US Military Looks For Massive Spam Solution 228
Several users have pointed out a recent request to technology companies from the Defense Information System Agency for ideas on how to build an e-mail defense system to catch spam. The solution would have to scan about 50 million inbound messages a day across some 700 unclassified network domains. "Defense currently scans e-mails for viruses and spam coming into systems serving the military services, commands or units. DISA wants to extend the protection to the interface between the Internet and its unclassified network, the Non-classified Internet Protocol Router Network. The agency also wants the ability to scan all outbound e-mails from the 5 million users. [...] DISA's request ties in with recommendations that the Defense Science Board issued in April that said Defense is more vulnerable to cyberattacks because of its decentralized networks and systems. The board envisioned a major role for DISA in developing the architecture for enterprise-wide systems."
Only one way to be sure (Score:5, Funny)
Nuke spammers from orbit.
Comment removed (Score:5, Insightful)
Re: (Score:2)
I've experienced a recent oddity. My public gmail account still traps and disposes of the usual range of adverts for pilules, fortunes from various dubious sources, and enlargement schemes. My business address has been suddenly deluged with adverts for otherwise-legitimate products; for example, garden plants and seedlings from known nurseries; "art" tchochkes from various "limited edition" emporiums, and golf and fishing equipment, and camping gear from known sporting-goods outlets. My server traps and bla
Re: (Score:2)
This one's simple: They are sufficiently new and different enough for the bayesian filter no not declare them spammy* enough.
* Yes, I just made that word up, and I'll sue you if you do *not* use it. ^^
Re: (Score:2)
I say spammers are natural selection at work. Let them be. As long as it takes power away from the retards, it's a good thing. ^^
Re:Only one way to be sure (Score:5, Funny)
Spammers can send, literally, infinite numbers of spam messages
You keep using that word. I do not think it means what you think it means.
-1
In discussions about very large numbers, "infinite" can be applied to numbers so large they might as well be infinite.
Re: (Score:2)
The poor kid has an uncle who is on /. - I'm not really sure the poor kid had a chance to begin with.
Re: (Score:2)
You keep using that word. I do not think it means what you think it means.
I think he means long term. Assuming long as there is an internet, spam will still be sent infinitely.
Possibly long after the sun burns out and heath death starts to kick in.
Perhaps we will have spam filters large as Jupiter in the future to deal with the intergalactic spammers trying to sell hapless aliens anti-black hole kits.
Re:Only one way to be sure (Score:5, Insightful)
In which case the proper word would be indefinitely.
Something that lacks a definable limit is not inherently infinite.
Re: (Score:2)
Incorrect.
Infinite can just mean an extremely large unknown number.
read up
http://en.wikipedia.org/wiki/Infinity [wikipedia.org]
Re: (Score:2)
Let's move on to the word "literally" then.
Re: (Score:2)
6i/2=3i
Re: (Score:2)
I mean
6/2i=-3i
Re: (Score:2)
Re: (Score:2)
How did we manage to get to where "Weapon of Mass Destruction" became a Euphemism for ABC weapons and not a weapon that causes massive destruction?
Re: (Score:3, Funny)
2. Rendition them to afghanistan
3. ?
4. Profit.
Re: (Score:3, Insightful)
You assume that spammers have a network to attack. I assure you, they do not. All this spam is coming from large networks of zombie machines. To launch a cyberattack on the source of the spam would effectively be a scorched Earth tactic. It might get rid of your spam, but it will also get rid of the architecture you're defending...
its pretty simple (Score:2, Interesting)
Establish a "fine" network.
Another mail network sends you spam?
You fine them.
They in turn fine whoever sent them spam.
Whoever does not pay then fine, gets turned off.
Nope, try again. (Score:3, Insightful)
Then I cut off you. After all, you didn't pay. Now no one on my network can email anyone on yours.
Back to the old drawing board.
Re: (Score:2)
Another idea: when anyone signs up for an account with an ISP, they put a small amount of money (let's say $10 just for sake of argument) in escrow. If their accounts are terminated because they violated their contract with the ISP, the escrow is forfeit to the ISP. If they terminate their account normally, the escrow is returned to them.
