This Sunday I watched a very long and depressing line of speakers from the United States Bureau of Making Shit Up. James Woolsey (former head of the CIA and freelance war-hawk) speculated wildly and baselessly about possible connections between Iraq and al-Qaeda. An anonymous terrorism expert moved beyond baseless allegation into nothing more than vague insinuations–he was particularly a fan of the claim that the Beltway sniper is actually an al-Qaeda operative, in spite of the complete lack of any basis whatsoever for asserting this to be probable, let alone true. Bill Kristol then got on and talked for a while about the need to bomb the world and starve North Korea, and practically accusing Tom Daschle of treason for daring to question the President’s authoritarian and secretive attitude towards Congress and the American people on foreign policy issues.

Well, OK. I expect this shit from Fox News. But while they drone on, an astounding grassfire movement against the war is welling up. The latest development is something that should get the attention of every Right-wing Bomb the World Republican, every spineless amoral Democrat, and the few progressives and genuine Lefties that remain in DC. Over the past week, MoveOn PAC‘s Reward the Heroes drive has raised over 1 million dollars for the campaigns of Congresspeople and Senators who opposed the President’s resolution for war against Iraq. Over $1,000,000 in a week! And we’re not talking about Republican or DLC-style contributions from millionaires here. We’re talking about over 37,000 individual contributions. An average of about $27 per contribution (I gave two contributions of $25, personally). If the DC cognoscenti start taking notice, this could be a very big deal. Money talks in DC, and right now, the people are screaming at the top of their lungs.

Of course, this campaign–like all campaigns–has its limitations. Among them:

• It’s depressing that this action will talk much louder than the hundreds of thousands of calls, letters, and e-mails against war on Iraq that were sent out over the past several weeks. The pre-eminence of PAC money-laundering in politics is not a trend that I really want to see strengthened, although I’m willing to work to get through to Congress by pretty much any just means necessary right now.

• The campaign is primarily focusing on funnelling money to support incumbent Democrats who voted against the war. With the exception of that lying goat Paul Wellstone, I don’t have any objection to supporting those who have taken a stand against war. But I’d also like to see a lot more invested in getting new blood into Congress, not just giving established Lefty Democrats a political sinecure.

• Maintaining a Congress which is independent of the grip of the far Right is important, but we have to do a lot more than that to keep the country from going to hell in a handbasket. Slowing the bleeding will only do so much.

• MoveOn, for all of its virtues in moving Internet activism out into the offline world, makes no particular efforts to reach out to people other than those who can receive their e-mail alerts or access their website.

Again, the power of the Internet as an organizing medium is simply astounding, and we have to take very seriously how we are going to make the best use of it. The MoveOn PAC campaign is one very important way to put a lot of energy into grassroots campaigns, but we have to see this as only the start, and improve from here.

So what do we need to do?

• We need to follow up this campaign with more campaigns that move beyond online voting and make concrete actions. Contributing to campaigns where necessary, I guess, but also building up funding reserves for other purposes–organizing spaces, grassroots organizing (including workplace unionizing), and all the other infrastructure of a successful, anti-vanguardist resistance to the Right-wing Powers that Be. MoveOn PAC’s campaign is a brilliant example of a dynamic, exciting, creative way of standing up against the flow in DC and making them listen. Let’s come up with more ideas.

• We also need to talk about ways to allow online campaigns to reach out to people who don’t spend a lot of time on the Internet–people who tend to be older, poorer, racial minorities, etc. The Right doesn’t care: every CEO and arm-chair warhawk columnist has e-mail, Web access, and all the money the Right-wing foundations have to offer. But we have to work with people, not just dollars, and we have to think about building a mass movement. Otherwise, as Martin Striz pointed out in this space:

  Unfortunately, this nascent form of democratic political transformation is only relevant to those who have an Internet connection, and the unfortunate divide between the haves and have-nots will continue to plague us.

  So what can we do to pull that off? Well, simply focusing on campaigns that move offline and into the world of street protests, organizing spaces, letters to the editor, and other things in the meatspace will help. But let’s start thinking about other ways to convert Internet organizing into a galvanizing force for everyone. I don’t have many more ideas than anyone else on this–I’ve lobbied for printable posters and flyers to be available from all websites that advertise an offline political event, and I think that working on developing phone trees that spread from online to offline contacts would also be a really cool idea. But I’m a neophyte like everyone else and I’m really interested in hearing some creative ideas about where we can go from here.

