Ed Mozley

    oh heck no! I have a hard enough time figuring out some captchas ONCE, forget every time I want to send an email.

  35. Glenn Gilbert

    It's unfortunate but free accounts are both useful and necessary...

    Free accounts are required for many reasons, mainly to do with anonymity:

    * signing up to websites to avoid their spam

    * signing up to a website to track their spam

    * a temporary email address for an advert (e.g. newspaper/website)

    * a one-off email address to bait phishers / scammers / marketingdroidtards

    * testing applications

    * etc.

    And why on earth should I let everyone have my 'real' email address? This is the internet for goodness sake.

    In exchange for giving us a "free" email account, they get access to our emails (Gmail) and display advertising. Therefore they, Gmail, Hotmail, etc. have a vested interest in sorting it out.

  36. Hany Mustapha
    Paris Hilton

    @Matthew Banwell

    Has it not occurred to you that this email from Adwords might be a phishing email? Why would Google possibly need you to update your details? Have your ads indeed stopped running?

    Paris because... erm... he and she might appear to be well suited!

  37. max allan
    Unhappy

    None of these "ideas" will work

    All these ideas about limiting numbers of mails, improving captchas or whatever will work. None of the spammers actually sit there in front of a PC typing in the thousand mails, they use an open relay somewhere on the net and a script.

    It doesn't matter what limitation hotmail puts on me, 1 email a day with a captcha to guess and a 10 second delay. The spammer can still send his messages through the relay without a problem.

    What we need to do is move to a solution that requires computation to send a mail (like PGP/SMIME signing or encrypting). That way the spammer needs more PC power to send the message. If he wants to send 1 message it takes a second of his CPU time to do it.

    Then he needs to buy a botnet :-(.

    The "auto-reply" to check validity of an address works for a while, except we're talking about spammers that have registered a valid gmail/hotmail/... account. So the reply will be delivered. Of course you can require a response to that reply to add the sender to your whitelist, but there are always idiots out there who can't understand what they're supposed to do. Most of them are users at work rather than friends, so it's not a big problem. But for the stupid masses to sign up, it's too complicated. (like walking AND chewing, talking AND thinking being president AND not being a dick etc....)

    Oh well, looks like we're stuck with spam.

  38. John
    Paris Hilton

    @James Pickett AND @faces

    "As for CAPTCHAS, has anyone tried using faces?"

    At last, Paris can have a purpose.

  39. Matthew Banwell

    @ Hany Mustapha

    Quote "Paris because... erm... he and she might appear to be well suited!"

    They're not phishing spam emails in my Gmail. They're from Google. Therein lies the humour.

    It's very simple. Just like Paris...

  40. Anonymous Coward
    Anonymous Coward

    ElReg redux

    "Obtaining a working Gmail account has a number of advantages for spammers. As well as gaining access to Google's services in general, spammers receive an address whose domain is highly unlikely to be blacklisted, helping them defeat one aspect of anti-spam defences. Gmail also has the benefit of being free to use."

    Haven't I read that exact phrase 3 times now in ElReg GMail stories?

  41. David Barr

    Only Workable Solution

    Appears to be to start blacklisting service providers until they clean their acts up.

    When users start getting "Your mail was rejected because your service provider does not maintain their system against UCE properly" then they'll start voting with their feet.

  42. vincent himpe

    smart captchas

    Instead of using letters and numbers, the server could generate a 'smart' picture.

    It could generate a composite image on the fly. For example: a fruit basket with apples, pears, oranges, and then ask the question: how many oranges?

    Someone else posted the idea of using stock photos: that could be automatically circumvented. It's a matter of cloning the database.

    If the images are 'generated' then this is not possible.

    Another thing could be cartoon-like faces. Show 10 faces, with a random male/female ratio, and ask questions like: how many have brown hair...

    If you overlay them a bit then pixel mapping tools would have trouble 'counting' colored zones, but for a human the difference is still clear..

    Or you could still use numbers and letters in the CAPTCHA. Deform them and give them a color. Overlay the letters partly. Then ask the question to spell only the letters in a particular color. Again matching algorithms would fail. Make sure there is overlap between letters of the same color.

    For example: the text HELLOWORLD. H and E are partially overlapping and green.

    E and L are partially overlapping. Both L are yellow. And so on. Then RLD are green again.

    The answer would be HERLD if the question was green text only..

    If you break the 'hello world' in two lines so that words overlap vertically it would become a real nightmare. You would have colored 'blurbs' but the human eye can still read this whereas a computer would fail. If you then warp the text a bit too the game is really on ...

  43. TheThing
    Thumb Down

    @vincent himpe

    ...doesn't really matter if they're hiring people to figure the things out.

  44. trackSuit
    Joke

    So you want a new free email address?

    ?

    Best prove you are Mutual then. Here is a list of 20 email addresses which send more than 100 emails per day.

    Check through this anonymised list and tell us which addresses are spam. When you are done, we'll cross-check your results with six other people.

    Failure to achieve better than 15 out of 20 correct answers will result in no email address -but not to worry, you can keep trying until you get IT right.

    Privacy? We were all told in the 90's that email is only as private as a postcard. As I understand IT, this is still the case.

    And the voluntary spam checkers? -Think of them as temporary post office staff, sorting postcards.

  45. David Eddleman

    Re: spam filter on the output?

    That wouldn't work -- it could catch legitimate e-mail on the way out. If I start sending friends and family e-mails about great deals I found on eBay (that's germane to their interests) or craigslist or ..., then those mails will almost certainly be flagged as spam, even though they may *not* be spam to them.

    And most non-SPF reliant spam filters rely upon word/phrase detection, so if you included a few "bad" phrases into your mails, legitimately, you'd be in the same spot as above.

  46. Herby

    Outbound filters...

    Wait for a while, then if detected as "bad", bounce back and request confirmation. The confirmation may be as simple as "what is your city" which you answered when you set up the account. Then the mail goes out. Anything that causes interaction on the outbound side will help.

    As a note:

    Spam exists because it works. People are (somehow) making money doing it. If we, by any means, make it less profitable it WILL go away. Any bit helps in this task.

    Making SMTP die and come back with safeguards might do the trick! (we wish!)

  47. Anonymous Coward
    Anonymous Coward

    Is it a cat or a dog? You decide...

    I'm amazed that nobody has mentioned Microsoft's Asirra Project http://research.microsoft.com/asirra/ where you are asked to select all the cats out of a set of ten cats and dogs. The important matter is that the pool of cats and dogs is in the millions, so almost no chance of duplications.

    And to Vincent Himpe I have two words to say: colour blindness (and thus his idea could be challenged under the Disability Discrimination Act).

  48. Glenn Gilbert
    Black Helicopters

    @Vincent

    The problem *cannot* be solved with CAPTCHAs. By definition they have to be read by humans, so the spammers get human slaves to do it. Whether these slaves live in third world countries and work for $1/day, or they're spotty yoofs running the 'stripper' program, humans are the weakest link.

    Can we turn Skynet on now please. Or is that the new name for a botnet?

  49. Anonymous Coward
    Anonymous Coward

    I always like kittenauth

    I've set up kittenauth for an image CAPTCHA system. It is nice because it is easier for a human to get right (I always screw up the text ones once or twice) and harder for a computer.

    Nice thing is you use quite a variety of pictures and customize it for your users. Motorcycle site click all the Harleys, etc.

  50. Dave
    Alert

    @vincent himpe

    Nice idea, but it would REALLY screw anyone who's colour blind

  51. Pie

    re smart captchas

    The counting numbers won't work unless you make the numbers to count high as I'm sure the spammers would be happy with a 1 in 10 hit rate with the numbers of machines they have available to use.

    The coloured text may work, but ultimately if the spammers are using humans to answer the captchas then it's going to do its job and allow them through.

  52. Richard Scratcher
    Coat

    Arms Race

    Why don't the ISPs employ their own sweatshop to identify spam? The bulk of the work could be done by computer but messages that pass that stage could be analysed by a human brain that could identify camouflaged words such as V1@gra and read those pesky GIFs.

    All it would cost is a few bowls of rice a day....

  53. Shannon Jacobs
    Pirate

    A suggestion for Google to fight spammers

    The focus of this suggestion is that Gmail is losing value for all of us as it becomes spam soaked. Even their filtering is having troubles with false positives and false negatives--and the spam is just increasing--as always. Therefore I think Google should act more aggressively to drive the spammers away from Gmail.

    My latest anti-spam idea is a SuperReport option. (Kind of like SpamCop, but not so lazy and laid back.) If you click on the SuperReport option, Gmail would explode the spam and try to analyze it for you to help go after the spammers more aggressively. The result would be returned to your browser as a webform of the expanded email to guide a more direct response to the spam. Here is one approach to implementing it:

    The first pass analysis would be a low-cost quickie that would also act like a kind of CAPTCHA. This would just be an automated pass looking for obvious patterns like email addresses and URLs. The email would then be exploded and shown to the person making the report (= the targeted recipient of the spam AKA harassment victim). The thoughtful responses for the second pass would guide the system in going after the spammers--making Gmail a *VERY* hostile environment for spammers to the point that they would stop spamming Gmail.

    For example, if the first pass analysis finds an email address in the header, the exploded options might be "Obvious fake, ignore", "Plausible fake used to improve delivery", "Apparently valid drop address for replies", "Possible Joe job", and "Other". (Of course there should be pop-up explanations for help, which would be easy if it's done as a radio button. Also, Google always needs to allow for "Other" because the spammers are so damn innovative. In the "Other" case, the second pass should call for an explanation of why it is "Other".)

    If the first pass analysis finds a URL, the exploded options should be things like "Drugs", "Stock scam", "Software piracy", "Loan scam", "419 scam", "Prostitution", "Fake merchandise", "Reputation theft", "Possible Joe job", and "Other". I think URLs should include a second radio button for "Registered Domain" (default), "Redirection", "Possible redirection", "Dynamic DNS routing", and "Other". (Or perhaps that would be another second-pass option?)

    If the first pass finds an email address in the body, the exploded options should include things like "Fake opt-out for address harvester", "419 reply path", "Joe job", and "Other".

    At the bottom of the expanded first pass analysis there should be some general options about the kind of spam and suggested countermeasures, and the submit SuperReport button. This would trigger the heavier second pass where Gmail's system would take these detailed results of the human analysis of the spam and use them to really go after the spammers in a more serious way. Some of the second pass stuff should come back to the person who received the spam for confirmation of the suggested countermeasures.

    Going beyond that? I think Gmail should also rate the spam reporters on their spam-fighting skills, and figure out how smart they are when they are analyzing the spam. I actually want to earn a "Spam Fighter First Class" merit badge!

    If you agree with these ideas--or have better ones, I suggest you try to call them to Google's attention. Google still seems to be an innovative and responsive company--and they claim they want to fight evil, too. More so if many people write to them? (I even think they recently implemented one of my suggestions to improve the Groups... However, it doesn't matter who gets credit--what matters is annoying the spammers more than they annoy us.)
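An added illustration of the first-pass analysis proposed in the SuperReport comment above; it is not code from the commenter or from Gmail. Python's standard email parser and simple regular expressions stand in for the pattern matching, the sample message is constructed, and `first_pass` and its field names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Option lists copied from the comment's proposal.
HEADER_ADDR_OPTS = ["Obvious fake, ignore", "Plausible fake used to improve delivery",
                    "Apparently valid drop address for replies", "Possible Joe job", "Other"]
URL_OPTS = ["Drugs", "Stock scam", "Software piracy", "Loan scam", "419 scam", "Prostitution",
            "Fake merchandise", "Reputation theft", "Possible Joe job", "Other"]
URL_KIND_OPTS = ["Registered Domain", "Redirection", "Possible redirection",
                 "Dynamic DNS routing", "Other"]
BODY_ADDR_OPTS = ["Fake opt-out for address harvester", "419 reply path", "Joe job", "Other"]

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def first_pass(raw_message):
    """Return the list of form fields a reporter would be asked to classify."""
    msg = message_from_string(raw_message)
    fields, seen = [], set()

    def add(kind, value, options, extra=None):
        key = (kind, value.lower())
        if key not in seen:          # ask about each artefact only once
            seen.add(key)
            fields.append({"kind": kind, "value": value,
                           "options": options, "second_options": extra})
    for name in ("From", "Reply-To", "Return-Path", "Sender"):
        for _, addr in getaddresses(msg.get_all(name, [])):
            if addr:
                add("header_address", addr, HEADER_ADDR_OPTS)

    body = msg.get_payload() if not msg.is_multipart() else "".join(
        p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    for url in URL_RE.findall(body):
        add("url", url.rstrip(".,;"), URL_OPTS, URL_KIND_OPTS)
    # Strip URLs first so user@host parts inside URLs are not misread as addresses.
    for addr in ADDR_RE.findall(URL_RE.sub(" ", body)):
        add("body_address", addr, BODY_ADDR_OPTS)
    return fields

# Constructed sample message (example.* names are placeholders).
SAMPLE = """From: "Pharma Deals" <sales@example.com>
Reply-To: drop@example.net

Visit http://shop.example.org/buy?id=7 today.
To unsubscribe write to optout@example.org or see http://shop.example.org/buy?id=7.
"""
```

Each returned field maps to one radio-button group in the exploded form; the reporter's choices would be the input to the heavier second pass.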

  54. James Butler
    IT Angle

    The nerve ...

    "Anti-spam filtering services such as MessageLabs"

    Our number one spam source for many months on end has been MessageLabs' server farms. How dare they criticize Gmail et al. when their own barn door is wide open!?!

    In the absence of SMTP-Auth or restricting outbound mail in some other immediate fashion, there's nothing any of the aforementioned providers can do to stop spammers.

  55. This post has been deleted by its author

  56. Pierre

    Funny joke

    is number one. But what about language problems? Or different kind of humor?

    As for me, I only use a Bayesian engine, no prob. It trashes 200+ messages a day, never had a false positive, and only around 1 false negative a month.

    There is no way to prevent spam from being sent by pre-emptive filtering or multiplication of lame tests, as the spammers don't use web interfaces anyway. It would only annoy legit users.

    Suppress free e-mail? Every single site asks for a valid e-mail nowadays, free spam holes are vital then. Plus, being bound to your ISP-provided account is NOT a good idea for obvious reasons. Employer-provided email account is slightly less annoying but can still be a bad idea.

    As for the fee (or credit card authentication), well, great. What if you don't have a credit card (not even mentioning 3rd world)? What if spammers use their database of stolen credit card details? (stolen when, you know, legit users provided them!). Maybe GMail should ask for your passport number, check the Gov's database, then send you a confirmation request by snail mail. Of course, this would only allow "passported" US citizens to have an email account, but they are the only persons in the world that really matter anyway, right? And this WILL cut on the spam.

  57. Kanhef
    Boffin

    Block /outgoing/ spam

    @ Shannon Jacobs: Nice idea, but requiring too much effort and technical knowledge will limit how many users participate.

    @ max allan: They already *have* botnets sending out most of the spam. So we need to take them down.

    I think Spamhaus has the right idea: when a spammer's account is identified, block everything from their IP address until their ISP cancels the account for violating TOS. These days, the source is more likely to be a trojaned computer, so block all of that user's mail until they install security patches and antivirus programs and disinfect their system. Have ISPs make that part of their TOS, and threaten to escalate and block the entire domain if they don't cooperate. This will even work for webmail providers, as they log the IPs that access spamming accounts, and can deny any access from that computer until it's clean. Ideally, they'd work with the ISP and block SMTP mail as well.

    Most systems try to avoid false positives, but with billions of spam messages sent, a low rate of false negatives still lets plenty through. Deliberately blocking good mail will make individuals take action and stop being unwitting sources of spam. Once their systems are secure, they're also less likely to become part of other botnets in the future.

  58. Kevin McMurtrie Silver badge

    100% Google proof and missing nothing

    My e-mail has filters rejecting everything from Google's servers. It has been that way since Google stopped reading abuse complaints years ago. Recently my Usenet reader has been programmed to discard Google's Usenet postings, which can be an astonishing hundreds of spams per day per group. I rarely notice anything missing except for spam floods. I've even started using Yahoo for searches because Google results are spam too.

    All of this talk about the difficulty of spam filtering is complete BS. Most of the Google abuse is coming from familiar criminal havens that nobody else accepts traffic from. A few firewall rules will fix at least 90% of the problem. Google is fast on their way to becoming a dot-com memory because they don't maintain their systems.

    Where's the popping bubble icon?

  59. Matt Horrocks

    @Matthew Banwell

    E-mails about Adwords are most likely spam; it seems they have moved on from online banking phishing to Google Adwords phishing. I'm receiving messages about Adwords which link to a dodgy domain on accounts with nothing to do with Adwords myself.

  60. Erik Aamot

    been impressed so far with ..

    .. the new AT&T Yahoo! ( DSL here ) anti-spam .. it's like next to nothing on one very public account I've had for 5 years, my main account, which is listed in the WHOIS for about 60 websites used to get 50-80 pieces a day .. now it's averaging 30 per week .. and as far as I can tell, I'm not missing any *real* email at all ..

    the solution is with the major ISPs and mailservers .. it costs them huge money to store, even temporarily, all that SPAM .. what is it .. 90%+ of all email ?

  61. JJ James
    Paris Hilton

    TrendMicro blocking Gmail

    It looks like Trend Micro is now completely blocking mail from Gmail accounts:

    Technical details of permanent failure:

    TEMP_FAILURE: Gmail tried to deliver your message, but it was rejected by the recipient domain. The error that the other server returned was: 450 450 5.7.1 Mail from 64.233.166.177 blocked using Trend Micro Network Reputation Service. Please see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=64.233.166.177.

    I think that Herby's idea has some merit. Forcing users to fill out a captcha for every email is too inconvenient, but getting users to fill out a captcha IF their email looks like spam is less so. That is unless you happen to be a legitimate Viagra salesman. Things are really hard for them these days.

    It would be too expensive for spammers to pay for a captcha to be solved by humans for *every email*, even using third world labour.

    Paris, because she could make things hard for a Viagra salesman
