Saturday, May 17, 2008

How to stop spam from free email accounts

If you've noticed an increase in the amount of spam you've been getting lately, it's probably because the captchas for both Gmail and Yahoo mail have been broken recently.

Ye gods, how hard can it be to solve this problem? I gave it five minutes of thought just now and came up with an utterly trivial solution that will completely stop free email accounts from being used for spam:

1. Whenever a message is sent to a recipient that has never received a message from that account before, modify the message to include a link at the top that the recipient can click on if the message is spam.

2. Limit the number of new recipients that can receive email from that account to a few dozen a day.

3. If the number of spam reports from that account exceeds a certain threshold, shut the account down.

4. Require a valid credit card number to set up a new account. Even better, charge $1 for a new account.

Point 4 is going to be somewhat controversial because the email providers will argue that if they do this then people will just use someone else's service. But this is not true. If only the Big 3 (GMail, Yahoo and Hotmail) instituted this policy that would be enough to force everyone else to follow suit. The reason is that spammers would abandon the Big 3 and start using smaller free email providers. Once people realized that a particular provider was laden with spam they would just start filtering out all messages from that provider. Once people with legitimate accounts realize that their messages are being spam filtered they will either pressure their provider to adopt the "credit card captcha" for new accounts, or they will switch to a provider that already uses it.

This would not just make a dent in spam from free email accounts, it would *completely* eliminate it because it would make it unprofitable. A single account could not be used to send out more than a couple of hundred spams before it would be shut down, and creating a new account would be too expensive to make spamming profitable. So the spammers wouldn't even try.

Note that this would not eliminate spam altogether, because spam could still be sent from botnets. But that kind of spam is pretty easy to filter.

Can anyone come up with a reason why this wouldn't work?

6 comments:

leondz said...

carders

stechert said...

I can think of a few.

Because spam filters currently exist (and will continue to), technique 1 can be circumvented by sending the first note out with the subject "viagra". That email would go to the user's spam folder and never be seen or clicked. The follow-up message would then be crafted to get around the spam filter.

Having the spam filtering software automatically click the link has the usual problems (upgrading every install in the world, false positives).

Technique #2 is not necessarily useful in limiting spam if the spammer is doing his nefarious deeds by registering millions of accounts.

The choice of a threshold model is critical to technique #3. Using a constant as a threshold means that every time you send an email to a new person, they have the ability to silence you. E.g., how long is the link to report an email spammy valid? If someone started disliking what you were saying, what's to stop them from going back to that first email and reporting your input as "unwanted"?

Ron said...

> technique 1 can be circumvented by sending the first note out with the subject "viagra".

Good point, but easy to fix:

5. Run a standard spam filter on all outgoing email, and shut the account down if too many outgoing spams are detected. You'd have to figure out how many is "too many" but I suspect that it would be safe to shut the account down if more than, say, 50% of the outgoing messages are spam.

> Technique #2 is not necessarily useful in limiting spam if the spammer is doing his nefarious deeds by registering millions of accounts.

That's the reason for point 4.

> If someone started disliking what you were saying, what's to stop them from going back to that first email and reporting your input as "unwanted"?

Nothing, but if enough people went to the trouble of doing that then shutting the sender down could be the right thing to do.

In any case, false positives could easily be remedied by charging the user another dollar to re-activate the account.

Also keep in mind that the technique doesn't have to be perfect in order to be effective. It only has to achieve a high enough proportion of success to make spamming from a free account too expensive to be profitable.
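Here is what the account-level side of the proposal looks like as code: points 1 to 3 from the post (report link on first contact, a daily cap on new recipients, suspension after enough reports) plus point 5 from Ron's reply (run the normal spam filter on outgoing mail and suspend when too large a share of it is spam). This is an added example, not code from the post or from any mail provider. The thresholds, the report URL, the keyword classifier standing in for a real spam filter, and the in-memory store are all assumptions; the report token is made unguessable and single-use, which is one way to answer stechert's question about how long a report link stays valid.

```python
from collections import defaultdict
from dataclasses import dataclass, field
import secrets

# Policy knobs. The post says "a few dozen" new recipients per day and Ron's
# reply suggests shutting down at 50% outgoing spam; the exact numbers below
# are assumptions for this example.
NEW_RECIPIENTS_PER_DAY = 36     # point 2
SPAM_REPORT_THRESHOLD = 5       # point 3
OUTGOING_SPAM_RATIO = 0.5       # point 5 (Ron's reply)
MIN_MESSAGES_FOR_RATIO = 10     # don't judge a ratio on a handful of messages
REPORT_URL = "https://mail.example/report/"   # assumed provider URL


def keyword_classifier(body: str) -> bool:
    """Stand-in for the provider's real outbound spam filter (constructed)."""
    return "viagra" in body.lower()


@dataclass
class AccountState:
    known_recipients: set = field(default_factory=set)
    today: str = ""            # day the new-recipient counter belongs to
    new_today: int = 0
    sent: int = 0
    flagged_outgoing: int = 0
    reports: int = 0
    suspended: bool = False
    reason: str = ""


class OutboundPolicy:
    def __init__(self, classifier=keyword_classifier):
        self.accounts = defaultdict(AccountState)
        self.report_tokens = {}  # single-use token -> sending account
        self.classify = classifier

    def send(self, sender: str, recipient: str, body: str, day: str):
        """Returns (delivered_body or None, status)."""
        st = self.accounts[sender]
        if st.suspended:
            return None, "suspended"
        if st.today != day:                       # reset the daily counter
            st.today, st.new_today = day, 0
        first_contact = recipient not in st.known_recipients
        if first_contact and st.new_today >= NEW_RECIPIENTS_PER_DAY:
            return None, "rate limited"           # point 2

        # Point 5: run the spam filter on outgoing mail and shut the account
        # once too large a share of what it sends is spam.
        st.sent += 1
        if self.classify(body):
            st.flagged_outgoing += 1
            if (st.sent >= MIN_MESSAGES_FOR_RATIO
                    and st.flagged_outgoing / st.sent > OUTGOING_SPAM_RATIO):
                st.suspended, st.reason = True, "outgoing spam ratio"
                return None, "suspended"

        if first_contact:
            # Point 1: the first message to a recipient carries a report link.
            # The token is unguessable and single-use, so one old link cannot
            # be replayed into many reports.
            st.new_today += 1
            st.known_recipients.add(recipient)
            token = secrets.token_urlsafe(16)
            self.report_tokens[token] = sender
            body = f"Report this message as spam: {REPORT_URL}{token}\n\n{body}"
        return body, "delivered"

    def report(self, token: str) -> bool:
        """Recipient clicked the link. Point 3: enough reports suspend the sender."""
        sender = self.report_tokens.pop(token, None)
        if sender is None:
            return False                          # unknown or already used
        st = self.accounts[sender]
        st.reports += 1
        if st.reports >= SPAM_REPORT_THRESHOLD:
            st.suspended, st.reason = True, "spam reports"
        return True


def token_from_body(body: str) -> str:
    """Pull the report token back out of a delivered first-contact message."""
    return body.split(REPORT_URL, 1)[1].split("\n", 1)[0]


def demo() -> dict:
    """Constructed scenario; returns the three account states for inspection."""
    p = OutboundPolicy()
    day = "2008-05-17"
    body, _ = p.send("alice", "bob@example.org", "lunch tomorrow?", day)
    p.report(token_from_body(body))               # one report: still fine
    for i in range(40):                           # bulk sender hits the daily cap
        p.send("bulk", f"r{i}@example.org", "newsletter", day)
    for i in range(12):                           # spammer hits the outgoing ratio
        p.send("mallory", f"v{i}@example.org", "cheap VIAGRA", day)
    return {name: p.accounts[name] for name in ("alice", "bulk", "mallory")}
```

Point 4 (the credit-card or $1 sign-up) is not in the code because it lives in account creation, not in the send path; its job in the scheme is to make `OutboundPolicy` suspensions costly to route around by registering fresh accounts. Note that the ratio rule only kicks in after a minimum number of messages, so a new account whose first message happens to trip the filter is not shut down on one data point.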

Nitesh said...

Great stuff! Thanks for sharing, one fresh idea and you can change the world, keep up the great work.

Kalpesh Khivasara said...

Wouldn't Technique #4 (the big email providers begin charging for accounts) come across as monopoly? Also, no company would want to go out first to charge for accounts and risk other players playing the "wait and watch" game or worse, increase its market share at the expense of the first company to begin charging.

jing said...

SpamAid is a good solution for protection against spam and unsolicited emails. It works fine for me.