Now for most people, putting up $10 once when they sign up for internet service isn't a problem and they're going to get that back when they stop using that ISP. But th
Ten dollar tent (Score:3, Funny)
Re: (Score:2)
You're right. We need to use a MIRV ICBM [wikipedia.org]. We'd nuke multiple sites from orbit. It's the only way to be sure.
Re: (Score:2)
AIM-54C (Score:2)
Phoenix means you never had to say you're sorry.
Re:Ten dollar tent-Reconsider (Score:2)
If it actually is the botnet control center then it's probably worth taking out. And maybe you'll get the operator with it!
The military?! (Score:4, Funny)
Great, and then there will be secret abductions of spammers who are sent to Guantanamo without trial or hope of quick appeal. There will be water boarding and sleep deprivation and acts of humiliation.
Really, I think that my point is that it's not severe enough.
Router level solution (Score:2)
I don't understand why routers can not be programed to limit the number of emails it receives from a single source. For example, if a router detects that 10,000 emails are coming from a particular host, treat that host as if it's perpetrating a DOS attack. Routers can be programmed to ignore DOS attacks, why not use the same tech to block massive spamming?
Re:Router level solution (Score:4, Informative)
Because spam doesn't work that way anymore. It comes from botnets where each individual zombie only sends one or less messages to the target and need only send out 20 or 30 each day total to still be effective.
Re: (Score:3, Interesting)
Because spam doesn't work that way anymore. It comes from botnets where each individual zombie only sends one or less messages to the target and need only send out 20 or 30 each day total to still be effective.
First, I wonder about the 20-30 messages a day bit. There are roughly 150 billion [mywot.com] spam messages sent daily. There are 6 billion people on the planet. In order for your 20-30 messages a day number to be correct, that would every man, woman, and child on the earth would need a computer and every single one of them would be part of a botnet.
Next, if we are assuming that your 20-30 number is correct, I assume many of these messages are identical or similar enough to be identified. I know I get several repe
Re: (Score:3, Insightful)
Whats the difference between legitimate listserv messages and spam in your scenario?
Re: (Score:3, Interesting)
Whats the difference between legitimate listserv messages and spam in your scenario?
Excellent question. Companies that send out legitimate mass emails would need to be added to an "allow-list".
I know, it sux, but the benefit of no spam outweighs the pain of asking legit listserv's to register.
Re: (Score:2)
Who defines "legitimate"? I'm sure that (if they could get away with it) some people at Microsoft would say that messages to the Linux Kernel Mailing List or from Apple are not legitimate mass emails, and I'm sure there are some fanatic followers of Linux or Apple who would say the same thing about any emails sent out from Microsoft.
Who determines which companies are allowed on the "allow-list"?
Can companies be remo
Re: (Score:2)
First, I wonder about the 20-30 messages a day bit. There are roughly 150 billion spam messages sent daily. There are 6 billion people on the planet. In order for your 20-30 messages a day number to be correct, that would every man, woman, and child on the earth would need a computer and every single one of them would be part of a botnet.
You make the error of assuming spam sending is distributed evenly. Compromised systems at large corps and government offices can easily send many orders of magnitude more spam and still get lost in the noise of legit email from their sites.
There are only so many routers that lead into the US, set these up to monitor email traffic (is it port 22? 25? I don't remember)... and look for patterns.
That's an increase in workload that is many orders of magnitude larger than what even the largest routers do now. Furthermore, the US has the second highest zombie infection rate in the world, so border routers aren't all that useful and sending the cops after people wi
Re:Router level solution (Score:5, Informative)
That's because you want a router to do something it doesn't care about. That would require full layer 7 visibility on the router - then it wouldn't be nearly as good at doing what its supposed to: routing.
Most routers rarely look above layer 3. Occasionally they'll do some layer 4 stuff, but that is best left to firewalls or load balancers.
Also, routers aren't programmed to ignore DOS attacks. They're programmed to ignore very specific types of DOS attacks, sometimes.