In the meantime, toss a few bucks to the [MoveOn PAC][] Reward the Heroes campaign, and help make our voice heard in support of pro-peace candidates.

Steve Outing recently published a column bemoaning the sorry state of spam filtering software today. I think his article goes off in entirely the wrong direction, but it touches on some important issues that I only raised in passing in my previous post on spam management, and which I would like to take the time to expand on.

E-mail is the killer app of the Internet. Nothing, not even web surfing (and I say this with all due respect to you, gentle reader) matters a whit compared to the vast significance that e-mail has had on our every-day communications. Not only has e-mail enabled us to get in one-on-one contact with (potentially) anyone anywhere in the world for virtually free, it has also created and nurtured the listserv, where any group of people–small or large, far-flung or local–can instantly, reliably, and painlessly communicate with one another and collaborate on projects, whether this takes the form of a one-to-many newsletter, or a many-to-many discussion group. The cost is often nothing more than some time and labor to administer the list, and the fixed costs of Internet access. This medium for cheap/free communications has created vital communities all over the Internet, more or less single-handedly made the open source movement possible, and changed the face of every form of communication, from news to activism to comic strips. But as Outing points out, there is something rotten in the state of Denmark. As he argues in his article, the wars between spammers and bad spam filters are beginning to seriously impair the usability of the medium.^*

How does this happen? Well, think about the nature of a listserv for example. When you receive a message from a listserv, it is one of many–potentially thousands or even more–copies of the same message being sent out to many users. The From: header is an address that you may have never personally contacted, or even be a newsletter robot rather than a real person. The To: header may be the resender address rather than your address–making it appear forged. And content is included such as Remove me from this list, a website to go to for more information on the list, and perhaps even content such as routine fundraising appeals. It may also contain trip words such as viagra which are actually a part of ordinary conversation, but set off spam alerts. If you’re familiar with how spam filtering works, you’ll see that the M.O. of a listserv is well-nigh indistinguishable from the M.O. of a spammer as far as a spam filter can see. The only clear difference between spam and legitimate listserv traffic is that you have voluntarily opted in for the listserv traffic, and you can voluntarily opt out; whereas spammers don’t care what you think or what you want, and barrage you with their messages without asking you for permission and without caring whether or not you’ve told them not to. This is all the difference in the world, of course, but it’s not a difference that spam filters have any way of seeing. It happens off-camera because there’s no way right now for a spam filter to monitor which listservs you have signed on for, or which e-mails come from those listservs.

The spam situation is growing intolerable. But spam filters that kill listservs and newsletters are unacceptable. Some of Hotmail’s more over-zealous versions of its junk filter have trashed perfectly legitimate personal e-mails and listserv e-mails, and since the user set up the Junk Mail folder specifically so she doesn’t have to look at it, she ends up not knowing that anyone wrote or that her request to join the listserv has been honored. And since she doesn’t know these messages are coming in, she has no reason to change her junk filter so she never changes it so that new communications can get in. This is the absolute worst way to respond to spam: the whole point of spam management is supposed to be improving the user experience of reading e-mail, not breaking the e-mail system to the point of unusability.

As I said in my previous post, one of the first principles of a good spam solution is that it must be respectful of users’ legitimate e-mail. Spam blocking must never ever interfere with properly receiving legitimate e-mail. If it does somehow block a legitimate e-mail, this fact should be easily detectable, the e-mail should be easily recoverable, and measures should be taken to ensure that it doesn’t happen again. One crucial aspect of respecting legitimate e-mail is that spam management software must be aware of listservs and respectful of e-mail sent over them.

As Outing points out, for usability and responsibility’s sake, system administrators should not take control of content-based spam-screening out of the hands of users. There’s an problem in designing spam solutions that rarely gets discussed: in spam filtering, your system administrator’s interests may not be the same as yours. Filters imposed on everyone by the administrator can make a big effect in reducing the load on mail servers, but individual filters that users apply in their clients doesn’t reduce the load on mail servers at all. And it’s not the admin’s personal e-mail which gets deleted or bounced in false positives. Therefore, admins tend to be comfortable with very strict spam filter rules even if they block a lot of legitimate e-mail. End-users, on the other hand, don’t care much about system load, and want to receive all the legitimate e-mail that’s sent to them. They want spam filtering that is flexible, fine-grained, and which they can adjust according to their own levels of comfort and trust.

