Dear .Mac Team: Stop The Sex Pill Offers!

by Matthew Russell

Spammers don't need to use clever (or unclever) web-scraping techniques when they can just harvest e-mail addresses by brute force. There's just no other way to explain the correlation between the fury of suspicious, blank messages I've gotten lately along with the dramatic increase in offers for great sex-pills, "insider" stock info, and deals on vacations that are just too good to be true.

45 Comments

bigT
2006-06-16 05:40:30
Couldn't agree more, the amount of spam my .mac account spews is ridiculous. If my (free!) Yahoo and GMail accounts can offer (pretty effective) filtering why can't the account I'm actually paying for? Apple should be ashamed of this situation...or be made to feel ashamed!
Tim
2006-06-16 05:55:37
Same here. With Gmail and my ability to learn to use other sites to share photos with family, my family .mac account will be history unless there are some pretty big changes.
Paolo
2006-06-16 05:58:49
Interestingly, when I had my own "@mac.com" account (back when it still was free), I've had the opposite problem, i.e. there was in place a "silent" filtering (i.e. the incoming messages marked as spam were just dropped, with no notification to recipient) and unfortunately some of my mail happened to come from domains that were, in right or wrong, blacklisted.
At the end, when the service became a paid one, this was also a factor that weighed in for my decision to go elsewhere...
Apparently, as it seems from your words, they ditched it, but don't underestimate the effort to filter and at the same time avoid false positives, these are far more dangerous than annoying, if they're "transparently" deleted! No wonder both GMail and Yahoo! use a special folder where you can go and check what's there, the risk of getting the blame (and more) is all too real...
qka
2006-06-16 06:00:42
I'd like to take this opportunity to open a philosophical can of worms concerning email: Should email servers, in order to reduce spam attacks by brute force, be allowed to "absorb" messages to nonexistant addresses? Example: A message is sent to a@mac.com. However there is no account a@mac.com, but the .Mac mail server does not generate a "return to sender - no such address" message to the sender? Such an approach would deny spammers such a simple method of gathering email addresses.


Would this work?


Yes, it would force them to devise other means of identifying target email addresses, so it's only a small win in the war against spam.


I ask this because:
1) I understand it is contrary to the specifications for Internet email
2) Some email services do it anyhow. I have my own domain, and my hosting service allows me to select whether or not I do this for email to my domain.


Would anyone like to weigh in on this?


Chuck Toporek
2006-06-16 06:04:49
Hey Matt,


I know from my own interaction with the .Mac team that they do a significant amount of spam blocking on the server side before messages get to you. And, yes, some do slip through, just as they do here at O'Reilly. For example, we (O'Reilly employees) received an email this morning from one of our sysadmins saying that in the past 7 days (yes, only 7 days!):



"Our mail servers accepted 1,438,909 connections, attempting to deliver 1,677,649 messages. We rejected 1,629,900 messages and accepted only 47,749 messages. That's a ratio of 1:34 accepted to rejected messages!


How much spam do you get through other accounts? Gmail? Yahoo? Hotmail? Crap from Orkut that could be considered spam? Crap from LinkedIn that could be considered spam? etc.?


Or how much spam do you get at work? Would you quit your job just because you kept getting spam?


The point I'm trying to make here is that no matter how much spam blocking you do (and our guys here do a significant amount of spam blocking), some crap will find its way through the wormhole to your inbox.


The best way to deal with spam offenders and .Mac Mail is to view the message with the full headers and send that message (headers and all) to spam@mac.com.


Chuck

truth
2006-06-16 08:18:50
Pills, watches and the ever present vibrating ring,


identical messages that come from dozens of different addresses every day. with brand new originating addresses every day...


None of my other email accounts even come close.

xyz3
2006-06-16 08:32:06
I fully agree. The worst thing for me is that since dotMac Webmail is HTML based, I have not way to turn off the HTML rendering (like in Mail.app), which means when I click that spam email - because it "just might be" a real email, those linked 1 pixel images, etc.. load up..


But yes, perhaps they could enhance the filtering - but please leave the message in a Junk mailbox - just in case.



jbelkin
2006-06-16 09:35:24
TOTALLY AGREE! .Mac is a fine service but if gmail & yahoo can place mail into a junk filter, so should .Mac! Where's the petition?
rjschwarz
2006-06-16 09:41:05
Apple should sample the spam emails that come in to bogus accounts and see if the return address in such emails is legit or not. If the return address is not legit the source of the bogus email should be banned.


