Diary of a Dying Inbox
Years ago when spam started to get really going, people started saying it was going to kill email off as a useful and viable medium for communications. I saw bits and pieces of this happening to those around me, but it wasn't such a big deal. I was very careful with my addresses, or at least with who got which one, and it just wasn't that harsh on my end. This has changed, in a very severe way, over the last few years.
Many people will say "If you'd just do this and this you won't have a problem", but I've done many of those things and I still have the problem, and it's just growing worse. My inbox is literally dying off, as I find my behavior changing more and more. And it's not just my inbox, I'm deluged on many fronts, as are many others.
Up until a few months ago, this was an entirely manageable problem. You see, I used to live via email. I'm on something like 50 email lists, some of which I follow closely, others of which have degenerated to the point that I check in them once a month to see if anything has changed. I get hundreds upon hundreds of messages to various accounts each day, most of which just get shuffled into their folders via rules.
However, I do a lot of work via email too. I get documents, proposals, images, schedules, etc. Most people who know me know I don't really do phones very well, and while the odds of getting a call back are good, the odds of actually catching me are low. But I do check my email religiously... or rather I did. You basically have two options for spam blocking, server-side or client-side, although some use a combination of the both.
Most client-side solutions have started to kinda... suck... over the last while. I'm very suspicious that some of this is intentional, because for awhile there they got very good. Then came those spams that, and I swear to gawd, seemed to be about nothing more than screwing up your filters. I know spammers were testing their messages against solutions to see what would and wouldn't get through, and these messages didn't seem to be about that... they just seemed to exist to screw up your filters enough to either make you give up, or become ineffective enough that the floodgates would open for the rest of the spam. Either way, it's seemed to have kinda worked.
Ever email client worth its salt had some sort of baysean-esque system for learning what was and wasn't spam. As an example, Mac OS X's Mail has a similar system which worked well for many people, but if my inbox of people asking for other solutions is any indication, it started to kinda suck with 10.3. Whether this is because of changes made to it in Panther, or a combination of the new uber-spam, I don't know. There are some better, paid solutions, but when you're paying $30-$50 just to be able to read your email, something is seriously screwed up. Personally, I think ThunderBird has the best built-in spam protection I've seen, but everyone knows ThunderBird is still kind of an afterthought for OS X.
Things on the server-side, which is the type I use, have gotten much smarter in a way as new types of spam-checking have come online. Before, you were basically limited to:
- Running the email past a blacklist-service, to see whether it's 'signature' had been reported before, or if the host had. This basically meant you had to hope the spam had become widespread enough to make it into a service, or it was coming from a known source... and you had to be really careful about some of those sources as some of the best were also a little overzealous.
- Your own training of your filters based on the type of mail, and from whom, you normally get, just like you'd generally do client-side.
- Blocking out half the known world, like South Korea, China or Russia from even contacting you at all. This has become less and less effective as broadband has grown in the USA, and it's easier for the spammers to pay people in Russia who send out the spam through say, your neighbor's hacked Windows box.
While other aspects have gotten smarter, one of the big things to come online was checking against the domains being linked in the spam, similar to how anti-comment-spam systems work on websites. Blacklist the site being mentioned in the email, and no matter what form it happens to take next time, or who it says it from, if that URL is mentioned, *poof. It really was a great idea, especially in terms of the large amounts f 'phishing' spam that was going out. Unfortunately...
- The types of spam that don't include any form of URL whatsoever have risen dramatically over the last little while. These generally have to do with penny-stocks, or other weird shite, and hopefully someone has started a website to track these miracle stocks mentioned in these spams to see how they actually perform.
- There's a DNS hit whenever a URL needs to be checked, and some of these spams, for whatever reason, are including monstrous amounts of links. This can start to put some vicious load on wherever you're doing your lookups, and slows everything way down. Additionally, after you've had it around for awhile and built up a selection of blacklisted domains, this can start to get expensive in terms of CPU cycles, and the process can already add quite a bit of load.