As users, we’re just going to have to be up-front and hold our system administrators accountable on this issue. We’ll take our business elsewhere if we start losing messages because of your spam filtering. There are still plenty of milder rules that system administrators can impose that will block significant amounts of spam–such as rejecting e-mail from open relays, using Vipul’s Razor to bounce messages that can be proven to be spam, or setting up "trap" accounts to identify spam attacks in progress and temporarily block off the source of the deluge. However, content filtering based on heuristics and trigger words should only be done at the client level, not by sysadmins.

All well and good; so what can we do to deal with the situation?

• Listserv software needs to get its act together. It’s absolutely maddening to try to put together e-mail filters for listservs, because there is absolutely no standardization of how to indicate that messages are being sent over a listserv. And once you get a filter set up, the list owner may change software or robot addresses along the way, at which point you have to through out all your work and make a new filter. All listserv software should standardize on a common set of headers to indicate that e-mail has been sent out over a listserv, as well as some information about that listserv (such as a web page with more information, addresses for unsubscribe/subscribe, and so on). Any standard scheme which is expressive enough will do. They should also develop standardized methods for alerting the list robot that you wish to subscribe to or unsubscribe from the list. With standard features in place, it will be much easier for users to write and maintain filters for dealing with listserv traffic. Also, intelligent spam software can now relax its rules when it is examining list traffic, since we know that we’re dealing with a listserv.

• Listservs should authenticate themselves. If we do adopt a standard scheme, and that scheme is used to relax spam filtering rules, then you can bet that spammers will immediately start forging listserv headers to make sure that their e-mails get through. The solution to this problem is to return to a principle I mentioned in the previous post: double-key encryption should be used to authenticate genuine messages. Basically, each listserv gets a unique double-key ID. When a user subscribes, she gets the public key as part of the subscription. Whenever a message is sent out over the listserv, the listserv software uses the private key to add its signature to the message as it is resent. Smart mail readers can then allow you to filter mail based on the ID of its resender rather than headers that might be forged.

• Listserv operations must be integrated with mail readers. So far everything has pretty much been minor reforms in the already-established interface for listservs and e-mail filtering. the purpose. However, this is much more of a quantum leap solution. To really improve the usability of listservs and deal with spam lists, e-mail clients themselves should be aware of and work with listservs.

  Here’s an example that should be obvious and trivial. The closest thing there is to a standard identifier for listserv resending (Majordomo doesn’t have it, but most other products do) is the List-Unsubscribe: header. This header gives the user a URL — usually just a mailto: link for the list robot — where the user can unsubscribe from the list. It’s really a bit puzzling that no major e-mail software that I’m aware of (drop me a comment if you know of any counter-examples!) creates a quick “Unsubscribe from this List” button when it encounters a message with the List-Unsubscribe: header. This would instantly make things easier on millions of listserv users, and prevent thousands of misdirected Please unsubscribe me! messages from flooding listservs.

  Let’s dig down a bit more. We suggested a standardized method for subscribing to any listserv, and subscription requests can be mechanically generated if they are given the address of the list that is being subscribed to. Then a smart client could feature a Subscribe… button where users can enter the address of any listserv and the subscription will be automagically handled by the mail reader. Do you see where this is going? That’s right: client integration would solve the off-camera problem once and for all. All subscriptions and unsubscriptions are being handled by automated modules in the client. The reader can track these actions and maintain an accurate list of all the mailing lists the user is on. By using double-key IDs to prevent forging, this list can be made pretty darn near airtight. Now spam filters could separate the wheat from the chaff. They could intelligently relax their rules when they are scanning confirmed listserv e-mails, to avoid false positives, and jack them back up again when scanning non-listserv e-mails, to catch more spam.

• Finally, listservs must not become conduits for spam. Some spamhouses are already paying ordinary Internet users to act as mules — they sign up with their own e-mail address on a big listserv, confirm that the address is valid, and then send out a spam message through the listserv. I’ve seen attacks like this inundate more than one e-mail list that I’m on, not to mention the listservs which have been inundated with the Klez worm. Even a perfect scheme for identifying e-mail from listservs won’t matter, if the listservs themselves are resending spam or viruses. Listserv software authors should think about incorporating antivirus screening into their products, to prevent lists from being a dangerous vector of computer infectants. And list administrators need to use whatever options are available in their list software to prevent spam from being sent out. The obvious way is by requiring posts to be approved by a moderator who can screen for spam content. Some software (such as Yahoogroups) has improved on this by allowing listservs to be set so that only a user’s first message is screened by the moderator, and later ones are automatically approved. This way, a spammer will get blocked, since her first and only message is a spam message. However, the list moderator won’t be bothered with having to approve every message from regular list users.