Apple should allow spam emails that originate from different countries/continents to be sorted and blocked. I don't know anyone in Russia/China or Nigeria so why can't I block them all? Yeah some will sort through the UK and the spammers will eventually find work arounds but this would be a start.

Sick of the crap
2006-06-16 09:41:35
Why can't they do something on the server side to at least determine and block those mails that are determined to be spoofed, or do whatever Spamcop is doing, or something.


If Spamcop can determine some of these things, Apple can. They could even just do minimal blocking on this, (blocking as in "I don't even want to see it or know about it"), and that would help. I'm willing to toss some false positives.


Providing some even minimal basic options would help. Maybe let me block, (same definition), mails that come from open proxies, domains that I specify, (*.ru, *.cn, for example), specify white lists, etc. But on the server side at the .Mac website.


Right now it seems like basically anything can come through and does, and I have to deal with it on the client side, waste of my time and space.


Why not have my trained Junk mail filter rules uploaded to my .Mac mail on the server side? If there are false positives, it's my fault.


G B
2006-06-16 10:04:54
Agree fully. I used to pride my .mac service on not having received any spam in more than 3 years, but now it is ridculous - my gmail account is just as good. Ç'mon .Mac team stop this madness.
Anon
2006-06-16 10:20:23
Cancellation ultimatums are always the best way to get what you want. Use them every day!
GJP
2006-06-16 10:27:13
If servers don't send back notification that the email address was not real, then whenever anyone typo's an email address, they'd have no way of knowing that the recipient never received it, other than going back through all their sent mail in their emailer to (re)check recipient email addys.


Just like I'd want to remain assured that when I make a phone call and leave a message on the answering machine, that message is not auto-deleted before it is even heard... by the phone company!

sjk
2006-06-16 10:41:27
No wonder both GMail and Yahoo! use a special folder where you can go and check what's there, the risk of getting the blame (and more) is all too real...


Please correct me if I'm wrong, but my layman understanding is that the TOS for those companies/services (any many others) basically state that they're not liable for lost content caused by use of their services. For example:


Gmail user gets kneecapped


So, what exactly is the all too real risk of getting the blame (and more) that you mention? Maybe you can blame them for lost mail (spam-related or not) but it seems to me like the best you can hope for is customer support resolution (if you can get it) and if that fails then attempt to stir up negative publicity about it and/or switch services.

aliensoup
2006-06-16 10:54:23
It's about time this got addressed. The amount of spam is building almost on a daily basis. Why can't we have a simple filter or rule system that says do not accept email from anyone not in my address book, like in Mail.app? Anyone else who has a legitimate reason for contacting me, will find another method such as snail mail or the phone.
soybomb
2006-06-16 13:03:04
Ditto! Since mid April I have gotten daily SPAM on my .Mac account. I never give out this address to anyone.
Mr. Bill
2006-06-16 13:22:40
Amen! Spammers have clearly put .Mac on their radar for some time now and its become a huge waste of time. At $100+ yr, spam filtering should be the standard, not an additional feature added later as if its something special. On the positive side, if they do address this, it will be better, clever, and more elegant than any other's solution out there.


.Mac, take notice and take action.

lll
2006-06-16 13:47:07
that's odd. i'm not seeing nearly the volume of spam as with my other two major email
accounts (one protected by postini and no idea what comcast uses).


it might be that i'm using apple mail and the junk filter has been really well trained.


my .mac account gets 1 or 2 junk emails per week while my postini filtered account
quartines several hundred per day and 10 or 20 still manage to get thru.

stingerster
2006-06-16 14:02:28
Mail already has a "bounce" feature. Do some research, it works pretty well. Look in the custom toolbars.
sjk
2006-06-16 14:26:51
Those 1:34 accepted to rejected messages ratio stats Chuck posted and most comments here remind me of some unsettling concerns about spam:


The generally accepted strategy towards dealing with spam is mostly defensive/reactive. Anti-spam resources can empower "responsible victims" to fight the symptoms, but how effective are those actions in actually combatting its causes and sources? And do more effective spam blocking techniques create an attitude of "defensive tolerance" towards it even when its costly damage still remains? Reducing the amount people receive doesn't seem to be making a significantly tangible difference in the amount that's being sent.