Another bring problem is the sheer size of spam at the moment. When your average spam message is 8k-16k, something freakish is going on, and I know I have started to avoid pulling down all my mail whenever I'm on a very slow connection and haven't checked for a few days.
Some people have this way worse than me, which means I'd have to imagine they're close to giving up on email altogether. In terms of the rate of spam, there's certainly been some surges lately on my end. I'm currently getting about 1,800 spams per day. Even assuming my spam solution had a 99% accuracy rate, that would mean ~18 spams were getting into my various inboxes every day instead of the spam folder.
However, it's not even close to 99% at the moment, and I actually do take the time to train my filters once, and sometimes twice or three times per day. It's more like 85% accuracy, which means on average 270 spams are getting through each day.
It's horrid, and causes me to lose more time than you'd think because they are just spewed all over my inbox. I have to check to make sure I'm not not missing something mixed in with the flood of spam sitting there unread, which eats up way more time than it should. Additionally, I have to go through that spam that has been flagged and moved to a separate folder, scanning at least semi-carefully so that I'm not missing an important message. It's happened way too often than I'd like, because humans really suck at this sort of thing.
As a confession, I brought some of this upon myself by trying to be clever. Ever notice how site after site wants you to use your email addy as your login? That worked OK for me, until I kept remembering which email I'd actually used for that site... so I came up with nice little mnemonics for the username of the email address, like say, 'stupidstore [ a t ] drunkenblog [ dot] com'. Give it a nice chopped-mnemonic variation for the password, and I was basically set.
It not only let me see how people were getting to that email, or worse, selling it, but it let me remember how to get into where without having to consult a spreadsheet. (as an aside, ZDnet is evil about giving your info away -- avoid) This worked perfectly fine, until spammers stumbled upon the habit of just tacking any name they could think of onto a domain and sending their spam to it. This means that if you send something to adam@theblog, I'll get it. However, when this first started, spam filters were actually kinda rocking and it wasn't such a big deal... at least on my end.
That's all pretty much changed, and nothing more than a fond memory at this point. And I'm screwed in the sense that I have probably hundreds of those things out there, and I'm really not looking forward to turning off the catch-all functionality and going to every single site and updating all of that info so that their stuff gets to me. Others are in much of the same boat -- their current email might be getting slammed with spam, but changing it to something else requires going to countless sites, like their bank, shopping sites, everywhere, and changing that info.
And don't even start in with me about those evil Windows users -- many of the really popular email viruses at the moment are spread socially, which means the person getting infected actually has to do something to start spreading the hurt. Technical issues just don't really apply.
Back when I had something like two readers, the blog was often me just posting weekly statistics on how many of what virus crossed paths with my various inboxes that ClamAV had rendered neutered. I basically stopped doing it, mostly because my solution for getting the count was so hacky that I kept having to enter in the new virus names to be checked. I stopped doing it, and I really don't have the desire to do it now.
The problem hasn't really gone away, and has actually gotten much, much worse, even if there is a lull from time to time. Without going into a bunch of stats, I can say that over the last month, my various inboxes, and sites for people I have up, have averaged around 785 actual viruses getting stripped per day. Luckily, I don't deal with a huge amount of sites, but I can honestly see why a lot of hosts don't want to deal with server-side virus processing and such. Every message has to be scanned against a database of known virus signatures, and what was once basically an effortless chore for the weakest of servers can start to lay down some real hurt.
The side-effects of the processing can just be one hell of a bitch sometimes too, like the dreaded double-extension problem. The idea is that, lets say I send you a file named 'MySexyPic.jpg.exe'. Many Windows installs are set to have extensions turned off by default, so you'd be well within your rights to think you're opening a picture... because the .exe is hidden. You've now just been 0wned, and there are craploads of these nasty types of things emailed around, and it's a good idea to cull things that try to exploit it.