Unfortunately, we can’t much count on listserv or newsletter patrons to come up with these solutions; most aren’t terribly tech-oriented, so we end up with columns like Outing’s, which just focuses on the problem rather than any solution, and where short-term solutions that authors can take are discussed but long-term technological solutions to the underlying problem are not discussed. And we can’t count on your average listserv author to come up with it either. The only people really concerned with ease-of-use in the listserv software world are big corporate entities like Yahoo! and Topica, who make their products easy for end-users but resist big technological jumps. And the only listserv software authors who make those jumps are clever Unix geeks who consider “arcane” to be a compliment when applied to software (take Majordomo–please!).

I love listservs and I pray that spam will not render them useless. I hope that some of us out there who still believe in usability but who don’t have much to lose from big experiments, can start creatively working out and implementing a framework something like this one, in order to prevent listservs from dying a death of the thousand spams. Read the rest of The A-List: More On Spam Management …

(I owe the first link to my friend Mark; the second link to Tom Tomorrow)

So it turns out that Congress doesn’t think that restitution through the civil courts is adequate to deal with malicious attacks on computer systems. Indeed, it wasn’t even harsh enough yet when the USA PATRIOT act classifies hacking, viruses, and other malicious computer damage as terrorist acts subject to its draconian measures. So, to remedy this dreadful situation, they’ve decided to put together the Cyber Security Enhancement Act (CSEA), under which police state powers would be greatly increased in computer crimes, and hackers could be thrown in a federal prison until they die.

Unless, of course, you’re a multibillion dollar entertainment corporation. You see, another bill being considered in Congress which would give recording companies and their representatives legal impunity to hack computers if they have a reasonable basis to believe that piracy is taking place, and to use malicious code to trash a publicly accessible peer-to-peer network on which piracy is occurring.

Oh, but don’t worry: if they wrongly destroy your computer… well, they won’t end up in prison for life. But you can sue them! That is, if the damages were over $250. And if the U.S. Attorney General grants you permission to file the lawsuit.

The hypocrisy and slavish appeasement of economic power is hovering somewhere between merely revolting, and physically nauseating.

Take action!

• Write your Congress-critters urging them to reject Rep. Berman’s proposal, and pointing out the hypocrisy of giving big corporations a blank check on a crime which could send anyone else to prison for life [EFF].

OK, so I’ve been away for a while, as will be obvious to all three of my loyal readers. I’ve been visiting a lot with my friend L. from Detroit, and also celebrating my 21st birthday, which was yesterday (no alcohol was consumed, but I did have some very inordinately tasty bread pudding).

On Friday, I got to see a very fun, if spotty, production of Hamlet at the Alabama Shakespeare Festival. The costuming was all over the place–doublets, late Victorian costumes, Norwegian commandos with AK-47s. And, I hate to be catty here, but the actor playing Laertes seemed like a terrible ham until I just realized that he has the misfortunate of this really weird, nasal voice that is really distracting. Max, who we saw at intermission, also pointed out that he disliked the direction of Polonius, who was being played completely buffo, without any of his underlying menace. All true. On the other hand, many of the actors were quite good — in particular, Hamlet (whiich is the important thing, of course), Horatio, Claudius, and Polonius (goofiness aside). And as always, the Shakespeare Festival is just a lovely place to go out for a night and see a play. Even if it were god-awful, I would have enjoyed the drive and sitting outside by the fountain. Yesterday we celebrated my birthday by going to see the fabulous film version of The Importance of Being Earnest at the Capri theatre and having dinner at the Warehouse Bistro in Opelika. And today, we are going to Cold Stone Creamery with Max to hang out and get some very tasty ice cream. All of this, I have to say, has been a lot more entertaining than, say, schlepping down to Bodega’s and giving myself alcohol poisoning with 21 shots.

Anyway, to come to the point of all of this reportage, another nice feature of my birthday weekend was that my mother returned home from Dallas bearing several cheaply-acquired computer goods (Office XP Professional for $60 — having relatives who work for M$ is very nice). So, for the next few days I’ll be working on hot-rodding my computer a bit. New wireless mouse and keyboard are already installed; I’ll be upgrading to Winders XP soon, and I’m going to go out shopping with some of my birthday money to pick up new gadgets to slap on to the system. It should be a pretty geektacular couple of days, so if I’m not around posting for a little while, that’s where I’ll be.