Re: (Score:3, Interesting)
Would it really require "full layer 7 visibility on the router" to count the number of port 25 messages coming from each host? I would assume the biggest problem would be the memory involved in counting the messages and keeping that count in RAM for each and every host, keeping track of which hosts are blocked by each router and every other router (national database) and securing the system so that some hacker can't get in there and put every Microsoft IP into the black-list.
Still, I don't see these proble
Re: (Score:2)
Also, not how SMTP works.
Counting connections themselves is pretty near useless, as SMTP is designed to allow single connection to dump large amounts of separate email. Often cases you'll have SMTP connections from places like hotmail or gmail connect once and dump dozens/hundreds/thousands of emails. This happens even more for mailing lists.
It can be done, but not at the router level. This is why appliances such as Ironport exist.
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
Re: (Score:3, Insightful)
(X) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the mone
Re: (Score:2)
I know, they can pipe their email thru' Gmail ....
oh wait, nvm :P
Re: (Score:2)
(X) Mailing lists and other legitimate email uses would be affected
Legitimate mass mailers would require a registration to be placed on an allow list. Of course, spammers need not apply. Licensing fees could even be charged for this list to pay for the program, but that may not be fair.
(X) Many email users cannot afford to lose business or alienate potential employers
Like who? Spammers? If you send less than, say, 10,000 emails a day, you shouldn't have to worry about anything. If you do legitimately send that many emails, see my response to your previous complaint.
(X) Open relays in foreign countries
How many "pipes" are there at US borders? Put filters on all of these.
(X) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
Machines that
Re: (Score:3, Informative)
As a sibling post pointed out, this checklist is used whenever there's discussion of solutions to the spam problem.
(X) Mailing lists and other legitimate email uses would be affected
Legitimate mass mailers would require a registration to be placed on an allow list. Of course, spammers need not apply. Licensing fees could even be charged for this list to pay for the program, but that may not be fair.
What if I'm a legitimate mass mailer who, say, wants to organize political protests? Who may not want their activities on a government list?
(X) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
Machines that have been zombiefied would be cut off from the web at the router level. They will be allowed back on once their ISP can verify they have been de-zombied.
How long do you think AT&T and other broadband ISPs would put up with this? All the customer sees is "My Internets is broken. $ISP sucks, I'm switching." Also, if there's a 10000 per host limit (over a particular period), 9999 * 10 million is a pretty s
Re: (Score:2)
I'd forgotten about this form letter; thanks. I needed a laugh on a Friday afternoon...
Re: (Score:2)
Re: (Score:2)
I don't understand why routers can not be programed to limit the number of emails it receives from a single source.
If you're asking whether a router can can impose limits such as the number of simultaneous connections allowed from a given host, or the rate at which new connections are established, then yes, that's perfectly do-able and good sense for not just SMTP traffic. Restricting the receipt of email messages, however, is a very different problem as has already been pointed out. That's not to say tha
Re: (Score:2)
There is a legal definition to SPAM, so I could want to send out, say a million political email, it isn't considered spam.
SO basically you are cutting an avenue for political speech.
And no, I don't give a crap about your definition of SPAM. Wide scale Solutions must only consider the legal definitions.
Of course your sig certianly implies an inability to think beyond what ever thing happens to pop in your head, so I don't expect expect your idea to be well thought out.
Why bother with an IT solution? (Score:5, Informative)
I'd certainly appreciate real action like getting rid of spam than for the CIA/US Military to spend time chasing down far fetched terrorist plots. I'm constantly stunned that given the damage spam creates, special branches aren't more active in tracking and _eliminating_ the sources of these things.
Re: (Score:2)
Seriously, it's less than two dozen guys pumping out 90% of the spam in the world.
Do you have a source for this? It's interesting...
Re: (Score:2, Informative)
Re:Why bother with an IT solution? (Score:5, Informative)
The numbers I had in my mind are an outdated estimate I've heard a couple of years back. It's good to remember to question information and it looks like I forgot about keeping my assumptions up to date...