Unfortunately, while I am very mindful about the extensions of files I'm sending to people, many aren't, and I end up with them sending me something like 'MySexyPic.jpg.zip', which promptly gets stripped and means I have to go searching for it from the stripped and quarantined attachments. It's not the end of the world, but I have gotten dreadfully sick of dealing with it and having to be mindful of it... and I'm not the only one.
This is probably the most serious, mostly because I use MovableType and haven't yet switched to something else... and there's a reason why many hosting companies have started to literally ban it from their servers.
I've mentioned my reasons for using it before over other things I've looked at moving to, but the big one was static pages. If you use something like WordPress, your pages are all nice and dynamic via PHP, which is really nice in a way. Basically just means you change something, and it's instantly that way on the site, at the cost of some increased load on the server.
However, with MovableType if you're very... restrained... you can have everything be nice and static. This is sucky in a way, because if you change something on the page it has to be regenerated as a static file, but great in a way if you're expecting lots of traffic... because the server is basically handing stuff out hand over fist with very little overhead. It's just a tradeoff, but one this site benefited from greatly.
I mentioned comment spam, which just about anyone with a public blog has had to deal with. Mine was no big deal for awhile, probably averaging about three a day. Then I just started to get hammered and would wake up to find 200+ spams strewn about the blog. This caused me to get off my ass and finally install MT-Blacklist, which was a damn godsend. It was still there, and you still had some monster spam hits from time to time, and yes every once in awhile it caused some problems with people submitting comments, but it made everything manageable.
What's become unmanageable is the load placed on the server, namely because some spammer out there has gotten greedy beyond all means and just spews out spam via concurrent http connections. There's no trickle here, it's just a brutal frontal assault of comment spam. Anyone who has a popular MovableType-based site has seen what lots of concurrent comments being left, or even concurrent searches, can do to a server. For most blogs and such this isn't that big of a problem, but for a larger one it is an absolute killer.
The big problem here is Perl, or rather that MovableType spawns a new instance of it whenever you do a search, or in the case of a new comment, spawns a new instance and then rebuilds the page. In the case of something like MT-Blacklist, when a new comment comes it a new Perl process is spawned... which has to do all kinds of regex and other checks against a big list of no-no sites and patterns, and then if it goes through, rebuilds the page for others to see.
When these things are a trickle, as they usually are (even if you're getting tens of thousands of hits to something, only a fractional percentage will leave comments, trackbacks, etc), things are pretty peachy. Imagine what happens if you have 50 people all conducting a search at the same time, or, horrors of horror, 50 people all leaving comments being smacked against that list of no-no's. Now imagine it's a comment spammer just spewing these things out, hitting the blog with as many connections as apache will allow, and things are insane.
Now imagine you're on a shared host with multiple other sites, possibly other blogs being hit by similar things, and you can imagine why many bloggers have been annoyed at being told by their host they're not welcome as a customer anymore. DrunkenBlog has gone pseudo-down a few times over the last week, and it was entirely related to this. Seriously, nothing will stop your heart faster than logging in and seeing a load of over 200, all related to one MovableType-based site.
MovableType posted a fix for the issue, which basically involved making everything dynamic, which makes sense as while you induce extra load by being fully dynamic, it is absolutely nothing compared to what's happening now. Of course this has basically killed my reason for continuing to use it, so now it's just a matter of inertia and waiting for WordPress to hit a stable v1.5. And no, I don't hate MovableType or anything, I just know I'm going to WP eventually, not the least of which is OS X's freaky Perl issues which makes getting a local install of MovableType going a nightmare and of two things (the other being when I tried to get Evolution to install) that became such time sinks I eventually just gave up until something fundamental changes that causes me to revisit it.
And don't even get me started on TypeKey. TypeKey just sucks for a whole variety of reasons, and I eschew it completely, even when it means I'm not leaving a comment on some site that is TypeKey-only comments enabled. I'd Grrrr at the them, but the comments I leave at various places aren't exactly anything to write home about, so I'm sure they're not missing anything.
