America: Land of the free, still home of the BIGGEST spammers on the planet

The US prides itself on being the best at a lot of good things. And, judging by the latest data from security vendor Sophos, America is still the best at spaffing spam in the world. [Figure: Countries sending spam. Caption: Gold medal in spam goes to the US] The firm's quarterly list of countries that send spam (as opposed to hosting spamming …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Happy

    USA! USA!! USA!!!

    Commercial speech is free speech, so let me inundate you with my constitutionally protected ads for Viagra and naked pictures! (The naked pictures are not really MY pictures. There are some forms of self-expression that even the First Amendment can't condone.)

    Where's the Old Glory icon??

    1. Mike Flugennock
      Headmaster

      Re: USA! USA!! USA!!!

      "Commercial speech is free speech..."

      Sorry, but that should be spelled S-P-E-A-C-H, "speach".

      At least, that was the official spelling among the busted spammers whining on news.admin.net-abuse.email back in the old days.

      1. Anonymous Coward
        Anonymous Coward

        Re: USA! USA!! USA!!!

        America: Land of the free*

        * excluding healthcare and respecting the human rights of non US citizens...

        1. Pascal Monett Silver badge

          Also excluding respecting the human rights of US citizens on occasion.

  2. Khaptain Silver badge

    Proud to be amexican

    The US prides itself on being the best at dodgy drugs, genital enhancements, and get-rich-quick schemes, as well as spreading malware.

    TFTFY

  3. btrower

    Digital stamps

    There has long been an opportunity here for digital stamps. A marginal cost of a tenth of a penny would be easy to bear for any normal mail volume, but prohibitively expensive for spammers.

    SPAM exists because it pays. Making it *not* pay is the only real way to shut it down.

    1. Shannon Jacobs

      The crowd HATES spam

      I think this would basically work, but you would need to have an interface to SMTP email, and that side of the email would remain polluted. I think a better way to attack the spammers' business models would be an integrated anti-spam tool built into the email system.

      Right now we have "Report spam" button that simply tunes the spam filters a bit. Imagine a "Hunt spam" button that would trigger an analysis of the spam. You would get a webform of your analyzed spam, with embedded radio buttons to confirm the analysis. You would confirm or reject the various results, and then submit, and it would send you another webform based on those results. The second analysis would be more refined, and it might go for several rounds until all of the aspects of the spam had been confirmed, and you had recommended the most plausible countermeasures.

      Of course we shouldn't be allowed to form a lynch mob, but we can help with the targeting against the spammers. We can disrupt ALL of the spammers' infrastructure, pursue ALL of the spammers' accomplices, and help ALL of the spammers' victims. The profits of spam will go down, and the value of the Internet will go up.

    2. pierce

      Re: Digital stamps

      I host a couple discussion lists with as many as a few 100 subscribers, all non-profit things like attendees of a folk music festival, or members of an astronomy club. If I had to pay for every email, this would become untenable quickly.

      1. Anonymous Coward
        Anonymous Coward

        Re: Digital stamps

        > if I had to pay for every email, this would become untenable quickly.

        A proper balance has to be struck. The OP's idea of a 1/10 penny might even be much too high.

        1/100 of a cent might even be sufficient or 1/1000 of a cent considering these people are spewing out millions of emails.

        The elephant in the room though is that a lot of SPAM comes from bot nets so the spammers would not be paying anything anyway.

        1. btrower

          Re: Digital stamps

          @Shannon Jacobs, @pierce @skelband:

          To avoid making a TL;DR post, I did not really flesh out my ideas. Implementation-wise, there are many details that leave most people behind. PKI can be difficult to understand.

          Whatever the technical details, PKI makes it possible to know who a sender is or to know that the sender is recommended by someone you know. Spammers could not send you mail because there is no way they could gain a credible recommendation and no way they can afford to pay you to accept traffic from a stranger.

          The cost associated with the 'digital stamp' is so that legitimate senders can always get an important message through. It would block trivial messages from legitimate senders, but arguably that is SPAM.

          The reason to depend upon something akin to digital currency is because it is important to legitimize the sender without necessarily identifying them personally.

          Cost would have to be adjusted to some reasonable minimum that made SPAM unprofitable but allowed ordinary legitimate mail to be economically feasible.

          To support the stamps, essentially digital currency, you need a PKI infrastructure anyway. That being the case, mailing lists that you wanted to encourage could be given a pass under a 'bulk rate'. Ones you did not want to encourage would be discouraged.

          You could develop a system of rates for unsolicited mail vs mail from known senders and mail being sent 'first class', 'regular', 'bulk', etc. The PKI can allow you to differentiate between senders whose keys are signed according to how much you trust the signer. People managing a huge mailing list would have to send 'bulk' and/or they would have to re-evaluate the value of sending to the list. I am skeptical of the net value of mailing lists to the recipients and it is the recipients we are trying to serve. If you have something you send out to a million users every week, you would have to switch from a 'push' model to a 'pull' model by placing the message on a server where interested readers could pull it down.

          Re: "a lot of SPAM comes from bot nets"

          That is true. AFAIK, most SPAM is now coming from bot nets. Do you think that it is unreasonable to require that people in charge of putting a PC on the network bear some responsibility for damage it does? This is probably a good way to get users to be more diligent and to force companies like MS to take security more seriously. This would effectively cause all of that type of traffic to be 'metered' and would end up returning an enormous amount of the aggregate capacity of the network back to us.

          Given that the digital stamps involve actual money, the system responsible for placing the stamps would be more secure and to the extent it was breached, it would be limited to how much it could send by the money available for stamps. You could also make it so that the system asked for permission before using stamps, etc. You could have a special wallet to act as a 'postage meter' limited to a small amount sufficient for normal mail.

          Part of the reason we have SPAM at all is that PKI is in a dreadful state. It should be both usable and used by everyone. It should be largely incorruptible. Instead, it is hardly usable even for experienced users, not used except in basically broken ways and the root CAs are all fundamentally corrupt.

          Unfortunately, one of the things holding us back is that the bad guys have hijacked the PKI and DRM conversation(1) and are driving us inexorably toward 'treacherous computing'. It seems to me that the good guys who know enough to use the stuff are reluctant to vigorously pursue its use because of the danger that DRM presents.

          I am not expert in this area, but I do have some experience. As far as I know, we can definitely implement things like digital stamps and we can definitely put in place PKI such that outbound traffic from a given system is done using a PK pair and that inbound traffic can be checked up a chain of signatures to establish trust.

          Signed keys are not limited to a single one, nor are they intrinsically limited to a single use. If we have the infrastructure to deal with digital stamps then we also have in place infrastructure capable of verifying along the route from sender to receiver such that unsigned traffic is never forwarded by routers or accumulated by mail servers.

          Of course, as people worried about DRM would know, the above requires that we have a distributed trust system that cannot be tampered with by agencies like the NSA or other hostile forces. If any single entity or any colluding oligarchy gains control over the system they can(2) cause havoc and cripple the Internet.

          Technically, it is quite possible to implement digital stamps and surrounding infrastructure to eliminate SPAM as such. On the way, there are some impediments, but these (a) are political not technical and (b) need to be dealt with anyway.

          We *will* move toward some sort of micro-payment capable system and some sort of distributed trust. Along the way, we *will* have DRM. It is going to happen. However, it is very important that *well before* we implement the DRM part we entirely remove control from unfaithful trustees like Verisign, Sony, Microsoft, etc.

          (1) The 'trust' conversation currently involves the bad guys insisting that everyone must trust the bad guys above all. They demand that we give them control of all of the master keys and do as we are told. They want to breach trust going in. I'm against that and so are any other decent people with a clue about PKI. Control of things involving trust such as DNS, SSL root certificates, etc need to be distributed so that breaches of trust are effectively impossible. Currently they are controlled by the bad guys.

          (2) Eventually, by Murphy's Law, we know that eventually, 'can' == 'will'.

          1. rcorrect
            Thumb Up

            Re: Digital stamps

            > To avoid making a TL;DR post

            What you and I consider TL;DR might differ just a little.

          2. Anonymous Coward
            Anonymous Coward

            Re: Digital stamps

            "and to force companies like MS to take security more seriously"

            Windows has consistently had fewer vulnerabilities that were on average fixed faster than any comparable OS (for instance enterprise Linux distributions or OS-X) every year for the last 8 years....

            1. handle

              Re: Digital stamps

              Lies, damned lies and statistics. I've never read a more convoluted claim!

    3. Vic

      Re: Digital stamps

      > A marginal cost of a tenth of a penny would be easy to bear for any normal mail volume,

      This would have no effect whatsoever on spam.

      The spammers would simply steal credit in the way they currently steal bandwidth.

      > Making it *not* pay is the only real way to shut it down.

      Indeed, but your proposal does nothing to affect that profitability.

      The Boulder Pledge is the only way to stop spammers, and that's a *very* long-term proposition.

      Vic.

    4. Anonymous Coward
      Anonymous Coward

      Re: Digital stamps

      That was Microsoft's idea, it didn't catch on.

      Everything from password resets to an email confirmation of an order placed would cost money.

      1. Michael Wojcik Silver badge

        Re: Digital stamps

        > That was Microsoft's idea, it didn't catch on.

        There have been numerous proposals for impeding email spam with one sort of tax or another. I doubt Microsoft was the first to propose a micropayment system, and non-payment resource-tax proposals go back at least as far as 1997, with Back's hashcash.

        All of these, and btrower's (overly long and vague) proposal, suffer from two fatal flaws. One is that actual reputable research into the problem indicated that the benefit does not justify the cost: even when such a system works, it can't be tuned to eliminate a significant portion of traditional (mass-mailing from a limited set of accounts) spam without occasionally obstructing legitimate email.

        The other, as Tom 13 and others have noted, is that most spam transmission is distributed over such a wide range of compromised machines that the tax is simply ineffective - a calculation that btrower gets quite wrong in that section of the manifesto.

        (I was going to offer more critique of the manifesto, but it's not worth it. It rarely is. I'll just note in passing that "PKI infrastructure" is redundant.)
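An added illustration, not part of any comment in this thread and not Back's hashcash code: a simplified proof-of-work stamp of the kind this sub-thread debates, with the receiver-side checks a mail server would need and the per-machine cost figure behind the botnet objection. The stamp layout, the use of SHA-256 (hashcash used SHA-1), the function names and all sample values are assumptions of this sketch.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of a hash digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def stamp_bits(stamp: str) -> int:
    # SHA-256 is an assumption of this sketch; hashcash itself used SHA-1.
    return leading_zero_bits(hashlib.sha256(stamp.encode()).digest())

def mint(recipient: str, date: str, bits: int) -> str:
    """Sender side: search for a counter that gives `bits` leading zero bits."""
    prefix = f"1:{bits}:{date}:{recipient}::"   # simplified stamp layout
    for counter in count():
        stamp = f"{prefix}{counter:x}"
        if stamp_bits(stamp) >= bits:
            return stamp

def verify(stamp: str, recipient: str, min_bits: int, seen: set) -> bool:
    """Receiver side: one hash, plus checks that stop reuse of a stamp."""
    fields = stamp.split(":")
    if len(fields) != 6 or fields[0] != "1" or fields[3] != recipient:
        return False                      # malformed or minted for someone else
    if stamp in seen or stamp_bits(stamp) < min_bits:
        return False                      # replayed, or too little work done
    seen.add(stamp)
    return True

def hashes_per_machine(messages: int, machines: int, bits: int) -> float:
    """Expected hash attempts each sending machine must make."""
    return messages / machines * 2 ** bits

if __name__ == "__main__":
    seen = set()
    stamp = mint("alice@example.org", "131015", 12)   # constructed sample values
    print(stamp, verify(stamp, "alice@example.org", 12, seen))
    print("replayed:", verify(stamp, "alice@example.org", 12, seen))
    # Constructed figures: one million messages at 20 bits, sent from a single
    # host versus spread evenly over 100,000 hosts.
    print(hashes_per_machine(1_000_000, 1, 20),
          hashes_per_machine(1_000_000, 100_000, 20))
```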

    5. Tom 13

      Re: Digital stamps

      Bad idea because you ignore the reality of the spam culture as it exists today. The people who could be hit with an email tax aren't the spammers or wouldn't notice it. The people who would be eliminated by it have already pretty much been done in by ISP filtering. That's right, as the article noted most spam these days isn't generated from legitimate accounts on legitimate email systems. It comes from a vast army of zombie PCs sending out only a few emails each. Just like a DDoS attack, it leverages a lot of machines instead of a fast one.

  4. Don Jefe

    Regulatory Failure

    More than anything this highlights how increasingly useless the Food and Drug Administration has become. A significant part of their mandate is to control not only the distribution of prescription pharmaceuticals, supplements and medical devices, but also the advertising and marketing of them.

    They can't do that though because they're too busy finding reasons not to approve drugs the rest of the world can access, OTC in many cases. Well, that and finding reasons to fast track approval of drugs for rare conditions and those with a negligible impact over what is already available but have lost patent protection and can be produced generically.

    From a humanitarian standpoint, the FDA does more damage to the US population than any other agency. God they suck.

    1. JB

      Re: Regulatory Failure

      And allowing the advertising of pharmaceuticals on TV, with a voiceover listing all possible side effects over film of an old geezer lovingly washing his 1950s pickup!

    2. ecofeco Silver badge
      Meh

      Re: Regulatory Failure

      No, they can't do this because their funding has been gutted.

      Like all the rest of our "interfering and meddling with our right to free market" watchdog agencies.

      Can you guess why and by who?

  5. ecofeco Silver badge
    Trollface

    Yep, zombie 'bots.

    These days, 7 out of 10 times when I'm asked to fix someone's home PC (almost wrote "personal computer" as opposed to WC or "work computer" )** it's effin' malware that has caused the problem.

    **see what I did there?

  6. Nearly Anonymous
    Headmaster

    which lists

    "Third and fourth place on the list belong to India and Italy respectively, with both showing big increases in spam generation in the first three quarters of the year. Kuwait and Israel are new entrants to the Sophos list this quarter, holding seventh and twelfth place respectively."

    This last paragraph is referring to different data lists. Third and fourth place, by volume, are India and Italy. Seventh and twelfth place, per capita, are Kuwait and Israel. The text is misleading.

    1. Tom 13

      Re: which lists

      Given that the author had already shifted context when discussing Belarus, I had no problem with this at all.

  7. John Smith 19 Gold badge
    FAIL

    Amazing. The country with the most extensive system of spying on its citizens can't

    stop it.

    Unimpressive for all that spying is it not?

    Perhaps educating those merkins a bit more could make all our lives a bit better?

    1. Anonymous Coward
      Anonymous Coward

      Re: Amazing. The country with the most extensive system of spying on its citizens can't

      I think what would help is examples from readers how they combat spam ......

      Thank you.

  8. Charles Manning

    Belarus should be disqualified.

    They're probably using steroids.

  9. Wibble

    Interesting that the UK doesn't feature

    Better not tell Tony Cameron and associates lest they'll want to "improve things":-)

  10. Sureo

    The NSA must know whose computer is infected and sending spam. They could actually do something useful and beneficial for once. Formatting the hard drive on infected machines comes to mind. If anyone complains, send them to Belarus.

    1. veti Silver badge

      Formatting?

      If they want to be helpful, they could restore from an uninfected backup, then tell the user exactly how they got infected and not to do it again.

      It might even buy them quite a lot of tolerance for their spying.

  11. dogwatch

    Nigeria?

    So where is Nigeria? Was it filtered out?

  12. Michael Wojcik Silver badge

    Canter/Siegel was not first

    > Back in 1994 the first spamming came from lawyers Laurence Canter and Martha Siegel

    No. That was the first commercial Usenet spam, but it was neither the first Usenet spam nor the first commercial spam.

    The first Usenet spam is believed to be Thomas' religious spam ("Global Alert for All: Jesus is Coming Soon" [1]), which was posted earlier in '94. Wikipedia cites Thuerk's ARPANET spam of 1978 as the first known commercial spam message. Even if there are no earlier examples, that means email spam predates Canter/Siegel by some sixteen years.

    [1] In fairness to Thomas, there were widespread reports at the time that Jesus was breathing heavily.