A few things have recently come together for me. First, Andrew Leonard recently penned an interesting column on spam-blocking technology for Salon; then Jennifer Lee wrote another interesting article for The New York Times. Finally, I made use of a brief free trial of McAfee’s SpamKiller software. I’ve also just been doing a lot of thinking lately about what needs to be done to seriously address the rising tide of spam that is flooding most everyone’s inbox. Spam e-mail has been getting worse over the past several years, and it’s been getting worse at an accelerating pace. If we don’t want Internet communications to become simply worthless from being drowned by spam e-mail, then we have to rethink our basic model for e-mail so that spammers can no longer take advantage of the system’s architecture to overwhelm legitimate messages with their crap. Lee’s article shows a good grasp of the problem and why anti-spam legislation won’t do much to solve it. Leonard’s has a good grasp on the overall technological shift needed to address the problem, but he doesn’t push the envelope nearly enough in the kind of framework that needs to be accomplished.

Leonard’s article describes the development of SpamAssasin, an open source spam blocker being adopted and improved by many system administrators. Leonard points out that the collaborative effort between legions of dedicated spam-fighters can greatly improve the ability of the software to identify spam messages. As Leonard puts it, The only way to stem the flood of unwanted e-mail may be to harness a million eyeballs and an army of open-source hackers. There’s an intuitive reason why this should be the case. Obviously, by harnessing the efforts of thousands of administrators who ferociously hate spam, it will get a big boost in productive energy. But that’s not all.

The basic problem is this: under the present e-mail architecture, the spam market works. It works phenomenally well, and especially well for the seedier side of online industries, in particular pornography and sex-related products, which can’t advertise through conventional media (other than other porn outlets) and don’t have any financial interest in maintaining a reputation as a friendly corporate citizen. The reasons are inherent features of the e-mail architecture:

• It costs nearly nothing to send spam: once you have an Internet connection set up (which you’ll need for your product’s website, anyway), it costs virtually nothing to send out scads and scads of spam e-mail. Labor costs can be reduced to nill by feeding addresses from a web crawler into an automated spamming program. This is a fundamental reversal from direct mail and telemarketing, where a fixed cost for contacting a person is borne by the advertiser.

• Lots of people see it: If you send out a spam message to a huge group of people, then most of the people you send it to will see it. In part, this is because e-mail is a durable medium, like direct mail or fax, and unlike the telephone, so if you send a message while the user is away, they still get it. It’s also due to the relatively primitive state of message sorting and spam filtering–users have very little control over the order and priority with which messages appear in their inboxes, so to get to the mesages they want, they generally have to wade through, or at least scan over, any spam that they get.

• It’s hard to track offenders. Many comparisons have been drawn between spam e-mail and the junk faxes whose rising costs spurred a federal law against them in 1991. The two are alike in that advertisers get a basically free contact, while victims are stuck with the primary costs (in paper, bandwidth, time, what have you) of the interactions. However, there is a crucial difference: junk faxes can easily be tracked to their perpetrator through phone company records. Offenders can be blocked and identified for legal action. Spam e-mails, on the other hand, are generally very difficult to track to their originators. Headers can easily be forged, server relays can be found to use, one-time-only addresses created with free services, work can be farmed out to mule computer users, who are paid a small amount to send out a huge volume of messages, and then take the fall if they get caught. The anonymity of e-mail and its reliance on the honor system for identifying senders makes spam very difficult to flag and filter.

When we look at all these factors, we begin to see that we need a comprehensive solution which will work to address these structural holes. We cannot rely on anti-spam legislation, since spammers will merely relocate to different states or different countries, and use the anonymity of the communication to further shield themselves. Spam is only going to get worse until we have mass deployment of an easy-to-learn, easy-to-use, agile framework which harnesses both human intelligence and high-quality, flexible technological solutions to make legitimate email easier to access and identifies and deals with spam.

Unfortunately, most anti-spam solutions fail, because they are focused narrow-mindedly on a single goal–the goal of accumulating as many heuristic rules as possible to identify and kill spam (this is reflected in the names–McAfee’s SpamKiller, SpamAssasin, and so on. The most common and most maddening manifestation of this is scorched-earth spam programs such as SpamKiller, which works entirely by accumulating thousands and thousands of rules to try to identify common patterns in the way that spam messages are written or addressed. These do indeed catch a lot of spam, but they also slam perfectly legitimate e-mail. For example, my decision to uninstall SpamKiller was finalized when I saw it was trashing legitimate e-mails because a filter (one of thousands, which took lots of scrolling to find) was killing messages because they contained the word rape. Now, look, folks, I’m pretty much physically nauseated by some of the spam ads I’ve received for rape-fetish pornography sites. But I’m an anti-rape activist, and I receive tons of perfectly legitimate e-mail with the word rape in it. SpamKiller’s approach to spam is like trying to kill a swarm of mosquitoes with a cluster bomb, and plenty of perfectly innocent messages were getting clobbered.