About the only real thing I've seen being on the issue is a new tagging scheme for links in comments, that Google and others have announced, which would theoretically ruin the incentive that comment spammers have for, well, comment spamming. The idea is that if you tag links in comments with this magical tag, google and others won't index it and allow it to influence their rankings... which is probably the primary goal of most of the comment spammers.
However, as we've seen with things like the rise of referrer spam, there are plenty of other goals that can be accomplished via comment spam, such as phishing and or just getting random people here and there to go somewhere you want them to, that can be accomplished simply because the cost of comment spamming is virtually nil. When I actually cared about some things, vast amounts of it was coming out of zombied home machines, and really they're just simple httpd POSTs.
You also have the problem that most of these 'solutions' come about well after the problem has passed being a nuisance, and well after there are so many installs and such out there that whatever 'new' thing comes out will take ages to really come into its own. I'm sure you've gone to random blogs and seen them littered with comment spam, either because the person doing them gave up the fight or has just moved on... in this case it'll also be about upgrading, or taking the time to add the tag.
Playing devil's advocate, one might say that this new tagging initiative could have more of a dent than others because larger, and more popular sites, usually have a higher PageRank and them moving to the new system will have a disproportionate effect. However, playing the devil's advocate of the devil's advocate, one might note that many 'popular' sites and blogs have taken to not allowing comments at all, and if they do, are generally pretty careful about weeding spam off their blogs straight quick, and thus aren't even that big of a factor right now... yet it's still worth the spammers while to be doing it.
As a side-note, I don't blame larger sites for doing it, I've often considered it myself. The usual reason is that as you start getting larger, you start attracting... extreme... views, and if you're really lucky you start attracting trolls. The secondary reason is more of a marketing thing, in that if you have comments, people might be tempted to leave one instead of going to their site and linking to you with their comments. The third reason is also marketing-related, and ties into the first, and basically comes down to many just not wanting to get whatever they've thrown up torn apart in the comments, especially when it's warranted.
For this point though, let's stick to the first.
I have a pretty thick skin at this point, but every once in awhile I'll get an email from someone saying they would have left a comment, but didn't want to get ripped apart... which makes me consider removing comments. DrunkenBlog has a very 'diverse' readership in it's way, people from every platform and every skill level, and it's a shame if some people are literally afraid to comment, or find themselves cringing at what they see in the comments... At the same time I value the feedback, even when it's negative, and I listen to it and see where it's warranted and not.
You know, I have it on my to-do list to go back and edit the Apache section of Yin & Yang, simply because of the comments, to something that gives the same idea of services running at escalated privilege levels but in a way that both gets the point across and pisses few people off. Unfortunately it's very low on the to-do list, but it's there.
Besides, without the comments, the blog would have many more typos than it does now.
This is the newest one, or at least the severity is new. Someone, somewhere, has lately decided that referral spamming is where it's at. If you're not aware, there's an HTTP header field which allows the browser to send where you are coming from to where you are going to, in the same way that it sends along what browser you're using and platform.
This was originally a thing for testing, but has become an invaluable tool for advertising-related activities, and just figuring out how the hell people are getting to where they're getting to on your site. This one is a lot worse for others than it is for me. I don't exactly try to do a lot with advertising revenue on the blog... hell, I turned all revenue-generating aspects of the site off for the duration of the last traffic spike for various reasons.
But I still use them, for various purposes, all of which have essentially become null and void over the course of this month. It's just grown exponentially, almost daily, and I have the sneaking suspicion there aren't that many people actually behind it, it's much too uniform. You can try to grep it out to have something coherent to look at, but it's just becoming much too large of a problem to do so. And some of the blog-related services out there for whom is linking to whom just don't fill the void, which means I'm just dead in the water here.
If you're curious about why someone would actually care about hitting referrer logs... I'm honestly not sure what has actually changed recently, as this seemed to rise several years ago but petered to a nuisance. The basic idea is that lots of blogs, and other sites display, in various ways, who is getting to their site. This not only gives the referrer spammer a pagerank boost if the site happens to get googled while it's being shown, but visitors reading a blog might click a link if it's there, much as they do with Trackbacks. It's evil.