Re:Why bother with an IT solution? (Score:5, Funny)
Only 200? I buy 50 round boxes of 9mm for about $12/box. Spam is a problem that could be solved for $50.
Re: (Score:2)
Why does everyone think these people don't ahve security?
I dare you to try and shoot one of these bozos.
Re: (Score:2)
I'm dying to know what the extra $2 is for. Convenience charge?
Re: (Score:2)
Who would be replaced in minutes.
Re: (Score:2)
He's saying the guy is pulling stuff outta his ass, mods.
Geez, one Wikipedia mooning and the downmodding begins in full force.
Re:Why bother with an IT solution? (Score:4, Insightful)
I'm constantly stunned that given the damage spam creates, special branches aren't more active in tracking and _eliminating_ the sources of these things.
But no one yet understands the damage spam creates except for those of us with an IT bent. Back in WWII days and directly after, Radiation was your friend. It could do everything for the man of tomorrow! The first people to learn how dangerous it really was were the scientists getting really bad radiation poisoning and cancer. Even after that, it took a while for the public to switch from Radiation==Good to Radiation==NotGood, and even then, they over-simplified to the point that people still fear irradiated foods (which are not radioactive).
What we need are some public service announcements: "Unrequested mass mailings use our nation's internet bandwidth, reducing our GDP, making it easier for the terrorists to win, and have a carbon footprint equal to 5,000,000 cattle, a Rush Limbaugh, and a Michael Moore. You can do your part to help! Change your email default viewing to 'text only' so you don't load their images. Stop clicking on their links. Send them to your junk folder. Report them if your email system has a spam-reporting function. Like Spamsy the Cat says: 'I may be lazy, but even I can stop spam just by doing nothing!'"
Re: (Score:2)
Well, you are clearly over the top, but the best way to fight spam is with education.
Don't pass it on, recognizer something questionable, what to do if you gt something questionable, and some things you can do to prevent SPAM.
No product recommendation from any for profit Anti-virus/spam products.
Re: (Score:3, Funny)
To go a step further, what happens if it can be determined that the spammers are enemy combatants waging war against the United States infrastructure?
In other news today, US Military Drones attacked 200 hundred spam headquarters in coordinated action last night. Anti-war protestors took the streets by the thousands to show their support...
Unclassified? (Score:3, Funny)
The US Military already has a solution. (Score:4, Funny)
Bounce confirmation whitelist (Score:3, Interesting)
Re: (Score:3, Informative)
Re: (Score:2)
This can be fixed with "white words" - certain things that are unique enough to the type of email that you might get to be considered a pre-confirmation. This is particularly important for getting electronic receipts - as the servers sending those out aren't going to participate in a challenge response. But they're pretty likely to have used something like your name, zip code, or other piece of text you don't find in Spam very often.
Likewise, using a subject line code word can allow humans to send more gen
Re: (Score:3, Informative)
Oh, so you are now a source of spam and back scatter since every single email address that sends a message to you (forged or otherwise) you reply to it as it were a legitimate message. Thanks for contributing to the problem and making it more likely I will not ever contact you via email. One of the reasons e-mail became so heavily used and therefore depended upon is the ease of communication. If you require a manual or auto (like yourse) moderated permission to communicate I guess I will just have to go to
Re: (Score:2)
Also, a friend's yahoo account was compromised, so I started getting email "from him" (except not really). Not even whitelisting protects you then. (But the worst part was, my "real" email address was in his contacts list, so after 7 solid years, it was compromise
Re: (Score:2)
The Challenge Response Authentication Protocol is crap. Most humans don't answer the question either, and just go away. Some of us block the sender as a spammer.
Re: (Score:2)
That's old school. Considering the from address is usually faked in suck large quantities, you will get SPAM from people on your whitelist.
This was a good solution years ago, and it's is a good step now, but it's effectiveness is limited.
Wouldn't it be nice? (Score:5, Funny)
For this rare instance I would certainly condone a few black ops. Find the people who are responsible, capture them, torture them and if they are bad enough, kill them. When there is money involved, it should be trivial to follow that money back to the people who collect it.