The problem here is that most people who work on spam-blocking software and most of those who purchase it are basically in the frame of mind of trying to get rid of a source of long-term and maddening irritation. Programs tend to be reactively focused on axing spam by any means necessary, rather than proactively focused on improving the e-mail user’s experience. But if we keep our mind on what users need and want, rather than what gives us the temporary satisfaction of the kill, then we should begin to see a bit more clearly what needs to be done.

To reduce the effectiveness of spam, first spam management software needs to be widespread, usable, and respectful of user’s legitimate e-mail. With millions of users employing software that lets them take control of their own inboxes, users will be able to stay on top of their legitimate e-mail and sidestep the spam. Information for identifying spam should come from automated reports that millions of users submit: when a spam slips through, the recipient presses one button in the mail client and it is registered as a spam message so that no-one else receives it (SpamAssassin uses Vipul’s Razor, a system which does just this, but it needs to be integrated into easy to use clients, not just arcane Unix mail filters).

Second, we need to plug the anonymity hole through use of double-key authentication and encryption of e-mail. E-mail clients could prioritize messages which can be verified as coming from a valid address, and also messages which are encrypted for the recipient’s eyes only. Spammers who want their messages seen would have to separately acquire a public key for, and encrypt the message for every intended recipient. For millions of e-mail addresses, that’s an awful lot of extra processor time, network bandwidth, and human labor that the spammer has to pay for. Furthermore, the spammer’s PGP signature or signatures can be blacklisted as quickly as the spams start going out.

Finally, system administrators at big ISPs need to get responsible. One of the biggest conduits for spam open relays, poorly configured mail servers which allow anyone on the Internet to send e-mail through the server by forging headers to pose as a machine on the server’s network. System administrators need to get serious about ensuring that connections are only accepted from authenticated users or legitimate machines on the ISP’s own subnet. And when spam is being sent by a user, they need to be quick about axing that user’s account.

What you can do now:

You can do some things now, both short-term and long-term, to keep yourself from being overwhelmed and work towards an Internet not being drowned in spam.

• Use shield accounts for online commerce. A lot of high-end spamhouses harvest addresses by buying them from merchants such as Amazon.com. For online interactions which won’t be anything other than perfunctory receipts, it’s good to maintain a shield account (say, diespammersdie@hotmail.com or somesuch) as the address through which you interact with online stores.

• Download and use PGP. You can get PGP — a great security program which will let you securely sign messages (so that the recipient can verify your identity) and/or encrypt messages (so that only the recipient can read them). The Windows version of PGP automates the process of creating and using PGP keys, and has plugins for popular Windows e-mail clients which let you use simple pushbuttons for its functions. PGP will make your e-mail more secure, and also help build an Internet environment where spammers can no longer hide behind forged headers to conceal their identities.

• Look for solid anti-spam software that suits you. If you can find spam management software which suits your needs, grab it! If you’re willing to geek around a lot, SpamAssasin looks very good. Better yet, Deersoft is in the process of developing SpamAssassin Pro, a commercial product for Windows based on the SpamAssassin engine and integrated with your mail client. Unfortunately, most spam management software I’ve tried (e.g., SpamKiller) is crap.

• More tips: Jennifer Lee’s article is accompanied by some tips for avoiding spam, some of which I agree with, and others of which I don’t. Unfortunately, the present spam-heavy environment is encouraging a lot of people to take up measures which cut down spam at the expense of breaking human usability of the e-mail system. Lee suggests using complex e-mail addresses, which do thwart spammers who use dictionary searches on mail services, but which also makes it hard for your friends to remember your e-mail address. She also suggests removing your e-mail from any online directories in which it may be included, which will again thwart spammers but also keep people from being able to reach you. I totally disagree with this method of spam filtering. Again, it amounts to protecting your inbox at the cost of shredding real people’s ability to contact you. Nevertheless, some of her suggestions (such as disposable forwarding accounts for use on Usenet and bulletin boards) are solid.