*rubs temples*
Communications I know, love, and rely on are just becoming more and more of a hassle. I don't check email nearly as much as I used to, simply because the act of checking it brings with it the unspoken agreement that I'm going to be spending anywhere from 10 seconds to a few minutes dealing with spam, and a few times a day much longer. It's becoming a burden, not an enabling technology, which means like many others I'm starting to gravitate towards alternatives... like instant messaging.
It hasn't really been a conscious choice, it's just sort of happened... I don't look forward hitting send and receive in my mail client anymore, and other people seem to have gravitated towards hitting me with with an IM instead of an email, in the expectation that I'll just get it when I come back. This often isn't idea at all, as there are serious benefits to getting it via email the way most IM currently works... it enables many more options in how I actually get it. Same deal for mailing list replacements... there are forums, etc., but tradeoffs go with that.
Unfortunately, it's not a situation I see improving any time soon. On the technical side of things, we've seen some new things introduced but no real silver bullets. SPF, Domain Keys, etc. Of course the idea to some is that using the new technologies in combination can lead to a solution greater than the sum of it's parts, ala Voltron, but because of the way things work on the internet as a whole... even if these things do pan out it'll be years until they have any serious effect. My inbox doesn't really have years. Don't even come to me with the ridiculous 'sender-pays' scheme, where you're charged postage for something that is, for all intents and purposes, data just like everything else. That way madness and stagnation lies.
The vast majority of spam comes from a relative handful of people, which you'd think would make it relatively easy to hunt these bastards down, and then shut them down. Unfortunately, the government has shown it's not really up to the job:
- There's been little legislation, which I guess I should quantify by saying there's been little effective legislation. There's been some at both the State and Federal level... but most of it does very little to actually stop the tide and instead just makes it easier for ZDnet to sell my information to Colgate or whoever else they're whoring themselves to this week, even though you have specifically taken a screenshot showing you clicked the box saying don't send me a damn thing.
- A lot of spam has money behind it -- which means there is a trail. Sometimes it's a weird and convoluted trail, but it's still a trail, simply because there's a lot of money there. If they're pointing you at a site that takes money in some way, there's a trail going back somewhere that can be followed. It rarely is, at least not to the degree that would be necessary to really start stamping on these people. My understanding is that most of this type of spam originates through Americans, or citizens of countries where this is considered evil, but goes out through people in countries where people could care less... people rarely disappear off the spammer halls of fame.
- The damn foreign ISPs often couldn't care less about what is and isn't going out over the networks, it's just too lucrative in a way. I'm not talking about a Bittorrent site in Sweden, but rather Chinese/Russian/Asian ISPs which get hammered with spam complaints, then take a month to deal with them after much pressure is applied. They do get around to kicking the spammer off their network, but of course they just somehow end up popping back up on the same network doing the same things. You might not be aware, but for a lot of these ISPs it's just a known quantity, and they have seperate prices for bandwidth being used normally and bandwidth being used for evil... and they just happen to charge a lot more for the bandwidth being used for evil. But they do sell it. We're not even going to mention Russia. The Russian government doesn't give a crap that there's some phishing site siphoning off credit card numbers, they don't even have laws against most of it.
- Much of, if not all of the above is exacerbated by the fact that more resources are put into tracking down a teenager snagging a copy of SpiderMan 2 than are at tracking down the people killing the infrastructure. More money, more lobbying, more everything is being pushed at China to enact new copyright laws than to shut down this kind of crap on their ISPs.
It might not seem like that big of a deal to you in the grand scheme of things, but this stuff is having a very real effect. More than 75% of all email sent now, globally, is spam. Some day it's more like 80%, but what's a few percentage points when it comes to spam? It doesn't really matter, it's just expected to get worse in 2005, and virus counts have grown at almost the exact same rate as spam has. Hell, half the spam now actually contain a virus...