This also gives me a great idea for a movie sequel to "Taken." '...I have a very special set of skills... I will find you and I will kill you.' '//good luck//'
Yeah, I would totally watch that...
Re: (Score:2)
The responsible part of me wants to say this isn't an appropriate use of the military.
The email user in me wants to make sure this "black op" sends them some place where torture is legal.
-Steve
Re: (Score:2)
Just take them to a US base. Duh. :P
Re: (Score:2)
Yah, but the US bases only use the Wishy-washy tortures like stress positions (which, according to Army Lawyers quoted in the report on torture is probably a violation of the UCMJ and possibly torture)
I wanna see these guys put into iron maidens, and their balls shocked with electricity until they turn black and fall off. Slowly cut after cut administered to their skin.... oh yah take that spammers!
-Steve
Re: (Score:2)
Its the same thing as with the whole "Extended car warranty" companies that have been violating the do not call list..
Why doesn't someone at the FTC just answer a call or email, and just give them a credit card number (that is arranged ahead of time with the CC companies) and follow the stinking money trail!?
In other words ... (Score:4, Insightful)
NOT!
Here goes another few hundred million .... *sigh*
If we really believe in taxation without representation then my unborn baby should be able to vote already ...
Re: (Score:2)
Obligatory checklist (Score:5, Funny)
The Defense Information Systems Agency advocates a
(X) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. The idea will not work. Here is why it won't work. (One or more of the following may apply to this particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(X) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
(X) Susceptibility of protocols other than SMTP to attack
(X) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(X) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(X) Ideas similar to this are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(X) Blacklists suck
( ) Whitelists suck
(X) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(X) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(X) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(X) I don't want the government reading my email
(X) Killing them that way is not slow and painful enough
Furthermore, this is what I think about them:
( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and they're stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Re: (Score:2)
Interesting that the checklists don't match, isn't it? Does that say more about the problem... or the people (excuse me, this is slashdot: "guys") filling in the checklists?
Re: (Score:2)
Well, we had a slightly different set of concerns. Of course, mine is redundant because I took 6 minutes longer in filling it out.
Easy enough to do (Score:2)
The thing that most people don't get is that the spammers are known. We know where they are, we know who they are, and how they work. Cash does get traced, and it can't be hidden all that well.
The problem is that most of these cretins are either in countries that have governments that don't care, have no laws against this, or have better things to do. In some cases, they are, or have purchased the government.
So, since we know who they are, where they are, and many of the details, the solution is simple.
The
Re: (Score:2)
"You can be a cop or a soldier, not both"
Don't send police to do the military's job, then?
OMG (Score:2)
How many more times can i explain this, the ONLY foolproof model, is to charge per email sent, even if it is .01 of a cent, this will force not only the bad guys to spend money, and leave a paper trail for those using their own servers..which will then tend to up the bids and make alot less sense to use spam to send advertising per capital.
This would also be a quick sure way to let someone know they have been compromised, they could have
a first offense 100$ cap for emails sent from their PCs, then 500$ cap
Re:OMG-Second This (Score:2)
I'll second you on this. As much as I love Free - and Free really is and always has been one of my most favorite things - an economic solution to this is by far the best approach to this. Give the money to the person receiving the e-mail - e.g. you pay me to receive your message - and I can use that as credit against e-mails I send myself. Then I might even accept that crap - before
Re: (Score:2)
Let's get this straight - who gets charged?
If it's a bot sending the mail, do we charge the owner of the pwned computer (who won't really notice), or the owner of the botnet?
Do we charge based on sending address, in which case anybody can be bankrupted with a sufficiently large Joe job?
Some variation on this plan might have worked ten years ago. It's hopelessly obsolete now.
Letters of Marque (Score:3, Interesting)
Yeah there's a solution, it's cheap, and it's even explicitly in the Constitution: get Congress to issue Letters of Marque.
I'm sure there are plenty of people who would take care of the problem for free, if only they got suitable permission.