I hope it becomes easier for people to be aware of what they can do and have methods to help reduce the causes of spam instead of just making it more convenient to ignore.


2006-06-16 14:40:05
fastmail.fm offers some server based rules. Even better, for a one time fee, you can get a spam header entry which you can use in your rejection rules if you like. I still use dotMac for the Disk & sync (don't get me started on that one)
Philippe
2006-06-16 14:57:44
There is no need to use brute force to get a .mac address... you just have to search for site:homepage.mac.com in google and derive the mac address from the site address... i have 2 addresses, one does not have a site and i never get spam...
Flip
2006-06-16 15:23:18
I have 2 .Mac accounts and I run sites under both of them. No spam at all.
Grant
2006-06-16 16:30:28
Hmmm, no problems here with my .Mac email account. Unless you count iTunes New Music Tuesday emails as spam. :)

2006-06-16 17:00:15
Bounce is useless. It tells the spammers that your e-mail address is genuine. There are commercial Apple mail spam filters that do a much better job than .Mac. Given that and the new ability of Firefox to sync via Google I'm having a hard time seeing why I should renew my .Mac subscription which is due in 29 days. I think I'm just going to use GMail for everything.
WakeUpMac
2006-06-16 17:13:03
I agree 100% with the article, I too am looking at ways of dropping .mac from my life. We need more control over the spamming coming into our mail boxes. It all leads to the phrase I say a few times before changing from one company to another, "what am I paying you for"? Get it together .mac, you will lose two customers when I leave....which is in a month.
David K
2006-06-16 17:26:06
You are soooo right. Thanks for saying it!
Walt French
2006-06-16 18:40:29
I took a quick look at my Junk folder... not one email sent to my (only 5-letter) NAMEX@Mac.com. Either these clever spammers haven't gotten up to 5-letter dictionary words yet, Apple IS filtering out all that spam, or your thesis is wrong.


My JunkMail stats:
- One had a blank "To:" field. Dunno how I got it.
- 3 addressed to 2 Yahoo! groups that I used to participate in, and stopped because Yahoo! is flaky about preventing spam
- a bunch to an EarthLink address that includes "Spam" in its name, because I use it to sign up for dodgy sites, and so it's easy to throw away anything that doesn't get filtered out,
- and a lot to an address I've used since the early 90's, and has probably been sold hundreds of times.


- Zero GMail spam,
- Zero DotMac spam,
- Zero PacBell spam -- all addresses that I seldom use except for very limited circles.


EarthLink actually stops well over half of the spam that comes my way, and Mail does a good job on the rest.


I guess it'd be good for DotMac to have some spam filtering, but theoretically, it'd be about the same as what Mail has, so wouldn't add any value.


Methinks your address has just gotten about too much.

Peter Gnemmi
2006-06-16 19:01:58
Because of the spam, I added an email-only account to my major account and did not send email using that account. I received two emails, one welcoming me to dotMac, a second about sex pills. Either the spammers are real good guessers, or dotMac is really screwed up.
nikster
2006-06-16 22:46:00
Yeah, considering that we pay for the service it's pretty ridiculous that it's falling more and more behind the free Gmail service in terms of features.
GMail's web interface is leaps and bounds better than .Mac, gmail allows POP access, gmail has unlimited storage (... and counting...).


So the least .Mac could do for me would be to provide a service similar to SpamArrest or even make a deal with SpamArrest. SpamArrest keeps a whitelist of people who are allowed to send you email and if some unknown person sends you mail, that person has to verify they are a real live person by entering a string from a blurry image online. It works 100%, and it's good. .Mac should offer that for free.


Automated filtering which doesn't work very well - Google already does that for me. .Mac costs money, and therefore should be better.


I don't think spam that contains just an image with a list of ci - A - lis prices and a web address can be detected by spam detectors. It's just as likely somebody sent me an image of their baby and the address where i can see more. SpamArrest or a similar system (I can imagine many ways to do the same thing) is the only option there.

nikster
2006-06-16 22:51:33
PS: If I was a Spammer, I didn't have to send out emails to get all .Mac accounts.


I would just write a script that goes to homepage.mac.com/(random) and see what I get back. Also, you don't do it randomly, you use a dictionary or a phone book for names.