All this crap: email spam, comment-spam, referrer spam, is actually affecting services you can get, and that are being offered for what price. It's actually affecting tuition costs at some Universities. A trickle of spam is almost negligable in the grand scheme of things, to the point of being 'free', but we're actually paying for it now. Faster hardware to handle the load, newer software, and worst of all: time. Software, hardware, all those options are relatively plentiful... but time is a finite resource.
You can only slice the 'time pie' so thin before the wedge just crumbles and you have no choice but to move on... Which means IM services better step up and start to kick ass this year, as I am starting to believe 2005 will be the year my inboxes die.
Posted by drunkenbatmanJanuary 20, 2005, at 05:40 AM
Comments (21)
Posted by: Carl at January 20, 2005 06:50 AM
I thought I had a chance FP, but when I reloaded after reading to see if I still did, Jon's comment was so cool, I didn't even care about missing it.
Anyhow, I would say that the severity of the problem depends on how socially wired in you are. I've only got 170 names in my Address Book.app, so, I'm a definite small timer at the email scene. My Yahoo mail usually gets 5 or so spams a week, but they all get filtered into the bulk folder. My usa.co.jp has no filtering whatsoever, but still only gets 10 or so spams a week. (Mostly virus mails from some guy at the India Times or something… Very bizarre.) The addresses for my other accounts are kept close to my chest, and don't get any spam. Back in university, the only spam I ever got was a Nigerian scam. My website's wiki has been spamed two or three times, but only on individual pages, so it was easy to clean up.
So, I would say that there is a real problem here, but the severity of it really just depends on who you are and how popular your site is.
So, the moral of the story: Damn, I *wish* I got spam like that.
Posted by: Chucky at January 20, 2005 06:53 AM
Fascinating look at the dysfunctional internet.
My personal solution is to just change email addresses once a year, and force my correspondents to deal with it.
---
And as long as I'm on the topic, can I interest you in any bargain Viagra, or perhaps some naked pictures of Brittney Spears?
Posted by: eLani at January 20, 2005 07:04 AM
Only you could write 20 pages about his spam problem... not sure if that is a compliment... but i keep coming back... also.... don't single out just bandwidth from outside the USA sold to spammers... it is true it is there but mostly through subsidiaries of larger hosters... and really the larger problem is with american hosters companies who sell pink bandwidth to other american companies... yes much spam and others comes through american bandwidth and not hacked boxes... the spammers want the big phat pipes...
Posted by: Alunn Cs at January 20, 2005 08:19 AM
Ah.... Voltron.
Actually I've noticed a lot of talk about referral spam lately on other blogs. Maybe that means spammers are feeling the pressure and moving onto something new?
Posted by: vastheman at January 20, 2005 08:25 AM
I hate the spammers. One web site I was operating started attracting so much spam sent to random usernames that the hard disk would fill up within 24 hours! No kidding! So I had to configure it to bounce all e-mail sent to unknown addresses.
But the weird thing is, I haven't been careful with my e-mail address. It's posted all over the web. Yet I get roughly one spam message every three months. I just don't get it.
Posted by: Kint at January 20, 2005 09:13 AM
My solution is fairly effective, but a bitch to maintain / use.
I have a GMail account, which I use for mailing lists, and websites that require login credentials to be sent to you via email.
I have a personal email server, on which I filter incoming email and allow only specific people to reach me (think ACLs for your email). Only friends, and business associates can reach me there. Right now I'm doing this with procmail, which is not the most elegant way of doing it. I'm thinking about moving this on the postfix side, where the email won't be accepted at all unless it comes from a verified source.
As for the GMail account, when it gets to the point where I can't tolerate wading through the filth to get to the info I need, I send myself an invite and start anew.
Like I said, a pain. But it works.
Posted by: mindflayer at January 20, 2005 11:04 AM
"Anyone who has a popular MovableType-based site has seen what lots of concurrent comments being left, or concurrent even searches, can do to a server."
Hell, my blog is not popular at all (despite the odd links I get), and I am deluged. It sucks.