Dunno if it's been said, yet, but... (Score:2)
Simply make an e-mail whitelist for that network. It's not that hard. Deny all external emails except for external authorized users (IE They're logged into the network thru a VPN or something) and basically deny any email outside of defined IP addresses. That should cut about 90% of your problem.
Wanna kill the other 10%? Get your network offline and keep it to internal usage only.
Massive spam or massive solution...? (Score:2)
I'm confused!
Partner with Google (Score:2)
Echelon (Score:5, Funny)
Change the word table from:
"Bomb", "Terrorist", etc...
to
"Penis", "Pen1s", etc...
then
Give Chuck Norris a call.
We need a whitelist that doesn't suck (Score:5, Interesting)
The only solution is to make a system that uses a whitelist. But whitelists suck. So we need a whitelist that doesn't suck.
The first step is to have all the email clients start digitally signing emails. It is trivially easy to forge the headers on an email, so it would be stupid to trust them for identity information.
The second step is to have email servers check the identity against the whitelist. If the digital signature is invalid, or the credentials are forged (message was digitally signed, but the announced public key of the sender doesn't match) the message is trashed, with no error message sent. If the signature checks out, but the sender was not on the whitelist, the message bounces back to the sender, with an explanation ("you weren't on the whitelist, sorry").
Okay, but whitelists suck. If my best friend from college wants to track me down and send me an email, I want him to be able to do that; but I don't know his email so he's not on my whitelist. So, we need a solution to this problem.
My proposed solution is that your email server should advertise a list of ways that you will accept to bypass your whitelist for a message. One possible way: attach a micropayment of five cents. Another way: attach a certificate showing that your computer worked for an hour on some worthy problem like protein folding at home or something. Another way: here's a URL of a web page; it contains some riddle... attach the answer to your email. I'm sure you can think of other schemes to make it possible for a friend to bypass your whitelist while not enabling zombie Windows clusters to spray spam into your inbox.
There are other refinements possible. Your whitelist can accept, not just individual signatures, but "badges" from some organization. So, anyone from Mozilla.org can attach a Mozilla.org badge to their emails, and I can allow all Mozilla.org emails through. IEEE member badge, SourceForge.net badge, Apple.com badge, go nuts. Even an organization of "I Swear I Will Never Send Out Spam". The key with the badges is that, if you get kicked out of an organization, you have to lose access to the badge. One simple way would be for the check to be live: if you attach a Mozilla.org badge, the Mozilla.org server had better agree that your identity is one known to it.
The current email system is a "Default Permit" system (the #1 dumbest idea on this list [ranum.com]). It has to change.
This system would run on the infrastructure we already have, with a few additions. You could have one account with the whitelist, and another account without... but the one with the whitelist is the only one that pages you, or whatever. The important thing is that this doesn't require everyone in the whole world to adopt it before it starts to become useful. Mailing lists would still work, because when you sign up for a mailing list you would add that mailing list identity to your whitelist (probably a badge, such that members of the mailing list are then cleared to email you directly, through the badge).
Someone may claim that validating public key signatures is computationally expensive. No, not compared to running complicated heuristics over the content of a message, trying to guess whether it's spam or not (SpamAssassin and other systems). With this system, the server doesn't attempt to classify a message. Either it passes the whitelist, it's bounced back to the sender, or it's deleted. Done.
Now, if you have found a hole in this idea, you will score bonus points by explaining how to fix it, not merely pointing out that I am an idiot.
steveha
WoT the whitelist (Score:2)
Publish/share whitelists. You haven't whitelisted your friend, but somebody has. Find 3 people who say "this guy is not a spammer," who themselves (recursion alert!) are not spammers.
In other words, guess their spammer rep the same way you guess whether or not to use an OpenPGP key that you haven't pe
Uh, we scan about 50 million messages a week. (Score:5, Insightful)
9 servers. 50 million messages a week. Those 9 servers cost maybe $3,000 each. We have 9 servers because we want some redundancy. So let say you multiply that by 7. So you get ~50 machines to handle the army's volume. $150,000. Plus all the extras, so multiply that by 6. That's about a million dollars.