The only defense is to come up with a long and silly name that no one can guess. I will actually do that - if that gets out,too then I know there really is something wrong with .Mac....

jc
2006-06-16 23:45:23
When the day comes when sending email incurs a charge, this problem will end.
Peter Walker
2006-06-17 04:44:14
Couldn't agree more. I was just thining tonight that I'd have to start going through the list of web sites that use my .Mac account as the sign-on and start changing them over to another email address.


The .Mac account delivers about 20 junk emails per day.....I don't get why I'm spending money on this whole service.

Mac user
2006-06-17 07:42:14
I don't think you understand how spammer work : most of the spam that you are receiving is not coming from the spammer itself. So trying to return a mail error to the "From" or "Reply-to" will only generate more mail traffic to other users that spammer hijack for their email address.


As someone else mentionned earlier in the thread if you receive some spam, then forward the source of the message or at least the full header to spam@mac.com and they should take of it.

"b"
2006-06-17 10:18:37
Well, I guess i'm in the minority here. I have NEVER had any spam in my .mac mail, and I have been a member since they stopped making itools for free. Of course I don't publish my .mac account when I post and the only mail I use it for is mainly for business. Guess I'm lucky.
sjk
2006-06-17 18:36:12
The only defense is to come up with a long and silly name that no one can guess. I will actually do that - if that gets out,too then I know there really is something wrong with .Mac....


Last year I created a Gmail account using a fairly long, obscure address name and received spam relatively soon afterwards without ever having sent a single message from it except the invitation acknowledgment.


That's one personal example of address leakage to spammers where the most plausible explanations of how it happened are troubling to consider, assuming it wasn't an unlikely randomly generated guess.


Are there any recommended methods we can use that actually help stop spammers instead of just blocking/filtering the spam they're generating? Sadly (IMO), pretty much every comment here only seems concerned about the latter.

donncha
2006-06-18 02:44:18
Just been thinking the same thing myself, as the vast majority of spam I get is now on my .Mac account. I'm not renewing unless something is done about it soon. At least tag the mails with SpamAssassin or something.
JZ
2006-06-18 08:10:39
I cannot agree more with this article. The amount of spam is out of control. I've tried to train Mail to catch most of it, and I'm 95% successful, but every once in a while a real message gets snagged, so I can't just tell Mail to $hitc@n all suspected spam messages as I'd like.


At the very least, .Mac should bounce empty emails.

a sharp old jewel
2006-06-18 08:55:15
I never give out my @mac.com address, and thus it never gets spammed. My business addresses get spammed repeatedly. I just checked: since March, Mail has caught over 11000 spams to my 4 accounts. Of those, 5 were sent to my .mac and the rest to my other email addresses, which I have to publish to the web.


Same rule as 5 years ago, folks: If you don't want junkmail, don't give out your address to strangers.

RJ
2006-06-19 08:23:49
The best way to change this situation is to give Apple feedback. If enough people complain, changes will happen. Go to www.apple.com/feedback. Select .Mac.
Michael Shapiro
2006-06-20 08:41:20
Hm. I thought they just gather email addresses with their robots.
www.milliondollarhosting.net
Cyberbat
2006-06-20 08:49:13
The Apple Mail client has pretty effective junk mail filtering you can train. dotMac has an iSync engine. Is it too much to ask Apple to sync up my Apple Mail junk mail filter and mail rules with the dotMac servers so all the filtering can take place at the server before the mail gets to me on my Apple Mail client or dotMac web-based mail client ?
ptwobrussell
2006-06-21 18:53:02
Just as an FYI to everyone, here's the line I just dropped to the .Mac team at http://www.apple.com/feedback/mac/tm.html


I recommend you do the same if you'd like to express your feedback.



Hello,


I recently blogged about a problem with your service in an attempt to express my frustrations and also to muster a moderate amount of feedback for you. If you'd please take a look at


http://www.oreillynet.com/mac/blog/2006/06/dear_mac_team_stop_the_sex_pil.html


I believe it would help you understand that the *apparent* lack of server side spam filtering is a problem that would be in your interests to address. I hope you find this feedback helpful and that you can use it to improve your .Mac product.


Sincerely,
Matthew Russell

imparare
2007-04-14 23:12:26
Interesting comments.. :D
imparare
2007-04-15 01:31:07
Interesting comments.. :D