As far as email - I have tried about everything. I work for a company who is a leader in this field, and we block more than 1B spams a day. For someone running his own small mail server, though, it's a bit harder to do pre-delivery heuristics, since it's just you and a handful of others. I use spamassassin, but it's not fool-proof, and spammers are constantly pushing the capabilities, so some spam slips through. I also use Entourage's junk mail filter, but it's not foolproof, either.
Hidden email address? I have an email address on .Mac that I have never used anywhere. I still get from 5 to 20 spam messages a day there.
Posted by: Aurora at January 20, 2005 11:07 AM
The weariness I feel after reading this entry resonates deeply. There's something fundamentally wrong when ordinary users have to take up such arms just to use email. I mean, massive spam trafficking ought to be punished as harshly as drug trafficking. Time is a precious resouce and these subhumans are stealing our lives from us.
Posted by: Twist at January 20, 2005 02:30 PM
Another big problem that needs to be tackled are all the damn zombie PC's around that are being used to send out thousands if not hundreds of thousands of pieces of spam per day per machine. My sister betrayed me recently by buying a Dell and in less than a month she managed to collect about 8 different spyware/adware/malware things that Adware was able to detect and remove and half the time she can't even connect to the internet because the 802.11g card in the thing is so crappy (she gets like 1 out of 5 bars on it but my iBook will get 3 out of 4 sitting right next to it).
I don't do a lot of emailing but that doesn't prevent me from receiving spam. Back before I went broadband I probably didn't keep the same email address more than six months or so, but now that I have had the same account for five years I get way more than I care for. I use a major ISP (SBC ick) but I am lucky that I have a domain that they stopped using for new member accounts a few years back. I can only imagine how much spam people get on the more common domains. That said on some days nearly 100% of my email is spam. I use Mail in training mode still because I don't trust it with my real email. So I let it highlight what it thinks is junk and then I manually scan it all myself.
As far as comment spam goes I haven't had to deal with that but I wouldn't think it would be bad enough to switch to WordPress from MovableType which is a much better system overall IMHO. Of course I am lazy and use Blogger but even it is better than WordPress.
Posted by: ryan king at January 20, 2005 03:00 PM
There is a solution to spam. If people would just not click on spam links, there would be no financial incentive to spam (besides google-juice). As it is, spam works for the spamers and that is the problem.
Posted by: Mike at January 20, 2005 04:06 PM
I really don't know why but I am not hammered with spam, ever. I get about 5 spam messages a month which I simply 'bounce' with OS X Mail (sends back a faked 'this address does not exist' message to the sender). I don't use my email often I have to admit, and I gave up on a hotmail address a long time ago. I personally use fastmail.fm which gives me decent IMAP, webmail and spam filtering (which I don't use!) for a small one-off fee. I converted my mum to a yearly $19.99 account with them from a very slow webmail server and she likes it too. Maybe I'm just lucky, I guess!
Posted by: Adrian at January 20, 2005 04:11 PM
I guess what Ryan is suggesting is already happening. People got educated and know spam from actual mail. Problem is that since email sending is virtually for free, spammers just increase their effort. This could be viewed like the final bloating of a star before it finally breathes out its existence and finally collapses. While this picture is a nice thought when applied to spam I think the situation will just get worse and worse until maybe the infrastructure starts to collapse every now and then under the pressure caused by all this traffic. The problem is that all the important people who are supposed to act and also have the power to change legislation don't suffer from the problem of spam. They have their secretaries or their staff reading the mail and sifting through the piles of spam. Without awareness there's no need to act for them.
Posted by: Robert Briggs at January 20, 2005 04:32 PM
You can only slice the 'time pie' so thin before the wedge just crumbles and you have no choice but to move on... Which means IM services better step up and start to kick ass this year, as I am starting to believe 2005 will be the year my inboxes die.
You're not alone in your frustration! I think we will see more "push" services crop up, like IM and RSS, to take the place of email. It's simple, the technology companies have failed us by not acting soon enough, and the bandwidth companies have a conflict of interest and do not track down spammers like they could.
