Ah yes – after a few weeks of doing the holidaze thing I finally came back to check on comments and to make a new blog post and what do my wondering eyes do appear but 550 spam messages awaiting moderation.

Note to Spammers: What part of ALL COMMENTS ARE MODERATED are you failing to understand. – SHEESH!

550 spam messages in 3 weeks. I don’t know whether to be impressed or insulted. I’m thinking insulted as all of them are for drug companies and nothing for anything really all that great either. I mean really – amoxicillin? Just how many people are out there with ear infections anyways. Not one good product offering in the lot. No timeshares or toys or sex novelty items or vacations. Heck – I get better spam in my regular email than I do here.

Maybe this is a question of whether we are reaching a better class of spammer. I have a hard time buying this thou because a number of the IP addresses are spoofed and following some of the links you get into these round about situations where you aren’t actually taken to someplace where people can make a purchasing decision. As any good sale person knows – if you are going to sell someone make sure you have a contract in hand and don’t have to run back to the office to get one. The last thing you want to do is allow people to actually THINK about their decision until after the ink is dry and the contract is non-revocable.

Supposedly, the lastest stats to have out suggest that people who actually do fall for spam comprise only 1% of 1% of 1% of all spam messages that go out. So on a typicaly email campaign that equates to 20 sales for every 20M emails. While the cost to send out 20M emails is fairly small I really wonder how much money the spammers are pulling in compared to those that sell the “marketing” lists.

Of course then there are other purposes behind spam which are more nefarious. Finding email addresses which are actually valid – servers which have firewall gaps. These types of things. Much of the illicit spam that is being sent out there is the result of innocent people’s computers being compromised. Lack of firewall software and malware protection.

A number of governments are trying to find legislation that will actually work in order to solve the spam problem. Policy alone however I doubt very much is the answer. In order to really solve the problem we likely need to redefine the simple mail transport protocol (SMPT) and include sampling intrusion detection at key routing points throughout the Internet backbone.

First – you need to get some idea of whether an email is being spoofed or not. It is actually very easy to spoof an email and ip address for mail. For direct connections to something like a blog its a bit harder but not by much. So at key points in the overall network you include an intrusion detection device which reverse look-ups the sending IP address. Why is this important? Because if the real connection path is coming in from China but the IP address says its coming from Florida, you can tell from the number of hops between where you are, where you are coming from, and where you are going to if the communication is fraudulent or not.

For example: Lets say the average number of hops from Tampa to New York is 7 hops (i.e. physical router devices). If an email shows up in Los Angeles bound to New York from Florida, for that type of connection to work in reality it may require 14-20 hops. Even if one section of the network were down for some reason a doubling of hops is not realistic so you are pretty much assume that the communication is being spoofed through some other source. In addition, the local ID device would know what the last hop was. If it happened to be Tokyo – well that would certainly clinch it.

Next is tracing back communications. After the fact this is fairly difficult to do however if the SMTP were to be adjusted so that it had to show all hops in the path as part of the mail headers then there would be a logical trail to follow back to the originating source. In addition, this would make the tracking of such communications easier for post-delivery follow-up.

Once you have these two pieces in place now you have something to build a policy around. For example, any IP provider or carrier which knowingly transmits communications for which the source cannot be verified will be subject to regular bulk postal mail rates for each communication allowed through their network.

The cost could range but lets take $0.199/item as the general bulk rate for postcard barcoded items.

$0.199 x 20M pieces of mail = one hefty incentive to not send spam.

Of course if someone wanted to pay the same rates as the US postal service or other postal carrier then they should be, within reason, allowed to send mail all they want. I doubt however that the attractiveness of bulk email would be sufficient that people would be bothered by the same quantity of spam email that we have been subjected to in the past.

Notice though that similar to how the US government tackled the gambling industry problem by going after the banks rather than the gambling establishments themselves, a similar policy is likely to have similar effect for spam. 

Now if politicians could just grow a genetically modifiable backbone we’d be all set.