Seriously? From the article they say it would cost $100 million. Do you really think that is going to cost $100 million dollars? Seriously?
WTF. I need to become a DoD contractor.
Re: (Score:2)
You for got to then times that by 100 that is required for the DOD to write any check. The extra zeros are simply printed on the checks to save time.
Re:Uh, we scan about 50 million messages a week. (Score:4, Insightful)
Ok, now you can't just stand up 50 machines to handle email. They have to be coordinated (and load-balanced).
Plus you have to have test and dev boxes. (Because you aren't doing that on live boxes, right?)
So, lets add a few high-end ethernet switches in. And don't forget things like DNS boxes (to cache, so you have decent performance for all the DNS lookups most spam systems do these days), and a few really high-end firewalls. Oh, and racks to mount these all in, plus cabling. And a power supply. (Not the ones in the boxes, the one outside the building converting the mains power to 110. You'll need at least one extra.) Oh, which reminds me: Better have a backup generator. And a failover UPS for the whole place.
Heck, you may need a new building to put all this in. Which will need an HVAC system, of course.
Oh, and those machines won't run themselves. So you'll need to hire a few people; fairly qualified admins.
Which mean they need desks, computers, monitors, chairs, phones, pagers, possibly laptops.
And it's a decent-sized team, so remember to fund their manager, and possibly an HR person for them too.
We haven't mentioned the actual data line yet. It's going to have to be a big one, probably installed especially for this. Oh, and you'll want it redundant. So, make that two. (And better remember how much it is going to cost just to negotiate for those lines: That's several man-months of time, most likely.)
Of course, we haven't talked software yet: Likely you'll want Unix/Linux, but for this you'll probably want an official support contract. Which covers the OS. We'll also want one on whatever anti-spam package we are using. And possibly one on a monitoring package, to help keep track of when it is up. There may be others as well.
Oh, and for full redundancy, you'll probably want to set up at least two separate sites. So, double most of the above. (We'll use the same admins for both.)
Hmm. Haven't talked backups yet. That's probably going off-site. A few more computers, a tape machine, off-site transport, admins to run all of it...
So, um, how long is that $100 million supposed to last for anyway?
Kill The Spammers (Score:3, Insightful)
For *once*, "world police" sounds good to everyone (Score:2)
Seriously. You have troops, agents and all. Just shoot them. And if they are in another country, and that country refuses to extradite them, invade 'em. It's what you do best, and for once, everybody on the whole world could agree. Even North Korea and the Taliban. ^^
It's simple, really.... (Score:4, Interesting)
....You hunt them down and kick their asses.
Cops and prisons exist for a set of very real reasons. Applying technical 'fixes' to what is a criminal enterprise is like busting your ass building ever higher and ever thicker walls around your house: If you don't deal with the root of the problem, the criminals themselves, all you're doing is delaying the inevitable.
Everybody up to this point has been engrossed in spending all this time and money building ever higher and ever futile walls, ceding the world of the Internet to the criminals while we try to make our tiny little pieces of turf 'safe.'
Personally, I think it's time we took the Internet back.
'Nuff said.
centralize! (Score:2)
Oh yeah, centralize that. Good idea. Then only one system needs to be compromised -- I mean only one system needs to be defended.
Hmm, didn't somebody here mention people with guns?
simple solution (Score:2)
bomb the spammers.
Yeah, "spam." (Score:2)
I'm sure that's what they want to scan all of our emails for. Certainly.
This has potential (Score:2)
This could be useful. It will result in an official DoD list of known spammers. That will make prosecutions easier. And the "attack on Government computer" provision in the Computer Crime Act will apply.
If someone from DISA pushes hard enough, the FBI can be tasked to take down the top spammers. It doesn't matter where they are; if the U.S. Government is annoyed enough with them, they can be shut down. That's what the State Department is for.
If one spammer a month went to jail, there would be a hug
Re: (Score:2)
Spammer have gone to jail. note the lack of less spam.