Posted by: Tarous Zars at January 20, 2005 04:32 PM
I have a nobody site for an archaic video game, that gets hardly any traffic.
About a month ago I dropped MT because I was getting so much comment spam.
I decided to write my own solution because I want to use it on a family website and they need simple.
Movable Type is Cool.
But it isn't worth the spam.
Posted by: Jeremy at January 20, 2005 04:40 PM
You might want to look in to TMDA for you spam email problem. I get upwards of 500 spam emails a day. I have not seen but one sense installing TMDA 2 years ago. Some people find the idea of Confirmation/Response not to their liking. I myself swear by it, I have my inbox back. After the initial setup, whitelists, mailing list rules, and checking tmda-cgi everyday for the first two weeks (just in case). You have nothing to do after that. It just works.
-Jeremy
Posted by: Cap'n Hector at January 20, 2005 05:07 PM
Well, I've got two comments here…fairly simple ones.
I've got a bunch of full e-mail accounts…with disk space, servers etc. I get the most spam on Earthlink, then .Mac. Oddly enough, my own mail address is pretty unaffected. (me at caphector dot com). When I sign up for something I'm suspicious of, I create a forwarding account for that domain that forwards to my main account…and I have one or two address that I change for "static" temp addresses. This lets me track where stuff is being set from, but without the catch-all disadvantage. Regrettably, I do have to create a forwarding account each time, but it works for me.
As for blogging software, I use BBlog for my little review site. No comment spam, but it's not static…it uses a normal MySQL backend for posts. If open-source gives you the warm fuzzy feeling, it's GPL'd.
Posted by: bonaldi at January 20, 2005 10:28 PM
Email spam: I totally solved my spam problem (and I'm a big email user) by using www.sneakemail.com for all my online addresses. My 'real' address only gets given out by my voice to another human, while I use one of the generated aliases every time I need it to be machine-readable. The address used here is an example.
If spam starts coming in to a particular alias, I just delete it and generate a new one. If I change my real address, I just tell sneakemail and all 80-odd of my aliases are redirected to it.
In the past month, I've seen three spam emails. All three were done by address guessing. If you're think you're going to give up on email, why not have one last go at starting afresh?
Posted by: Fazal Majid at January 21, 2005 04:13 AM
I used to have a catch-all domain, but had to move because of dictionary attacks. I now have one personal domain and a domain just for websites, merchants and the like. I create addresses in the latter manually, but could as well have used a hashing/checksum scheme combined with a revocation list. Migrating required me to write Python scripts to data-mine my Outlook mailbox for all addresses. The fact I am an email pack rat helps (I have pretty much all my personal email since 1994 on file).
Comment spam was predictible, so I dropped comments as soon as I migrated away from Radio Userland 2 years ago.
Referrer spam is a nuisance, but I have a script that catches 99% (with a 5% false positive rate). As a side-effect, it gives me a chronologically sorted list of new referrers to my blog.
Posted by: Squozen at January 21, 2005 06:57 AM
Spam Karma keeps my comments spam-free, and I've also installed a nofollow plugin to stop comments from benefitting a spammer even if they DID slip one past me.
OS X Mail is keeping what small amount of junk I get on my 'spam' email account under control. My other accounts don't get spam as I don't use them for anything beyond personal correspondence with non-asshats.
Posted by: Erik Hollensbe at January 21, 2005 08:31 AM
Andrew Chen over at AndrewSW.com has had a lot to say about this as well - him and I briefly discussed talking about a PGP-based system, circling around the concept of the "Web of Trust", which is a popular concept majorly in the GnuPG circles - that is, you trust one person, and you trust (to some degree) all the people that they trust as well. For sites that have trouble with comment spam, they could only allow "trusted posters". This would blend well with the metaWeblog API.
I really would like to get the ball rolling on this, but neither Andrew or I really have the time to persue such things at the time. If anyone is interested in actually taking the steps to do it, I would be happy to provide counsel on the issue.
It's enough to drive a man to drink.